shellcheck fixup

bin/authorized_key_location_change.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+# shellcheck disable=SC2059
+
 # check if we need to move the users authorized keys to the central location
 
 TEST=1;
@@ -30,9 +32,10 @@ done;
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_MASTER_AUTHORIZED_FILE='';
 # SSH_AUTHORIZED_FILE='';
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
-	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
-		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+	if echo "$cf" | grep -q "%u"; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
 		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
 			exit;
@@ -43,8 +46,9 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 	echo "No central authorized_keys file detected, no change check needed";
 	exit;
 fi;
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
-	if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
+	if ! echo "${cf}" | grep -q -- "--master"; then
 		SSH_MASTER_AUTHORIZED_FILE="${cf}";
 		if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
 			echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
@@ -86,20 +90,20 @@ fi;
 
 # loop over passwd file
 # if not in no action then check if .ssh/authorized_keys file exists
-cat /etc/passwd | cut -d ":" -f 1,6 |
-while read user_home; do
+cut -d ":" -f 1,6 /etc/passwd |
+while read -r user_home; do
 	username=$(echo "${user_home}" | cut -d ":" -f 1);
 	master_user=0;
 	# skip admin usernames
-	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+	if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
 		continue;
 	fi;
-	if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+	if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
 		continue;
 	fi;
-	if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
+	if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
 		continue;
 	fi;
@@ -115,10 +119,10 @@ while read user_home; do
 		continue;
 	fi;
 	# check those keys are in the master key list
-	if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
+	if [[ " ${MASTER_KEY[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		master_user=1;
 		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
-		if [ ! -z "${ssh_key_diff}" ]; then
+		if [ -n "${ssh_key_diff}" ]; then
 			printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
 			exit;
 		fi;
@@ -148,12 +152,12 @@ while read user_home; do
 	if [ ${TEST} -eq 0 ]; then
 		cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 		# secure new folder: chown/chmod/chattr
-		chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chown "${username}" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 		chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 		chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 		# confirm
 		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
-		if [ ! -z "${ssh_key_diff}" ]; then
+		if [ -n "${ssh_key_diff}" ]; then
 			printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
 			break;
 		fi;

bin/collect_login_data.sh

@@ -9,7 +9,7 @@ if [[ "$EUID" -ne "0" ]]; then
 fi;
 
 # base folder
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # auth log file
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 if [ ! -f "${AUTH_LOG}" ]; then
@@ -22,13 +22,19 @@ RUN_FULL_LOG=0;
 # option parsing
 while getopts ":fd" opt; do
 	case "${opt}" in
-		f|full)
+		f) # full
 			echo "[!!!] Run through all log files to collect data";
 			RUN_FULL_LOG=1;
 			;;
-		d|deubg)
+		d) # deubg
 			DEBUG=1;
 			;;
+		\?)
+			echo "";
+			echo "-f Collect all log data again";
+			echo "-d Debug output";
+			exit 1;
+			;;
 	esac;
 done;
 
@@ -37,8 +43,8 @@ function prD()
 	message="${1}";
 	debug=${2:-0};
 	lb_off=${3:-0};
-	if [ ${debug} -eq 1 ]; then
-		if [ ${lb_off} -eq 1 ]; then
+	if [ "${debug}" -eq 1 ]; then
+		if [ "${lb_off}" -eq 1 ]; then
 			echo -n "${message}";
 		else
 			echo "${message}";
@@ -72,25 +78,26 @@ function parseLog()
 	# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
 	# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
 	printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
-	prD "${msg}" ${debug} 1;
+	prD "${msg}" "${debug}" 1;
 	# find auth user in current auth file
 	# if not there attach, else replace date only
 	found=$(grep "${auth_user};" "${auth_log}");
 	if [ -z "${found}" ]; then
-		prD " | Write new" ${debug};
+		prD " | Write new" "${debug}";
 		echo "${auth_user};${auth_date}" >> "${auth_log}";
 	else
-		prD " | Replace old" ${debug};
+		prD " | Replace old" "${debug}";
 		sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
 	fi;
 }
 
-printf -v msg "Run date: %s %s" $(date +"%F %T")
+printf -v msg "Run date: %s" "$(date +"%F %T")"
 prD "${msg}" ${DEBUG};
 
