ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
ServerUserCreate/bin/unlock_user.sh
Clemens Schwaighofer fa47178ed1 Add central logging for all actions done 
log file "user_management.log"

Each line is
[YYYY-MM-DD HH:mm:ss] [script name] [TEST] ...

[TEST] is only set if we are in a test run

for create user, if info flag is set, we do not write a log
2024-12-09 11:37:37 +09:00

142 lines
4.1 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
# if the -t is not in the first position it will be ignored
# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no delete, just print
SSH_GROUP_ADD='';
while getopts ":ts:" opt; do
case "${opt}" in
t) # test
TEST=1;
;;
s) # sshgroup
if [ -z "${SSH_GROUP_ADD}" ]; then
SSH_GROUP_ADD=${OPTARG};
fi;
;;
\?)
echo "";
echo "-t Test only, do not change user lock status";
echo "-s <group> Override ssh group from user_list.txt for this user";
;;
esac;
done;
shift "$((OPTIND-1))"
if [ "$(whoami)" != "root" ]; then
if [ ${TEST} -eq 0 ]; then
echo "Script must be run as root user";
exit;
else
echo "!!!! Script must be run as root user !!!!";
fi;
fi;
if [ $# -eq 0 ]; then
echo "Must give at least one user name";
exit;
fi;
if [ -n "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
echo "sshgroup option can only be 'allow' or 'forward'";
exit;
fi;
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
root_folder="${BASE_FOLDER}../";
input_file='user_list.txt';
# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group
ssh_reject_group="sshreject";
if ! grep -q "${ssh_reject_group}:" /etc/group; then
echo "Missing ssh reject group: ${ssh_reject_group}";
exit;
fi;
ssh_allow_group="sshallow";
ssh_forward_group="sshforward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
text="${1}";
do_echo="${2}";
log_prefix="";
# log prefix
if [ ${TEST} -eq 1 ]; then
log_prefix="TEST";
fi;
if [ -n "${log_prefix}" ]; then
log_prefix="[${log_prefix}] ";
fi;
echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
if [ "${do_echo}" = "1" ]; then
echo "${text}";
fi;
}
write_log "START SCRIPT RUN";
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
# skip if there is an option hidden
# shellcheck disable=SC2154
if [[ ${_arg:0:1} = "-" ]]; then
continue;
fi;
# skip ignore users, note that if a user is not in the sshallow list anyway
# we skip them too, this is just in case check
if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
write_log "[ERROR] User ${username} is in the ignore user list" "1";
continue;
fi;
# check that user exists in passwd
if ! id "${username}" &>/dev/null; then
write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
continue;
fi;
# check if already in OK groups
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
write_log "[.] User ${username} already in the ${ssh_allow_group} list" "1";
continue;
fi;
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
write_log "[.] User ${username} already in the ${ssh_forward_group} list" "1";
continue;
fi;
# try to find user in user_list.txt and get the allow/forward flag from there,
# else try to set from option
# if not valid use allow
ssh_add_group="${SSH_GROUP_ADD}";
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr '[:upper]' '[:lower:]' | tr -d ' ');
fi;
if [ "${ssh_add_group}" != "allow" ] && [ "${ssh_add_group}" != "forward" ]; then
ssh_add_group="allow";
fi;
ssh_add_group="ssh${ssh_add_group}";
# check if user is in reject group remove
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
# remove user from ssh group and add to reject groups
write_log "[*] User ${username} will be added to ${ssh_add_group}" "1";
if [ ${TEST} -eq 1 ]; then
# shellcheck disable=SC2059
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
else
gpasswd -d "${username}" "${ssh_reject_group}";
gpasswd -a "${username}" "${ssh_add_group}";
fi;
else
# skip not ssh user
write_log "[?] User ${username} not in the ssh reject group" "1";
fi;
done;
# __END__
Reference in New Issue View Git Blame Copy Permalink