ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

shellcheck fixup

Browse Source
This commit is contained in:
Clemens Schwaighofer
2024-09-27 18:49:36 +09:00
parent d8f9710593
commit 4b11a51d67
6 changed files with 96 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
bin/authorized_key_location_change.sh
View File

@@ -1,5 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# shellcheck disable=SC2059
# check if we need to move the users authorized keys to the central location # check if we need to move the users authorized keys to the central location
TEST=1; TEST=1;
@@ -30,9 +32,10 @@ done;
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_MASTER_AUTHORIZED_FILE=''; SSH_MASTER_AUTHORIZED_FILE='';
# SSH_AUTHORIZED_FILE=''; # SSH_AUTHORIZED_FILE='';
# shellcheck disable=SC2013
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
if [ ! -z $(echo "${cf}" | grep "%u") ]; then if echo "$cf" | grep -q "%u"; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
exit; exit;
@@ -43,8 +46,9 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "No central authorized_keys file detected, no change check needed"; echo "No central authorized_keys file detected, no change check needed";
exit; exit;
fi; fi;
# shellcheck disable=SC2013
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then if ! echo "${cf}" | grep -q -- "--master"; then
SSH_MASTER_AUTHORIZED_FILE="${cf}"; SSH_MASTER_AUTHORIZED_FILE="${cf}";
if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
@@ -86,20 +90,20 @@ fi;
# loop over passwd file # loop over passwd file
# if not in no action then check if .ssh/authorized_keys file exists # if not in no action then check if .ssh/authorized_keys file exists
cat /etc/passwd | cut -d ":" -f 1,6 | cut -d ":" -f 1,6 /etc/passwd |
while read user_home; do while read -r user_home; do
username=$(echo "${user_home}" | cut -d ":" -f 1); username=$(echo "${user_home}" | cut -d ":" -f 1);
master_user=0; master_user=0;
# skip admin usernames # skip admin usernames
if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list"; printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
continue; continue;
fi; fi;
if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line"; printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
continue; continue;
fi; fi;
if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file"; printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
continue; continue;
fi; fi;
@@ -115,10 +119,10 @@ while read user_home; do
continue; continue;
fi; fi;
# check those keys are in the master key list # check those keys are in the master key list
if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then if [[ " ${MASTER_KEY[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
master_user=1; master_user=1;
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}"); ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
if [ ! -z "${ssh_key_diff}" ]; then if [ -n "${ssh_key_diff}" ]; then
printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file"; printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
exit; exit;
fi; fi;
@@ -148,12 +152,12 @@ while read user_home; do
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
# secure new folder: chown/chmod/chattr # secure new folder: chown/chmod/chattr
chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; chown "${username}" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
# confirm # confirm
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
if [ ! -z "${ssh_key_diff}" ]; then if [ -n "${ssh_key_diff}" ]; then
printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}"; printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
break; break;
fi; fi;