 # Collector script for login information via journalctl
 # if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
-readonly init_version=$(/proc/1/exe --version | head -n 1);
+init_version=$(/proc/1/exe --version | head -n 1);
+readonly init_version;
 if [ -z "${init_version##*systemd*}" ]; then
 	LOG_TARGET="systemd";
 	# for journalctl
@@ -103,8 +110,8 @@ if [ -z "${init_version##*systemd*}" ]; then
 	fi;
 	# READ as other format so we get the YEAR -o short-iso
 	START_YEAR=$(date +%Y -d "1 day ago");
-	journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
-	while read line; do
+	journalctl -u systemd-logind --no-pager -o short-iso "${OPT_START_DATE}" "${OPT_END_DATE}" | grep ": New session" |
+	while read -r line; do
 		# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
 		# date: 5 chars
 		# time: 8 chars
@@ -120,11 +127,11 @@ else
 	# for secure/auth log
 	if [ $RUN_FULL_LOG -eq 1 ]; then
 		# we loop over EACH file and get the DATE so we can have the correct YEAR
-		for sfile in $(ls -1 /var/log/secure*bz2); do
+		for sfile in /var/log/secure*bz2; do
 			tz=$(stat -c %Z "${sfile}");
-			START_YEAR=$(date +%Y -d @${tz});
+			START_YEAR=$(date +%Y -d @"${tz}");
 			bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
-			while read line; do
+			while read -r line; do
 				parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 			done;
 		done;
@@ -132,8 +139,8 @@ else
 		START_DATE="sshd"
 	fi;
 	START_YEAR=$(date +%Y -d "1 day ago");
-	cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
-	while read line; do
+	grep "${START_DATE}" "/var/log/secure" | grep ": session opened for user" | grep " by (uid=0)" |
+	while read -r line; do
 		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 	done;
 fi;

bin/delete_user.sh

@@ -15,10 +15,10 @@ TEST=0; # do not run any actions
 BACKUP=1;
 while getopts ":tb" opt; do
 	case "${opt}" in
-		t|test)
+		t) # var/log/secure*bz2
 			TEST=1;
 			;;
-		b|nobackup)
+		b) # nobackup
 			BACKUP=0;
 			;;
 		\?)
@@ -32,7 +32,7 @@ while getopts ":tb" opt; do
 done;
 shift "$((OPTIND-1))"
 
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 	if [ ${TEST} -eq 0 ]; then
 		echo "Script must be run as root user";
 		exit;
@@ -53,10 +53,10 @@ timestamp=$(date +%Y%m%d-%H%M%S);
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 root_folder="${BASE_FOLDER}../";
 backup_folder="${BASE_FOLDER}../backup/";
-SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
+# SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
 input_file='user_list.txt';
 user_list_file="${root_folder}${input_file}";
 # log file
@@ -72,7 +72,7 @@ ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
-	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+	if [ -n "$(echo "${cf}" | grep "%u")" ]; then
 		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
 		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
@@ -95,7 +95,7 @@ for username in "$@"; do
 	fi;
 	# skip ignore users, note that if a user is not in the sshallow list anyway
 	# we skip them too, this is just in case check
-	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+	if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		echo "[!] User ${username} is in the ignore user list";
 		continue;
 	fi;

bin/lock_user.sh

@@ -9,14 +9,18 @@
 TEST=0; # no delete, just print
 while getopts ":t" opt; do
 	case "${opt}" in
-		t|test)
+		t) # test
 			TEST=1;
 			;;
+		\?)
+			echo "";
+			echo "-t test run, do not lock users";
+			;;
 	esac;
 done;
 shift "$((OPTIND-1))"
 
