Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
365b52efe5 | ||
|
|
b10cb62612 | ||
|
|
1f4e295e9f |
25
Readme.md
25
Readme.md
@@ -199,6 +199,31 @@ The public key part can be extracted from the SSH PEM key with
|
||||
|
||||
*[PEM]* is the placeholder for the filename
|
||||
|
||||
## Lock and unlock uses
|
||||
|
||||
If a user should be stopped from logging in via ssh the user needs to be removed from the sshallow or sshforward groups. Note that the sshforward group only exists on jump hosts and can normally be ignored.
|
||||
|
||||
Default 100% ignored users are 'root', 'ec2-user', 'admin', 'ubuntu'
|
||||
|
||||
### Lock users
|
||||
|
||||
`bin/lock_users.sh -t <user 1> <user 2> ...`
|
||||
|
||||
The `-t` flag is for test run.
|
||||
|
||||
If the user is not in the sshallow or sshreject group the change will be skipped.
|
||||
Locked users will be moved to the sshreject group
|
||||
|
||||
### Unlock users
|
||||
|
||||
If a user exists in the sshreject group the user can be unlocked
|
||||
|
||||
`bin/unlock_uses.sh -t -s <allow|forward> <user 1> <user 2> ...`
|
||||
|
||||
Like the lock user script it will only work on users in the sshreject group. But here the target allow / forward group must be selected.
|
||||
|
||||
If not set it defaults to allow, if a user_list.txt file with this user exist it will try to extract this data if the `-s` option is not set
|
||||
|
||||
## Last login check scripts
|
||||
|
||||
There are two scripts that can be user to check if and when the user has logged in the last time.
|
||||
|
||||
@@ -41,21 +41,26 @@ echo "Max age no login : ${max_age_create} days";
|
||||
for ssh_group in ${ssh_groups[@]}; do
|
||||
echo "--------------------->"
|
||||
echo "Checking Group : ${ssh_group}";
|
||||
for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
|
||||
for username in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
|
||||
# check that user exists in passwd
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
echo "[!] User $username does not exists in /etc/passwd file";
|
||||
continue;
|
||||
fi;
|
||||
account_age=0;
|
||||
delete_user=0;
|
||||
out_string="";
|
||||
#echo "* Checking user ${user}";
|
||||
#echo "* Checking user ${username}";
|
||||
# check user create time, if we have set it in comment
|
||||
user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
|
||||
user_create_date=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
|
||||
# if empty try last password set time
|
||||
if [ -z "${user_create_date}" ]; then
|
||||
# user L 11/09/2020 0 99999 7 -1
|
||||
user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
|
||||
user_create_date=$(passwd -S ${username} | cut -d " " -f 3);
|
||||
fi;
|
||||
# last try is user home .bash_logout
|
||||
if [ -z "${user_create_date}" ]; then
|
||||
home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
|
||||
home_dir=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
|
||||
user_create_date=$(stat -c %Z "${home_dir}");
|
||||
fi;
|
||||
|
||||
@@ -63,15 +68,15 @@ echo "Checking Group : ${ssh_group}";
|
||||
# users. Use the collect script from systemd-logind or /var/log/secure
|
||||
# Username Port From Latest
|
||||
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022
|
||||
last_login_string=$(lastlog -u ${user} | sed 1d);
|
||||
last_login_string=$(lastlog -u ${username} | sed 1d);
|
||||
search="Never logged in";
|
||||
found="";
|
||||
# problem with running rep check in if
|
||||
if [ -f "${AUTH_LOG}" ]; then
|
||||
found=$(grep "${user};" "${AUTH_LOG}");
|
||||
found=$(grep "${username};" "${AUTH_LOG}");
|
||||
fi;
|
||||
if [ ! -z "${found}" ]; then
|
||||
last_login_date=$(grep "${user};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
|
||||
last_login_date=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
|
||||
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
|
||||
if [ ${last_login} -gt ${max_age_login} ]; then
|
||||
out_string="[!] last ssh log in ${last_login} days ago";
|
||||
@@ -109,15 +114,15 @@ echo "Checking Group : ${ssh_group}";
|
||||
fi;
|
||||
# build delete output
|
||||
if [ ${delete_user} = 1 ]; then
|
||||
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
|
||||
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_group}" "${username}" "${ssh_reject_group}")$'\n';
|
||||
fi;
|
||||
printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
|
||||
printf "* Checking user %-20s: %s\n" "${username}" "${out_string}";
|
||||
done;
|
||||
done;
|
||||
echo "--------------------->"
|
||||
echo "Showing current SSH Reject users:"
|
||||
for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