41
bin/collect_login_data.sh
View File

@@ -9,7 +9,7 @@ if [[ "$EUID" -ne "0" ]]; then
fi; fi;
# base folder # base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
# auth log file # auth log file
AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log"; AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
if [ ! -f "${AUTH_LOG}" ]; then if [ ! -f "${AUTH_LOG}" ]; then
@@ -22,13 +22,19 @@ RUN_FULL_LOG=0;
# option parsing # option parsing
while getopts ":fd" opt; do while getopts ":fd" opt; do
case "${opt}" in case "${opt}" in
f|full) f) # full
echo "[!!!] Run through all log files to collect data"; echo "[!!!] Run through all log files to collect data";
RUN_FULL_LOG=1; RUN_FULL_LOG=1;
;; ;;
d|deubg) d) # deubg
DEBUG=1; DEBUG=1;
;; ;;
\?)
echo "";
echo "-f Collect all log data again";
echo "-d Debug output";
exit 1;
;;
esac; esac;
done; done;
@@ -37,8 +43,8 @@ function prD()
message="${1}"; message="${1}";
debug=${2:-0}; debug=${2:-0};
lb_off=${3:-0}; lb_off=${3:-0};
if [ ${debug} -eq 1 ]; then if [ "${debug}" -eq 1 ]; then
if [ ${lb_off} -eq 1 ]; then if [ "${lb_off}" -eq 1 ]; then
echo -n "${message}"; echo -n "${message}";
else else
echo "${message}"; echo "${message}";
@@ -72,25 +78,26 @@ function parseLog()
# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}") # $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1; # prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}" printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
prD "${msg}" ${debug} 1; prD "${msg}" "${debug}" 1;
# find auth user in current auth file # find auth user in current auth file
# if not there attach, else replace date only # if not there attach, else replace date only
found=$(grep "${auth_user};" "${auth_log}"); found=$(grep "${auth_user};" "${auth_log}");
if [ -z "${found}" ]; then if [ -z "${found}" ]; then
prD " | Write new" ${debug}; prD " | Write new" "${debug}";
echo "${auth_user};${auth_date}" >> "${auth_log}"; echo "${auth_user};${auth_date}" >> "${auth_log}";
else else
prD " | Replace old" ${debug}; prD " | Replace old" "${debug}";
sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}"; sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
fi; fi;
} }
printf -v msg "Run date: %s %s" $(date +"%F %T") printf -v msg "Run date: %s" "$(date +"%F %T")"
prD "${msg}" ${DEBUG}; prD "${msg}" ${DEBUG};
# Collector script for login information via journalctl # Collector script for login information via journalctl
# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log # if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
readonly init_version=$(/proc/1/exe --version | head -n 1); init_version=$(/proc/1/exe --version | head -n 1);
readonly init_version;
if [ -z "${init_version##*systemd*}" ]; then if [ -z "${init_version##*systemd*}" ]; then
LOG_TARGET="systemd"; LOG_TARGET="systemd";
# for journalctl # for journalctl
@@ -103,8 +110,8 @@ if [ -z "${init_version##*systemd*}" ]; then
fi; fi;
# READ as other format so we get the YEAR -o short-iso # READ as other format so we get the YEAR -o short-iso
START_YEAR=$(date +%Y -d "1 day ago"); START_YEAR=$(date +%Y -d "1 day ago");
journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" | journalctl -u systemd-logind --no-pager -o short-iso "${OPT_START_DATE}" "${OPT_END_DATE}" | grep ": New session" |
while read line; do while read -r line; do
# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user. # # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
# date: 5 chars # date: 5 chars
# time: 8 chars # time: 8 chars
@@ -120,11 +127,11 @@ else
# for secure/auth log # for secure/auth log
if [ $RUN_FULL_LOG -eq 1 ]; then if [ $RUN_FULL_LOG -eq 1 ]; then
# we loop over EACH file and get the DATE so we can have the correct YEAR # we loop over EACH file and get the DATE so we can have the correct YEAR
for sfile in $(ls -1 /var/log/secure*bz2); do for sfile in /var/log/secure*bz2; do
tz=$(stat -c %Z "${sfile}"); tz=$(stat -c %Z "${sfile}");
START_YEAR=$(date +%Y -d @${tz}); START_YEAR=$(date +%Y -d @"${tz}");
bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" | bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do while read -r line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG}; parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done; done;
done; done;
@@ -132,8 +139,8 @@ else
START_DATE="sshd" START_DATE="sshd"
fi; fi;
START_YEAR=$(date +%Y -d "1 day ago"); START_YEAR=$(date +%Y -d "1 day ago");
cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" | grep "${START_DATE}" "/var/log/secure" | grep ": session opened for user" | grep " by (uid=0)" |
while read line; do while read -r line; do
parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG}; parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
done; done;
fi; fi;

