ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ScriptsCollections:v1.0.1
Branches Tags
ScriptsCollections:master ScriptsCollections:development
ScriptsCollections:v1.2.0 ScriptsCollections:v1.1.2 ScriptsCollections:v1.1.1 ScriptsCollections:v1.1.0 ScriptsCollections:v1.0.3 ScriptsCollections:v1.0.2 ScriptsCollections:v1.0.1 ScriptsCollections:v1.0.0 ScriptsCollections:v0.19.1 ScriptsCollections:v0.19.0 ScriptsCollections:v0.18.1 ScriptsCollections:v0.18.0 ScriptsCollections:v0.17.10 ScriptsCollections:v0.17.9 ScriptsCollections:v0.17.8 ScriptsCollections:v0.17.7 ScriptsCollections:v0.17.6 ScriptsCollections:v0.17.5 ScriptsCollections:v0.17.4 ScriptsCollections:v0.17.3 ScriptsCollections:v0.17.2 ScriptsCollections:v0.17.1 ScriptsCollections:v0.17.0 ScriptsCollections:v0.16.4 ScriptsCollections:v0.16.3 ScriptsCollections:v0.16.2 ScriptsCollections:v0.16.1 ScriptsCollections:v0.16.0 ScriptsCollections:v0.15.0 ScriptsCollections:v0.14.1 ScriptsCollections:v0.14.0 ScriptsCollections:v0.13.1 ScriptsCollections:v0.13.0 ScriptsCollections:v0.12.0 ScriptsCollections:v0.11.0 ScriptsCollections:v0.10.7 ScriptsCollections:v0.10.6 ScriptsCollections:v0.10.5 ScriptsCollections:v0.10.4 ScriptsCollections:v0.10.3 ScriptsCollections:v0.10.2 ScriptsCollections:v0.10.1 ScriptsCollections:v0.10.0 ScriptsCollections:v0.9.0 ScriptsCollections:v0.8.1 ScriptsCollections:v0.8.0 ScriptsCollections:v0.7.2 ScriptsCollections:v0.7.1 ScriptsCollections:v0.7.0 ScriptsCollections:v0.6.0 ScriptsCollections:v0.5.0
...
compare: ScriptsCollections:master
Branches Tags
ScriptsCollections:development ScriptsCollections:master
ScriptsCollections:v1.2.0 ScriptsCollections:v1.1.2 ScriptsCollections:v1.1.1 ScriptsCollections:v1.1.0 ScriptsCollections:v1.0.3 ScriptsCollections:v1.0.2 ScriptsCollections:v1.0.1 ScriptsCollections:v1.0.0 ScriptsCollections:v0.19.1 ScriptsCollections:v0.19.0 ScriptsCollections:v0.18.1 ScriptsCollections:v0.18.0 ScriptsCollections:v0.17.10 ScriptsCollections:v0.17.9 ScriptsCollections:v0.17.8 ScriptsCollections:v0.17.7 ScriptsCollections:v0.17.6 ScriptsCollections:v0.17.5 ScriptsCollections:v0.17.4 ScriptsCollections:v0.17.3 ScriptsCollections:v0.17.2 ScriptsCollections:v0.17.1 ScriptsCollections:v0.17.0 ScriptsCollections:v0.16.4 ScriptsCollections:v0.16.3 ScriptsCollections:v0.16.2 ScriptsCollections:v0.16.1 ScriptsCollections:v0.16.0 ScriptsCollections:v0.15.0 ScriptsCollections:v0.14.1 ScriptsCollections:v0.14.0 ScriptsCollections:v0.13.1 ScriptsCollections:v0.13.0 ScriptsCollections:v0.12.0 ScriptsCollections:v0.11.0 ScriptsCollections:v0.10.7 ScriptsCollections:v0.10.6 ScriptsCollections:v0.10.5 ScriptsCollections:v0.10.4 ScriptsCollections:v0.10.3 ScriptsCollections:v0.10.2 ScriptsCollections:v0.10.1 ScriptsCollections:v0.10.0 ScriptsCollections:v0.9.0 ScriptsCollections:v0.8.1 ScriptsCollections:v0.8.0 ScriptsCollections:v0.7.2 ScriptsCollections:v0.7.1 ScriptsCollections:v0.7.0 ScriptsCollections:v0.6.0 ScriptsCollections:v0.5.0

7 Commits
v1.0.1 ... master

Author SHA1 Message Date
Clemens Schwaighofer
c801ef40b4 Switch from lastlogin to lsogins 
Debian 13 dropped lastlogin, replaced with lastlogin2 which is an extra install.
Switch to lslogins, which also makes parsing much easier
 2025-09-12 10:16:05 +09:00
Clemens Schwaighofer
125cb27de8 Remove URLs from ReadMe 2025-03-14 22:28:19 +09:00
Clemens Schwaighofer
e45b89c582 AWS Delete user, remove all secondary groups first. 
To make sure tha on delete the user is removed from all secondary groups
unset them first before running the userdel command.

