Rename script names, add lock script

Add a user lock script to move users from ssh allow/foward group to ssh
reject group.

Rename user_create.sh script to create_user.sh script and add new ssh
allow/foward flag in user_list.txt file after group block and before
password name block

Update check last login script with better add/remove from groups

Readme.md

@@ -21,6 +21,7 @@ Alternate download: `git clone http://gitlab-ap.factory.tools/scripts-collection
 ## Folders
 
 Inside the base folder there are
+
 * ssh-keygen for temporary holding the PEM/PUB files
 * zip file which holds the created user list, password and PEM/PUB files
 
@@ -56,7 +57,8 @@ It can also be left empty. It is not used at the moment
 The file can hold comments. The first character in the line must be a *#*
 
 Example file
-```
+
+```csv
 user1;some.name;group-a;;hostname
 user2;othername;group-a;;
 # I am a comment
@@ -96,10 +98,11 @@ The current directory **MUST** be the directory where '*user_list.txt*' is store
 
 Then run the script without any options
 
-`$> /root/bin/user_create.sh`
+`$> /root/bin/create_user.sh`
 
 Sample output for above example file
-```
+
+```txt
 ++ Create 'some.name:group-a'
  > Create ssh key-pair '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem'
 Generating public/private rsa key pair.
@@ -125,7 +128,8 @@ The key's randomart image is:
 ```
 
 If the public pem file is already provided the output will be a bit different
-```
+
+```txt
 ++ Create 'some.name:group-a'
  < Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub'
  > Create .ssh folder
@@ -136,7 +140,8 @@ If the public pem file is already provided the output will be a bit different
 There is no SSH key generate output but *Use existing public ssh key* information line
 
 If the user has been created, the creating will be skipped
-```
+
+```txt
 -- Skip 'some.name:group-a'
 ```
 
@@ -145,7 +150,8 @@ If the user has been created, the creating will be skipped
 The generated users and the passwords are stored in the '*user_password.YYYYMMDD-hhmmss.txt*' file
 
 For above the output will be
-```
+
+```csv
 2020-11-27 13:51:01;sever.hostname.org;hostname;some.name;Aeh9uph8Oo
 2020-11-27 13:51:02;sever.hostname.org;;othername;AePejoo9ch
 2020-11-27 13:51:02;sever.hostname.org;;username;setpassword
@@ -155,7 +161,8 @@ Note that the *sever.hostname.org* is set from the hostname of the server where
 The name *hostname* is set if the hostname field in hser `user_list.txt` file is set
 