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 	if [ ${TEST} -eq 0 ]; then
 		echo "Script must be run as root user";
 		exit;
@@ -34,7 +38,7 @@ fi;
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
 ssh_reject_group="sshreject";
-if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+if ! grep -q "${ssh_reject_group}:" /etc/group; then
 	echo "Missing ssh reject group: ${ssh_reject_group}";
 	exit;
 fi;
@@ -51,7 +55,7 @@ for username in "$@"; do
 	fi;
 	# skip ignore users, note that if a user is not in the sshallow list anyway
 	# we skip them too, this is just in case check
-	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+	if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		echo "[!] User ${username} is in the ignore user list";
 		continue;
 	fi;
@@ -72,16 +76,17 @@ for username in "$@"; do
 	fi;
 	# if user is in ssh allow group and ALSO in ssh forward group -> bad
 	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
-		if [ ! -z "${ssh_remove_group}" ]; then
+		if [ -n "${ssh_remove_group}" ]; then
 			echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
 			break;
 		fi;
 		ssh_remove_group="${ssh_forward_group}";
 	fi;
-	if [ ! -z "${ssh_remove_group}" ]; then
+	if [ -n "${ssh_remove_group}" ]; then
 		# remove user from ssh group and add to reject groups
 		echo "[*] User ${username} will be removed from ${ssh_remove_group}";
 		if [ ${TEST} -eq 1 ]; then
+			# shellcheck disable=SC2059
 			printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
 		else
 			gpasswd -d "${username}" "${ssh_remove_group}";

bin/rename_user.sh

@@ -12,15 +12,15 @@ OLD_USERNAME="";
 NEW_USERNAME="";
 while getopts ":to:n:" opt; do
 	case "${opt}" in
-		t|test)
+		t) # test
 			TEST=1;
 			;;
-		o|old-user)
+		o) # old-user
 			if [ -z "${OLD_USERNAME}" ]; then
 				OLD_USERNAME="${OPTARG}";
 			fi;
 			;;
-		n|new-user)
+		n) # new-user
 			if [ -z "${NEW_USERNAME}" ]; then
 				NEW_USERNAME="${OPTARG}";
 			fi;
@@ -36,7 +36,7 @@ while getopts ":to:n:" opt; do
 done;
 shift "$((OPTIND-1))"
 
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 	if [ ${TEST} -eq 0 ]; then
 		echo "Script must be run as root user";
 		exit;
@@ -47,15 +47,15 @@ fi;
 
 error=0;
 host=$(hostname);
-timestamp=$(date +%Y%m%d-%H%M%S);
+# timestamp=$(date +%Y%m%d-%H%M%S);
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-root_folder="${BASE_FOLDER}../";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
+ROOT_FOLDER="${BASE_FOLDER}../";
 SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
 input_file='user_list.txt';
-user_list_file="${root_folder}${input_file}";
+user_list_file="${ROOT_FOLDER}${input_file}";
 default_ssh_keytype='ed25519';
 ssh_keytype='';
 # log file
@@ -69,13 +69,14 @@ fi;
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
-SSH_AUTHORIZED_FILE='';
+# SSH_AUTHORIZED_FILE='';
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
-	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
-		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+	if echo "$cf" | grep -q "%u"; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
 		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
-			error=1;
+			exit;
 		fi;
 	fi;
 done;
@@ -101,11 +102,11 @@ fi;
 
 # skip ignore users, note that if a user is not in the sshallow list anyway
 # we skip them too, this is just in case check
-if [[ " ${ignore_users[*]} " =~ " ${OLD_USERNAME} " ]]; then
+if [[ " ${ignore_users[*]} " =~ [[:space:]]${OLD_USERNAME}[[:space:]] ]]; then
 	echo "[!] User ${OLD_USERNAME} is in the ignore user list";
 	error=1;
 fi;
-if [[ " ${ignore_users[*]} " =~ " ${NEW_USERNAME} " ]]; then
+if [[ " ${ignore_users[*]} " =~ [[:space:]]${NEW_USERNAME}[[:space:]] ]]; then
 	echo "[!] User ${NEW_USERNAME} is in the ignore user list";
 	error=1;
 fi;
@@ -128,12 +129,12 @@ if [ -f "${user_list_file}" ]; then
 		error=1;
 	fi;
 	# if the old user exists but as DELETED -> no go
-	if [ ! -z $(echo "${user_list_entry}" | grep "#DELETED-") ]; then
+	if ! echo "${user_list_entry}" | grep -q "#DELETED-"; then
 		echo "[!!!] User ${OLD_USERNAME} has been flagged as deleted";
 		error=1;
 	fi;
 	# if new user name already exists in user list file for whatever reason
-	if [ $(grep "${NEW_USERNAME}" "${user_list_file}") ]; then
+	if grep -q "${NEW_USERNAME}" "${user_list_file}"; then
 		echo "[!!!] User ${NEW_USERNAME} exists in user_list.txt file";
 		error=1;
 	fi;
@@ -146,17 +147,17 @@ fi;
 # parse user list entry for group/hostname/ssh type key to build ssh key list
 
