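#!/usr/bin/env bash
# Restore a user's SSH access: remove the user from the sshreject group and
# add them to the sshallow (or sshfoward) group.
#
# Usage: ./lock_user.sh [-t] [-s allow|forward] username...
#   -t        test mode: print the gpasswd commands instead of running them
#   -s GROUP  force the target group ("allow" or "forward"); when absent the
#             value is read from column 4 of ../user_list.txt, default "allow"
#
# Options are parsed with getopts, so they must come before the user names;
# a later argument that starts with "-" is skipped, not treated as an option.
#
# NOTE(review): the original header said "disable a user ... move them to the
# sshreject group", but the body does the reverse (out of sshreject, into
# sshallow/sshfoward). The description above follows the code; confirm the
# intended direction and the script name.
set -u

# 1 = test mode (also set by -t): commands are printed, no group is changed.
TEST=0
# Target group ("allow"/"forward") from -s; empty means "look in user_list.txt".
SSH_GROUP_ADD=''

while getopts ":ts:" opt; do
  case "${opt}" in
    t) TEST=1 ;;
    s)
      # the first -s given wins
      if [ -z "${SSH_GROUP_ADD}" ]; then
        SSH_GROUP_ADD=${OPTARG}
      fi
      ;;
    :)
      echo "Option -${OPTARG} requires an argument" >&2
      exit 1
      ;;
    \?)
      echo "Unknown option -${OPTARG}" >&2
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"

# gpasswd needs root; in test mode nothing is modified, so only warn.
if [ "$(id -u)" -ne 0 ]; then
  if [ "${TEST}" -eq 0 ]; then
    echo "Script must be run as root user" >&2
    exit 1
  fi
  echo "!!!! Script must be run as root user !!!!" >&2
fi

if [ $# -eq 0 ]; then
  echo "Must give at least one user name" >&2
  exit 1
fi

if [ -n "${SSH_GROUP_ADD}" ] \
  && [ "${SSH_GROUP_ADD}" != "allow" ] \
  && [ "${SSH_GROUP_ADD}" != "forward" ]; then
  echo "sshgroup option can only be 'allow' or 'forward'" >&2
  exit 1
fi

BASE_FOLDER="$(dirname "$(readlink -f "$0")")/"
root_folder="${BASE_FOLDER}../"
input_file='user_list.txt'

# Accounts that are never touched (root and admin users), even if listed.
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')

ssh_reject_group="sshreject"
ssh_allow_group="sshallow"
# NOTE(review): spelled "sshfoward" in the original while the header says
# "sshforward"; kept as-is, confirm against the group present in /etc/group.
ssh_forward_group="sshfoward"
# printf template used in test mode: remove-from-group, then add-to-group.
user_group_tpl='gpasswd -d %s %s\ngpasswd -a %s %s\n'

#######################################
# Returns 0 when group $1 exists in /etc/group (exact name match, no regex).
#######################################
group_exists() {
  cut -d ':' -f 1 /etc/group | grep -qxF -- "$1"
}

#######################################
# Returns 0 when user $1 is a member of group $2 (primary or supplementary).
#######################################
in_group() {
  id -nGz "$1" | grep -qzxF -- "$2"
}

if ! group_exists "${ssh_reject_group}"; then
  echo "Missing ssh reject group: ${ssh_reject_group}" >&2
  exit 1
fi

echo "--------------------->"
for username in "$@"; do
  # skip anything after the user names that still looks like an option
  if [[ "${username:0:1}" = "-" ]]; then
    continue
  fi

  # safety net: admin accounts are never moved, whatever the input says
  if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
    echo "[!] User $username is in the ignore user list"
    continue
  fi

  if ! id "${username}" &>/dev/null; then
    echo "[!] User $username does not exists in /etc/passwd file"
    continue
  fi

  # nothing to do when the user already has access
  if in_group "${username}" "${ssh_allow_group}"; then
    echo "[.] User $username already in the ${ssh_allow_group} list"
    continue
  fi
  if in_group "${username}" "${ssh_forward_group}"; then
    echo "[.] User $username already in the ${ssh_forward_group} list"
    continue
  fi

  # Target group: -s option first, else column 4 of user_list.txt, else allow.
  ssh_add_group="${SSH_GROUP_ADD}"
  if [ -z "${ssh_add_group}" ] && [ -f "${root_folder}${input_file}" ]; then
    # -F: the user name is data, not a regex; head -n 1: one row at most.
    # NOTE: still a substring match on the whole line, as in the original;
    # a name that is a prefix of another name can pick up the wrong row.
    ssh_add_group=$(grep -F -- "${username}" "${root_folder}${input_file}" \
      | head -n 1 | cut -d ';' -f 4 | tr 'A-Z' 'a-z' | tr -d ' ')
  fi
  # Validate the value actually computed (the original tested an undefined
  # variable here, which forced every user into the allow group) and map it
  # onto the same group names used by the membership checks above.
  case "${ssh_add_group}" in
    forward) ssh_add_group="${ssh_forward_group}" ;;
    *) ssh_add_group="${ssh_allow_group}" ;;
  esac

  if ! group_exists "${ssh_add_group}"; then
    echo "[!] Missing ssh group: ${ssh_add_group}, skipping user $username" >&2
    continue
  fi

  if in_group "${username}" "${ssh_reject_group}"; then
    echo "[*] User $username will be added to ${ssh_add_group}"
    if [ "${TEST}" -eq 1 ]; then
      # shellcheck disable=SC2059 -- template is a fixed constant, not user data
      printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" \
        "${username}" "${ssh_add_group}"
    else
      # Leave the reject group first; if that fails, do not grant access.
      if ! gpasswd -d "${username}" "${ssh_reject_group}"; then
        echo "[!] Failed to remove $username from ${ssh_reject_group}" >&2
        continue
      fi
      if ! gpasswd -a "${username}" "${ssh_add_group}"; then
        echo "[!] Failed to add $username to ${ssh_add_group}; user is now in neither group" >&2
      fi
    fi
  else
    echo "[?] User $username not in the ssh reject group"
  fi
done
# __END__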