ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ebddac7f675e02962dc8a634f10a9343320583da
ServerUserCreate/bin/lock_user.sh
Clemens Schwaighofer ebddac7f67 Rename script names, add lock script 
Add a user lock script to move users from ssh allow/foward group to ssh
reject group.

Rename user_create.sh script to create_user.sh script and add new ssh
allow/foward flag in user_list.txt file after group block and before
password name block

Update check last login script with better add/remove from groups
2022-12-01 18:22:46 +09:00

79 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no creation except ssh keys
INFO=0; # no creation of anything, just print info strings
while getopts ":ti" opt; do
case "${opt}" in
t|test)
TEST=1;
;;
i|info)
INFO=1;
;;
esac;
done;
if [ $# -eq 0 ]; then
echo "Must give at least one user name";
exit;
fi;
# ssh reject group
ssh_reject_group="sshreject";
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
echo "Missing ssh reject group: ${ssh_reject_group}";
exit;
fi;
ssh_allow_group="sshallow";
ssh_forward_group="sshfoward";
delete_accounts="";
user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
echo "--------------------->"
# $1 ... $n
for username in "$@"; do
# check that user exists in passwd
if [ -z $(cat /etc/passwd | grep "${username}:") ]; then
echo "[!] User $username does not exists in /etc/passwd file";
continue;
fi;
# if not check if in reject list
if id -nGz "${username}" | grep -qzxF "${ssh_reject}"; then
echo "[.] User $username already in the ${ssh_reject} list";
continue;
fi;
# check if user is in sshallow/forward list
ssh_remove_group='';
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
ssh_remove_group="${ssh_allow_group}";
fi;
# if user is in ssh allow group and ALSO in ssh forward group -> bad
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
if [ ! -z "${ssh_remove_group}" ]; then
echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
break;
fi;
ssh_remove_group="${ssh_forward_group}";
fi;
if [ ! -z "${ssh_remove_group}" ]; then
# remove user from ssh group and add to reject groups
echo "[*] User $username will be removed from ${ssh_remove_group}";
delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n';
else
# skip not ssh user
echo "[?] User $username not in any ssh allow/foward groups";
fi;
done;
if [ ! -z "${delete_accounts}" ]; then
echo "--------------------->"
echo "% Run list below to move users to reject ssh group";
echo "";
echo "${delete_accounts}";
fi;
# __END__
Reference in New Issue View Git Blame Copy Permalink