Add rename user script: renames the user, the home dir and connected files. Fix the delete script by removing the unneeded option (-g). Update all scripts to exit only after all errors are shown, unless it is a critical run error.
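#!/usr/bin/env bash
# Delete user
# - Backup
# - delete user
# - delete home
# - remove ssh-keygen-created-pub files
# - remove ssh central auth data if exists
# - update user_list.txt and comment (#) line for this user
# - write delete log
#
# This will permanently remove the user.
#
# Usage: <script> [-t] [-b] username...
#   -t  test run: print the commands that would be executed, run none of them
#   -b  do not back up the home folder and the central authorized_keys file
#
# Exit status: 1 on a usage error or a critical run error (not root, missing
# tools, missing user_list.txt / backup / log folder, unknown central
# authorized_keys folder), 0 otherwise. A problem with a single user is
# reported on stdout; in a real run the remaining users are then not processed.

TEST=0    # 1 = do not run any actions, only print them
BACKUP=1  # 1 = tar the home folder (and the central key file) before deletion

# Print the option help (usage errors only, goes to stdout like the rest).
usage() {
  echo "Use -t for test"
  echo "Use -b to not make a backup of the home folder and public key"
}

while getopts ":tb" opt; do
  case "${opt}" in
    t) TEST=1 ;;
    b) BACKUP=0 ;;
    \?)
      echo -e "\n Option does not exist: ${OPTARG}\n"
      usage
      exit 1
      ;;
  esac
done
shift "$((OPTIND-1))"

# a real run needs root; a test run only warns so it can be tried as any user
if [ "$(id -u)" -ne 0 ]; then
  if [ "${TEST}" -eq 0 ]; then
    echo "Script must be run as root user"
    exit 1
  else
    echo "!!!! Script must be run as root user !!!!"
  fi
fi

if [ $# -eq 0 ]; then
  echo "Must give at least one user name"
  exit 1
fi

# check tar, bzip2 is installed if backup = 1
if [ "${BACKUP}" -eq 1 ]; then
  for tool in tar bzip2; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      echo "${tool} is needed for the backup, install it or run with -b"
      exit 1
    fi
  done
fi

host=$(hostname)
timestamp=$(date +%Y%m%d-%H%M%S)
# character to set between info blocks in the backup file name
separator="#"
# base folder for all data: the folder this script lives in, with trailing /
BASE_FOLDER="$(dirname "$(readlink -f "$0")")/"
root_folder="${BASE_FOLDER}../"
backup_folder="${BASE_FOLDER}../backup/"
# the public key of the user is kept in this folder (not touched by this script)
# shellcheck disable=SC2034
SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/'
input_file='user_list.txt'
user_list_file="${root_folder}${input_file}"
# log file: one line per deleted user, see the end of the loop
# (%M = minutes; the earlier %m wrote the month into the file name)
log_folder="${BASE_FOLDER}../log/"
LOG="${log_folder}delete_user.$(date +"%F_%H%M%S")"
if [ "${TEST}" -eq 0 ]; then
  LOG="${LOG}.log"
else
  LOG="${LOG}.test.log"
fi
# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')

# detect ssh authorized_keys setting: an AuthorizedKeysFile entry containing
# %u means one key file per user in a central folder, that file is backed up
# and removed as well. Stays empty when sshd has no such entry.
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''
SSH_AUTHORIZED_FILE=''
while IFS= read -r cf_line; do
  # shellcheck disable=SC2086 -- split the directive into its path tokens on purpose
  for cf in ${cf_line}; do
    [[ "${cf}" == *%u* ]] || continue
    SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf//%u/}"
    if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
      echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"
      exit 1
    fi
  done
done < <(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u")

if [ ! -f "${user_list_file}" ]; then
  echo "${input_file} is missing"
  exit 1
fi
# the delete log is the audit trail, do not start without a place to write it
if [ ! -d "${log_folder}" ]; then
  echo "log folder is missing: ${log_folder}"
  exit 1
fi
if [ "${BACKUP}" -eq 1 ] && [ "${TEST}" -eq 0 ] && [ ! -d "${backup_folder}" ]; then
  echo "backup folder is missing: ${backup_folder}"
  exit 1
fi

# $1 ... $n
for username in "$@"; do
  error=0
  # skip if there is an option hidden between the user names
  if [[ "${username:0:1}" = "-" ]]; then
    continue
  fi
  # the name is spliced into the sed pattern below and used as a file name;
  # only accept the portable user name character set so it cannot change
  # either of them
  if [[ ! "${username}" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "[!!!] User name '${username}' contains unsupported characters, skipped"
    continue
  fi
  # skip ignore users, note that if a user is not in the sshallow list anyway
  # we skip them too, this is just in case check
  if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
    echo "[!] User ${username} is in the ignore user list"
    continue
  fi

  # user must exist in user_list.txt and /etc/passwd
  # if missing in one or the other do not continue
  if ! id "${username}" &>/dev/null; then
    # not in passwd
    echo "[!!!] User ${username} does not exist in /etc/passwd"
    error=1
  fi
  # match the user name field exactly (2nd ";" separated field, as the sed
  # below expects); a plain grep also matched "bob" inside "bobby" or in
  # any other column
  user_list_entry=$(awk -F';' -v u="${username}" '$2 == u' "${user_list_file}")
  if [ -z "${user_list_entry}" ]; then
    echo "[!!!] User ${username} does not exist in user_list.txt file"
    error=1
  elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
    echo "[!!!] User ${username} is flagged as deleted in user_list.txt file"
    error=1
  fi

  # a real run stops at the first bad user; a test run goes on and prints
  # what would have been executed
  if [ "${error}" -eq 1 ]; then
    if [ "${TEST}" -eq 0 ]; then
      echo "[!!!] Stopping, the remaining users are not processed"
      break
    fi
  fi

  echo "=> Delete: ${username}"
  # per user file in the central authorized_keys folder; stays empty when
  # no such folder is configured so the bare user name is never used as a
  # relative path for the rm below
  SSH_AUTHORIZED_FILE=''
  if [ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
    SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}"
  fi

  # make backup from /home
  if [ "${BACKUP}" -eq 1 ]; then
    home_folder=$(getent passwd "${username}" | cut -d ":" -f 6)
    backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2"
    # paths to archive, kept in an array so they reach tar unsplit
    files_list=("${home_folder}")
    if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
      files_list+=("${SSH_AUTHORIZED_FILE}")
    fi
    echo "[0] Backup ${files_list[*]} to ${backup_file}"
    if [ "${TEST}" -eq 0 ]; then
      # do not delete anything whose backup did not succeed
      if ! tar cfjp "${backup_file}" "${files_list[@]}"; then
        echo "[!!!] Backup of ${username} failed, user is not deleted"
        continue
      fi
    else
      echo "$> tar cfjp \"${backup_file}\" ${files_list[*]};"
    fi
  fi

  echo "[1] Remove user + home dir"
  if [ "${TEST}" -eq 0 ]; then
    # userdel -r also returns non-zero when only the home dir could not be
    # removed, so this is reported but the remaining steps still run
    if ! userdel -r "${username}"; then
      echo "[!!] userdel -r ${username} returned an error, check the output above"
    fi
  else
    echo "$> userdel -r ${username}"
  fi

  # remove ssh files in pub
  echo "[2] Remove SSH Public key"
  # Note, we keep the public key in the -created-pub folder
  if [ -z "${SSH_AUTHORIZED_FILE}" ]; then
    # Not critical: sshd has no central %u authorized_keys folder
    echo "[?] No central authorized_keys folder configured, nothing to remove"
  elif [ -f "${SSH_AUTHORIZED_FILE}" ]; then
    if [ "${TEST}" -eq 0 ]; then
      chattr -i "${SSH_AUTHORIZED_FILE}"
      rm "${SSH_AUTHORIZED_FILE}"
    else
      echo "$> chattr -i \"${SSH_AUTHORIZED_FILE}\";"
      echo "$> rm \"${SSH_AUTHORIZED_FILE}\";"
    fi
  else
    # Not critical error
    echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}"
  fi

  # Update user_list.txt file and add # for the line
  echo "[3] Update user_list.txt file"
  # eg n;foo -> #DELETED-YYYYMMDD_HHmmss:n;foo ...
  delete_date=$(date +%Y%m%d_%H%M%S)
  # "." is the only regex metacharacter the name validation above lets through
  sed_user=${username//./\\.}
  if [ "${TEST}" -eq 0 ]; then
    sed -i -e "s/^\([A-Za-z0-9]\{1,\};${sed_user};\)/#DELETED-${delete_date}:\1/" "${user_list_file}"
  else
    echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${sed_user};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";"
  fi

  # delete log line: "YYYY-MM-DD HH:MM:SS;host;user"
  printf '%s;%s;%s\n' "$(date +"%F %T")" "${host}" "${username}" >> "${LOG}"

done

# __END__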