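#!/usr/bin/env bash
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
#
# Usage: ./lock_user.sh [-t] username...
#   -t  test run: only print the gpasswd commands, do not change any group
#
# Note that call is ./lock_user.sh -t ...
# getopts stops at the first non-option argument, so a -t given after a
# user name is not parsed as an option; such arguments are skipped in the
# user loop below instead of being handed to id/gpasswd.
# Log lines are appended to ../log/user_management.log next to this script.

# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no delete, just print
while getopts ":t" opt; do
  case "${opt}" in
    t) # test
      TEST=1
      ;;
    \?)
      echo ""
      echo "-t test run, do not lock users"
      ;;
  esac
done
shift "$((OPTIND-1))"

# group changes need root; in test mode nothing is changed, so only warn
if [ "$(whoami)" != "root" ]; then
  if [ "${TEST}" -eq 0 ]; then
    echo "Script must be run as root user" >&2
    exit 1
  else
    echo "!!!! Script must be run as root user !!!!" >&2
  fi
fi

if [ $# -eq 0 ]; then
  echo "Must give at least one user name" >&2
  exit 1
fi

# ignore users (root and admin users): never locked even if named on the command line
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')

# ssh reject group
ssh_reject_group="sshreject"
# anchored so that e.g. "xsshreject:" does not satisfy the check
if ! grep -q "^${ssh_reject_group}:" /etc/group; then
  echo "Missing ssh reject group: ${ssh_reject_group}" >&2
  exit 1
fi
ssh_allow_group="sshallow"
ssh_forward_group="sshforward"
# printf template used in test mode to show the gpasswd calls that would run
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"

# base folder for all data (directory of this script, symlinks resolved, trailing /)
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/"
LOG="${BASE_FOLDER}../log/user_management.log"

#######################################
# Append a timestamped line to the log file, optionally echoing it.
# Globals:   TEST (read), LOG (read)
# Arguments: $1 - message text
#            $2 - "1" to also print the text to stdout (optional)
# Outputs:   appends to ${LOG}; prints $1 to stdout when $2 is "1"
#######################################
write_log() {
  local text="${1}"
  local do_echo="${2:-}"
  local log_prefix=""
  # mark dry-run lines so a test run and a real run can be told apart in the log
  if [ "${TEST}" -eq 1 ]; then
    log_prefix="[TEST] "
  fi
  printf '%s\n' "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"
  if [ "${do_echo}" = "1" ]; then
    printf '%s\n' "${text}"
  fi
}

#######################################
# Check whether a user name is on the ignore list.
# Compared literally (not as a regex) so names containing pattern
# characters cannot match more than themselves.
# Globals:   ignore_users (read)
# Arguments: $1 - user name
# Returns:   0 if the user is ignored, 1 otherwise
#######################################
is_ignored_user() {
  local entry
  for entry in "${ignore_users[@]}"; do
    if [ "${entry}" = "${1}" ]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Check whether a user is a member of a group (primary or supplementary).
# Arguments: $1 - user name
#            $2 - group name
# Returns:   0 if member, 1 otherwise
#######################################
in_group() {
  # NUL-separated group list + -z/-x/-F: exact, literal, whole-entry match
  id -nGz "${1}" | grep -qzxF -- "${2}"
}

write_log "START SCRIPT RUN"
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
  # skip if there is an option hidden after the first user name
  # (getopts only parses leading options); never pass a "-..." to id/gpasswd
  if [[ "${username:0:1}" = "-" ]]; then
    write_log "[?] Skipping option-like argument ${username}" "1"
    continue
  fi
  # skip ignore users, note that if a user is not in the sshallow list anyway
  # we skip them too, this is just in case check
  if is_ignored_user "${username}"; then
    write_log "[ERROR] User ${username} is in the ignore user list" "1"
    continue
  fi
  # check that user exists in passwd
  if ! id "${username}" &>/dev/null; then
    write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1"
    continue
  fi
  # already locked: nothing to do
  if in_group "${username}" "${ssh_reject_group}"; then
    write_log "[.] User ${username} already in the ${ssh_reject_group} list"
    continue
  fi
  # check if user is in sshallow/forward list
  ssh_remove_group=''
  if in_group "${username}" "${ssh_allow_group}"; then
    ssh_remove_group="${ssh_allow_group}"
  fi
  # if user is in ssh allow group and ALSO in ssh forward group -> bad
  if in_group "${username}" "${ssh_forward_group}"; then
    if [ -n "${ssh_remove_group}" ]; then
      write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1"
      # deliberately stop the whole run (not just this user) so the
      # inconsistent group state is fixed before any further locking
      break
    fi
    ssh_remove_group="${ssh_forward_group}"
  fi
  if [ -n "${ssh_remove_group}" ]; then
    # remove user from ssh group and add to reject groups
    write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1"
    if [ "${TEST}" -eq 1 ]; then
      # shellcheck disable=SC2059
      printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}"
    else
      # removal from the allow/forward group is the actual lock. If it fails,
      # do NOT add the user to the reject group: a later run would then see
      # "already in sshreject" and skip a user who still has ssh access.
      if gpasswd -d "${username}" "${ssh_remove_group}"; then
        write_log "[*] User ${username} removed from ${ssh_remove_group}"
      else
        write_log "[ERROR] gpasswd -d ${username} ${ssh_remove_group} failed, user NOT locked" "1"
        continue
      fi
      if gpasswd -a "${username}" "${ssh_reject_group}"; then
        write_log "[*] User ${username} added to ${ssh_reject_group}"
      else
        write_log "[ERROR] gpasswd -a ${username} ${ssh_reject_group} failed" "1"
      fi
    fi
  else
    # skip not ssh user
    write_log "[?] User ${username} not in any ssh allow/foward groups" "1"
  fi
done
# __END__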