-r might not be enought to do that in some situations
 2025-01-06 13:45:51 +09:00
Clemens Schwaighofer
4a8dab7b01 Add base folder for lock user aws script 2024-12-16 15:44:09 +09:00
Clemens Schwaighofer
fa47178ed1 Add central logging for all actions done 
log file "user_management.log"

Each line is
[YYYY-MM-DD HH:mm:ss] [script name] [TEST] ...

[TEST] is only set if we are in a test run

for create user, if info flag is set, we do not write a log
 2024-12-09 11:37:37 +09:00
Clemens Schwaighofer
4629b58a7e Skip empty group on login check 2024-11-11 17:06:24 +09:00
Clemens Schwaighofer
d8cd628ddd Fix for check last login script 
the data reading was split with " " (space) which in the while read kept
it as one row, changed the split character to "\n"
 2024-10-24 13:57:04 +09:00
8 changed files with 275 additions and 92 deletions
Expand all files Collapse all files

9
Readme.md
View File

@@ -11,14 +11,11 @@ The folder holding the script must be owned by *root* and have *600* permissions
```sh ```sh
cd /root/ cd /root/
git clone http://gitlab-ap.factory.tools/scripts-collections/aws-user-create.git users git clone <UrlToGitRepository> users
chown root. users chown root. users
chgrp 600 users chgrp 600 users
``` ```
Alternate download:
`git clone https://git.tequila.jp/ScriptsCollections/AwsUserCreate.git users`
## Folders ## Folders
Inside the base folder there are Inside the base folder there are
@@ -269,7 +266,7 @@ If not set it defaults to allow, if a user_list.txt file with this user exist it
There are two scripts that can be user to check if and when the user has logged in the last time. There are two scripts that can be user to check if and when the user has logged in the last time.
Because of users who do not open shells (for example sftp users) we cannot rely on lastlog, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data. Because of users who do not open shells (for example sftp users) we cannot rely on lslogins, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data.
Data is stored in `auth-log/user_auth.log` folder as `user;last login date` Data is stored in `auth-log/user_auth.log` folder as `user;last login date`
@@ -281,7 +278,7 @@ This script should be run every day via crontab as root:
The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too. The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
This script will first check the `auth-log/user_auth.log` file, then lastlog output and finally check for creation time in passwd file or home director for when the user was created. This script will first check the `auth-log/user_auth.log` file, then lslogins output and finally check for creation time in passwd file or home director for when the user was created.
Currently only information is printed out and no action is done itself. Currently only information is printed out and no action is done itself.

32
bin/authorized_key_location_change.sh
View File

@@ -88,6 +88,24 @@ if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
echo "Reading ${IGNORE_USER_FILE}"; echo "Reading ${IGNORE_USER_FILE}";
fi; fi;
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix for testing
if [ ${TEST} -eq 1 ]; then
log_prefix="[TEST] ";
fi;
# write log not in info run
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
# loop over passwd file # loop over passwd file
# if not in no action then check if .ssh/authorized_keys file exists # if not in no action then check if .ssh/authorized_keys file exists
cut -d ":" -f 1,6 /etc/passwd | cut -d ":" -f 1,6 /etc/passwd |
@@ -97,14 +115,17 @@ while read -r user_home; do
# skip admin usernames # skip admin usernames
if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${NO_ACTION[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list"; printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
write_log "[NO ACT] ${username} in NO ACTION list";
continue; continue;
fi; fi;
if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${SKIP_USERS[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line"; printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
write_log "[SKIP] ${username} skip forced via command line";
continue; continue;
fi; fi;
if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${IGNORE_USER[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file"; printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
write_log "[SKIP] ${username} skip from ignore config file";
continue; continue;
fi; fi;
home_folder=$(echo "${user_home}" | cut -d ":" -f 2); home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
@@ -113,8 +134,10 @@ while read -r user_home; do
# but do we have an auth folder, if yes -> exist skip # but do we have an auth folder, if yes -> exist skip
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved"; printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
write_log "[DONE] ${username} already moved";
else else
printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file"; printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
write_log "[IGNORE] ${username} no authorized_keys file";
fi; fi;
continue; continue;
fi; fi;
@@ -124,6 +147,7 @@ while read -r user_home; do
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}"); ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
if [ -n "${ssh_key_diff}" ]; then if [ -n "${ssh_key_diff}" ]; then
printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file"; printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
write_log "[ABORT] ${username} authorized key is not matching the master key file";
exit; exit;
fi; fi;
fi; fi;
@@ -132,6 +156,7 @@ while read -r user_home; do
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
if [ -z "${ssh_key_diff}" ]; then if [ -z "${ssh_key_diff}" ]; then
printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys"; printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
write_log "[REMOVE] ${username} .ssh/authorized_keys";
if [ ${master_user} -eq 0 ]; then if [ ${master_user} -eq 0 ]; then
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
rm "${home_folder}/.ssh/authorized_keys"; rm "${home_folder}/.ssh/authorized_keys";
@@ -139,15 +164,17 @@ while read -r user_home; do
echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
fi; fi;
else else
echo "[!] No delete for master user, must be done manually"; write_log "[!] No delete for master user, must be done manually" "1";
fi; fi;
continue; continue;
fi; fi;
# No update, alert # No update, alert
printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED"; printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
write_log "[DIFF] ${username} Different authorized keys in home dir, SKIPPED";
continue; continue;
fi; fi;
printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location"; printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
write_log "[MOVE] ${username} Move SSH Key to central location";
# move public keys over # move public keys over
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
@@ -159,13 +186,14 @@ while read -r user_home; do
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
if [ -n "${ssh_key_diff}" ]; then if [ -n "${ssh_key_diff}" ]; then
printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}"; printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
write_log "[ERROR] ${username} Move problem ${ssh_key_diff}";
break; break;
fi; fi;
# remove home .ssh/authorized_keys (do not remove folder) # remove home .ssh/authorized_keys (do not remove folder)
if [ ${master_user} -eq 0 ]; then if [ ${master_user} -eq 0 ]; then
rm "${home_folder}/.ssh/authorized_keys"; rm "${home_folder}/.ssh/authorized_keys";
else else
echo "=> No delete for master user, must be done manually"; write_log "=> No delete for master user, must be done manually" "1";
fi; fi;
else else
echo "[START] ====>"; echo "[START] ====>";

