diff --git a/bin/create_user.sh b/bin/create_user.sh
index 1ed122b..36a011e 100755
--- a/bin/create_user.sh
+++ b/bin/create_user.sh
@@ -2,13 +2,14 @@
 # * input file
 # user_list.txt
-# ;;[,sub group,sub group];;[override password];[override hostname];[override ssh key type]
+# ;;[,sub group,sub group];|;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
 # Mandatory: ;;;
 # can be
 # allow (full login access)
 # forward (forward/jump host only)
+# if in this column with pipe (|) the flag "no_login" is set then the default shell will change to "/sbin/nologin"
 # * output file
 # ;;;;;
 # If already existing PEM key is used then is [ALREADY SET]
@@ -113,6 +114,10 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# login shells
+login_shell="/bin/bash";
+no_login_shell="/sbin/nologin";
+user_login_shell="";
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
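Review bot: `no_login_shell="/sbin/nologin";` hard-codes a path that is not present on every distribution — Debian-family systems ship the binary as /usr/sbin/nologin and only expose it under /sbin when /usr is merged — and as far as I know useradd does not refuse a shell path that does not exist, so on such a host the account would be created with a dangling shell instead of the command failing. Resolving the path once at startup keeps the intent, e.g. `no_login_shell=$(command -v nologin || printf '%s' "/sbin/nologin");`, and a `[ -x "${no_login_shell}" ] || echo "[!!] no login shell ${no_login_shell} not found"` before the user loop would surface the problem early. This applies only to the hunk at `@@ -113,6 +114,10 @@`; the comment-only hunk above it needs nothing.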
@@ -201,8 +206,21 @@ while read -r i; do
 _group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 sub_group="";
- # POS 4: ssh access type
- ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
+ # POS 4: ssh access type and no login flag
+ # no login flag
+ no_login_flag="";
+ # if there is a pipe, check, else ignore
+ if echo "${i}" | cut -d ";" -f 4 | grep -q "|"; then
+ no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 2);
+ fi;
+ # anything set in no login shell flag, we set no login shell
+ if [ -n "${no_login_flag}" ]; then
+ user_login_shell="${no_login_shell}";
+ else
+ user_login_shell="${login_shell}";
+ fi;
+ # ssh access type
+ ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 # if not allow or forward, set to access
 if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -220,7 +238,7 @@ while read -r i; do
 # check if "," inside and extract sub groups
 if [ -z "${_group##*,*}" ]; then
 sub_group=$(echo "${_group}" | cut -d "," -f 2-);
- sub_group_opt=" -G ${sub_group}";
+ sub_group_opt=" -G ${ssh_group},${sub_group}";
 fi;
 # POS 5: do we have a password preset
 _password=$(echo "${i}" | cut -d ";" -f 5);
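Review bot: The test `if [ -n "${no_login_flag}" ]; then` switches the shell on any non-empty text after the pipe, while the header comment added in this commit names the flag "no_login"; a stray trailing space or a typo such as `allow|nologn` silently changes the account's shell, and unlike `ssh_access_type` the value is never lower-cased or stripped. Comparing a normalised value makes the column behave as documented: `no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -s -d "|" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' ');` followed by `if [ "${no_login_flag}" = "no_login" ]; then`, and a `[!!]` message for any other non-empty value, matching the access-type check a few lines down. With `cut -s` printing nothing when the field has no pipe, the `grep -q "|"` pre-check and the `no_login_flag="";` reset are no longer needed. The enclosing `while read -r i` loop starts and ends outside the hunk.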
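Review bot: `sub_group_opt=" -G ${ssh_group},${sub_group}";` expands to ` -G ,subgroup` whenever `ssh_group` is still the empty string it is initialised to in the `@@ -113,6 +114,10 @@` hunk; its real assignment is outside this hunk, so I cannot confirm it always precedes this point, but if it does not, useradd will most likely reject the empty group name and the user is not created at all. A guard such as `sub_group_opt=" -G ${ssh_group:+${ssh_group},}${sub_group}";` keeps the option valid either way. Users without a sub group get no `-G` from this branch, so the ssh group is presumably attached for them elsewhere; a one-line comment here saying where would help, because the asymmetry reads as accidental.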
@@ -298,9 +316,9 @@ while read -r i; do
 echo "++ Create '${username}:${group}(${sub_group})'";
 if [ ${TEST} -eq 0 ]; then
 # comment is user create time
- useradd -c "$(date +"%F")" -s /bin/bash -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
+ useradd -c "$(date +"%F")" -s "${user_login_shell}" -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
 else
- echo "$> useradd -c \"$(date +"%F")\" -s /bin/bash -g ${group}${sub_group_opt} -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
+ echo "$> useradd -c \"$(date +"%F")\" -s \"${user_login_shell}\" -g \"${group}${sub_group_opt}\" -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
 fi;
 fi;
 # set the auth file
diff --git a/user_list.txt-sample b/user_list.txt-sample
index b17993f..4e5bfa2 100644
--- a/user_list.txt-sample
+++ b/user_list.txt-sample
@@ -1 +1 @@
-#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type
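Review bot: `-g "${group}${sub_group_opt}"` on the new useradd line hands useradd one primary-group argument that, whenever a sub group is present, is the whole string `group -G ssh,sub`, so as far as I can tell from the visible line the supplementary groups never reach `-G` and useradd fails with a non-existent group; the commit keeps that quoting and now also mirrors it in the test-mode echo, where the old line had it unquoted, which is probably what the author actually meant. Pass the two separately, `-g "${group}" ${sub_group_opt}`, with a `# shellcheck disable=SC2086 -- deliberate word split, group names contain no whitespace` comment, or keep the extra options in an array if the script is bash-only. The `-s "${user_login_shell}"` part is fine as long as the POS 4 block sets the variable on every iteration, which it does in the `@@ -201,8 +206,21 @@` hunk; the enclosing `while read -r i` loop starts and ends outside this hunk. The sample-file hunk below needs nothing.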