14
bin/delete_user.sh
View File

@@ -15,10 +15,10 @@ TEST=0; # do not run any actions
BACKUP=1; BACKUP=1;
while getopts ":tb" opt; do while getopts ":tb" opt; do
case "${opt}" in case "${opt}" in
t|test) t) # var/log/secure*bz2
TEST=1; TEST=1;
;; ;;
b|nobackup) b) # nobackup
BACKUP=0; BACKUP=0;
;; ;;
\?) \?)
@@ -32,7 +32,7 @@ while getopts ":tb" opt; do
done; done;
shift "$((OPTIND-1))" shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user"; echo "Script must be run as root user";
exit; exit;
@@ -53,10 +53,10 @@ timestamp=$(date +%Y%m%d-%H%M%S);
# character to set getween info blocks # character to set getween info blocks
separator="#"; separator="#";
# base folder for all data # base folder for all data
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
root_folder="${BASE_FOLDER}../"; root_folder="${BASE_FOLDER}../";
backup_folder="${BASE_FOLDER}../backup/"; backup_folder="${BASE_FOLDER}../backup/";
SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/'; # SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
input_file='user_list.txt'; input_file='user_list.txt';
user_list_file="${root_folder}${input_file}"; user_list_file="${root_folder}${input_file}";
# log file # log file
@@ -72,7 +72,7 @@ ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_AUTHORIZED_FILE=''; SSH_AUTHORIZED_FILE='';
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
if [ ! -z $(echo "${cf}" | grep "%u") ]; then if [ -n "$(echo "${cf}" | grep "%u")" ]; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
@@ -95,7 +95,7 @@ for username in "$@"; do
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; echo "[!] User ${username} is in the ignore user list";
continue; continue;
fi; fi;

17
bin/lock_user.sh
View File

@@ -9,14 +9,18 @@
TEST=0; # no delete, just print TEST=0; # no delete, just print
while getopts ":t" opt; do while getopts ":t" opt; do
case "${opt}" in case "${opt}" in
t|test) t) # test
TEST=1; TEST=1;
;; ;;
\?)
echo "";
echo "-t test run, do not lock users";
;;
esac; esac;
done; done;
shift "$((OPTIND-1))" shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user"; echo "Script must be run as root user";
exit; exit;
@@ -34,7 +38,7 @@ fi;
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group # ssh reject group
ssh_reject_group="sshreject"; ssh_reject_group="sshreject";
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then if ! grep -q "${ssh_reject_group}:" /etc/group; then
echo "Missing ssh reject group: ${ssh_reject_group}"; echo "Missing ssh reject group: ${ssh_reject_group}";
exit; exit;
fi; fi;
@@ -51,7 +55,7 @@ for username in "$@"; do
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; echo "[!] User ${username} is in the ignore user list";
continue; continue;
fi; fi;
@@ -72,16 +76,17 @@ for username in "$@"; do
fi; fi;
# if user is in ssh allow group and ALSO in ssh forward group -> bad # if user is in ssh allow group and ALSO in ssh forward group -> bad
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
if [ ! -z "${ssh_remove_group}" ]; then if [ -n "${ssh_remove_group}" ]; then
echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again."; echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
break; break;
fi; fi;
ssh_remove_group="${ssh_forward_group}"; ssh_remove_group="${ssh_forward_group}";
fi; fi;
if [ ! -z "${ssh_remove_group}" ]; then if [ -n "${ssh_remove_group}" ]; then
# remove user from ssh group and add to reject groups # remove user from ssh group and add to reject groups
echo "[*] User ${username} will be removed from ${ssh_remove_group}"; echo "[*] User ${username} will be removed from ${ssh_remove_group}";
if [ ${TEST} -eq 1 ]; then if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}"; printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
else else
gpasswd -d "${username}" "${ssh_remove_group}"; gpasswd -d "${username}" "${ssh_remove_group}";

