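#!/bin/bash
#
# Determined Create User Script v2.0.3
#
# Written by AJ Oneal -- edited by Joshua Mudge
#
# Usage: create-user.bash <name>[.pub]
#
# Creates the account <name>, adds it to the sudo group, installs the SSH
# public key read from <name>.pub (taken from the same directory the path on
# the command line points at) as its only credential, and expires the
# password so that one must be chosen at first login.
#
# The script refuses to run unless sshd is configured for key-only access,
# because the new account briefly carries a password and then an empty one.

# Exit on any error, on use of an unset variable, and when any stage of a
# pipeline fails.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Check whether the effective sshd configuration sets an option to one of the
# accepted values. `sshd -T` reports the configuration the daemon actually
# uses (including Include'd drop-in files); when it cannot be queried, fall
# back to a case-insensitive grep of the main config file, since sshd
# keywords are case-insensitive and may be indented.
# Arguments: $1 - option keyword, e.g. PermitRootLogin
#            $2 - extended-regex alternation of accepted values, e.g. 'no|yes'
# Returns:   0 if the option is set to an accepted value, 1 otherwise
#######################################
sshd_option_is() {
  local option=$1
  local values=$2
  local effective
  if effective=$(sudo sshd -T 2>/dev/null); then
    grep -Eiq "^${option}[[:space:]]+(${values})[[:space:]]*$" <<<"$effective"
  else
    grep -Eiq "^[[:space:]]*${option}[[:space:]]+(${values})[[:space:]]*$" \
      -- "$SSHD_CONFIG"
  fi
}

# --- prerequisites ---------------------------------------------------------

if ! command -v openssl >/dev/null 2>&1; then
  printf '%s\n' "ERROR: 'openssl' is not found." \
    "Please install openssl. It is used to generate a random password." >&2
  exit 1
fi

# Root must not be reachable with a password; all three spellings are
# accepted by sshd ('without-password' is the legacy alias).
sshd_option_is PermitRootLogin 'prohibit-password|no|without-password' \
  || die "SECURITY ERROR: 'PermitRootLogin prohibit-password' is not set in $SSHD_CONFIG"

sshd_option_is PasswordAuthentication 'no' \
  || die "SECURITY ERROR: 'PasswordAuthentication no' is not set in $SSHD_CONFIG"

# The file on disk is not enough: a running daemon may predate the edit, so
# ask the live server which authentication methods it offers.
# http://stackoverflow.com/questions/43481923/security-audit-how-to-check-if-ssh-server-asks-for-a-password/43482975#43482975
#
# ssh -v writes its debug output (including "Authentications that can
# continue: ...") to STDERR, so stderr must be merged into the capture;
# discarding it would make this check pass unconditionally. The connection
# is expected to fail (no such user), hence `|| true`.
ssh_debug=$(ssh -v -o BatchMode=yes DOES_NOT_EXIST@localhost 2>&1 || true)
if grep -q password <<<"$ssh_debug"; then
  die "SECURITY ERROR: 'PasswordAuthentication no' has not taken effect. Try 'sudo service ssh restart'"
fi

# --- argument handling -----------------------------------------------------

(( $# >= 1 )) || die "Usage: ${0##*/} <name>[.pub]   (reads the public key from <name>.pub)"

# Accept either "bob" or "path/to/bob.pub"; the key file keeps its directory,
# the username is the bare file name without the .pub suffix.
key_file="${1%.pub}.pub"
new_user=${key_file##*/}
new_user=${new_user%.pub}

# The name is interpolated into paths and into the "user:password" line fed
# to chpasswd, so reject anything that is not a plain lowercase Unix name
# (no ':', newline, '/', or shell metacharacters can get through).
[[ "$new_user" =~ ^[a-z_][a-z0-9_-]*$ ]] \
  || die "ERROR: '$new_user' is not a valid username (expected: ^[a-z_][a-z0-9_-]*$)"

# If they try to create root, exit (non-zero: nothing was done).
[[ "$new_user" != root ]] || die "You cannot create the root user, it already exists."

# Validate the key BEFORE creating the account, so a missing or malformed
# key file does not leave behind a half-configured user.
[[ -r "$key_file" ]] || die "ERROR: cannot read public key file '$key_file'"
ssh-keygen -l -f "$key_file" >/dev/null 2>&1 \
  || die "ERROR: '$key_file' does not look like an SSH public key file"

home_dir="/home/$new_user"
ssh_dir="$home_dir/.ssh"
auth_keys="$ssh_dir/authorized_keys"

# --- account creation ------------------------------------------------------

# TODO allow optional gecos i.e. create-user.bash bobs.pub 'Bob Smith'

# --disabled-login: no password yet; a temporary one is set (and removed)
# further down.
sudo adduser --disabled-login --gecos '' "$new_user"

sudo adduser "$new_user" sudo # if sudo is needed

# Any failure from here on aborts via set -e.
sudo mkdir -p -- "$ssh_dir"
sudo chmod 700 -- "$ssh_dir"
sudo touch -- "$auth_keys"
sudo chmod 600 -- "$auth_keys"

# PRE-REQ: the user's ssh public key is stored in <name>.pub.
# Append with tee rather than `bash -c "cat ..."` so the file name is never
# re-parsed by a shell; the key file is read as the invoking user.
sudo tee -a -- "$auth_keys" <"$key_file" >/dev/null

sudo chown -- "$new_user:$new_user" "$home_dir"
sudo chown -R -- "$new_user:$new_user" "$ssh_dir"

# Set a random password, then delete it again: the account ends up with an
# empty password (unusable over SSH given PasswordAuthentication no) and
# `chage -d 0` forces the user to choose a real one at first login.
passwd_tmp=$(openssl rand -hex 20)
printf '%s:%s\n' "$new_user" "$passwd_tmp" | sudo chpasswd
sudo passwd -d "$new_user"
sudo chage -d 0 "$new_user"

printf "'%s' has been added with key-only authentication and a password must be set on first login\n" "$new_user"

# Other Methods as per https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
#
# Linux
# date "+%s.%N" | md5sum
#
# macOS
# date "+%s.%N" | md5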