|
||||
echo "${user}";
|
||||
echo "${username}";
|
||||
done;
|
||||
if [ ! -z "${delete_accounts}" ]; then
|
||||
echo "--------------------->"
|
||||
|
||||
@@ -43,7 +43,9 @@ timestamp=$(date +%Y%m%d-%H%M%S)
|
||||
# character to set getween info blocks
|
||||
separator="#";
|
||||
# base folder for all data
|
||||
root_folder=$(pwd)'/';
|
||||
# root_folder=$(pwd)'/';
|
||||
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||
root_folder="${BASE_FOLDER}";
|
||||
input_file='user_list.txt';
|
||||
output_file="user_password.${timestamp}.txt";
|
||||
output_zip_folder='zip/';
|
||||
@@ -108,7 +110,7 @@ while read i; do
|
||||
continue;
|
||||
fi;
|
||||
# make lower case, remove spaces
|
||||
user=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
|
||||
username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
|
||||
_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
|
||||
group=$(echo "${_group}" | cut -d "," -f 1);
|
||||
sub_group="";
|
||||
@@ -119,7 +121,7 @@ while read i; do
|
||||
ssh_access_type="allow";
|
||||
fi;
|
||||
if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
|
||||
echo "[!!!] sshforward group does not exsts, cannot set user ${user}";
|
||||
echo "[!!!] sshforward group does not exsts, cannot set user ${username}";
|
||||
break;
|
||||
fi;
|
||||
ssh_group="ssh${ssh_access_type}";
|
||||
@@ -145,13 +147,13 @@ while read i; do
|
||||
#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
|
||||
fi;
|
||||
# user & group not set
|
||||
if [ -z "${user}" ] || [ -z "${_group}" ]; then
|
||||
echo "[!!!!!] Missing user or group entry for ${user}/${_group}";
|
||||
if [ -z "${username}" ] || [ -z "${_group}" ]; then
|
||||
echo "[!!!!!] Missing user or group entry for ${username}/${_group}";
|
||||
echo "[*** ABORT RUN ***]"
|
||||
break;
|
||||
fi;
|
||||
# SSH file name part without folder
|
||||
ssh_keygen_id="${hostname}${separator}${group}${separator}${user}${separator}${ssh_keytype}.pem";
|
||||
ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
|
||||
# the full file including folder name
|
||||
ssh_keyfile="${root_folder}${ssh_keygen_folder}${ssh_keygen_id}";
|
||||
# publ file if new
|
||||
@@ -161,8 +163,8 @@ while read i; do
|
||||
|
||||
if [ ${INFO} -eq 1 ]; then
|
||||
# test if pub file exists or not, test if user exists
|
||||
echo -n "User: '${user}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
|
||||
if getent passwd ${user} > /dev/null 2>&1; then
|
||||
echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
|
||||
if getent passwd ${username} > /dev/null 2>&1; then
|
||||
echo -n ", User exists";
|
||||
fi;
|
||||
if [ -f "${ssh_keyfile_check_pub}" ]; then
|
||||
@@ -182,15 +184,16 @@ while read i; do
|
||||
fi;
|
||||
done;
|
||||
# check if user is not already created
|
||||
if getent passwd ${user} > /dev/null 2>&1; then
|
||||
echo "-- Skip '${user}:${group}(${sub_group})'";
|
||||
# if getent passwd ${username} > /dev/null 2>&1; then
|
||||
if id "${username}" &>/dev/null; then
|
||||
echo "-- Skip '${username}:${group}(${sub_group})'";
|
||||
else
|
||||
echo "++ Create '${user}:${group}(${sub_group})'";
|
||||
echo "++ Create '${username}:${group}(${sub_group})'";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
# comment is user create time
|
||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
|
||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
|
||||
else
|
||||
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
|
||||
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
|
||||
fi;
|
||||
fi;
|
||||
skip_ssh=0;
|
||||
@@ -210,13 +213,13 @@ while read i; do
|
||||
ssh-keygen \
|
||||
-t ${ssh_keytype} \
|
||||
-f "${ssh_keyfile}" \
|
||||
-C "${hostname}: ${user}@${group}" \
|
||||
-C "${hostname}: ${username}@${group}" \
|
||||
-a 100 -N "${password}"
|
||||
else
|
||||
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${user}@${group} -a 100 -N ${password}";
|
||||
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
|
||||
fi;
|
||||
else
|
||||
found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${user}/.ssh/authorized_keys);
|
||||
found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${username}/.ssh/authorized_keys);
|
||||
if [ ! -z "${found}" ]; then
|
||||
skip_ssh=1;
|
||||
# override previously set with stored one
|
||||
@@ -235,29 +238,29 @@ while read i; do
|
||||
else
|
||||
create_output_file="${root_folder}${output_file}.TEST";
|
||||
fi;
|
||||
echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password}";"${ssh_allow_type} >> ${create_output_file};
|
||||
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