43
bin/rename_user.sh
View File

@@ -12,15 +12,15 @@ OLD_USERNAME="";
NEW_USERNAME=""; NEW_USERNAME="";
while getopts ":to:n:" opt; do while getopts ":to:n:" opt; do
case "${opt}" in case "${opt}" in
t|test) t) # test
TEST=1; TEST=1;
;; ;;
o|old-user) o) # old-user
if [ -z "${OLD_USERNAME}" ]; then if [ -z "${OLD_USERNAME}" ]; then
OLD_USERNAME="${OPTARG}"; OLD_USERNAME="${OPTARG}";
fi; fi;
;; ;;
n|new-user) n) # new-user
if [ -z "${NEW_USERNAME}" ]; then if [ -z "${NEW_USERNAME}" ]; then
NEW_USERNAME="${OPTARG}"; NEW_USERNAME="${OPTARG}";
fi; fi;
@@ -36,7 +36,7 @@ while getopts ":to:n:" opt; do
done; done;
shift "$((OPTIND-1))" shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user"; echo "Script must be run as root user";
exit; exit;
@@ -47,15 +47,15 @@ fi;
error=0; error=0;
host=$(hostname); host=$(hostname);
timestamp=$(date +%Y%m%d-%H%M%S); # timestamp=$(date +%Y%m%d-%H%M%S);
# character to set getween info blocks # character to set getween info blocks
separator="#"; separator="#";
# base folder for all data # base folder for all data
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
root_folder="${BASE_FOLDER}../"; ROOT_FOLDER="${BASE_FOLDER}../";
SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/'; SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
input_file='user_list.txt'; input_file='user_list.txt';
user_list_file="${root_folder}${input_file}"; user_list_file="${ROOT_FOLDER}${input_file}";
default_ssh_keytype='ed25519'; default_ssh_keytype='ed25519';
ssh_keytype=''; ssh_keytype='';
# log file # log file
@@ -69,13 +69,14 @@ fi;
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# detect ssh authorized_keys setting # detect ssh authorized_keys setting
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_AUTHORIZED_FILE=''; # SSH_AUTHORIZED_FILE='';
# shellcheck disable=SC2013
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
if [ ! -z $(echo "${cf}" | grep "%u") ]; then if echo "$cf" | grep -q "%u"; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
error=1; exit;
fi; fi;
fi; fi;
done; done;
@@ -101,11 +102,11 @@ fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${OLD_USERNAME} " ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${OLD_USERNAME}[[:space:]] ]]; then
echo "[!] User ${OLD_USERNAME} is in the ignore user list"; echo "[!] User ${OLD_USERNAME} is in the ignore user list";
error=1; error=1;
fi; fi;
if [[ " ${ignore_users[*]} " =~ " ${NEW_USERNAME} " ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${NEW_USERNAME}[[:space:]] ]]; then
echo "[!] User ${NEW_USERNAME} is in the ignore user list"; echo "[!] User ${NEW_USERNAME} is in the ignore user list";
error=1; error=1;
fi; fi;
@@ -128,12 +129,12 @@ if [ -f "${user_list_file}" ]; then
error=1; error=1;
fi; fi;
# if the old user exists but as DELETED -> no go # if the old user exists but as DELETED -> no go
if [ ! -z $(echo "${user_list_entry}" | grep "#DELETED-") ]; then if ! echo "${user_list_entry}" | grep -q "#DELETED-"; then
echo "[!!!] User ${OLD_USERNAME} has been flagged as deleted"; echo "[!!!] User ${OLD_USERNAME} has been flagged as deleted";
error=1; error=1;
fi; fi;
# if new user name already exists in user list file for whatever reason # if new user name already exists in user list file for whatever reason
if [ $(grep "${NEW_USERNAME}" "${user_list_file}") ]; then if grep -q "${NEW_USERNAME}" "${user_list_file}"; then
echo "[!!!] User ${NEW_USERNAME} exists in user_list.txt file"; echo "[!!!] User ${NEW_USERNAME} exists in user_list.txt file";
error=1; error=1;
fi; fi;
@@ -146,17 +147,17 @@ fi;
# parse user list entry for group/hostname/ssh type key to build ssh key list # parse user list entry for group/hostname/ssh type key to build ssh key list
# POS 3: groups # POS 3: groups
_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' '); _group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
group=$(echo "${_group}" | cut -d "," -f 1); group=$(echo "${_group}" | cut -d "," -f 1);
# POS 6: override host name, lowercase and spaces removed # POS 6: override host name, lowercase and spaces removed
_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' '); _hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
if [ -z "${_hostname}" ]; then if [ -z "${_hostname}" ]; then
hostname=${host}; hostname=${host};
else else
hostname=${_hostname}; hostname=${_hostname};
fi; fi;
# POS 7: ssh keytype override # POS 7: ssh keytype override
_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' '); _ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
if [ "${_ssh_keytype}" = "rsa" ]; then if [ "${_ssh_keytype}" = "rsa" ]; then
ssh_keytype="${_ssh_keytype}"; ssh_keytype="${_ssh_keytype}";
else else
@@ -170,7 +171,7 @@ new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USE
# rename user # rename user
if [ $TEST -eq 0 ]; then if [ $TEST -eq 0 ]; then
echo "usermod with ${new_home_dir}"; echo "usermod with ${new_home_dir}";
usermod -l ${NEW_USERNAME} -m -d "${new_home_dir}" ${OLD_USERNAME}; usermod -l "${NEW_USERNAME}" -m -d "${new_home_dir}" "${OLD_USERNAME}";
else else
echo "$> usermod -l ${NEW_USERNAME} -m -d \"${new_home_dir}\" ${OLD_USERNAME};"; echo "$> usermod -l ${NEW_USERNAME} -m -d \"${new_home_dir}\" ${OLD_USERNAME};";
fi fi
@@ -234,6 +235,8 @@ if [ $TEST -eq 0 ]; then
echo "update ${user_list_file}"; echo "update ${user_list_file}";
sed -i -e "s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/" "${user_list_file}"; sed -i -e "s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/" "${user_list_file}";
else else
# just as is print the sed command from above
# shellcheck disable=SC2028
echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/\" \"${user_list_file}\";"; echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/\" \"${user_list_file}\";";
fi; fi;

