Update lock script, add unlock script, minor updates in other scripts

Make sure that lock script reejcts core users
(root/ec2-user/admin/ubuntu)

Unlock script works reverse with also optional check in user_list.txt
for ssh allow/foward group type

Internal:
rename all $user to $username

bin/lock_user.sh

@@ -2,26 +2,36 @@
 
 # disable a user by removing them from the sshallow/sshforward group
 # and move them to the sshreject group
+# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
+# if the -t is not in the first position it will be ignored
 
 # SET TO 1 to TEST [will not move user in groups]
-TEST=0; # no creation except ssh keys
-INFO=0; # no creation of anything, just print info strings
-while getopts ":ti" opt; do
+TEST=0; # no delete, just print
+while getopts ":t" opt; do
 	case "${opt}" in
 		t|test)
 			TEST=1;
 			;;
-		i|info)
-			INFO=1;
-			;;
 	esac;
 done;
+shift "$((OPTIND-1))"
+
+if [ $(whoami) != "root" ]; then
+	if [ ${TEST} -eq 0 ]; then
+		echo "Script must be run as root user";
+		exit;
+	else
+		echo "!!!! Script must be run as root user !!!!";
+	fi;
+fi;
 
 if [ $# -eq 0 ]; then
 	echo "Must give at least one user name";
 	exit;
 fi;
 
+# ignore users (root and admin users)
+ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
 ssh_reject_group="sshreject";
 if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
@@ -30,20 +40,29 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 fi;
 ssh_allow_group="sshallow";
 ssh_forward_group="sshfoward";
-delete_accounts="";
-user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
+user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"
 # $1 ... $n
 for username in "$@"; do
+	# skip if there is an option hidden
+	if [[ ${_arg:0:1} = "-" ]]; then
+		continue;
+	fi;
+	# skip ignore users, note that if a user is not in the sshallow list anyway
+	# we skip them too, this is just in case check
+	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+		echo "[!] User $username is in the ignore user list";
+		continue;
+	fi;
 	# check that user exists in passwd
-	if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
+	if ! id "${username}" &>/dev/null; then
 		echo "[!] User $username does not exists in /etc/passwd file";
 		continue;
 	fi;
 	# if not check if in reject list
-	if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
-		echo "[.] User $username already in the ${ssh_reject} list";
+	if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
+		echo "[.] User $username already in the ${ssh_reject_group} list";
 		continue;
 	fi;
 	# check if user is in sshallow/forward list
@@ -62,17 +81,16 @@ for username in "$@"; do
 	if [ ! -z "${ssh_remove_group}" ]; then
 		# remove user from ssh group and add to reject groups
 		echo "[*] User $username will be removed from ${ssh_remove_group}";
-		delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
+		if [ ${TEST} -eq 1 ]; then
+			printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
+		else
+			gpasswd -d "${username}" "${ssh_remove_group}";
+			gpasswd -a "${username}" "${ssh_reject_group}";
+		fi;
 	else
 		# skip not ssh user
 		echo "[?] User $username not in any ssh allow/foward groups";
 	fi;
 done;
-if [ ! -z "${delete_accounts}" ]; then
-	echo "--------------------->"
-	echo "% Run list below to move users to reject ssh group";
-	echo "";
-	echo "${delete_accounts}";
-fi;
 
 # __END__