|
||||
# create the SSH foler and authorized access file with correct permissions
|
||||
echo " > Create .ssh folder";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
mkdir /home/${user}/.ssh/;
|
||||
mkdir /home/${username}/.ssh/;
|
||||
else
|
||||
echo "$> mkdir /home/${user}/.ssh/";
|
||||
echo "$> mkdir /home/${username}/.ssh/";
|
||||
fi;
|
||||
echo " > Add public into authorized_keys";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
cat "${ssh_keyfile_pub}" > /home/${user}/.ssh/authorized_keys;
|
||||
cat "${ssh_keyfile_pub}" > /home/${username}/.ssh/authorized_keys;
|
||||
else
|
||||
echo "$> cat ${ssh_keyfile_pub} > /home/${user}/.ssh/authorized_keys";
|
||||
echo "$> cat ${ssh_keyfile_pub} > /home/${username}/.ssh/authorized_keys";
|
||||
fi;
|
||||
echo " > Secure folder .ssh and authorized_keys file";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
chown -R ${user}:${group} /home/${user}/.ssh/;
|
||||
chmod 700 /home/${user}/.ssh/;
|
||||
chmod 600 /home/${user}/.ssh/authorized_keys;
|
||||
chown -R ${username}:${group} /home/${username}/.ssh/;
|
||||
chmod 700 /home/${username}/.ssh/;
|
||||
chmod 600 /home/${username}/.ssh/authorized_keys;
|
||||
else
|
||||
echo "$> chown -R ${user}:${group} /home/${user}/.ssh/";
|
||||
echo "$> chmod 700 /home/${user}/.ssh/";
|
||||
echo "$> chmod 600 /home/${user}/.ssh/authorized_keys";
|
||||
echo "$> chown -R ${username}:${group} /home/${username}/.ssh/";
|
||||
echo "$> chmod 700 /home/${username}/.ssh/";
|
||||
echo "$> chmod 600 /home/${username}/.ssh/authorized_keys";
|
||||
fi;
|
||||
fi;
|
||||
done;
|
||||
|
||||
@@ -2,26 +2,36 @@
|
||||
|
||||
# disable a user by removing them from the sshallow/sshforward group
|
||||
# and move them to the sshreject group
|
||||
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
|
||||
# if the -t is not in the first position it will be ignored
|
||||
|
||||
# SET TO 1 to TEST [will not move user in groups]
|
||||
TEST=0; # no creation except ssh keys
|
||||
INFO=0; # no creation of anything, just print info strings
|
||||
while getopts ":ti" opt; do
|
||||
TEST=0; # no delete, just print
|
||||
while getopts ":t" opt; do
|
||||
case "${opt}" in
|
||||
t|test)
|
||||
TEST=1;
|
||||
;;
|
||||
i|info)
|
||||
INFO=1;
|
||||
;;
|
||||
esac;
|
||||
done;
|
||||
shift "$((OPTIND-1))"
|
||||
|
||||
if [ $(whoami) != "root" ]; then
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
echo "Script must be run as root user";
|
||||
exit;
|
||||
else
|
||||
echo "!!!! Script must be run as root user !!!!";
|
||||
fi;
|
||||
fi;
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
echo "Must give at least one user name";
|
||||
exit;
|
||||
fi;
|
||||
|
||||
# ignore users (root and admin users)
|
||||
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
||||
# ssh reject group
|
||||
ssh_reject_group="sshreject";
|
||||
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
|
||||
@@ -30,20 +40,29 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
|
||||
fi;
|
||||
ssh_allow_group="sshallow";
|
||||
ssh_forward_group="sshfoward";
|
||||
delete_accounts="";
|
||||
user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
|
||||
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
|
||||
|
||||
echo "--------------------->"
|
||||
# $1 ... $n
|
||||
for username in "$@"; do
|
||||
# skip if there is an option hidden
|
||||
if [[ ${_arg:0:1} = "-" ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# skip ignore users, note that if a user is not in the sshallow list anyway
|
||||
# we skip them too, this is just in case check
|
||||
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
|
||||
echo "[!] User $username is in the ignore user list";
|
||||
continue;
|
||||
fi;
|
||||
# check that user exists in passwd
|
||||
if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
echo "[!] User $username does not exists in /etc/passwd file";
|
||||
continue;
|
||||
fi;
|
||||
# if not check if in reject list
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
|
||||
echo "[.] User $username already in the ${ssh_reject} list";
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
|
||||
echo "[.] User $username already in the ${ssh_reject_group} list";
|
||||
continue;
|
||||
fi;
|
||||
# check if user is in sshallow/forward list
|
||||
@@ -62,17 +81,16 @@ for username in "$@"; do
|
||||
if [ ! -z "${ssh_remove_group}" ]; then
|
||||
# remove user from ssh group and add to reject groups
|
||||
echo "[*] User $username will be removed from ${ssh_remove_group}";
|
||||
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