 If a existing pem public key is used, the entry for a new user will be
-```
+
+```csv
 2020-11-27 13:53:18;sever.hostname.org;;some.name;[ALREADY SET]
 ```
 
@@ -181,7 +188,6 @@ The SSH PEM key password can be reset or changed with
 To remove the password use this `-N ""`
 
 **NOTE**
-
 If the command is used like this it will be stored in the history file.
 For scurity reason it is recommended to not give the -P and -N options when changing the password.
 
@@ -192,3 +198,29 @@ The public key part can be extracted from the SSH PEM key with
 `$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`
 
 *[PEM]* is the placeholder for the filename
+
+## Last login check scripts
+
+There are two scripts that can be user to check if and when the user has logged in the last time.
+
+Because of users who do not open shells (for example sftp users) we cannot rely on lastlog, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data.
+
+Data is stored in `auth-log/user_auth.log` folder as `user;last login date`
+
+This script should be run every day via crontab as root:
+
+```crontab
+0 1 * * * root /root/users/bin/collect_login_data.sh
+```
+
+The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
+
+This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created.
+
+Currently only information is printed out and no action is done itself.
+
+The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended
+
+```crontab
+0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
+```

auth-log/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

bin/check_last_login.sh

@@ -5,8 +5,8 @@
 
 # base folder
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-# which group holds the ssh allowed login users (outside of admin users)
-ssh_group='sshallow';
+# which groups holds the ssh allowed login users (outside of admin users)
+ssh_groups=('sshforward' 'sshallow');
 ssh_reject_group='sshreject';
 # date now for compare
 now=$(date +"%s");
@@ -17,9 +17,11 @@ max_age_create=30;
 day=86400;
 # delete account strings
 delete_accounts="";
-user_group_tpl="deluser %s %s;adduser %s %s;";
+user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
 # log base folder
 LOG="${BASE_FOLDER}/../log";
+# auth log file user;date from collect_login_data script
+AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 
 if [ $(whoami) != "root" ]; then
 	echo "Script must be run as root user";
@@ -36,61 +38,86 @@ echo "Hostname          : "$(hostname);
 echo "Run date          : "$(date +"%F %T");
 echo "Max age last login: ${max_age_login} days";
 echo "Max age no login  : ${max_age_create} days";
-for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
-# for user in clemens test42; do
-	account_age=0;
-	delete_user=0;
-	out_string="";
-	#echo "* Checking user ${user}";
-	# check user create time, if we have set it in comment
-	user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
-	# if empty try last password set time
-	if [ -z "${user_create_date}" ]; then
-		# user L 11/09/2020 0 99999 7 -1
-		user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
-	fi;
-	# last try is user home .bash_logout
-	if [ -z "${user_create_date}" ]; then
-		home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
-		user_create_date=$(stat -c %Z "${home_dir}");
-	fi;
-	# Username         Port     From             Latest
-	# user             pts/35   10.110.160.230   Wed Nov  2 09:40:35 +0900 2022
-	last_login_string=$(lastlog -u ${user} | sed 1d);
-	search="Never logged in";
-	# if we have "** Never logged in**" the user never logged in
-	if [ ! -z "${last_login_string##*$search*}" ]; then
-		# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
-		# awk '{for(i=4;i<=NF;++i)printf $i FS}'
-		last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
-		# date -d "Wed Nov  2 09:40:35 +0900 2022" +%s
-		last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
-		if [ ${last_login} -gt ${max_age_login} ]; then
-			out_string="[!] last logged in ${last_login} days ago";
-			delete_user=1;
-		else
-			out_string="OK";
+for ssh_group in ${ssh_groups[@]}; do
+echo "--------------------->"
+echo "Checking Group    : ${ssh_group}";
+	for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+		account_age=0;
+		delete_user=0;
+		out_string="";
+		#echo "* Checking user ${user}";
+		# check user create time, if we have set it in comment
+		user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
+		# if empty try last password set time
+		if [ -z "${user_create_date}" ]; then