39
bin/check_last_login.sh
View File

@@ -44,6 +44,11 @@ if [ -z "$(command -v jq)" ]; then
echo "Missing jq application, aborting"; echo "Missing jq application, aborting";
error=1; error=1;
fi; fi;
# use lslogins instead of last log
if [ -z "$(command -v lslogins)" ]; then
echo "Missing lslogins application, aborting";
error=1;
fi;
if [ $error -eq 1 ]; then if [ $error -eq 1 ]; then
exit; exit;
fi; fi;
@@ -76,7 +81,7 @@ account_id=$(echo "${instance_data}" | jq .accountId)
region=$(echo "${instance_data}" | jq .region) region=$(echo "${instance_data}" | jq .region)
if [ "${OUTPUT_TARGET}" = "text" ]; then if [ "${OUTPUT_TARGET}" = "text" ]; then
LOG="${LOG}/check_ssh_user.$(date +"%F_%H%m%S").log"; LOG="${LOG}/check_ssh_user.$(date +"%F_%H%M%S").log";
exec &> >(tee -a "${LOG}"); exec &> >(tee -a "${LOG}");
echo "[START] =============>"; echo "[START] =============>";
echo "AWS ID : ${account_id}"; echo "AWS ID : ${account_id}";
@@ -111,6 +116,10 @@ for ssh_group in "${ssh_groups[@]}"; do
fi; fi;
fi; fi;
while read -r username; do while read -r username; do
# skip empty, if group exists but has no users
if [ "${username}" = "" ]; then
continue;
fi;
# check that user exists in passwd # check that user exists in passwd
if ! id "${username}" &>/dev/null; then if ! id "${username}" &>/dev/null; then
out_string="[!] User $username does not exists in /etc/passwd file"; out_string="[!] User $username does not exists in /etc/passwd file";
@@ -183,10 +192,18 @@ for ssh_group in "${ssh_groups[@]}"; do
# below only works if the user logged in, a lot of them are just file upload # below only works if the user logged in, a lot of them are just file upload
# users. Use the collect script from systemd-logind or /var/log/secure # users. Use the collect script from systemd-logind or /var/log/secure
# Username Port From Latest # for the rest use lslogin, returns ":" separted list, not set is never logged in
# user pts/35 10.110.160.230 Wed Nov 2 09:40:35 +0900 2022 # LAST LOGIN :FAILED LOGIN
last_login_string=$(lastlog -u "${username}" | sed 1d); # 2025-09-12T09:56:22+09:00:
search="Never logged in"; last_login_string=$(
lslogins \
-c --noheadings --notruncate \
--time-format=iso \
-o LAST-LOGIN,FAILED-LOGIN \
-l "${username}"
);
last_login_date=$(echo "${last_login_string}" | cut -d ":" -f 1);
# search="Never logged in";
never_logged_in="false"; never_logged_in="false";
found=""; found="";
login_source=""; login_source="";
@@ -223,12 +240,10 @@ for ssh_group in "${ssh_groups[@]}"; do
login_source="ssh"; login_source="ssh";
# rewrite to Y-M-D, aka # rewrite to Y-M-D, aka
last_login_date="${last_login_date_string}" last_login_date="${last_login_date_string}"
elif [ -n "${last_login_string##*"$search"*}" ]; then elif [ -n "${last_login_date}" ]; then
# if we have "** Never logged in**" the user never logged in # if we have "** Never logged in**" the user never logged in
# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4} # we get an ISO DATE with timezone
# awk '{for(i=4;i<=NF;++i)printf $i FS}' last_login_date=$(echo "${last_login_string}" | date +"%s" -f -);
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
# date -d "Wed Nov 2 09:40:35 +0900 2022" +%s
last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}"); last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
if [ "${last_login}" -gt ${max_age_login} ]; then if [ "${last_login}" -gt ${max_age_login} ]; then
out_string="[!] Last terminal log in ${last_login} days ago"; out_string="[!] Last terminal log in ${last_login} days ago";
@@ -241,7 +256,7 @@ for ssh_group in "${ssh_groups[@]}"; do
out_string="OK [lastlog, ${last_login} days ago]"; out_string="OK [lastlog, ${last_login} days ago]";
fi; fi;
login_source="lastlog"; login_source="lastlog";
last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%F %T" -f -) last_login_date=$(echo "${last_login_string}" | date +"%F %T" -f -)
elif [ -n "${user_create_date}" ]; then elif [ -n "${user_create_date}" ]; then
if [ "${account_age}" -gt ${max_age_create} ]; then if [ "${account_age}" -gt ${max_age_create} ]; then
out_string="[!] Never logged in: account created ${account_age} days ago"; out_string="[!] Never logged in: account created ${account_age} days ago";
@@ -294,7 +309,7 @@ for ssh_group in "${ssh_groups[@]}"; do
printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}" printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}"
;; ;;
esac; esac;
done <<< "$(grep "${ssh_group}:" /etc/group | cut -d ":" -f 4 | sed -e 's/,/ /g')"; done <<< "$(grep "${ssh_group}:" /etc/group | cut -d ":" -f 4 | sed -e 's/,/\n/g')";
done; done;
if [ "${OUTPUT_TARGET}" = "text" ]; then if [ "${OUTPUT_TARGET}" = "text" ]; then
if [ -n "${lock_accounts}" ]; then if [ -n "${lock_accounts}" ]; then

