115 lines
3.4 KiB
Bash
Executable File
115 lines
3.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# disable a user by removing them from the sshallow/sshforward group
|
|
# and move them to the sshreject group
|
|
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
|
|
# if the -t is not in the first position it will be ignored
|
|
|
|
# SET TO 1 to TEST [will not move user in groups]
|
|
TEST=0; # no delete, just print
|
|
SSH_GROUP_ADD='';
|
|
while getopts ":ts:" opt; do
|
|
case "${opt}" in
|
|
t|test)
|
|
TEST=1;
|
|
;;
|
|
s|sshgroup)
|
|
if [ -z "${SSH_GROUP_ADD}" ]; then
|
|
SSH_GROUP_ADD=${OPTARG};
|
|
fi;
|
|
;;
|
|
esac;
|
|
done;
|
|
shift "$((OPTIND-1))"
|
|
|
|
if [ $(whoami) != "root" ]; then
|
|
if [ ${TEST} -eq 0 ]; then
|
|
echo "Script must be run as root user";
|
|
exit;
|
|
else
|
|
echo "!!!! Script must be run as root user !!!!";
|
|
fi;
|
|
fi;
|
|
|
|
if [ $# -eq 0 ]; then
|
|
echo "Must give at least one user name";
|
|
exit;
|
|
fi;
|
|
|
|
if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_GROUP_ADD}" != "forward" ]; then
|
|
echo "sshgroup option can only be 'allow' or 'forward'";
|
|
exit;
|
|
fi;
|
|
|
|
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
|
root_folder="${BASE_FOLDER}../";
|
|
input_file='user_list.txt';
|
|
# ignore users (root and admin users)
|
|
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
|
# ssh reject group
|
|
ssh_reject_group="sshreject";
|
|
if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
|
|
echo "Missing ssh reject group: ${ssh_reject_group}";
|
|
exit;
|
|
fi;
|
|
ssh_allow_group="sshallow";
|
|
ssh_forward_group="sshforward";
|
|
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
|
|
|
|
echo "--------------------->"
|
|
# $1 ... $n
|
|
for username in "$@"; do
|
|
# skip if there is an option hidden
|
|
if [[ ${_arg:0:1} = "-" ]]; then
|
|
continue;
|
|
fi;
|
|
# skip ignore users, note that if a user is not in the sshallow list anyway
|
|
# we skip them too, this is just in case check
|
|
if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
|
|
echo "[!] User ${username} is in the ignore user list";
|
|
continue;
|
|
fi;
|
|
# check that user exists in passwd
|
|
if ! id "${username}" &>/dev/null; then
|
|
echo "[!] User ${username} does not exists in /etc/passwd file";
|
|
continue;
|
|
fi;
|
|
# check if already in OK groups
|
|
if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
|
|
echo "[.] User ${username} already in the ${ssh_allow_group} list";
|
|
continue;
|
|
fi;
|
|
if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
|
|
echo "[.] User ${username} already in the ${ssh_forward_group} list";
|
|
continue;
|
|
fi;
|
|
# try to find user in user_list.txt and get the allow/forward flag from there,
|
|
# else try to set from option
|
|
# if not valid use allow
|
|
ssh_add_group="${SSH_GROUP_ADD}";
|
|
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
|
|
ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
|
|
fi;
|
|
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
|
|
ssh_add_group="allow";
|
|
fi;
|
|
ssh_add_group="ssh${ssh_add_group}";
|
|
|
|
# check if user is in reject group remove
|
|
if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
|
|
# remove user from ssh group and add to reject groups
|
|
echo "[*] User ${username} will be added to ${ssh_add_group}";
|
|
if [ ${TEST} -eq 1 ]; then
|
|
printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
|
|
else
|
|
gpasswd -d "${username}" "${ssh_reject_group}";
|
|
gpasswd -a "${username}" "${ssh_add_group}";
|
|
fi;
|
|
else
|
|
# skip not ssh user
|
|
echo "[?] User ${username} not in the ssh reject group";
|
|
fi;
|
|
done;
|
|
|
|
# __END__
|