+			# user L 11/09/2020 0 99999 7 -1
+			user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
 		fi;
-	elif [ ! -z "${user_create_date}" ]; then
-		user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
-		# if all empty, we continue with only check if user has last login date
-		# else get days since creation
-		#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
-		account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
-		if [ ${account_age} -gt ${max_age_create} ]; then
-			out_string="[!] Never logged in, account created ${account_age} days ago";
-			delete_user=1;
-		else
-			out_string="OK";
+		# last try is user home .bash_logout
+		if [ -z "${user_create_date}" ]; then
+			home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
+			user_create_date=$(stat -c %Z "${home_dir}");
 		fi;
-	else
-		out_string="[!!!] Never logged in and we have no create date";
-	fi;
-	# build delete output
-	if [ ${delete_user} = 1 ]; then
-		delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
-	fi;
-	printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
+
+		# below only works if the user logged in, a lot of them are just file upload
+		# users. Use the collect script from systemd-logind or /var/log/secure
+		# Username         Port     From             Latest
+		# user             pts/35   10.110.160.230   Wed Nov  2 09:40:35 +0900 2022
+		last_login_string=$(lastlog -u ${user} | sed 1d);
+		search="Never logged in";
+		found="";
+		# problem with running rep check in if
+		if [ -f "${AUTH_LOG}" ]; then
+			found=$(grep "${user};" "${AUTH_LOG}");
+		fi;
+		if [ ! -z "${found}" ]; then
+			last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
+			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+			if [ ${last_login} -gt ${max_age_login} ]; then
+				out_string="[!] last ssh log in ${last_login} days ago";
+				delete_user=1;
+			else
+				out_string="OK [ssh]";
+			fi;
+		elif [ ! -z "${last_login_string##*$search*}" ]; then
+			# if we have "** Never logged in**" the user never logged in
+			# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
+			# awk '{for(i=4;i<=NF;++i)printf $i FS}'
+			last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
+			# date -d "Wed Nov  2 09:40:35 +0900 2022" +%s
+			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+			if [ ${last_login} -gt ${max_age_login} ]; then
+				out_string="[!] last terminal log in ${last_login} days ago";
+				delete_user=1;
+			else
+				out_string="OK [lastlog]";
+			fi;
+		elif [ ! -z "${user_create_date}" ]; then
+			user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
+			# if all empty, we continue with only check if user has last login date
+			# else get days since creation
+			#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+			if [ ${account_age} -gt ${max_age_create} ]; then
+				out_string="[!] Never logged in, account created ${account_age} days ago";
+				delete_user=1;
+			else
+				out_string="OK [first login]";
+			fi;
+		else
+			out_string="[!!!] Never logged in and we have no create date";
+		fi;
+		# build delete output
+		if [ ${delete_user} = 1 ]; then
+			delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
+		fi;
+		printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
+	done;
+done;
+echo "--------------------->"
+echo "Showing current SSH Reject users:"
+for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+	echo "${user}";
 done;
 if [ ! -z "${delete_accounts}" ]; then
 	echo "--------------------->"

bin/collect_login_data.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+
+# * check we are root
+# if we are not root, bail out
+# if [ $(whoami) != "root" ]; then
+if [[ "$EUID" -ne "0" ]]; then
+	echo "Must be run as root or with sudo command";
+	exit;
+fi;
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# auth log file
+AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
+if [ ! -f "${AUTH_LOG}" ]; then
+	touch "${AUTH_LOG}";
+fi;
+# debug flag
+DEBUG=0;
+# check all logs flag
+RUN_FULL_LOG=0;
+# option parsing
+while getopts ":fd" opt; do
+	case "${opt}" in
+		f|full)
+			echo "[!!!] Run through all log files to collect data";
+			RUN_FULL_LOG=1;
+			;;
+		d|deubg)
+			DEBUG=1;
+			;;
+	esac;
+done;
+
+function prD()
+{
+	message="${1}";
+	debug=${2:-0};
+	lb_off=${3:-0};
+	if [ ${debug} -eq 1 ]; then
+		if [ ${lb_off} -eq 1 ]; then
+			echo -n "${message}";
+		else
+			echo "${message}";
+		fi;
+	fi;
+}
+
+function parseLog()
+{
+	# do we have a key entry, if not add new with last log date
