Rename script names, add lock script

Add a user lock script to move users from ssh allow/foward group to ssh
reject group.

Rename user_create.sh script to create_user.sh script and add new ssh
allow/foward flag in user_list.txt file after group block and before
password name block

Update check last login script with better add/remove from groups

Readme.md

@@ -98,7 +98,7 @@ The current directory **MUST** be the directory where '*user_list.txt*' is store
 
 Then run the script without any options
 
-`$> /root/bin/user_create.sh`
+`$> /root/bin/create_user.sh`
 
 Sample output for above example file
 

bin/check_last_login.sh

@@ -17,7 +17,7 @@ max_age_create=30;
 day=86400;
 # delete account strings
 delete_accounts="";
-user_group_tpl="deluser %s %s;adduser %s %s;";
+user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
 # log base folder
 LOG="${BASE_FOLDER}/../log";
 # auth log file user;date from collect_login_data script

bin/create_user.sh

@@ -2,12 +2,15 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
-# Mandatory: <ignored id>;<user name>;<group>
+# Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
+# <ssh access type> can be
+# allow (full login access)
+# forward (forward/jump host only)
 # * output file
-# <date>;<target connect host name>;<hostname>;<username>;<password>
+# <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
 #
 # * PEM KEY
@@ -21,7 +24,7 @@
 # into the ssh-keygen/ folder
 # They pem pub key must follow the set rules above
 
-# SET TO 1 to TEST [will no create user/group/folder]
+# SET TO 1 to TEST [will not create user/group/folder]
 TEST=0; # no creation except ssh keys
 INFO=0; # no creation of anything, just print info strings
 while getopts ":ti" opt; do
@@ -48,7 +51,9 @@ output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
-ssh_group='sshallow';
+# sshallow or sshforward
+ssh_group='';
+ssh_forward_ok=0;
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 	mkdir "${root_folder}${ssh_keygen_folder}";
@@ -69,11 +74,15 @@ if [ -z $(command -v zip) ]; then
 	echo "Missing zip application, aborting";
 	exit;
 fi;
-# check if sshallow group exists
-if [ -z $(cat /etc/group | grep "${ssh_group}:") ]; then
-	echo "Missing ssh access group: ${ssh_group}";
+# check if sshallow or sshfoward group exists
+if [ -z $(cat /etc/group | grep "sshallow:") ]; then
+	echo "Missing ssh access group: sshallow";
 	exit;
 fi;
+# flag if we can set ssh forward
+if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
+	ssh_forward_ok=1;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 	echo "Missing ${root_folder}${input_file}";
@@ -103,6 +112,17 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+	# if not allow or forward, set to access
+	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
+		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
+		ssh_access_type="allow";
+	fi;
+	if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
+		echo "[!!!] sshforward group does not exsts, cannot set user ${user}";
+		break;
+	fi;
+	ssh_group="ssh${ssh_access_type}";
 	# sshallow group is always added
 	sub_group_opt=" -G ${ssh_group}";
 	# check if "," inside and extract sub groups
@@ -141,7 +161,7 @@ while read i; do
 
 	if [ ${INFO} -eq 1 ]; then
 		# test if pub file exists or not, test if user exists
-		echo -n "User: '${user}:${group}(${sub_group})', SSH: ${ssh_keygen_id}";
+		echo -n "User: '${user}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
 		if getent passwd ${user} > /dev/null 2>&1; then
 			echo -n ", User exists";
 		fi;
@@ -211,10 +231,11 @@ while read i; do
 	if [ ${skip_ssh} -eq 0 ]; then
 		# write login info to output file
 		if [ ${TEST} -eq 0 ]; then
-			echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file};
+			create_output_file="${root_folder}${output_file}";
 		else
-			echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file}".TEST";
+			create_output_file="${root_folder}${output_file}.TEST";
 		fi;
+		echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_allow_type} >> ${create_output_file};
 		# create the SSH foler and authorized access file with correct permissions
 		echo " > Create .ssh folder";
 		if [ ${TEST} -eq 0 ]; then

bin/lock_user.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# disable a user by removing them from the sshallow/sshforward group
+# and move them to the sshreject group
+
+# SET TO 1 to TEST [will not move user in groups]
+TEST=0; # no creation except ssh keys
+INFO=0; # no creation of anything, just print info strings
+while getopts ":ti" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		i|info)
+			INFO=1;
+			;;
+	esac;
+done;
+
+if [ $# -eq 0 ]; then
+	echo "Must give at least one user name";
+	exit;
+fi;
+
+# ssh reject group
+ssh_reject_group="sshreject";
+if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+	echo "Missing ssh reject group: ${ssh_reject_group}";
+	exit;
+fi;
+ssh_allow_group="sshallow";
+ssh_forward_group="sshfoward";
+delete_accounts="";
+user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
+
+echo "--------------------->"
+# $1 ... $n
+for username in "$@"; do
+	# check that user exists in passwd
+	if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
+		echo "[!] User $username does not exists in /etc/passwd file";
+		continue;
+	fi;
+	# if not check if in reject list
+	if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
+		echo "[.] User $username already in the ${ssh_reject} list";
+		continue;
+	fi;
+	# check if user is in sshallow/forward list
+	ssh_remove_group='';
+	if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
+		ssh_remove_group="${ssh_allow_group}";
+	fi;
+	# if user is in ssh allow group and ALSO in ssh forward group -> bad
+	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
+		if [ ! -z "${ssh_remove_group}" ]; then
+			echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
+			break;
+		fi;
+		ssh_remove_group="${ssh_forward_group}";
+	fi;
+	if [ ! -z "${ssh_remove_group}" ]; then
+		# remove user from ssh group and add to reject groups
+		echo "[*] User $username will be removed from ${ssh_remove_group}";
+		delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
+	else
+		# skip not ssh user
+		echo "[?] User $username not in any ssh allow/foward groups";
+	fi;
+done;
+if [ ! -z "${delete_accounts}" ]; then
+	echo "--------------------->"
+	echo "% Run list below to move users to reject ssh group";
+	echo "";
+	echo "${delete_accounts}";
+fi;
+
+# __END__

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type