|
||||
else
|
||||
gpasswd -d "${username}" "${ssh_remove_group}";
|
||||
gpasswd -a "${username}" "${ssh_reject_group}";
|
||||
fi;
|
||||
else
|
||||
# skip not ssh user
|
||||
echo "[?] User $username not in any ssh allow/foward groups";
|
||||
fi;
|
||||
done;
|
||||
if [ ! -z "${delete_accounts}" ]; then
|
||||
echo "--------------------->"
|
||||
echo "% Run list below to move users to reject ssh group";
|
||||
echo "";
|
||||
echo "${delete_accounts}";
|
||||
fi;
|
||||
|
||||
# __END__
|
||||
|
||||
113
bin/unlock_user.sh
Executable file
113
bin/unlock_user.sh
Executable file
@@ -0,0 +1,113 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# disable a user by removing them from the sshallow/sshforward group
|
||||
# and move them to the sshreject group
|
||||
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
|
||||
# if the -t is not in the first position it will be ignored
|
||||
|
||||
# SET TO 1 to TEST [will not move user in groups]
|
||||
TEST=0; # no delete, just print
|
||||
SSH_GROUP_ADD='';
|
||||
while getopts ":ts:" opt; do
|
||||
case "${opt}" in
|
||||
t|test)
|
||||
TEST=1;
|
||||
;;
|
||||
s|sshgroup)
|
||||
if [ -z "${SSH_GROUP_ADD}" ]; then
|
||||
SSH_GROUP_ADD=${OPTARG};
|
||||
fi;
|
||||
;;
|
||||
esac;
|
||||
done;
|
||||
shift "$((OPTIND-1))"
|
||||
|
||||
if [ $(whoami) != "root" ]; then
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
echo "Script must be run as root user";
|
||||
exit;
|
||||
else
|
||||
echo "!!!! Script must be run as root user !!!!";
|
||||
fi;
|
||||
fi;
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
echo "Must give at least one user name";
|
||||
exit;
|
||||
fi;
|
||||
|
||||
if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
|
||||
echo "sshgroup option can only be 'allow' or 'forward'";
|
||||
exit;
|
||||
fi;
|
||||
|
||||
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||
input_file='user_list.txt';
|
||||
# ignore users (root and admin users)
|
||||
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
||||
# ssh reject group
|
||||
ssh_reject_group="sshreject";
|
||||
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
|
||||
echo "Missing ssh reject group: ${ssh_reject_group}";
|
||||
exit;
|
||||
fi;
|
||||
ssh_allow_group="sshallow";
|
||||
ssh_forward_group="sshfoward";
|
||||
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
|
||||
|
||||
echo "--------------------->"
|
||||
# $1 ... $n
|
||||
for username in "$@"; do
|
||||
# skip if there is an option hidden
|
||||
if [[ ${_arg:0:1} = "-" ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# skip ignore users, note that if a user is not in the sshallow list anyway
|
||||
# we skip them too, this is just in case check
|
||||
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
|
||||
echo "[!] User $username is in the ignore user list";
|
||||
continue;
|
||||
fi;
|
||||
# check that user exists in passwd
|
||||
if ! id "${username}" &>/dev/null; then
|
||||
echo "[!] User $username does not exists in /etc/passwd file";
|
||||
continue;
|
||||
fi;
|
||||
# check if already in OK groups
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
|
||||
echo "[.] User $username already in the ${ssh_allow_group} list";
|
||||
continue;
|
||||
fi;
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
|
||||
echo "[.] User $username already in the ${ssh_forward_group} list";
|
||||
continue;
|
||||
fi;
|
||||
# try to find user in user_list.txt and get the allow/forward flag from there,
|
||||
# else try to set from option
|
||||
# if not valid use allow
|
||||
ssh_add_group="${SSH_GROUP_ADD}";
|
||||
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${BASE_FOLDER}${input_file}" ]; then
|
||||
ssh_add_group=$(grep "${username}" "${BASE_FOLDER}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
|
||||
fi;
|
||||
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
|
||||
ssh_add_group="allow";
|
||||
fi;
|
||||
ssh_add_group="ssh${ssh_add_group}";
|
||||
|
||||
# check if user is in reject group remove
|
||||
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
|
||||
# remove user from ssh group and add to reject groups
|
||||
echo "[*] User $username will be added to ${ssh_add_group}";
|
||||
if [ ${TEST} -eq 1 ]; then
|
||||
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
|
||||
else
|
||||
gpasswd -d "${username}" "${ssh_reject_group}";
|
||||
gpasswd -a "${username}" "${ssh_add_group}";
|
||||
fi;
|
||||
else
|
||||
# skip not ssh user
|
||||
echo "[?] User $username not in the ssh reject group";
|
||||
fi;
|
||||
done;
|
||||
|
||||
# __END__
|
||||
Reference in New Issue
Block a user