24
bin/unlock_user.sh
View File

@@ -10,19 +10,24 @@ TEST=0; # no delete, just print
SSH_GROUP_ADD=''; SSH_GROUP_ADD='';
while getopts ":ts:" opt; do while getopts ":ts:" opt; do
case "${opt}" in case "${opt}" in
t|test) t) # test
TEST=1; TEST=1;
;; ;;
s|sshgroup) s) # sshgroup
if [ -z "${SSH_GROUP_ADD}" ]; then if [ -z "${SSH_GROUP_ADD}" ]; then
SSH_GROUP_ADD=${OPTARG}; SSH_GROUP_ADD=${OPTARG};
fi; fi;
;; ;;
\?)
echo "";
echo "-t Test only, do not change user lock status";
echo "-s <group> Override ssh group from user_list.txt for this user";
;;
esac; esac;
done; done;
shift "$((OPTIND-1))" shift "$((OPTIND-1))"
if [ $(whoami) != "root" ]; then if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user"; echo "Script must be run as root user";
exit; exit;
@@ -36,19 +41,19 @@ if [ $# -eq 0 ]; then
exit; exit;
fi; fi;
if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then if [ -n "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
echo "sshgroup option can only be 'allow' or 'forward'"; echo "sshgroup option can only be 'allow' or 'forward'";
exit; exit;
fi; fi;
BASE_FOLDER=$(dirname $(readlink -f $0))"/"; BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
root_folder="${BASE_FOLDER}../"; root_folder="${BASE_FOLDER}../";
input_file='user_list.txt'; input_file='user_list.txt';
# ignore users (root and admin users) # ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group # ssh reject group
ssh_reject_group="sshreject"; ssh_reject_group="sshreject";
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then if ! grep -q "${ssh_reject_group}:" /etc/group; then
echo "Missing ssh reject group: ${ssh_reject_group}"; echo "Missing ssh reject group: ${ssh_reject_group}";
exit; exit;
fi; fi;
@@ -65,7 +70,7 @@ for username in "$@"; do
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; echo "[!] User ${username} is in the ignore user list";
continue; continue;
fi; fi;
@@ -88,9 +93,9 @@ for username in "$@"; do
# if not valid use allow # if not valid use allow
ssh_add_group="${SSH_GROUP_ADD}"; ssh_add_group="${SSH_GROUP_ADD}";
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' '); ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr '[:upper]' '[:lower:]' | tr -d ' ');
fi; fi;
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then if [ "${ssh_add_group}" != "allow" ] && [ "${ssh_add_group}" != "forward" ]; then
ssh_add_group="allow"; ssh_add_group="allow";
fi; fi;
ssh_add_group="ssh${ssh_add_group}"; ssh_add_group="ssh${ssh_add_group}";
@@ -100,6 +105,7 @@ for username in "$@"; do
# remove user from ssh group and add to reject groups # remove user from ssh group and add to reject groups
echo "[*] User ${username} will be added to ${ssh_add_group}"; echo "[*] User ${username} will be added to ${ssh_add_group}";
if [ ${TEST} -eq 1 ]; then if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}"; printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
else else
gpasswd -d "${username}" "${ssh_reject_group}"; gpasswd -d "${username}" "${ssh_reject_group}";