111
bin/create_user.sh
View File

@@ -176,6 +176,12 @@ if [ "$(whoami)" != "root" ]; then
fi; fi;
fi; fi;
# do not allow test and info at the same
if [ ${TEST} -eq 1 ] && [ ${INFO} -eq 1 ]; then
echo "Cannot have --test and --info option at the same time";
error=1;
fi;
# exit if not -g parameter set # exit if not -g parameter set
if [ $GO -eq 0 ]; then if [ $GO -eq 0 ]; then
echo "Script has to be run with -g option for actual user creation."; echo "Script has to be run with -g option for actual user creation.";
@@ -187,20 +193,51 @@ if [ $error -eq 1 ]; then
exit; exit;
fi; fi;
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix for testing
if [ ${TEST} -eq 1 ]; then
log_prefix="[TEST] ";
fi;
# write log not in info run
if [ ${INFO} -eq 0 ]; then
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
fi;
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
# used for test run only
overall_run_error=0;
# MARK: LOOP START
# create users # create users
while read -r i; do while read -r i; do
# run error for one row
run_error=0;
# skip rows start with # (comment) # skip rows start with # (comment)
if [[ "${i}" =~ ^\# ]]; then if [[ "${i}" =~ ^\# ]]; then
continue; continue;
fi; fi;
# log create inly on not info
if [ ${INFO} -eq 0 ]; then
write_log "[CREATE] ROW: $i";
fi;
# MARK: VALUES CHECK
# POS 2: make lower case, remove spaces # POS 2: make lower case, remove spaces
username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' '); username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
# check username is alphanumeric with . # check username is alphanumeric with .
if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}"; run_error=1;
if [ ${TEST} -eq 0 ]; then write_log "[ERROR] User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}" "1";
break;
fi;
fi; fi;
# POS 3: groups # POS 3: groups
_group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' '); _group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
@@ -223,14 +260,12 @@ while read -r i; do
ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' '); ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
# if not allow or forward, set to access # if not allow or forward, set to access
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow"; run_error=1;
ssh_access_type="allow"; write_log "[ERROR] Not valid ssh access type ${ssh_access_type}" "1";
fi; fi;
if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
echo "[!!!] sshforward group does not exsts, cannot set user ${username}"; write_log "[ERROR] sshforward group does not exsts, cannot set user ${username}" "1";
if [ ${TEST} -eq 0 ]; then run_error=1;
break;
fi;
fi; fi;
ssh_group="ssh${ssh_access_type}"; ssh_group="ssh${ssh_access_type}";
# sshallow group is always added # sshallow group is always added
@@ -259,24 +294,35 @@ while read -r i; do
fi; fi;
# user & group not set # user & group not set
if [ -z "${username}" ] || [ -z "${_group}" ]; then if [ -z "${username}" ] || [ -z "${_group}" ]; then
echo "[!!!!!] Missing user or group entry for ${username}/${_group}"; run_error=1;
echo "[*** ABORT RUN ***]" write_log "[ERROR] Missing user or group entry for ${username}/${_group}" "1";
if [ ${TEST} -eq 0 ]; then
break;
fi;
else else
group_error=0; group_error=0;
# check group names valid # check group names valid
for create_group in ${_group//,/ }; do for create_group in ${_group//,/ }; do
if ! [[ "${create_group}" =~ ^[a-z0-9]+([a-z0-9_-]+[a-z0-9])?$ ]]; then if ! [[ "${create_group}" =~ ^[a-z0-9]+([a-z0-9_-]+[a-z0-9])?$ ]]; then
echo "Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}"; write_log "[ERROR] Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}" "1";
group_error=1; group_error=1;
fi; fi;
done; done;
if [ $group_error -eq 1 ] && [ ${TEST} -eq 0 ]; then if [ $group_error -eq 1 ]; then
break; run_error=1;
fi; fi;
fi; fi;
# error & test -> break
if [ ${run_error} -eq 1 ]; then
overall_run_error=1;
write_log "[*** ABORT RUN ***]" "1";
# end if not test and not info
if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
break;
else
continue;
fi;
fi;
# MARK: SSH NAMES SET
# SSH file name part without folder # SSH file name part without folder
ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem"; ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
