
create-user.bash 2.5KB

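#!/bin/bash
# Determined Create User Script v2.0.3
# Written by AJ Oneal -- edited by Joshua Mudge
#
# Usage: create-user.bash <username> | <username>.pub | path/to/<username>.pub
#
# Creates a login account whose only remote credential is the SSH public key
# in <username>.pub, grants it sudo, and expires its password so one must be
# chosen at first login. Refuses to run unless sshd is configured for
# key-only access, because the account is briefly left without a usable
# password (see the passwd/chage section below).
#
# Exit on any error and on any unbound variable.
set -eu

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# openssl is only used to generate the throw-away initial password.
if ! command -v openssl >/dev/null 2>&1; then
  echo "ERROR: 'openssl' is not found." >&2
  echo "Please install openssl. It is used to generate a random password." >&2
  exit 1
fi

sshd_config=/etc/ssh/sshd_config
# NOTE(review): only the main file is inspected; a setting placed in an
# Include'd drop-in (e.g. /etc/ssh/sshd_config.d/*.conf) is not seen here.
# The live probe below catches the PasswordAuthentication case regardless.
if ! grep -qE '^PermitRootLogin (prohibit-password|no|without-password)$' "$sshd_config"; then
  echo "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in /etc/ssh/sshd_config" >&2
  exit 1
fi
if ! grep -q '^PasswordAuthentication no$' "$sshd_config"; then
  echo "SECURITY ERROR: 'PasswordAuthentication no' is not set in /etc/ssh/sshd_config" >&2
  exit 1
fi

# Live check that the running sshd does not offer password authentication.
# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
# ssh's -v negotiation trace is written to stderr, so it must be merged into
# the pipe (2>&1); the previous 2>/dev/null discarded it and the check could
# never fire. ssh exits non-zero here by design, hence the "|| true".
ssh_probe=$(ssh -v -o BatchMode=yes DOES_NOT_EXIST@localhost 2>&1 || true)
if grep -q password <<<"$ssh_probe"; then
  echo "SECURITY ERROR: 'PasswordAuthentication no' has not taken affect. Try 'sudo service ssh restart'" >&2
  exit 1
fi
# If the authentication phase was never reached (sshd not listening, host key
# problem, ...) the probe above proves nothing; say so rather than pass silently.
if ! grep -q 'Authentications that can continue' <<<"$ssh_probe"; then
  echo "WARNING: could not reach sshd's authentication phase on localhost; the live password-authentication check was inconclusive" >&2
fi

if (( $# < 1 )); then
  printf 'Usage: %s <username>[.pub]\n' "${0##*/}" >&2
  exit 1
fi

# The argument is either a bare user name or the (optionally path-qualified)
# public key file <username>.pub; the account name is always the basename
# without the .pub suffix. Do not reuse $USER: it is the caller's login name.
key_arg=$1
new_user=$(basename -- "$key_arg" .pub)
if [[ "$key_arg" == *.pub ]]; then
  key_file=$key_arg
else
  key_file=$key_arg.pub
fi

# Refuse names adduser would reject anyway, before anything is executed with
# them (matches Debian adduser's default NAME_REGEX; adjust if your policy
# differs).
if ! [[ "$new_user" =~ ^[a-z][-a-z0-9_]*$ ]]; then
  die "ERROR: '$new_user' is not an acceptable user name"
fi

# If they try to create root, exit.
if [[ "$new_user" == "root" ]]; then
  echo "You cannot create the root user, it already exists." >&2
  exit 1
fi

# PRE-REQ: get the user's ssh public key and store it in whoever.pub.
# Check it before the account exists so a typo does not leave a half-made user.
[[ -r "$key_file" ]] || die "ERROR: public key file '$key_file' not found or not readable"
if grep -q 'PRIVATE KEY' -- "$key_file"; then
  die "ERROR: '$key_file' contains a private key; supply the .pub file"
fi
# ssh-keygen -l parses the file; anything it cannot fingerprint is not a key
# we want appended to authorized_keys.
if ! ssh-keygen -l -f "$key_file" >/dev/null 2>&1; then
  die "ERROR: '$key_file' does not look like a valid SSH public key"
fi

# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'
# Login is disabled now; the password is handled at the end of the script.
sudo adduser --disabled-login --gecos '' "$new_user"
sudo adduser "$new_user" sudo # if sudo is needed

# Honour the home directory adduser actually assigned instead of assuming /home.
home_dir=$(getent passwd "$new_user" | cut -d: -f6)
[[ -n "$home_dir" ]] || home_dir=/home/$new_user
ssh_dir=$home_dir/.ssh

sudo mkdir -p -- "$ssh_dir"
sudo chmod 700 -- "$ssh_dir"
sudo touch -- "$ssh_dir/authorized_keys"
sudo chmod 600 -- "$ssh_dir/authorized_keys"
# Append via tee so no root shell ever interpolates the user name or path
# (the former `sudo bash -c "cat $USER.pub >> ..."` did). The extra newline
# guards against a key file without a trailing newline; authorized_keys
# ignores blank lines.
{ cat -- "$key_file"; printf '\n'; } | sudo tee -a -- "$ssh_dir/authorized_keys" >/dev/null
sudo chown -- "$new_user:$new_user" "$home_dir"
sudo chown -R -- "$new_user:$new_user" "$ssh_dir"

# Set a random password, then delete it and force a change at first login.
# Net effect: the account has an EMPTY password until the user first logs in
# over SSH (key-only, enforced by the checks above) and is made to pick one.
# NOTE(review): that empty password is usable at a local console / via su
# during the window; the checks above exist precisely to keep it off SSH.
passwd_tmp=$(openssl rand -hex 20)
printf '%s:%s\n' "$new_user" "$passwd_tmp" | sudo chpasswd
unset passwd_tmp
sudo passwd -d "$new_user"
printf "'%s' has been added with key-only authentication and a password must be set on first login\n" "$new_user"
sudo chage -d 0 "$new_user"

# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
#
# Linux
# date "+%s.%N" | md5sum
#
# macOS
# date "+%s.%N" | md5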