shellcheck based code cleanup

This commit is contained in:
Clemens Schwaighofer
2024-09-04 11:16:05 +09:00
parent 5bf30a8b2f
commit e4ed6fed8d
2 changed files with 59 additions and 60 deletions


@@ -7,14 +7,14 @@ LIST=0;
SKIP_USERS=();
while getopts ":gls:" opt; do
case "${opt}" in
g|go)
g) # go
# default we test
TEST=0;
;;
s|skip)
s) # skip
SKIP_USERS+=("${OPTARG}");
;;
l|list)
l) # list
LIST=1;
;;
\?)
@@ -29,7 +29,7 @@ done;
# detect ssh authorized_keys setting
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_MASTER_AUTHORIZED_FILE='';
SSH_AUTHORIZED_FILE='';
# SSH_AUTHORIZED_FILE='';
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
@@ -66,7 +66,7 @@ if [ ${LIST} -eq 1 ]; then
fi;
# base folder
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
# output printf
PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
# list of user accounts we will never touch
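Review bot: The `for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u")` loop and the `[ ! -z $(echo "${cf}" | grep "%u") ]` test in the second hunk are left untouched here, while the identical block in the other file of this commit is rewritten with `grep -q` and a parameter expansion, so the two copies now diverge and this one still passes an unquoted command substitution into `[ ]` (SC2046, which `[ ! -z ... ]` turns into a syntax error or a false result when the substitution is empty or contains spaces). The same rewrite applies here: `if echo "${cf}" | grep -q "%u"; then` and `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/"%u"/}"`, the quoted pattern keeping the previous `sed -e 's/%u//'` remove-first-occurrence behaviour. The `for` loop body continues outside the hunk.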


@@ -30,16 +30,16 @@ INFO=0; # no creation of anything, just print info strings
GO=0; # without this flag the script will exit with an info box
while getopts ":gtih:" opt; do
case "${opt}" in
g|go)
g) # go
GO=1;
;;
t|test)
t) # test
TEST=1;
;;
i|info)
i) # info
INFO=1;
;;
h|home)
h) # home
HOME_LOCATION="${OPTARG}";
;;
\?)
@@ -58,7 +58,7 @@ timestamp=$(date +%Y%m%d-%H%M%S)
# character to set getween info blocks
separator="#";
# base folder for all data
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
# home folder is always thome
HOME_BASE="/home/";
# config location
@@ -66,10 +66,12 @@ CONFIG_BASE="${BASE_FOLDER}../config/";
# check config folder for .env file with HOME_LOCATION
# only use if HOME_LOCATION not yet set
if [ -z "${HOME_LOCATION}" ] && [ -f "${CONFIG_BASE}create_user.cfg" ]; then
source <(grep = ${CONFIG_BASE}create_user.cfg | sed 's/ *= */=/g')
# shellcheck source=../config/create_user.cfg"
# shellcheck disable=SC1091
source <(grep "=" "${CONFIG_BASE}create_user.cfg" | sed 's/ *= */=/g')
fi;
if [ ! -z "${HOME_LOCATION}" ]; then
if [ -n "${HOME_LOCATION}" ]; then
# must start with / as it has to be from root
if [ "${HOME_LOCATION##/*}" ]; then
echo "Home location folder must start with a slash (/): ${HOME_LOCATION}";
@@ -88,10 +90,10 @@ if [ ! -d "${HOME_FOLDER}" ]; then
error=1;
fi;
# allow 10 to 39 length for password
if [ ! -z "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
if [ -n "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
echo "Password length set error, can only be a value between 10 and 39";
error=1;
elif [ -z ${PASSWORD_LENGTH} ]; then
elif [ -z "${PASSWORD_LENGTH}" ]; then
PASSWORD_LENGTH=14;
fi;
# home dir error abort
@@ -114,9 +116,10 @@ ssh_forward_ok=0;
# detect ssh authorized_keys setting
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_AUTHORIZED_FILE='';
# shellcheck disable=SC2013
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
if echo "$cf" | grep -q "%u"; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
exit;
@@ -133,24 +136,21 @@ if [ ! -d "${ROOT_FOLDER}${output_zip_folder}" ]; then
mkdir "${ROOT_FOLDER}${output_zip_folder}";
fi;
# check if password generate software is installed
# if [ ! command -v pwgen &> /dev/null ]; then
if [ -z $(command -v pwgen) ]; then
if [ -z "$(command -v pwgen)" ]; then
echo "Missing pwgen application, aborting";
error=1;
fi;
# check for zip
# if [ ! command -v zip &> /dev/null ]; then
if [ -z $(command -v zip) ]; then
if [ -z "$(command -v zip)" ]; then
echo "Missing zip application, aborting";
error=1;
fi;
# check if sshallow or sshfoward group exists
if [ -z $(cat /etc/group | grep "sshallow:") ]; then
if ! grep -q "sshallow:" "/etc/group"; then
echo "Missing ssh access group: sshallow";
error=1;
fi;
# flag if we can set ssh forward
if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
if ! grep -q "sshforward:" "/etc/group"; then
ssh_forward_ok=1;
fi;
# check if user list file exists
@@ -159,10 +159,10 @@ if [ ! -f "${ROOT_FOLDER}${input_file}" ]; then
error=1;
fi;
# make sure my own folder is owned by root and 600 (except for testing)
if [ $(stat -c %a .) != "600" ]; then
if [ "$(stat -c %a .)" != "600" ]; then
echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
fi;
if [ $(whoami) != "root" ]; then
if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
echo "Script must be run as root user";
error=1;
@@ -183,14 +183,13 @@ if [ $error -eq 1 ]; then
fi;
# create users
cat "${ROOT_FOLDER}${input_file}" |
while read i; do
while read -r i; do
# skip rows start with # (comment)
if [[ "${i}" =~ ^\# ]]; then
continue;
fi;
# POS 2: make lower case, remove spaces
username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
# check username is alphanumeric with .
if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}";
@@ -199,11 +198,11 @@ while read i; do
fi;
fi;
# POS 3: groups
_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
_group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
group=$(echo "${_group}" | cut -d "," -f 1);
sub_group="";
# POS 4: ssh access type
ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
# if not allow or forward, set to access
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -226,14 +225,14 @@ while read i; do
# POS 5: do we have a password preset
_password=$(echo "${i}" | cut -d ";" -f 5);
# POS 6: override host name, lowercase and spaces removed
_hostname=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
_hostname=$(echo "${i}" | cut -d ";" -f 6 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
if [ -z "${_hostname}" ]; then
hostname=${host};
else
hostname=${_hostname};
fi;
# POS 7: ssh keytype override
_ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
_ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
if [ "${_ssh_keytype}" = "rsa" ]; then
ssh_keytype="${_ssh_keytype}";
#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
@@ -272,7 +271,7 @@ while read i; do
if [ ${INFO} -eq 1 ]; then
# test if pub file exists or not, test if user exists
echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
if getent passwd ${username} > /dev/null 2>&1; then
if getent passwd "${username}" > /dev/null 2>&1; then
echo -n ", User exists";
fi;
if [ -f "${ssh_keyfile_check_pub}" ]; then
@@ -286,7 +285,7 @@ while read i; do
# add group for each entry in _group
for create_group in ${_group//,/ }; do
if [ ${TEST} -eq 0 ]; then
groupadd -f ${create_group};
groupadd -f "${create_group}";
else
echo "$> groupadd -f ${create_group}";
fi;
@@ -299,9 +298,9 @@ while read i; do
echo "++ Create '${username}:${group}(${sub_group})'";
if [ ${TEST} -eq 0 ]; then
# comment is user create time
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
useradd -c "$(date +"%F")" -s /bin/bash -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
else
echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
echo "$> useradd -c \"$(date +"%F")\" -s /bin/bash -g ${group}${sub_group_opt} -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
fi;
fi;
# set the auth file
@@ -316,7 +315,7 @@ while read i; do
# Note we only create a password if we need it
# password + store pwgen 10 1 -1
if [ -z "${_password}" ]; then
password=$(printf "%s" $(pwgen ${PASSWORD_LENGTH} 1));
password=$(printf "%s" "$(pwgen "${PASSWORD_LENGTH}" 1)");
elif [ "${_password}" = "SET_NO_PASSWORD" ]; then
# set empty
echo "* No password set";
@@ -329,7 +328,7 @@ while read i; do
echo " > Create ssh key-pair '${ssh_keyfile}'";
if [ ${TEST} -eq 0 ]; then
ssh-keygen \
-t ${ssh_keytype} \
-t "${ssh_keytype}" \
-f "${ssh_keyfile}" \
-C "${hostname}: ${username}@${group}" \
-a 100 -N "${password}"
@@ -339,9 +338,9 @@ while read i; do
else
found='';
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
found=$(grep "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}");
fi;
if [ ! -z "${found}" ]; then
if [ -n "${found}" ]; then
skip_ssh=1;
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
else
@@ -359,30 +358,30 @@ while read i; do
else
create_output_file="${ROOT_FOLDER}${output_file}.TEST";
fi;
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_access_type} >> ${create_output_file};
echo "$(date +"%F %T");${host};${_hostname};${username};${password};${ssh_access_type}" >> "${create_output_file}";
# create folder only if we do not have central
# create the SSH foler and authorized access file with correct permissions
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo " > Create .ssh folder";
if [ ${TEST} -eq 0 ]; then
mkdir ${HOME_FOLDER}${username}/.ssh/;
mkdir "${HOME_FOLDER}${username}/.ssh/";
else
echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
echo "$> mkdir \"${HOME_FOLDER}${username}/.ssh/\"";
fi;
fi;
# add
echo " > Add public into authorized_keys file";
if [ ${TEST} -eq 0 ]; then
if
[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
[ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
[ -f "${SSH_AUTHORIZED_FILE}" ];
then
chattr -i ${SSH_AUTHORIZED_FILE};
chattr -i "${SSH_AUTHORIZED_FILE}";
fi;
cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
cat "${ssh_keyfile_pub}" > "${SSH_AUTHORIZED_FILE}";
else
if
[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
[ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
[ -f "${SSH_AUTHORIZED_FILE}" ];
then
echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
@@ -393,29 +392,29 @@ while read i; do
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo " > Secure home directory folder .ssh and authorized_keys file";
if [ ${TEST} -eq 0 ]; then
chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
chmod 700 ${HOME_FOLDER}${username}/.ssh/;
chmod 600 ${SSH_AUTHORIZED_FILE};
chown -R "${username}":"${group}" "${HOME_FOLDER}${username}/.ssh/";
chmod 700 "${HOME_FOLDER}${username}/.ssh/";
chmod 600 "${SSH_AUTHORIZED_FILE}";
else
echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
echo "$> chown -R \"${username}\":\"${group}\" \"${HOME_FOLDER}${username}/.ssh/\"";
echo "$> chmod 700 \"${HOME_FOLDER}${username}/.ssh/\"";
echo "$> chmod 600 \"${SSH_AUTHORIZED_FILE}\"";
fi;
else
echo " > Secure central authorized_keys file";
if [ ${TEST} -eq 0 ]; then
chown ${username}:root ${SSH_AUTHORIZED_FILE};
chmod 400 ${SSH_AUTHORIZED_FILE};
chown "${username}":root "${SSH_AUTHORIZED_FILE}";
chmod 400 "${SSH_AUTHORIZED_FILE}";
# set +i so user can't change file
chattr +i ${SSH_AUTHORIZED_FILE};
chattr +i "${SSH_AUTHORIZED_FILE}";
else
echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
echo "$> chown \"${username}\":root \"${SSH_AUTHORIZED_FILE}\"";
echo "$> chmod 400 \"${SSH_AUTHORIZED_FILE}\"";
echo "$> chattr +i \"${SSH_AUTHORIZED_FILE}\"";
fi;
fi;
fi;
done;
done <<< "$(cat "${ROOT_FOLDER}${input_file}")";
# End before anything because this is just info run
if [ ${INFO} -eq 1 ]; then
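Review bot: The sshforward check `if ! grep -q "sshforward:" "/etc/group"; then ssh_forward_ok=1;` in the `@@ -133,24 +136,21 @@` hunk inverts the original condition: the old line set `ssh_forward_ok=1` only when `$(cat /etc/group | grep "sshforward:")` was non-empty (`! -z`), so the new form enables ssh forwarding exactly when the group is missing and disables it when it exists. The `!` has to be dropped on that line, `if grep -q "sshforward:" "/etc/group"; then`; the sshallow check just above keeps its `!` correctly because there the missing group is the error case. Separately, in the `@@ -114,9 +116,10 @@` hunk `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}"` reads as an end-anchored replacement (the `%` right after the first `/` is the anchor, leaving `%u` as the pattern), so unlike the previous `sed -e 's/%u//'` it leaves `%u` in place when the token is not at the end of the configured path; `"${cf/"%u"/}"` keeps the old first-occurrence semantics, worth confirming against the sshd_config layouts this is expected to handle. The last hunk of this file appears to continue past the visible end of the page.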