+	# clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
+	line="${1}";
+	auth_log="${2}";
+	start_year="${3}";
+	logger="${4}";
+	debug=${5:-0};
+
+	#prD "Line: $line" ${debug};
+	# auth user has . at the end, remove that one
+	if [ "${logger}" = "systemd" ]; then
+		# 2022-11-18T20:04:08+0900
+		auth_date=$(echo "${line}" | cut -d " " -f 1);
+		auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+	else
+		auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
+		auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
+	fi;
+	auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
+
+	# $(printf "USER: %-20s: %19s" "${auth_user}" "${auth_date}")
+	# prD "USER: $auth_user | DATE: $auth_date" ${debug} 1;
+	printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
+	prD "${msg}" ${debug} 1;
+	# find auth user in current auth file
+	# if not there attach, else replace date only
+	found=$(grep "${auth_user};" "${auth_log}");
+	if [ -z "${found}" ]; then
+		prD " | Write new" ${debug};
+		echo "${auth_user};${auth_date}" >> "${auth_log}";
+	else
+		prD " | Replace old" ${debug};
+		sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${auth_log}";
+	fi;
+}
+
+printf -v msg "Run date: %s %s" $(date +"%F %T")
+prD "${msg}" ${DEBUG};
+
+# Collector script for login information via journalctl
+# if no systemd installed, try to get info from /var/log/secure or /var/log/auth.log
+readonly init_version=$(/proc/1/exe --version | head -n 1);
+if [ -z "${init_version##*systemd*}" ]; then
+	LOG_TARGET="systemd";
+	# for journalctl
+	START_DATE=$(date +%F -d "1 day ago");
+	END_DATE=$(date +%F);
+	OPT_START_DATE='';
+	if [ $RUN_FULL_LOG -eq 0 ]; then
+		OPT_START_DATE="-S ${START_DATE}";
+		OPT_END_DATE="-U ${END_DATE}";
+	fi;
+	# READ as other format so we get the YEAR -o short-iso
+	START_YEAR=$(date +%Y -d "1 day ago");
+	journalctl -u systemd-logind --no-pager -o short-iso ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" |
+	while read line; do
+		# # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
+		# date: 5 chars
+		# time: 8 chars
+		# hostname
+		# systemd-logind pid ...
+		# " of user <username>"
+		# we want date + time + username
+		# prefix year with start date year
+		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
+	done;
+else
+	LOG_TARGET="syslog";
+	# for secure/auth log
+	if [ $RUN_FULL_LOG -eq 1 ]; then
+		# we loop over EACH file and get the DATE so we can have the correct YEAR
+		for sfile in $(ls -1 /var/log/secure*bz2); do
+			tz=$(stat -c %Z "${sfile}");
+			START_YEAR=$(date +%Y -d @${tz});
+			bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
+			while read line; do
+				parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
+			done;
+		done;
+		# read all
+		START_DATE="sshd"
+	fi;
+	START_YEAR=$(date +%Y -d "1 day ago");
+	cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
+	while read line; do
+		parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" ${DEBUG};
+	done;
+fi;
+
+# __END__

bin/create_user.sh

@@ -2,12 +2,15 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
-# Mandatory: <ignored id>;<user name>;<group>
+# Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
+# <ssh access type> can be
+# allow (full login access)
+# forward (forward/jump host only)
 # * output file
-# <date>;<target connect host name>;<hostname>;<username>;<password>
+# <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
 #
 # * PEM KEY
@@ -21,7 +24,7 @@
 # into the ssh-keygen/ folder
 # They pem pub key must follow the set rules above
 
-# SET TO 1 to TEST [will no create user/group/folder]
+# SET TO 1 to TEST [will not create user/group/folder]
 TEST=0; # no creation except ssh keys
 INFO=0; # no creation of anything, just print info strings
 while getopts ":ti" opt; do
@@ -48,7 +51,9 @@ output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
-ssh_group='sshallow';
+# sshallow or sshforward
+ssh_group='';
+ssh_forward_ok=0;
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 	mkdir "${root_folder}${ssh_keygen_folder}";
@@ -58,20 +63,26 @@ if [ ! -d "${root_folder}${output_zip_folder}" ]; then
 	mkdir "${root_folder}${output_zip_folder}";
 fi;
 # check if password generate software is installed
-if [ ! command -v pwgen &> /dev/null ]; then
+# if [ ! command -v pwgen &> /dev/null ]; then
+if [ -z $(command -v pwgen) ]; then
 	echo "Missing pwgen application, aborting";
 	exit;
 fi;
 # check for zip
-if [ ! command -v zip &> /dev/null ]; then
+# if [ ! command -v zip &> /dev/null ]; then
