From 7ce8330aa6885189882b774ea75dbac891c51d69 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Fri, 27 Sep 2024 18:49:36 +0900
Subject: [PATCH] shellcheck fixup
---
 bin/authorized_key_location_change.sh | 28 +++++++++--------
 bin/collect_login_data.sh | 41 ++++++++++++++-----------
 bin/delete_user.sh | 14 ++++-----
 bin/lock_user.sh | 17 +++++++----
 bin/rename_user.sh | 43 ++++++++++++++-------------
 bin/unlock_user.sh | 24 +++++++++------
 6 files changed, 96 insertions(+), 71 deletions(-)
diff --git a/bin/authorized_key_location_change.sh b/bin/authorized_key_location_change.sh
index f87a4fe..0e55105 100755
--- a/bin/authorized_key_location_change.sh
+++ b/bin/authorized_key_location_change.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
+# shellcheck disable=SC2059
+
 # check if we need to move the users authorized keys to the central location
 TEST=1;
@@ -30,9 +32,10 @@ done;
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_MASTER_AUTHORIZED_FILE='';
 # SSH_AUTHORIZED_FILE='';
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
- if [ ! -z $(echo "${cf}" | grep "%u") ]; then
- SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+ if echo "$cf" | grep -q "%u"; then
+ SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
 if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
 exit;
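Review bot: `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}"` does not reproduce the `sed -e 's/%u//'` it replaces: in `${var/pattern/string}` a leading `%` anchors the pattern to the end of the value, so this reads as pattern `%u` anchored at the end with replacement `/`, which leaves a trailing `//` when `%u` is last and changes nothing when it is not. A literal, unanchored removal needs the `%` escaped, `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/\%u/}";`. The same expansion is introduced in bin/rename_user.sh (hunk @@ -69). The surrounding `for cf` loop continues past the end of the hunk.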
@@ -43,8 +46,9 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo "No central authorized_keys file detected, no change check needed";
 exit;
 fi;
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
- if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
+ if ! echo "${cf}" | grep -q -- "--master"; then
 SSH_MASTER_AUTHORIZED_FILE="${cf}";
 if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
 echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
@@ -86,20 +90,20 @@ fi;
 # loop over passwd file
 # if not in no action then check if .ssh/authorized_keys file exists
-cat /etc/passwd | cut -d ":" -f 1,6 |
-while read user_home; do
+cut -d ":" -f 1,6 /etc/passwd |
+while read -r user_home; do
 username=$(echo "${user_home}" | cut -d ":" -f 1);
 master_user=0;
 # skip admin usernames
- if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+ if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
 continue;
 fi;
- if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+ if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
 continue;
 fi;
- if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
+ if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
 continue;
 fi;
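Review bot: The new `if ! echo "${cf}" | grep -q -- "--master"; then` inverts the test it replaces: `[ ! -z $(... | grep ...) ]` was true when the word contained `--master`, whereas the negated `grep -q` is true when it does not, so SSH_MASTER_AUTHORIZED_FILE is now set only for words that lack the marker — and since the loop already filters on `--master`, effectively never. Drop the `!`: `if echo "${cf}" | grep -q -- "--master"; then`. bin/rename_user.sh hunk @@ -128 makes the same flip on the `#DELETED-` check, where every entry that is not flagged deleted is now reported as deleted. Separately, the last context line still ends in a stray `l` after the closing quote where a `;` is meant; the `for` loop and the inner `if` continue beyond the hunk.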
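Review bot: Replacing the quoted `" ${username} "` with the unquoted `[[:space:]]${username}[[:space:]]` turns the username into a regular expression, so any regex metacharacter in it (`.`, `+`, `[`) is interpreted instead of matched literally; the old quoted form was a literal match, which is what a membership test wants. The warning-free literal equivalent is a glob, e.g. `if [[ " ${NO_ACTION[*]} " == *" ${username} "* ]]; then`. The same rewrite appears on the SKIP_USERS and IGNORE_USER lines here, on MASTER_KEY in hunk @@ -115, and in the ignore_users checks of delete_user.sh, lock_user.sh, rename_user.sh and unlock_user.sh. The `while read -r user_home` loop runs past the end of the hunk.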
@@ -115,10 +119,10 @@ while read user_home; do
 continue;
 fi;
 # check those keys are in the master key list
- if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
+ if [[ " ${MASTER_KEY[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 master_user=1;
 ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
- if [ ! -z "${ssh_key_diff}" ]; then
+ if [ -n "${ssh_key_diff}" ]; then
 printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
 exit;
 fi;
@@ -148,12 +152,12 @@ while read user_home; do
 if [ ${TEST} -eq 0 ]; then
 cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 # secure new folder: chown/chmod/chattr
- chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+ chown "${username}" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
 # confirm
 ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
- if [ ! -z "${ssh_key_diff}" ]; then
+ if [ -n "${ssh_key_diff}" ]; then
 printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
 break;
 fi;
diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
index de8bc24..0cc35d4 100755
--- a/bin/collect_login_data.sh
+++ b/bin/collect_login_data.sh
@@ -9,7 +9,7 @@ if [[ "$EUID" -ne "0" ]]; then
 fi;
 # base folder
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # auth log file
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 if [ ! -f "${AUTH_LOG}" ]; then
@@ -22,13 +22,19 @@ RUN_FULL_LOG=0;
 # option parsing
 while getopts ":fd" opt; do
 case "${opt}" in
- f|full)
+ f) # full
 echo "[!!!] Run through all log files to collect data";
 RUN_FULL_LOG=1;
 ;;
- d|deubg)
+ d) # deubg
 DEBUG=1;
 ;;
+ \?)
+ echo "";
+ echo "-f Collect all log data again";
+ echo "-d Debug output";
+ exit 1;
+ ;;
 esac;
 done;
@@ -37,8 +43,8 @@ function prD()
 message="${1}";
 debug=${2:-0};
 lb_off=${3:-0};
- if [ ${debug} -eq 1 ]; then
- if [ ${lb_off} -eq 1 ]; then
+ if [ "${debug}" -eq 1 ]; then
+ if [ "${lb_off}" -eq 1 ]; then
 echo -n "${message}";
 else
 echo "${message}";
@@ -72,25 +78,26 @@ function parseLog()
 # $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
 # prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
 printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
- prD "${msg}" ${debug} 1;
+ prD "${msg}" "${debug}" 1;
 # find auth user in current auth file
 # if not there attach, else replace date only
 found=$(grep "${auth_user};" "${auth_log}");
 if [ -z "${found}" ]; then
- prD " | Write new" ${debug};
+ prD " | Write new" "${debug}";
 echo "${auth_user};${auth_date}" >> "${auth_log}";
 else
- prD " | Replace old" ${debug};
+ prD " | Replace old" "${debug}";
 sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
 fi;
 }
-printf -v msg "Run date: %s %s" $(date +"%F %T")
+printf -v msg "Run date: %s" "$(date +"%F %T")"
 prD "${msg}" ${DEBUG};
 # Collector script for login information via journalctl
 # if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
-readonly init_version=$(/proc/1/exe --version | head -n 1);
+init_version=$(/proc/1/exe --version | head -n 1);
+readonly init_version;
 if [ -z "${init_version##*systemd*}" ]; then
 LOG_TARGET="systemd";
 # for journalctl
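Review bot: The new `\?)` arm prints its help text to stdout and never names the option that was rejected, so the message is indistinguishable from the script's normal output and gives the user nothing to correct. Open the arm with `echo "Unknown option: -${OPTARG}" >&2;` and direct the help lines to stderr as well; the `exit 1` already in place is right. The `while getopts` loop closes within the hunk.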
@@ -103,8 +110,8 @@ if [ -z "${init_version##*systemd*}" ]; then
 fi;
 # READ as other format so we get the YEAR -o short-iso
 START_YEAR=$(date +%Y -d "1 day ago");
- journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
- while read line; do
+ journalctl -u systemd-logind --no-pager -o short-iso "${OPT_START_DATE}" "${OPT_END_DATE}" | grep ": New session" |
+ while read -r line; do
 # # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user. # date: 5 chars # time: 8 chars
@@ -120,11 +127,11 @@ else
 # for secure/auth log
 if [ $RUN_FULL_LOG -eq 1 ]; then
 # we loop over EACH file and get the DATE so we can have the correct YEAR
- for sfile in $(ls -1 /var/log/secure*bz2); do
+ for sfile in /var/log/secure*bz2; do
 tz=$(stat -c %Z "${sfile}");
- START_YEAR=$(date +%Y -d @${tz});
+ START_YEAR=$(date +%Y -d @"${tz}");
 bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
- while read line; do
+ while read -r line; do
 parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 done;
 done;
@@ -132,8 +139,8 @@ else
 START_DATE="sshd"
 fi;
 START_YEAR=$(date +%Y -d "1 day ago");
- cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
- while read line; do
+ grep "${START_DATE}" "/var/log/secure" | grep ": session opened for user" | grep " by (uid=0)" |
+ while read -r line; do
 parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
 done;
 fi;
diff --git a/bin/delete_user.sh b/bin/delete_user.sh
index 300bc26..0c121b9 100755
--- a/bin/delete_user.sh
+++ b/bin/delete_user.sh
@@ -15,10 +15,10 @@ TEST=0; # do not run any actions
 BACKUP=1;
 while getopts ":tb" opt; do
 case "${opt}" in
- t|test)
+ t) # var/log/secure*bz2
 TEST=1;
 ;;
- b|nobackup)
+ b) # nobackup
 BACKUP=0;
 ;;
 \?)
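Review bot: Quoting `"${OPT_START_DATE}" "${OPT_END_DATE}"` on the journalctl line changes what is passed: the old unquoted form dropped an empty variable and split a value such as `--since <date>` into two arguments, while the quoted form always passes exactly two arguments, so an unset end date becomes an empty positional argument and a two-word value becomes one unknown argument. How these variables are built is outside the hunk, so this is inferred; if either can be empty or multi-word, collect the options in an array and expand that, `journalctl -u systemd-logind --no-pager -o short-iso "${opt_dates[@]}" | grep ": New session" |`. The enclosing `if` starts before the hunk and the `while read -r line` loop continues past it.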
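Review bot: `for sfile in /var/log/secure*bz2; do` now relies on the glob, but without `nullglob` an unmatched pattern is passed through literally, so on a host with no rotated secure logs the body runs once with `sfile=/var/log/secure*bz2` and `stat` and `bunzip2` fail on a non-existent name. Guard the body with `[ -e "${sfile}" ] || continue;` as its first line (or `shopt -s nullglob` before the loop). The `if [ $RUN_FULL_LOG -eq 1 ]` that contains this loop opens in the hunk and closes after it.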
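Review bot: The comment on the new `t)` arm in bin/delete_user.sh, `# var/log/secure*bz2`, is a stray paste from collect_login_data.sh and says nothing about the option; the sibling `b) # nobackup` arm and the other scripts record the dropped long name, so this should read `t) # test`. The `case` statement continues past the hunk.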
@@ -32,7 +32,7 @@ while getopts ":tb" opt; do
 done;
 shift "$((OPTIND-1))"
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 if [ ${TEST} -eq 0 ]; then
 echo "Script must be run as root user";
 exit;
@@ -53,10 +53,10 @@ timestamp=$(date +%Y%m%d-%H%M%S);
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 root_folder="${BASE_FOLDER}../";
 backup_folder="${BASE_FOLDER}../backup/";
-SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
+# SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
 input_file='user_list.txt';
 user_list_file="${root_folder}${input_file}";
 # log file
@@ -72,7 +72,7 @@ ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
- if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+ if [ -n "$(echo "${cf}" | grep "%u")" ]; then
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
 if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
@@ -95,7 +95,7 @@ for username in "$@"; do
 fi;
 # skip ignore users, note that if a user is not in the sshallow list anyway
 # we skip them too, this is just in case check
- if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+ if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 echo "[!] User ${username} is in the ignore user list";
 continue;
 fi;
diff --git a/bin/lock_user.sh b/bin/lock_user.sh
index 1dbce24..b462a69 100755
--- a/bin/lock_user.sh
+++ b/bin/lock_user.sh
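Review bot: `if [ -n "$(echo "${cf}" | grep "%u")" ]; then` in hunk @@ -72 is correct, but it now differs from the `if echo "$cf" | grep -q "%u"; then` form the same loop received in authorized_key_location_change.sh and rename_user.sh, and this copy of `for cf in $(grep …)` did not get the `# shellcheck disable=SC2013` line the others did, so shellcheck still flags it here. Three hand-maintained copies of the same detection loop will keep diverging; aligning them (or sourcing one helper) would make later fixes land everywhere. The `for cf` loop closes outside the hunk.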
@@ -9,14 +9,18 @@ TEST=0; # no delete, just print
 while getopts ":t" opt; do
 case "${opt}" in
- t|test)
+ t) # test
 TEST=1;
 ;;
+ \?)
+ echo "";
+ echo "-t test run, do not lock users";
+ ;;
 esac;
 done;
 shift "$((OPTIND-1))"
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 if [ ${TEST} -eq 0 ]; then
 echo "Script must be run as root user";
 exit;
@@ -34,7 +38,7 @@ fi;
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
 ssh_reject_group="sshreject";
-if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+if ! grep -q "${ssh_reject_group}:" /etc/group; then
 echo "Missing ssh reject group: ${ssh_reject_group}";
 exit;
 fi;
@@ -51,7 +55,7 @@ for username in "$@"; do
 fi;
 # skip ignore users, note that if a user is not in the sshallow list anyway
 # we skip them too, this is just in case check
- if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+ if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 echo "[!] User ${username} is in the ignore user list";
 continue;
 fi;
@@ -72,16 +76,17 @@ for username in "$@"; do
 fi;
 # if user is in ssh allow group and ALSO in ssh forward group -> bad
 if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
- if [ ! -z "${ssh_remove_group}" ]; then
+ if [ -n "${ssh_remove_group}" ]; then
 echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
 break;
 fi;
 ssh_remove_group="${ssh_forward_group}";
 fi;
- if [ ! -z "${ssh_remove_group}" ]; then
+ if [ -n "${ssh_remove_group}" ]; then
 # remove user from ssh group and add to reject groups
 echo "[*] User ${username} will be removed from ${ssh_remove_group}";
 if [ ${TEST} -eq 1 ]; then
+ # shellcheck disable=SC2059
 printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
 else
 gpasswd -d "${username}" "${ssh_remove_group}";
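Review bot: The new `\?)` arm prints the help text but does not stop, so an unrecognized flag (a typo such as `-T` for `-t`) prints the usage and then falls through to lock every user named on the command line, with TEST still 0. Add `exit 1;` before the `;;`, as collect_login_data.sh's version of this arm does, and send the text to stderr. unlock_user.sh hunk @@ -10 adds the same arm with the same gap.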
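Review bot: `grep -q "${ssh_reject_group}:" /etc/group` in hunk @@ -34 is unanchored, so any group whose name ends in `sshreject` (say `oldsshreject`) satisfies the check while the real group is missing; the `cat | grep` it replaces had the same weakness, but since the line is being rewritten anyway, anchor it: `if ! grep -q "^${ssh_reject_group}:" /etc/group; then`, or use `getent group "${ssh_reject_group}" >/dev/null`. The same line is rewritten in unlock_user.sh hunk @@ -36.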
diff --git a/bin/rename_user.sh b/bin/rename_user.sh
index c053f39..d7af9ed 100644
--- a/bin/rename_user.sh
+++ b/bin/rename_user.sh
@@ -12,15 +12,15 @@ OLD_USERNAME="";
 NEW_USERNAME="";
 while getopts ":to:n:" opt; do
 case "${opt}" in
- t|test)
+ t) # test
 TEST=1;
 ;;
- o|old-user)
+ o) # old-user
 if [ -z "${OLD_USERNAME}" ]; then
 OLD_USERNAME="${OPTARG}";
 fi;
 ;;
- n|new-user)
+ n) # new-user
 if [ -z "${NEW_USERNAME}" ]; then
 NEW_USERNAME="${OPTARG}";
 fi;
@@ -36,7 +36,7 @@ while getopts ":to:n:" opt; do
 done;
 shift "$((OPTIND-1))"
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 if [ ${TEST} -eq 0 ]; then
 echo "Script must be run as root user";
 exit;
@@ -47,15 +47,15 @@ fi;
 error=0;
 host=$(hostname);
-timestamp=$(date +%Y%m%d-%H%M%S);
+# timestamp=$(date +%Y%m%d-%H%M%S);
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-root_folder="${BASE_FOLDER}../";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
+ROOT_FOLDER="${BASE_FOLDER}../";
 SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
 input_file='user_list.txt';
-user_list_file="${root_folder}${input_file}";
+user_list_file="${ROOT_FOLDER}${input_file}";
 default_ssh_keytype='ed25519';
 ssh_keytype='';
 # log file
@@ -69,13 +69,14 @@ fi;
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
-SSH_AUTHORIZED_FILE='';
+# SSH_AUTHORIZED_FILE='';
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
- if [ ! -z $(echo "${cf}" | grep "%u") ]; then
- SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+ if echo "$cf" | grep -q "%u"; then
+ SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
 if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
- error=1;
+ exit;
 fi;
 fi;
 done;
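Review bot: Renaming `root_folder` to `ROOT_FOLDER` in hunk @@ -47 is only safe if every reader in the file was updated; `user_list_file` is, but any later `${root_folder}` reference outside this hunk would now expand to an empty string and turn a path into a relative one, silently. Worth a grep of the file for the old name before merging, and a one-line comment on why this one variable is upper-cased while `input_file`, `ssh_keytype` and the rest stay lower-case. The commented-out `timestamp` line is fine if nothing else reads it.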
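Review bot: Changing `error=1;` to `exit;` on the missing-folder path in hunk @@ -69 stops the script with exit status 0, so a caller or cron job sees success although the rename was never attempted; the file's neighbouring checks (hunks @@ -101 and @@ -128) accumulate into `error` for a combined report, so this is also a behavioural change the commit message does not mention. If aborting here is intended, make it `exit 1;`. The `for cf` loop closes within the hunk.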
@@ -101,11 +102,11 @@ fi;
 # skip ignore users, note that if a user is not in the sshallow list anyway
 # we skip them too, this is just in case check
-if [[ " ${ignore_users[*]} " =~ " ${OLD_USERNAME} " ]]; then
+if [[ " ${ignore_users[*]} " =~ [[:space:]]${OLD_USERNAME}[[:space:]] ]]; then
 echo "[!] User ${OLD_USERNAME} is in the ignore user list";
 error=1;
 fi;
-if [[ " ${ignore_users[*]} " =~ " ${NEW_USERNAME} " ]]; then
+if [[ " ${ignore_users[*]} " =~ [[:space:]]${NEW_USERNAME}[[:space:]] ]]; then
 echo "[!] User ${NEW_USERNAME} is in the ignore user list";
 error=1;
 fi;
@@ -128,12 +129,12 @@ if [ -f "${user_list_file}" ]; then
 error=1;
 fi;
 # if the old user exists but as DELETED -> no go
- if [ ! -z $(echo "${user_list_entry}" | grep "#DELETED-") ]; then
+ if ! echo "${user_list_entry}" | grep -q "#DELETED-"; then
 echo "[!!!] User ${OLD_USERNAME} has been flagged as deleted";
 error=1;
 fi;
 # if new user name already exists in user list file for whatever reason
- if [ $(grep "${NEW_USERNAME}" "${user_list_file}") ]; then
+ if grep -q "${NEW_USERNAME}" "${user_list_file}"; then
 echo "[!!!] User ${NEW_USERNAME} exists in user_list.txt file";
 error=1;
 fi;
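Review bot: `grep -q "${NEW_USERNAME}" "${user_list_file}"` in hunk @@ -128 matches the name anywhere on any line, so a new name that is a substring of an existing user, group or hostname (`bob` against `bobby`) is rejected as already present; the `[ $(grep …) ]` it replaces had the same problem plus a syntax hazard on multi-line output, so the rewrite is an improvement, but the intent is a whole-field match. The sed in hunk @@ -234 shows the username as the second `;`-separated field, so `grep -q "^[A-Za-z0-9]\{1,\};${NEW_USERNAME};" "${user_list_file}"` would pin it, if that layout is the file's only format. The `if [ -f "${user_list_file}" ]` block continues past the hunk.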
@@ -146,17 +147,17 @@ fi;
 # parse user list entry for group/hostname/ssh type key to build ssh key list
 # POS 3: groups
-_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
+_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 # POS 6: override host name, lowercase and spaces removed
-_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 if [ -z "${_hostname}" ]; then
 hostname=${host};
 else
 hostname=${_hostname};
 fi;
 # POS 7: ssh keytype override
-_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
+_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr '[:upper:]' '[:lower:]' | tr -d ' ');
 if [ "${_ssh_keytype}" = "rsa" ]; then
 ssh_keytype="${_ssh_keytype}";
 else
@@ -170,7 +171,7 @@ new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USE
 # rename user
 if [ $TEST -eq 0 ]; then
 echo "usermod with ${new_home_dir}";
- usermod -l ${NEW_USERNAME} -m -d "${new_home_dir}" ${OLD_USERNAME};
+ usermod -l "${NEW_USERNAME}" -m -d "${new_home_dir}" "${OLD_USERNAME}";
 else
 echo "$> usermod -l ${NEW_USERNAME} -m -d \"${new_home_dir}\" ${OLD_USERNAME};";
 fi
@@ -234,6 +235,8 @@ if [ $TEST -eq 0 ]; then
 echo "update ${user_list_file}";
 sed -i -e "s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/" "${user_list_file}";
 else
+ # just as is print the sed command from above
+ # shellcheck disable=SC2028
 echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/\" \"${user_list_file}\";";
 fi;
diff --git a/bin/unlock_user.sh b/bin/unlock_user.sh
index bcc9777..be6d4c5 100755
--- a/bin/unlock_user.sh
+++ b/bin/unlock_user.sh
@@ -10,19 +10,24 @@ TEST=0; # no delete, just print
 SSH_GROUP_ADD='';
 while getopts ":ts:" opt; do
 case "${opt}" in
- t|test)
+ t) # test
 TEST=1;
 ;;
- s|sshgroup)
+ s) # sshgroup
 if [ -z "${SSH_GROUP_ADD}" ]; then
 SSH_GROUP_ADD=${OPTARG};
 fi;
 ;;
+ \?)
+ echo "";
+ echo "-t Test only, do not change user lock status";
+ echo "-s Override ssh group from user_list.txt for this user";
+ ;;
 esac;
 done;
 shift "$((OPTIND-1))"
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 if [ ${TEST} -eq 0 ]; then
 echo "Script must be run as root user";
 exit;
@@ -36,19 +41,19 @@ if [ $# -eq 0 ]; then
 exit;
 fi;
-if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
+if [ -n "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
 echo "sshgroup option can only be 'allow' or 'forward'";
 exit;
 fi;
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 root_folder="${BASE_FOLDER}../";
 input_file='user_list.txt';
 # ignore users (root and admin users)
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
 ssh_reject_group="sshreject";
-if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+if ! grep -q "${ssh_reject_group}:" /etc/group; then
 echo "Missing ssh reject group: ${ssh_reject_group}";
 exit;
 fi;
@@ -65,7 +70,7 @@ for username in "$@"; do
 fi;
 # skip ignore users, note that if a user is not in the sshallow list anyway
 # we skip them too, this is just in case check
- if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+ if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
 echo "[!] User ${username} is in the ignore user list";
 continue;
 fi;
@@ -88,9 +93,9 @@ for username in "$@"; do
 # if not valid use allow
 ssh_add_group="${SSH_GROUP_ADD}";
 if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
- ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+ ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr '[:upper]' '[:lower:]' | tr -d ' ');
 fi;
- if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
+ if [ "${ssh_add_group}" != "allow" ] && [ "${ssh_add_group}" != "forward" ]; then
 ssh_add_group="allow";
 fi;
 ssh_add_group="ssh${ssh_add_group}";
@@ -100,6 +105,7 @@ for username in "$@"; do
 # remove user from ssh group and add to reject groups
 echo "[*] User ${username} will be added to ${ssh_add_group}";
 if [ ${TEST} -eq 1 ]; then
+ # shellcheck disable=SC2059
 printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
 else
 gpasswd -d "${username}" "${ssh_reject_group}";
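Review bot: `tr '[:upper]' '[:lower:]'` on the new `ssh_add_group=` line is missing the closing colon of the first class, so `[:upper]` is not a character class but a handful of literal bracket characters; GNU tr then either reports a misaligned `[:lower:]` or maps those literals, and in neither case is the group name lower-cased, so a mixed-case entry in user_list.txt falls through to the `allow` default on the next lines. It should read `tr '[:upper:]' '[:lower:]'`, as the same rewrite does correctly in rename_user.sh hunk @@ -146. The `ssh_access_type` → `ssh_add_group` fix beneath it is right. The `for username` loop continues beyond the hunk.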