diff --git a/Readme.md b/Readme.md index e1fc991..bc491d2 100644 --- a/Readme.md +++ b/Readme.md @@ -98,7 +98,7 @@ The current directory **MUST** be the directory where '*user_list.txt*' is store Then run the script without any options -`$> /root/bin/user_create.sh` +`$> /root/bin/create_user.sh` Sample output for above example file diff --git a/bin/check_last_login.sh b/bin/check_last_login.sh index b43e7b6..3c83bd2 100755 --- a/bin/check_last_login.sh +++ b/bin/check_last_login.sh @@ -17,7 +17,7 @@ max_age_create=30; day=86400; # delete account strings delete_accounts=""; -user_group_tpl="deluser %s %s;adduser %s %s;"; +user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;"; # log base folder LOG="${BASE_FOLDER}/../log"; # auth log file user;date from collect_login_data script diff --git a/bin/user_create.sh b/bin/create_user.sh similarity index 84% rename from bin/user_create.sh rename to bin/create_user.sh index 9ee4e0f..e5270d4 100755 --- a/bin/user_create.sh +++ b/bin/create_user.sh @@ -2,12 +2,15 @@ # * input file # user_list.txt -# ;;[,sub group,sub group];[override password];[override hostname];[override ssh key type] +# ;;[,sub group,sub group];;[override password];[override hostname];[override ssh key type] # lines with # are skipped # already created users are skipped -# Mandatory: ;; +# Mandatory: ;;; +# can be +# allow (full login access) +# forward (forward/jump host only) # * output file -# ;;;; +# ;;;;; # If already existing PEM key is used then is [ALREADY SET] # # * PEM KEY @@ -21,7 +24,7 @@ # into the ssh-keygen/ folder # They pem pub key must follow the set rules above -# SET TO 1 to TEST [will no create user/group/folder] +# SET TO 1 to TEST [will not create user/group/folder] TEST=0; # no creation except ssh keys INFO=0; # no creation of anything, just print info strings while getopts ":ti" opt; do 
@@ -48,7 +51,9 @@ output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
-ssh_group='sshallow';
+# sshallow or sshforward
+ssh_group='';
+ssh_forward_ok=0;
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 mkdir "${root_folder}${ssh_keygen_folder}";
@@ -69,11 +74,15 @@ if [ -z $(command -v zip) ]; then
 echo "Missing zip application, aborting";
 exit;
 fi;
-# check if sshallow group exists
-if [ -z $(cat /etc/group | grep "${ssh_group}:") ]; then
- echo "Missing ssh access group: ${ssh_group}";
+# check if sshallow or sshfoward group exists
+if [ -z $(cat /etc/group | grep "sshallow:") ]; then
+ echo "Missing ssh access group: sshallow";
 exit;
 fi;
+# flag if we can set ssh forward
+if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
+ ssh_forward_ok=1;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 echo "Missing ${root_folder}${input_file}";
@@ -103,6 +112,17 @@ while read i; do
 _group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 sub_group="";
+ ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+ # if not allow or forward, set to access
+ if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
+ echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
+ ssh_access_type="allow";
+ fi;
+ if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
+ echo "[!!!] sshforward group does not exsts, cannot set user ${user}";
+ break;
+ fi;
+ ssh_group="ssh${ssh_access_type}";
 # sshallow group is always added
 sub_group_opt=" -G ${ssh_group}";
 # check if "," inside and extract sub groups 
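Review bot: Both group checks pattern-match `grep "sshallow:"` / `grep "sshforward:"` over the whole of /etc/group, so a group whose name merely ends in that text (e.g. `xsshallow`) also satisfies them, and the unquoted `$(...)` inside `[ -z ... ]` fails with `[: too many arguments` when more than one line matches. `getent group` answers the exact question and also covers NSS sources beyond the local file: `if ! getent group sshallow >/dev/null; then` for the mandatory group and `if getent group sshforward >/dev/null; then ssh_forward_ok=1; fi` for the optional one. The comment on the first added line misspells `sshfoward`.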
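Review bot: An empty or unrecognised fourth field is silently promoted to `allow`, the broader of the two levels (full login rather than forward-only), so a malformed line in user_list.txt grants the most access instead of the least; for a provisioning script the safer default is to fail closed — skip that line with `continue`, or default to `forward`. The `break` taken when the sshforward group is missing ends the whole `while read` loop, so every later user in the list is left unprocessed without any message; `continue`, or an explicit `exit 1`, makes the outcome visible. Inserting the new field at position 4 shifts the override password/hostname/key-type fields to 5–7; their `cut -f` calls are outside this hunk and presumably still need to be updated to match the new header comment. The comment `# sshallow group is always added` no longer matches the assignment above it; `# ssh group (sshallow or sshforward) is always added` does. The loop body starts and ends outside the hunk.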
@@ -141,7 +161,7 @@ while read i; do if [ ${INFO} -eq 1 ]; then # test if pub file exists or not, test if user exists - echo -n "User: '${user}:${group}(${sub_group})', SSH: ${ssh_keygen_id}"; + echo -n "User: '${user}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}"; if getent passwd ${user} > /dev/null 2>&1; then echo -n ", User exists"; fi; @@ -211,10 +231,11 @@ while read i; do if [ ${skip_ssh} -eq 0 ]; then # write login info to output file if [ ${TEST} -eq 0 ]; then - echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file}; + create_output_file="${root_folder}${output_file}"; else - echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file}".TEST"; + create_output_file="${root_folder}${output_file}.TEST"; fi; + echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_allow_type} >> ${create_output_file}; # create the SSH foler and authorized access file with correct permissions echo " > Create .ssh folder"; if [ ${TEST} -eq 0 ]; then diff --git a/bin/lock_user.sh b/bin/lock_user.sh new file mode 100755 index 0000000..4fa6973 --- /dev/null +++ b/bin/lock_user.sh 
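Review bot: The appended column `${ssh_allow_type}` refers to a variable that is never assigned; the value parsed earlier in the loop (the hunk starting at new line 112 of this file) is `ssh_access_type`, so the new last field of the output file will always be empty. The line should read `echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_access_type} >> "${create_output_file}";`, quoting the redirect target as well so a `root_folder` containing spaces cannot split it. Because each record carries the plaintext password, the file should not be left to the default umask when `>>` creates it; setting `umask 077` before the first write (or pre-creating it with `install -m 600`) keeps it owner-readable only. The `while read` loop enclosing this hunk starts and ends outside it.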
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# disable a user by removing them from the sshallow/sshforward group
+# and move them to the sshreject group
+
+# SET TO 1 to TEST [will not move user in groups]
+TEST=0; # no creation except ssh keys
+INFO=0; # no creation of anything, just print info strings
+while getopts ":ti" opt; do
+ case "${opt}" in
+ t|test)
+ TEST=1;
+ ;;
+ i|info)
+ INFO=1;
+ ;;
+ esac;
+done;
+
+if [ $# -eq 0 ]; then
+ echo "Must give at least one user name";
+ exit;
+fi;
+
+# ssh reject group
+ssh_reject_group="sshreject";
+if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+ echo "Missing ssh reject group: ${ssh_reject_group}";
+ exit;
+fi;
+ssh_allow_group="sshallow";
+ssh_forward_group="sshfoward";
+delete_accounts="";
+user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
+
+echo "--------------------->"
+# $1 ... $n
+for username in "$@"; do
+ # check that user exists in passwd
+ if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
+ echo "[!] User $username does not exists in /etc/passwd file";
+ continue;
+ fi;
+ # if not check if in reject list
+ if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
+ echo "[.] User $username already in the ${ssh_reject} list";
+ continue;
+ fi;
+ # check if user is in sshallow/forward list
+ ssh_remove_group='';
+ if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
+ ssh_remove_group="${ssh_allow_group}";
+ fi;
+ # if user is in ssh allow group and ALSO in ssh forward group -> bad
+ if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
+ if [ ! -z "${ssh_remove_group}" ]; then
+ echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
+ break;
+ fi;
+ ssh_remove_group="${ssh_forward_group}";
+ fi;
+ if [ ! 
-z "${ssh_remove_group}" ]; then
+ # remove user from ssh group and add to reject groups
+ echo "[*] User $username will be removed from ${ssh_remove_group}";
+ delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
+ else
+ # skip not ssh user
+ echo "[?] User $username not in any ssh allow/foward groups";
+ fi;
+done;
+if [ ! -z "${delete_accounts}" ]; then
+ echo "--------------------->"
+ echo "% Run list below to move users to reject ssh group";
+ echo "";
+ echo "${delete_accounts}";
+fi;
+
+# __END__
diff --git a/user_list.txt-sample b/user_list.txt-sample
index f6993aa..b17993f 100644
--- a/user_list.txt-sample
+++ b/user_list.txt-sample
@@ -1 +1 @@
-#user_id;user_name;group,subgroup;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
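Review bot: `ssh_forward_group="sshfoward"` is misspelled, so the membership test for the forward-only group can never match the `sshforward` group that check_last_login.sh and create_user.sh use; a forward-only user passed to this script is reported as "not in any ssh allow/foward groups" and keeps their access, which defeats the purpose of a lock-out tool — change to `ssh_forward_group="sshforward";`. The reject-list check reads `${ssh_reject}`, but the variable defined above is `ssh_reject_group`, so that grep runs with an empty pattern and the early `continue` cannot work as the comment describes; use `"${ssh_reject_group}"` in both the test and the message. The /etc/passwd check is a substring match (`grep "${username}:"` also matches `jbob:` for `bob`) with an unquoted `$(...)`; `if ! getent passwd "${username}" >/dev/null; then` is exact. The `break` in the both-groups error stops processing of every remaining user on the command line rather than just the offending one; `continue` keeps the rest going. Note that the generated gpasswd commands only affect new logins; a locked user's existing sessions are not terminated by them.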