# the full file including folder name # the full file including folder name
@@ -286,20 +332,21 @@ while read -r i; do
# check existing pub file # check existing pub file
ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub"; ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub";
# MARK: INFO
if [ ${INFO} -eq 1 ]; then if [ ${INFO} -eq 1 ]; then
info_string="User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
# test if pub file exists or not, test if user exists # test if pub file exists or not, test if user exists
echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
if getent passwd "${username}" > /dev/null 2>&1; then if getent passwd "${username}" > /dev/null 2>&1; then
echo -n ", User exists"; info_string="${info_string}, User exists";
fi; fi;
if [ -f "${ssh_keyfile_check_pub}" ]; then if [ -f "${ssh_keyfile_check_pub}" ]; then
echo -n ", SSH Pub key OK"; info_string="${info_string}, SSH Pub key OK";
fi; fi;
# line break echo "${info_string}";
echo "";
continue; continue;
fi; fi;
# MARK: CREATE
# add group for each entry in _group # add group for each entry in _group
for create_group in ${_group//,/ }; do for create_group in ${_group//,/ }; do
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
@@ -311,9 +358,9 @@ while read -r i; do
# check if user is not already created # check if user is not already created
# if getent passwd ${username} > /dev/null 2>&1; then # if getent passwd ${username} > /dev/null 2>&1; then
if id "${username}" &>/dev/null; then if id "${username}" &>/dev/null; then
echo "-- Skip '${username}:${group}(${sub_group})'"; write_log "-- Skip '${username}:${group}(${sub_group})'" "1";
else else
echo "++ Create '${username}:${group}(${sub_group})'"; write_log "++ Create '${username}:${group}(${sub_group})'" "1";
params=( params=(
"-c" "$(date +"%F")" "-s" "${user_login_shell}" "-c" "$(date +"%F")" "-s" "${user_login_shell}"
"-g" "${group}" "-G" "$(IFS=, ; echo "${sub_group_opt[*]}")" "-g" "${group}" "-G" "$(IFS=, ; echo "${sub_group_opt[*]}")"
@@ -349,7 +396,7 @@ while read -r i; do
password=${_password}; password=${_password};
fi; fi;
# create SSH key # create SSH key
echo " > Create ssh key-pair '${ssh_keyfile}'"; write_log " > Create ssh key-pair: ${ssh_keyfile}" "1";
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
ssh-keygen \ ssh-keygen \
-t "${ssh_keytype}" \ -t "${ssh_keytype}" \
@@ -366,16 +413,17 @@ while read -r i; do
fi; fi;
if [ -n "${found}" ]; then if [ -n "${found}" ]; then
skip_ssh=1; skip_ssh=1;
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub"; write_log "-- Skip SSH Key creation: ${ssh_keygen_id}.pub" "1";
else else
# override previously set with stored one # override previously set with stored one
ssh_keyfile_pub=${ssh_keyfile_check_pub}; ssh_keyfile_pub=${ssh_keyfile_check_pub};
echo " < Use existing public ssh key '${ssh_keygen_id}.pub'"; write_log " < Use existing public ssh key: ${ssh_keygen_id}.pub" "1";
# Password already set notification # Password already set notification
fi; fi;
password="[ALREADY SET]"; password="[ALREADY SET]";
fi; fi;
if [ ${skip_ssh} -eq 0 ]; then if [ ${skip_ssh} -eq 0 ]; then
# MARK: SSH CREATE
# write login info to output file # write login info to output file
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
create_output_file="${ROOT_FOLDER}${output_file}"; create_output_file="${ROOT_FOLDER}${output_file}";
@@ -444,6 +492,8 @@ done <<< "$(cat "${ROOT_FOLDER}${input_file}")";
if [ ${INFO} -eq 1 ]; then if [ ${INFO} -eq 1 ]; then
exit; exit;
fi; fi;
# MARK: ZIP FILE CREATE
# check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move # check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move
has_pem_files=0; has_pem_files=0;
if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then
@@ -488,4 +538,9 @@ else
echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*"; echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*";
fi; fi;
# MARK: TEST ERROR INFO
if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then
echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script";
fi;
# __END__ # __END__

