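#!/usr/bin/env bash
# Lock a user out of ssh: remove them from the sshallow/sshforward group
# and add them to the sshreject group.
#
# Usage: ./lock_user.sh [-t] <user 1> <user 2> ...
#   -t   test mode: print the gpasswd commands that would run, change nothing
# Options are parsed with getopts, so -t must come before the first user
# name; any later argument starting with '-' is skipped, not treated as a user.
#
# NOTE: a group-membership change affects new logins only; sessions the user
# already has open are not terminated by this script.
#
# Exit status: 0 when every user was processed (or skipped), 1 when a
# precondition failed or at least one user could not be locked.

# -u: unset variables are errors. pipefail is deliberately not set: in_group
# relies on grep -q, which may close the pipe before id(1) is done writing.
set -u

# users that must never be locked (root and the cloud admin accounts)
readonly IGNORE_USERS=('root' 'ec2-user' 'ubuntu' 'admin')
readonly SSH_REJECT_GROUP='sshreject'
readonly SSH_ALLOW_GROUP='sshallow'
# NOTE(review): spelled "sshfoward" (no 'r') in the original; kept as-is
# because it may be the real group name on the hosts — confirm before fixing.
readonly SSH_FORWARD_GROUP='sshfoward'

# set to 1 by -t: print the gpasswd commands instead of running them
TEST=0

#######################################
# Exact-match check against IGNORE_USERS. (The original regex substring
# test would have matched 'adm' against 'admin'.)
# Arguments: $1 - user name
# Returns:   0 if the user is on the ignore list, 1 otherwise
#######################################
is_ignored_user() {
  local name=$1
  local ignored
  for ignored in "${IGNORE_USERS[@]}"; do
    if [[ "$name" == "$ignored" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Group-membership test via id(1); NUL-delimited so group names with
# unusual characters still match whole records only.
# Arguments: $1 - user name, $2 - group name
# Returns:   0 if the user is a member of the group, 1 otherwise
#######################################
in_group() {
  local name=$1
  local group=$2
  id -nGz "$name" 2>/dev/null | grep -qzxF -- "$group"
}

#######################################
# Move one user from its ssh allow/forward group into the reject group.
# Globals:   TEST (read), SSH_REJECT_GROUP, SSH_ALLOW_GROUP, SSH_FORWARD_GROUP
# Arguments: $1 - user name
# Outputs:   progress lines on stdout, failures on stderr
# Returns:   0 when the user was locked or legitimately skipped, 1 when the
#            user is in both ssh groups or gpasswd failed
#######################################
lock_user() {
  local username=$1
  local remove_group=''

  # belt-and-braces: ignored users should never be in the allow groups anyway
  if is_ignored_user "$username"; then
    printf '%s\n' "[!] User ${username} is in the ignore user list"
    return 0
  fi
  # user must resolve through id(1) (NSS, so not only /etc/passwd)
  if ! id "$username" &>/dev/null; then
    printf '%s\n' "[!] User ${username} does not exists in /etc/passwd file"
    return 0
  fi
  if in_group "$username" "$SSH_REJECT_GROUP"; then
    printf '%s\n' "[.] User ${username} already in the ${SSH_REJECT_GROUP} list"
    return 0
  fi
  if in_group "$username" "$SSH_ALLOW_GROUP"; then
    remove_group=$SSH_ALLOW_GROUP
  fi
  if in_group "$username" "$SSH_FORWARD_GROUP"; then
    # membership in both groups is a configuration error; do not guess which
    # one to remove. The original stopped the whole run here; now only this
    # user is skipped and the non-zero return makes the run exit 1.
    if [[ -n "$remove_group" ]]; then
      printf '%s\n' "[!!!! ERROR !!!!] User ${username} exists in both ${SSH_ALLOW_GROUP} and ${SSH_FORWARD_GROUP} group which should not be allowed. Remove user from one group and run script again." >&2
      return 1
    fi
    remove_group=$SSH_FORWARD_GROUP
  fi
  if [[ -z "$remove_group" ]]; then
    printf '%s\n' "[?] User ${username} not in any ssh allow/foward groups"
    return 0
  fi

  printf '%s\n' "[*] User ${username} will be removed from ${remove_group}"
  if (( TEST == 1 )); then
    # dry run: the format is a fixed literal, user data only fills the %s slots
    printf 'gpasswd -d %s %s\ngpasswd -a %s %s\n' \
      "$username" "$remove_group" "$username" "$SSH_REJECT_GROUP"
    return 0
  fi
  # same order as before (remove, then add); report which step failed so the
  # operator knows whether the user is in a half-moved state
  if ! gpasswd -d "$username" "$remove_group"; then
    printf '%s\n' "[!] gpasswd -d ${username} ${remove_group} failed" >&2
    return 1
  fi
  if ! gpasswd -a "$username" "$SSH_REJECT_GROUP"; then
    printf '%s\n' "[!] gpasswd -a ${username} ${SSH_REJECT_GROUP} failed" >&2
    return 1
  fi
  return 0
}

#######################################
# Parse options, verify preconditions and lock every user named on the
# command line.
# Globals:   TEST (written), EUID (read)
# Arguments: [-t] user...
# Returns:   0 if all users were processed, 1 otherwise; exits 1 on a failed
#            precondition and 2 on an unknown option
#######################################
main() {
  local opt
  while getopts ':t' opt; do
    case "$opt" in
      t) TEST=1 ;;
      \?)
        printf 'Unknown option -%s\n' "$OPTARG" >&2
        exit 2
        ;;
    esac
  done
  shift $((OPTIND - 1))

  # gpasswd needs root; in test mode only warn, since nothing is changed
  if (( EUID != 0 )); then
    if (( TEST == 0 )); then
      printf '%s\n' "Script must be run as root user" >&2
      exit 1
    fi
    printf '%s\n' "!!!! Script must be run as root user !!!!" >&2
  fi
  if (( $# == 0 )); then
    printf '%s\n' "Must give at least one user name" >&2
    exit 1
  fi
  # a missing reject group would make 'gpasswd -a' fail after the user had
  # already been removed from the allow group, so check it up front
  if ! getent group "$SSH_REJECT_GROUP" >/dev/null; then
    printf '%s\n' "Missing ssh reject group: ${SSH_REJECT_GROUP}" >&2
    exit 1
  fi

  local username
  local rc=0
  printf '%s\n' "--------------------->"
  for username in "$@"; do
    # getopts stops at the first non-option, so an option given after a user
    # name would otherwise be treated as a user name (was a check on an
    # unset variable before)
    if [[ "${username:0:1}" == '-' ]]; then
      continue
    fi
    lock_user "$username" || rc=1
  done
  return "$rc"
}

main "$@"
# __END__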