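#!/usr/bin/env bash
# lock_user.sh — disable ssh access for one or more users by removing them
# from the sshallow/sshforward group and moving them to the sshreject group.
#
# Usage: ./lock_user.sh [-t] user...
#   -t   test mode: print the gpasswd commands that would run, change nothing.
#        The option must come before the user names; an argument starting
#        with "-" that appears after the user names is skipped, not parsed.
#
# Exit status: 0 when every given user was processed (individual users may
# still have been skipped with a "[!]"/"[?]"/"[.]" message), 1 on a usage or
# environment error or a failed gpasswd call, 2 when a user is found in both
# the allow and the forward group (nothing is changed for that user).
#
# NOTE(review): group membership is checked by sshd at login time, so sessions
# that are already open are not ended by this script — confirm that the
# lockout procedure this is part of handles existing sessions separately.

set -u

# SET TO 1 to TEST [will not move user in groups]
TEST=0 # no delete, just print

# ignore users (root and admin users)
readonly ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')
# ssh reject group: locked users are added here
readonly ssh_reject_group="sshreject"
readonly ssh_allow_group="sshallow"
# NOTE(review): the value below is spelled "sshfoward" while the header calls
# the group sshforward; it is kept as-is because it must match the group that
# actually exists on the host — verify with `getent group sshfoward`.
readonly ssh_forward_group="sshfoward"
# printf template printed in test mode: remove-from-group, then add-to-group
readonly user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"

#######################################
# Print a diagnostic message to stderr.
# Arguments: $* - message
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Test whether a word is present in a list (exact match).
# Arguments: $1 - needle; $2... - list items
# Returns:   0 if found, 1 otherwise
#######################################
in_list() {
  local needle=$1 item
  shift
  for item in "$@"; do
    [[ "$item" == "$needle" ]] && return 0
  done
  return 1
}

#######################################
# Test whether a user is a member of a group (primary or supplementary).
# Arguments: $1 - user name; $2 - group name
# Returns:   0 if member, non-zero otherwise
#######################################
user_in_group() {
  local user=$1 group=$2
  # -z makes both sides NUL-delimited, -x requires a whole-record match and
  # -F a literal one, so a group name that is a prefix/suffix of another
  # (e.g. "ssh" vs "sshallow") cannot produce a false positive.
  id -nGz "$user" 2>/dev/null | grep -qzxF -- "$group"
}

#######################################
# Move one user out of the allow/forward group and into the reject group.
# Globals:   TEST, ignore_users, ssh_allow_group, ssh_forward_group,
#            ssh_reject_group, user_group_tpl (read)
# Arguments: $1 - user name
# Outputs:   one status line per user on stdout; in test mode also the
#            gpasswd commands that would have run
# Returns:   0 when done or skipped, 1 if a gpasswd call failed,
#            2 when the user is in both the allow and the forward group
#######################################
lock_user() {
  local username=$1 ssh_remove_group=''

  # skip ignore users, note that if a user is not in the sshallow list anyway
  # we skip them too, this is just in case check
  if in_list "$username" "${ignore_users[@]}"; then
    printf '[!] User %s is in the ignore user list\n' "$username"
    return 0
  fi

  # check that user exists in passwd
  if ! id "$username" &>/dev/null; then
    printf '[!] User %s does not exists in /etc/passwd file\n' "$username"
    return 0
  fi

  # already locked: nothing to do
  if user_in_group "$username" "$ssh_reject_group"; then
    printf '[.] User %s already in the %s list\n' "$username" "$ssh_reject_group"
    return 0
  fi

  # check if user is in sshallow/forward list
  if user_in_group "$username" "$ssh_allow_group"; then
    ssh_remove_group=$ssh_allow_group
  fi
  if user_in_group "$username" "$ssh_forward_group"; then
    # if user is in ssh allow group and ALSO in ssh forward group -> bad;
    # refuse to guess which membership is the intended one
    if [[ -n "$ssh_remove_group" ]]; then
      printf '[!!!! ERROR !!!!] User %s exists in both %s and %s group which should not be allowed. Remove user from one group and run script again.\n' \
        "$username" "$ssh_allow_group" "$ssh_forward_group"
      return 2
    fi
    ssh_remove_group=$ssh_forward_group
  fi

  if [[ -z "$ssh_remove_group" ]]; then
    # skip not ssh user
    printf '[?] User %s not in any ssh allow/foward groups\n' "$username"
    return 0
  fi

  # remove user from ssh group and add to reject group
  printf '[*] User %s will be removed from %s\n' "$username" "$ssh_remove_group"
  if (( TEST == 1 )); then
    # the template is a readonly constant defined above, not user input
    # shellcheck disable=SC2059
    printf "$user_group_tpl" "$username" "$ssh_remove_group" "$username" "$ssh_reject_group"
    return 0
  fi
  # each gpasswd call is checked so a silent failure cannot leave the user
  # looking locked in the log while still being a member of the allow group
  if ! gpasswd -d "$username" "$ssh_remove_group"; then
    warn "[!] Failed to remove $username from $ssh_remove_group"
    return 1
  fi
  if ! gpasswd -a "$username" "$ssh_reject_group"; then
    warn "[!] Failed to add $username to $ssh_reject_group"
    return 1
  fi
  return 0
}

#######################################
# Entry point: parse options, validate the environment, lock each user.
# Globals:   TEST (written), ssh_reject_group (read)
# Arguments: command line ("$@")
# Returns:   exits 0/1/2 as described in the file header
#######################################
main() {
  local opt username rc status=0

  while getopts ":t" opt; do
    case "$opt" in
      t) TEST=1 ;;
      \?) warn "[!] Unknown option -$OPTARG ignored" ;;
    esac
  done
  shift "$((OPTIND - 1))"

  # group changes need root; in test mode nothing is written, so only warn
  if (( EUID != 0 )); then
    if (( TEST == 0 )); then
      warn "Script must be run as root user"
      exit 1
    fi
    warn "!!!! Script must be run as root user !!!!"
  fi

  if (( $# == 0 )); then
    warn "Must give at least one user name"
    exit 1
  fi

  # exact-name lookup instead of a substring grep over /etc/group, so a group
  # such as "xsshreject" cannot satisfy the check; getent also covers groups
  # served by NSS rather than the flat file
  if ! getent group "$ssh_reject_group" >/dev/null; then
    warn "Missing ssh reject group: $ssh_reject_group"
    exit 1
  fi

  echo "--------------------->"
  # $1 ... $n
  for username in "$@"; do
    # skip if there is an option hidden among the user names
    if [[ "$username" == -* ]]; then
      continue
    fi
    lock_user "$username"
    rc=$?
    if (( rc == 2 )); then
      # inconsistent group membership: stop, the message asks the operator
      # to fix it and run the script again
      exit 2
    fi
    (( rc != 0 )) && status=1
  done
  exit "$status"
}

main "$@"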