70
bin/delete_user.sh
View File

@@ -60,20 +60,16 @@ backup_folder="${BASE_FOLDER}../backup/";
input_file='user_list.txt'; input_file='user_list.txt';
user_list_file="${root_folder}${input_file}"; user_list_file="${root_folder}${input_file}";
# log file # log file
LOG="${BASE_FOLDER}/../log/delete_user."$(date +"%F_%H%m%S"); HISTORY="${BASE_FOLDER}/../log/delete_user.log";
if [ ${TEST} -eq 0 ]; then
LOG="${LOG}.log";
else
LOG="${LOG}.test.log";
fi;
# ignore users (root and admin users) # ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# detect ssh authorized_keys setting # detect ssh authorized_keys setting
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
SSH_AUTHORIZED_FILE=''; SSH_AUTHORIZED_FILE='';
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do # shellcheck disable=SC2013
if [ -n "$(echo "${cf}" | grep "%u")" ]; then for cf in $(grep "^AuthorizedKeysFile" "/etc/ssh/sshd_config" | grep "%u"); do
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); if echo "$cf" | grep -q "%u"; then
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
exit; exit;
@@ -86,17 +82,39 @@ if [ ! -f "${user_list_file}" ]; then
exit; exit;
fi; fi;
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix for testing
if [ ${TEST} -eq 1 ]; then
log_prefix="[TEST] ";
fi;
# write log not in info run
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
# used for test run only
overall_run_error=0;
# $1 ... $n # $1 ... $n
for username in "$@"; do for username in "$@"; do
error=0; error=0;
# skip if there is an option hidden # skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then if [[ ${_arg:0:1} = "-" ]]; then
continue; continue;
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; write_log "[!] User ${username} is in the ignore user list" "1";
continue; continue;
fi; fi;
@@ -104,31 +122,33 @@ for username in "$@"; do
# if missing in or another do not continue # if missing in or another do not continue
if ! id "${username}" &>/dev/null; then if ! id "${username}" &>/dev/null; then
# not in passwd # not in passwd
echo "[!!!] User ${username} does not exist in /etc/passwd"; write_log "[ERRPR] User ${username} does not exist in /etc/passwd" "1";
error=1; error=1;
fi; fi;
user_list_entry=$(grep "${username}" "${user_list_file}"); user_list_entry=$(grep "${username}" "${user_list_file}");
if [ -z "${user_list_entry}" ]; then if [ -z "${user_list_entry}" ]; then
echo "[!!!] User ${username} does not exist in user_list.txt file"; write_log "[ERROR] User ${username} does not exist in user_list.txt file" "1";
error=1; error=1;
elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
echo "[!!!] User ${username} is flagged as deleted in user_list.txt file"; write_log "[ERROR] User ${username} is flagged as deleted in user_list.txt file" "1";
error=1; error=1;
fi; fi;
if [ $error -eq 1 ]; then if [ $error -eq 1 ]; then
overall_run_error=1;
write_log "[*** ABORT RUN ***]" "1";
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
break; break;
fi; fi;
fi; fi;
echo "=> Delete: ${username}"; write_log "=> Delete: ${username}" "1";
# ssh authorized file # ssh authorized file
SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}"; SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
# make backup from /home # make backup from /home
if [ ${BACKUP} -eq 1 ]; then if [ ${BACKUP} -eq 1 ]; then
home_folder=$(getent passwd ${username} | cut -d ":" -f 6); home_folder=$(getent passwd "${username}" | cut -d ":" -f 6);
backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2"; backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2";
files_list="${home_folder}"; files_list="${home_folder}";
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
@@ -136,7 +156,7 @@ for username in "$@"; do
fi; fi;
echo "[0] Backup ${files_list} to ${backup_file}"; echo "[0] Backup ${files_list} to ${backup_file}";
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
tar cfjp "${backup_file}" ${file_list}; tar cfjp "${backup_file}" "${files_list}";
else else
echo "$> tar cfjp \"${backup_file}\" ${files_list};"; echo "$> tar cfjp \"${backup_file}\" ${files_list};";
fi; fi;
@@ -144,9 +164,13 @@ for username in "$@"; do
echo "[1] Remove user + home dir"; echo "[1] Remove user + home dir";
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
userdel -r ${username} # remove all secondary group entries first before we delete the user
# there might be cases where they are left
usermod -G "" "${username}";
userdel -r "${username}";
else else
echo "$> userdel -r ${username}"; echo "$> usermod -G \"\" \"${username}\"";
echo "$> userdel -r \"${username}\"";
fi; fi;
# remove ssh files in pub # remove ssh files in pub
@@ -162,7 +186,7 @@ for username in "$@"; do
fi; fi;
else else
# Not critical error # Not critical error
echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}"; write_log "[?] Cannot find ${SSH_AUTHORIZED_FILE}" "1";
fi; fi;
# Update user_list.txt file and add # for the line # Update user_list.txt file and add # for the line
@@ -172,11 +196,17 @@ for username in "$@"; do
if [ ${TEST} -eq 0 ]; then if [ ${TEST} -eq 0 ]; then
sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}"; sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}";
else else
# shellcheck disable=SC2028
echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";"; echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";";
fi; fi;
echo $(date +"%F %T")";${host};${username}" >> "${LOG}"; echo "$(date +"%F %T");${host};${username};${TEST}" >> "${HISTORY}";
done; done;
# MARK: TEST ERROR INFO
if [ ${TEST} -eq 1 ] && [ ${overall_run_error} -eq 1 ]; then
echo "[ERROR] Some errors occoured during the run, they will prohibit the live run of this script";
fi;
# __END__ # __END__