 # POS 3: groups
-_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
+_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 # POS 6: override host name, lowercase and spaces removed
-_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 if [ -z "${_hostname}" ]; then
 	hostname=${host};
 else
 	hostname=${_hostname};
 fi;
 # POS 7: ssh keytype override
-_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
+_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 if [ "${_ssh_keytype}" = "rsa" ]; then
 	ssh_keytype="${_ssh_keytype}";
 else
@@ -170,7 +171,7 @@ new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USE
 # rename user
 if [ $TEST -eq 0 ]; then
 	echo "usermod with ${new_home_dir}";
-	usermod -l ${NEW_USERNAME} -m -d "${new_home_dir}" ${OLD_USERNAME};
+	usermod -l "${NEW_USERNAME}" -m -d "${new_home_dir}" "${OLD_USERNAME}";
 else
 	echo "$> usermod -l ${NEW_USERNAME} -m -d \"${new_home_dir}\" ${OLD_USERNAME};";
 fi
@@ -234,6 +235,8 @@ if [ $TEST -eq 0 ]; then
 	echo "update ${user_list_file}";
 	sed -i -e "s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/" "${user_list_file}";
 else
+	# just as is print the sed command from above
+	# shellcheck disable=SC2028
 	echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/\" \"${user_list_file}\";";
 fi;
 

bin/unlock_user.sh

@@ -10,19 +10,24 @@ TEST=0; # no delete, just print
 SSH_GROUP_ADD='';
 while getopts ":ts:" opt; do
 	case "${opt}" in
-		t|test)
+		t) # test
 			TEST=1;
 			;;
-		s|sshgroup)
+		s) # sshgroup
 			if [ -z "${SSH_GROUP_ADD}" ]; then
 				SSH_GROUP_ADD=${OPTARG};
 			fi;
 			;;
+		\?)
+			echo "";
+			echo "-t Test only, do not change user lock status";
+			echo "-s <group> Override ssh group from user_list.txt for this user";
+			;;
 	esac;
 done;
 shift "$((OPTIND-1))"
 
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 	if [ ${TEST} -eq 0 ]; then
 		echo "Script must be run as root user";
 		exit;
@@ -36,19 +41,19 @@ if [ $# -eq 0 ]; then
 	exit;
 fi;
 
-if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
+if [ -n "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
 	echo "sshgroup option can only be 'allow' or 'forward'";
 	exit;
 fi;
 
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 root_folder="${BASE_FOLDER}../";
 input_file='user_list.txt';
 # ignore users (root and admin users)
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
 ssh_reject_group="sshreject";
-if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+if ! grep -q "${ssh_reject_group}:" /etc/group; then
 	echo "Missing ssh reject group: ${ssh_reject_group}";
 	exit;
 fi;
@@ -65,7 +70,7 @@ for username in "$@"; do
 	fi;
 	# skip ignore users, note that if a user is not in the sshallow list anyway
 	# we skip them too, this is just in case check
-	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+	if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 		echo "[!] User ${username} is in the ignore user list";
 		continue;
 	fi;
@@ -88,9 +93,9 @@ for username in "$@"; do
 	# if not valid use allow
 	ssh_add_group="${SSH_GROUP_ADD}";
 	if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
-		ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+		ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr '[:upper]' '[:lower:]' | tr -d ' ');
 	fi;
-	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
+	if [ "${ssh_add_group}" != "allow" ] && [ "${ssh_add_group}" != "forward" ]; then
 		ssh_add_group="allow";
 	fi;
 	ssh_add_group="ssh${ssh_add_group}";
@@ -100,6 +105,7 @@ for username in "$@"; do
 		# remove user from ssh group and add to reject groups
 		echo "[*] User ${username} will be added to ${ssh_add_group}";
 		if [ ${TEST} -eq 1 ]; then
+			# shellcheck disable=SC2059
 			printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
 		else
 			gpasswd -d "${username}" "${ssh_reject_group}";