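#!/usr/bin/env bash
# Re-enable SSH for one or more users: remove each user from the
# sshreject group and add them to sshallow (or sshforward).
#
# NOTE(review): the original header described the opposite direction
# (allow/forward -> sshreject) and called the script lock_user.sh; the
# code only ever moves users OUT of sshreject, so the header was wrong
# (presumably a copy of the lock script's header).
#
# Usage: ./<script> [-t] [-s allow|forward] USER...
#   -t  test only: print the gpasswd commands, change nothing
#   -s  override the allow/forward flag from user_list.txt for these users
# getopts stops at the first user name, so a "-x" given after a user name
# is not an option; it is skipped in the loop below instead of being
# treated as a user name.
#
# Target group, in order of precedence: -s, column 4 of ../user_list.txt
# (';'-separated, case-insensitive), else "allow".
#
# Side effects: group membership changes via gpasswd (root only) and a
# line per event appended to ../log/user_management.log.

set -u

TEST=0            # 1 = print the group changes instead of applying them
SSH_GROUP_ADD=''  # value of -s; empty = look the group up in user_list.txt

usage() {
  echo ""
  echo "-t Test only, do not change user lock status"
  echo "-s Override ssh group from user_list.txt for this user"
}

while getopts ":ts:" opt; do
  case "${opt}" in
    t) TEST=1 ;;
    s)
      # the first -s wins; later ones are ignored
      if [ -z "${SSH_GROUP_ADD}" ]; then
        SSH_GROUP_ADD=${OPTARG}
      fi
      ;;
    :)
      # -s without a value used to be silently dropped (the ':' case was
      # missing); refuse instead, this is a privileged change
      echo "Option -${OPTARG} requires an argument" >&2
      usage
      exit 2
      ;;
    \?)
      # unknown option: refuse rather than continue and modify groups
      usage
      exit 2
      ;;
  esac
done
shift "$((OPTIND-1))"

# root is required for gpasswd; in test mode only warn (nothing is changed)
if [ "$(id -u)" -ne 0 ]; then
  if [ "${TEST}" -eq 0 ]; then
    echo "Script must be run as root user" >&2
    exit 1
  fi
  echo "!!!! Script must be run as root user !!!!" >&2
fi

if [ $# -eq 0 ]; then
  echo "Must give at least one user name" >&2
  usage
  exit 1
fi

if [ -n "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
  echo "sshgroup option can only be 'allow' or 'forward'" >&2
  exit 1
fi

BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/"
root_folder="${BASE_FOLDER}../"
input_file='user_list.txt'
# never touch these accounts, whatever the argument list says
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')
ssh_reject_group="sshreject"
ssh_allow_group="sshallow"
ssh_forward_group="sshforward"
# %s pairs: user, reject group, user, target group (test-mode output only)
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n"
LOG="${root_folder}log/user_management.log"

# getent matches the whole group name through NSS (files, LDAP, ...);
# the former unanchored grep on /etc/group also matched e.g. "xsshreject:"
if ! getent group "${ssh_reject_group}" >/dev/null; then
  echo "Missing ssh reject group: ${ssh_reject_group}" >&2
  exit 1
fi

# write_log TEXT [ECHO]
# Appends a timestamped line to $LOG (prefixed "[TEST]" in test mode) and
# also prints TEXT to stdout when ECHO is "1".
write_log() {
  local text="${1}"
  local do_echo="${2:-0}"
  local log_prefix=""
  if [ "${TEST}" -eq 1 ]; then
    log_prefix="[TEST] "
  fi
  echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}"
  if [ "${do_echo}" = "1" ]; then
    echo "${text}"
  fi
}

# is_ignored_user USER -> 0 when USER is exactly one of ignore_users.
# Exact comparison replaces the old regex match, into which USER was
# interpolated unquoted (a name such as ".*" matched everything).
is_ignored_user() {
  local candidate
  for candidate in "${ignore_users[@]}"; do
    if [[ "${candidate}" == "${1}" ]]; then
      return 0
    fi
  done
  return 1
}

# in_group USER GROUP -> 0 when USER is a member of GROUP (exact name,
# NUL-separated so names cannot be confused with substrings).
in_group() {
  id -nGz "${1}" | grep -qzxF -- "${2}"
}

# list_group USER -> prints the lower-cased, space-stripped column 4 of
# user_list.txt for every line containing USER; empty when absent.
# Fixes: '[:upper]' (missing colon) made tr fail, so any "Forward" entry
# silently fell back to allow; -F stops '.' etc. in names acting as regex.
# NOTE(review): this is still a substring match on the whole line, so
# "bob" also picks up "bobby"'s record; anchor on the user-name column
# once the layout of user_list.txt is confirmed.
list_group() {
  grep -F -- "${1}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr '[:upper:]' '[:lower:]' | tr -d ' '
}

write_log "START SCRIPT RUN"
echo "--------------------->"

for username in "$@"; do
  # an option given after the first user name was not parsed by getopts;
  # skip it (the old check tested the never-set $_arg and did nothing)
  if [[ "${username:0:1}" = "-" ]]; then
    continue
  fi

  if is_ignored_user "${username}"; then
    write_log "[ERROR] User ${username} is in the ignore user list" "1"
    continue
  fi

  if ! id "${username}" &>/dev/null; then
    write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1"
    continue
  fi

  # already unlocked: nothing to do
  if in_group "${username}" "${ssh_allow_group}"; then
    write_log "[.] User ${username} already in the ${ssh_allow_group} list" "1"
    continue
  fi
  if in_group "${username}" "${ssh_forward_group}"; then
    write_log "[.] User ${username} already in the ${ssh_forward_group} list" "1"
    continue
  fi

  # target group: -s override, else user_list.txt, else allow
  ssh_add_group="${SSH_GROUP_ADD}"
  if [ -z "${ssh_add_group}" ] && [ -f "${root_folder}${input_file}" ]; then
    ssh_add_group=$(list_group "${username}")
  fi
  if [ "${ssh_add_group}" != "allow" ] && [ "${ssh_add_group}" != "forward" ]; then
    ssh_add_group="allow"
  fi
  ssh_add_group="ssh${ssh_add_group}"

  # only users that are currently locked (in sshreject) are touched
  if ! in_group "${username}" "${ssh_reject_group}"; then
    write_log "[?] User ${username} not in the ssh reject group" "1"
    continue
  fi

  write_log "[*] User ${username} will be added to ${ssh_add_group}" "1"
  if [ "${TEST}" -eq 1 ]; then
    # shellcheck disable=SC2059
    printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}"
    continue
  fi

  # leave the reject group first; if that fails do not add the user to the
  # allow group as well, otherwise the effective state depends on how sshd
  # orders Deny/Allow groups and the log would claim an unlock that did
  # not happen (the old code ignored both gpasswd exit codes)
  if ! gpasswd -d "${username}" "${ssh_reject_group}"; then
    write_log "[ERROR] Could not remove user ${username} from ${ssh_reject_group}, not adding to ${ssh_add_group}" "1"
    continue
  fi
  if ! gpasswd -a "${username}" "${ssh_add_group}"; then
    write_log "[ERROR] Could not add user ${username} to ${ssh_add_group}" "1"
    continue
  fi
  write_log "[+] User ${username} added to ${ssh_add_group}" "1"
done
# __END__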