35
bin/lock_user.sh
View File

@@ -46,27 +46,50 @@ ssh_allow_group="sshallow";
ssh_forward_group="sshforward"; ssh_forward_group="sshforward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"; user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
# base folder for all data
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix
if [ ${TEST} -eq 1 ]; then
log_prefix="TEST";
fi;
if [ -n "${log_prefix}" ]; then
log_prefix="[${log_prefix}] ";
fi;
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
echo "--------------------->" echo "--------------------->"
# $1 ... $n # $1 ... $n
for username in "$@"; do for username in "$@"; do
# skip if there is an option hidden # skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then if [[ ${_arg:0:1} = "-" ]]; then
continue; continue;
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; write_log "[ERROR] User ${username} is in the ignore user list" "1";
continue; continue;
fi; fi;
# check that user exists in passwd # check that user exists in passwd
if ! id "${username}" &>/dev/null; then if ! id "${username}" &>/dev/null; then
echo "[!] User ${username} does not exists in /etc/passwd file"; write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
continue; continue;
fi; fi;
# if not check if in reject list # if not check if in reject list
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
echo "[.] User ${username} already in the ${ssh_reject_group} list"; write_log "[.] User ${username} already in the ${ssh_reject_group} list";
continue; continue;
fi; fi;
# check if user is in sshallow/forward list # check if user is in sshallow/forward list
@@ -77,14 +100,14 @@ for username in "$@"; do
# if user is in ssh allow group and ALSO in ssh forward group -> bad # if user is in ssh allow group and ALSO in ssh forward group -> bad
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
if [ -n "${ssh_remove_group}" ]; then if [ -n "${ssh_remove_group}" ]; then
echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again."; write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1";
break; break;
fi; fi;
ssh_remove_group="${ssh_forward_group}"; ssh_remove_group="${ssh_forward_group}";
fi; fi;
if [ -n "${ssh_remove_group}" ]; then if [ -n "${ssh_remove_group}" ]; then
# remove user from ssh group and add to reject groups # remove user from ssh group and add to reject groups
echo "[*] User ${username} will be removed from ${ssh_remove_group}"; write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1";
if [ ${TEST} -eq 1 ]; then if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059 # shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}"; printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
@@ -94,7 +117,7 @@ for username in "$@"; do
fi; fi;
else else
# skip not ssh user # skip not ssh user
echo "[?] User ${username} not in any ssh allow/foward groups"; write_log "[?] User ${username} not in any ssh allow/foward groups" "1";
fi; fi;
done; done;

