Merge branch 'master' into shellecheck-cleanup

bin/create_user.sh

@@ -2,13 +2,14 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>|<no login flag>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
 # Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
 # <ssh access type> can be
 # allow (full login access)
 # forward (forward/jump host only)
+# if in this column with pipe (|) the flag "no_login" is set then the default shell will change to "/sbin/nologin"
 # * output file
 # <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
@@ -113,6 +114,10 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# login shells
+login_shell="/bin/bash";
+no_login_shell="/sbin/nologin";
+user_login_shell="";
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
@@ -201,8 +206,21 @@ while read -r i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
-	# POS 4: ssh access type
-	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
+	# POS 4: ssh access type and no login flag
+	# no login flag
+	no_login_flag="";
+	# if there is a pipe, check, else ignore
+	if echo "${i}" | cut -d ";" -f 4 | grep -q "|"; then
+		no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 2);
+	fi;
+	# anything set in no login shell flag, we set no login shell
+	if [ -n "${no_login_flag}" ]; then
+		user_login_shell="${no_login_shell}";
+	else
+		user_login_shell="${login_shell}";
+	fi;
+	# ssh access type
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -220,7 +238,7 @@ while read -r i; do
 	# check if "," inside and extract sub groups
 	if [ -z "${_group##*,*}" ]; then
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
-		sub_group_opt=" -G ${sub_group}";
+		sub_group_opt=" -G ${ssh_group},${sub_group}";
 	fi;
 	# POS 5: do we have a password preset
 	_password=$(echo "${i}" | cut -d ";" -f 5);
@@ -298,9 +316,9 @@ while read -r i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c "$(date +"%F")" -s /bin/bash -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
+			useradd -c "$(date +"%F")" -s "${user_login_shell}" -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
 		else
-			echo "$> useradd -c \"$(date +"%F")\" -s /bin/bash -g ${group}${sub_group_opt} -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
+			echo "$> useradd -c \"$(date +"%F")\" -s \"${user_login_shell}\" -g \"${group}${sub_group_opt}\" -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
 		fi;
 	fi;
 	# set the auth file

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type