+if [ -z $(command -v zip) ]; then
 	echo "Missing zip application, aborting";
 	exit;
 fi;
-# check if sshallow group exists
-if [ -z $(cat /etc/group|grep "${ssh_group}:") ]; then
-	echo "Missing ssh access group: ${ssh_group}";
+# check if sshallow or sshfoward group exists
+if [ -z $(cat /etc/group | grep "sshallow:") ]; then
+	echo "Missing ssh access group: sshallow";
 	exit;
 fi;
+# flag if we can set ssh forward
+if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
+	ssh_forward_ok=1;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 	echo "Missing ${root_folder}${input_file}";
@@ -101,6 +112,17 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+	# if not allow or forward, set to access
+	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
+		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
+		ssh_access_type="allow";
+	fi;
+	if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
+		echo "[!!!] sshforward group does not exsts, cannot set user ${user}";
+		break;
+	fi;
+	ssh_group="ssh${ssh_access_type}";
 	# sshallow group is always added
 	sub_group_opt=" -G ${ssh_group}";
 	# check if "," inside and extract sub groups
@@ -139,7 +161,7 @@ while read i; do
 
 	if [ ${INFO} -eq 1 ]; then
 		# test if pub file exists or not, test if user exists
-		echo -n "User: '${user}:${group}(${sub_group})', SSH: ${ssh_keygen_id}";
+		echo -n "User: '${user}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
 		if getent passwd ${user} > /dev/null 2>&1; then
 			echo -n ", User exists";
 		fi;
@@ -209,10 +231,11 @@ while read i; do
 	if [ ${skip_ssh} -eq 0 ]; then
 		# write login info to output file
 		if [ ${TEST} -eq 0 ]; then
-			echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file};
+			create_output_file="${root_folder}${output_file}";
 		else
-			echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file}".TEST";
+			create_output_file="${root_folder}${output_file}.TEST";
 		fi;
+		echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_allow_type} >> ${create_output_file};
 		# create the SSH foler and authorized access file with correct permissions
 		echo " > Create .ssh folder";
 		if [ ${TEST} -eq 0 ]; then

bin/lock_user.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# disable a user by removing them from the sshallow/sshforward group
+# and move them to the sshreject group
+
+# SET TO 1 to TEST [will not move user in groups]
+TEST=0; # no creation except ssh keys
+INFO=0; # no creation of anything, just print info strings
+while getopts ":ti" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		i|info)
+			INFO=1;
+			;;
+	esac;
+done;
+
+if [ $# -eq 0 ]; then
+	echo "Must give at least one user name";
+	exit;
+fi;
+
+# ssh reject group
+ssh_reject_group="sshreject";
+if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
+	echo "Missing ssh reject group: ${ssh_reject_group}";
+	exit;
+fi;
+ssh_allow_group="sshallow";
+ssh_forward_group="sshfoward";
+delete_accounts="";
+user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
+
+echo "--------------------->"
+# $1 ... $n
+for username in "$@"; do
+	# check that user exists in passwd
+	if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
+		echo "[!] User $username does not exists in /etc/passwd file";
+		continue;
+	fi;
+	# if not check if in reject list
+	if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
+		echo "[.] User $username already in the ${ssh_reject} list";
+		continue;
+	fi;
+	# check if user is in sshallow/forward list
+	ssh_remove_group='';
+	if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
+		ssh_remove_group="${ssh_allow_group}";
+	fi;
+	# if user is in ssh allow group and ALSO in ssh forward group -> bad
+	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
+		if [ ! -z "${ssh_remove_group}" ]; then
+			echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
+			break;
+		fi;
+		ssh_remove_group="${ssh_forward_group}";
+	fi;
+	if [ ! -z "${ssh_remove_group}" ]; then
+		# remove user from ssh group and add to reject groups
+		echo "[*] User $username will be removed from ${ssh_remove_group}";
+		delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
+	else
+		# skip not ssh user
+		echo "[?] User $username not in any ssh allow/foward groups";
+	fi;
+done;
+if [ ! -z "${delete_accounts}" ]; then
+	echo "--------------------->"
+	echo "% Run list below to move users to reject ssh group";
+	echo "";
+	echo "${delete_accounts}";
+fi;
+
+# __END__

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type