38
bin/rename_user.sh
View File

@@ -58,13 +58,6 @@ input_file='user_list.txt';
user_list_file="${ROOT_FOLDER}${input_file}"; user_list_file="${ROOT_FOLDER}${input_file}";
default_ssh_keytype='ed25519'; default_ssh_keytype='ed25519';
ssh_keytype=''; ssh_keytype='';
# log file
LOG="${BASE_FOLDER}/../log/rename_user."$(date +"%F_%H%m%S");
if [ ${TEST} -eq 0 ]; then
LOG="${LOG}.log";
else
LOG="${LOG}.test.log";
fi;
# ignore users (root and admin users) # ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin'); ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# detect ssh authorized_keys setting # detect ssh authorized_keys setting
@@ -144,6 +137,27 @@ if [ $error -eq 1 ]; then
exit; exit;
fi; fi;
# log file
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix
if [ ${TEST} -eq 1 ]; then
log_prefix="TEST";
fi;
if [ -n "${log_prefix}" ]; then
log_prefix="[${log_prefix}] ";
fi;
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
# parse user list entry for group/hostname/ssh type key to build ssh key list # parse user list entry for group/hostname/ssh type key to build ssh key list
# POS 3: groups # POS 3: groups
@@ -164,7 +178,7 @@ else
ssh_keytype=${default_ssh_keytype}; ssh_keytype=${default_ssh_keytype};
fi; fi;
echo "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}"; write_log "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}" "1";
old_home_dir=$(getent passwd "${OLD_USERNAME}" | cut -d: -f6); old_home_dir=$(getent passwd "${OLD_USERNAME}" | cut -d: -f6);
new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USERNAME}/"); new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USERNAME}/");
@@ -202,7 +216,7 @@ NEW_SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${NEW_USERNAME}";
if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then
if [ $TEST -eq 0 ]; then if [ $TEST -eq 0 ]; then
echo "rename to ${NEW_SSH_AUTHORIZED_FILE}"; write_log "rename to ${NEW_SSH_AUTHORIZED_FILE}" "1";
chattr -i "${OLD_SSH_AUTHORIZED_FILE}"; chattr -i "${OLD_SSH_AUTHORIZED_FILE}";
mv "${OLD_SSH_AUTHORIZED_FILE}" "${NEW_SSH_AUTHORIZED_FILE}"; mv "${OLD_SSH_AUTHORIZED_FILE}" "${NEW_SSH_AUTHORIZED_FILE}";
chattr +i "${NEW_SSH_AUTHORIZED_FILE}"; chattr +i "${NEW_SSH_AUTHORIZED_FILE}";
@@ -212,7 +226,7 @@ if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then
echo "$> chattr +i \"${NEW_SSH_AUTHORIZED_FILE}\";"; echo "$> chattr +i \"${NEW_SSH_AUTHORIZED_FILE}\";";
fi; fi;
else else
echo "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing"; write_log "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing" "1";
fi; fi;
# rename keygen public file # rename keygen public file
@@ -221,13 +235,13 @@ NEW_ssh_keygen_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${hostname}${s
if [ -f "${OLD_ssh_keygen_pub}" ]; then if [ -f "${OLD_ssh_keygen_pub}" ]; then
if [ $TEST -eq 0 ]; then if [ $TEST -eq 0 ]; then
echo "rename to ${NEW_ssh_keygen_pub}"; write_log "rename to ${NEW_ssh_keygen_pub}" "1";
mv "${OLD_ssh_keygen_pub}" "${NEW_ssh_keygen_pub}"; mv "${OLD_ssh_keygen_pub}" "${NEW_ssh_keygen_pub}";
else else
echo "$> mv \"${OLD_ssh_keygen_pub}\" \"${NEW_ssh_keygen_pub}\";"; echo "$> mv \"${OLD_ssh_keygen_pub}\" \"${NEW_ssh_keygen_pub}\";";
fi; fi;
else else
echo "[?] ${OLD_ssh_keygen_pub} is missing"; write_log "[?] ${OLD_ssh_keygen_pub} is missing" "1";
fi; fi;
# rename entry in user list txt file # rename entry in user list txt file

33
bin/unlock_user.sh
View File

@@ -61,31 +61,52 @@ ssh_allow_group="sshallow";
ssh_forward_group="sshforward"; ssh_forward_group="sshforward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"; user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix
if [ ${TEST} -eq 1 ]; then
log_prefix="TEST";
fi;
if [ -n "${log_prefix}" ]; then
log_prefix="[${log_prefix}] ";
fi;
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
echo "--------------------->" echo "--------------------->"
# $1 ... $n # $1 ... $n
for username in "$@"; do for username in "$@"; do
# skip if there is an option hidden # skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then if [[ ${_arg:0:1} = "-" ]]; then
continue; continue;
fi; fi;
# skip ignore users, note that if a user is not in the sshallow list anyway # skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check # we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
echo "[!] User ${username} is in the ignore user list"; write_log "[ERROR] User ${username} is in the ignore user list" "1";
continue; continue;
fi; fi;
# check that user exists in passwd # check that user exists in passwd
if ! id "${username}" &>/dev/null; then if ! id "${username}" &>/dev/null; then
echo "[!] User ${username} does not exists in /etc/passwd file"; write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
continue; continue;
fi; fi;
# check if already in OK groups # check if already in OK groups
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
echo "[.] User ${username} already in the ${ssh_allow_group} list"; write_log "[.] User ${username} already in the ${ssh_allow_group} list" "1";
continue; continue;
fi; fi;
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
echo "[.] User ${username} already in the ${ssh_forward_group} list"; write_log "[.] User ${username} already in the ${ssh_forward_group} list" "1";
continue; continue;
fi; fi;
# try to find user in user_list.txt and get the allow/forward flag from there, # try to find user in user_list.txt and get the allow/forward flag from there,
@@ -103,7 +124,7 @@ for username in "$@"; do
# check if user is in reject group remove # check if user is in reject group remove
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
# remove user from ssh group and add to reject groups # remove user from ssh group and add to reject groups
echo "[*] User ${username} will be added to ${ssh_add_group}"; write_log "[*] User ${username} will be added to ${ssh_add_group}" "1";
if [ ${TEST} -eq 1 ]; then if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059 # shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}"; printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
@@ -113,7 +134,7 @@ for username in "$@"; do
fi; fi;
else else
# skip not ssh user # skip not ssh user
echo "[?] User ${username} not in the ssh reject group"; write_log "[?] User ${username} not in the ssh reject group" "1";
fi; fi;
done; done;