AwsUserCreate/bin/lock_user.sh

#!/usr/bin/env bash

# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
# Note that call is ./lock_user.sh -t <user 1> <user 2> ...
# if the -t is not in the first position it will be ignored

# SET TO 1 to TEST [will not move user in groups]
TEST=0; # no delete, just print
while getopts ":t" opt; do
	case "${opt}" in
		t) # test
			TEST=1;
			;;
		\?)
			echo "";
			echo "-t test run, do not lock users";
			;;
	esac;
done;
shift "$((OPTIND-1))"

if [ "$(whoami)" != "root" ]; then
	if [ ${TEST} -eq 0 ]; then
		echo "Script must be run as root user";
		exit;
	else
		echo "!!!! Script must be run as root user !!!!";
	fi;
fi;

if [ $# -eq 0 ]; then
	echo "Must give at least one user name";
	exit;
fi;

# ignore users (root and admin users)
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
# ssh reject group
ssh_reject_group="sshreject";
if ! grep -q "${ssh_reject_group}:" /etc/group; then
	echo "Missing ssh reject group: ${ssh_reject_group}";
	exit;
fi;
ssh_allow_group="sshallow";
ssh_forward_group="sshforward";
user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";

# base folder for all data
BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
LOG="${BASE_FOLDER}/../log/user_management.log";
function write_log()
{
	text="${1}";
	do_echo="${2}";
	log_prefix="";
	# log prefix
	if [ ${TEST} -eq 1 ]; then
		log_prefix="TEST";
	fi;
	if [ -n "${log_prefix}" ]; then
		log_prefix="[${log_prefix}] ";
	fi;
	echo "[$(date +"%F %T")] [$0] ${log_prefix}${text}" >> "${LOG}";
	if [ "${do_echo}" = "1" ]; then
		echo "${text}";
	fi;
}
write_log "START SCRIPT RUN";

echo "--------------------->"
# $1 ... $n
for username in "$@"; do
	# skip if there is an option hidden
	# shellcheck disable=SC2154
	if [[ ${_arg:0:1} = "-" ]]; then
		continue;
	fi;
	# skip ignore users, note that if a user is not in the sshallow list anyway
	# we skip them too, this is just in case check
	if [[ " ${ignore_users[*]} " =~ [[:space:]]${username}[[:space:]] ]]; then
		write_log "[ERROR] User ${username} is in the ignore user list" "1";
		continue;
	fi;
	# check that user exists in passwd
	if ! id "${username}" &>/dev/null; then
		write_log "[ERROR] User ${username} does not exists in /etc/passwd file" "1";
		continue;
	fi;
	# if not check if in reject list
	if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
		write_log "[.] User ${username} already in the ${ssh_reject_group} list";
		continue;
	fi;
	# check if user is in sshallow/forward list
	ssh_remove_group='';
	if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
		ssh_remove_group="${ssh_allow_group}";
	fi;
	# if user is in ssh allow group and ALSO in ssh forward group -> bad
	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
		if [ -n "${ssh_remove_group}" ]; then
			write_log "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again." "1";
			break;
		fi;
		ssh_remove_group="${ssh_forward_group}";
	fi;
	if [ -n "${ssh_remove_group}" ]; then
		# remove user from ssh group and add to reject groups
		write_log "[*] User ${username} will be removed from ${ssh_remove_group}" "1";
		if [ ${TEST} -eq 1 ]; then
			# shellcheck disable=SC2059
			printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
		else
			gpasswd -d "${username}" "${ssh_remove_group}";
			gpasswd -a "${username}" "${ssh_reject_group}";
		fi;
	else
		# skip not ssh user
		write_log "[?] User ${username} not in any ssh allow/foward groups" "1";
	fi;
done;

# __END__