Menu
▾
▴
Tree [9d0092] default tip / History
| File | Date | Author | Commit |
|---|---|---|---|
| Tests | 2022-01-20 |
ggb
|
[9d0092] Updated testing |
| templates | 2022-01-20 |
ggb
|
[9d0092] Updated testing |
| .hgignore | 2021-12-29 |
ggb
|
[1e8308] Use startup.template & allow adding of groups |
| README.md | 2022-01-19 |
ggb
|
[2d58b4] Added debhistory |
| edit | 2022-01-04 |
ggb
|
[795077] Some debugging and added show-user utility. |
| edit-md | 2022-01-19 |
ggb
|
[4cd06a] Still trying to get README to show as expected. |
| ssh-user-create | 2022-01-20 |
ggb
|
[946fa9] Added debstatus |
| ssh-user-delete | 2022-01-17 |
ggb
|
[85a6c9] Completed README and other minor changes. |
Read Me
Manage user for SSH remote server
The intention is to create (and delete) a user on a remote machine, where that user can be logged on to through ssh (no local user login, although you can still sudo into the user), and the user can only perform a limited set of tasks through ssh.
Context
These are bash shell scripts to run on Linux systems. Because they are intended to be run on remote Linux servers they have the minimum of dependencies and only require the usual core Linux functions (including a bash shell command interpreter).
ssh-user-create
Purpose
This script will create a new user that will be used as the target for an ssh link.
Command arguments
Command is of the format: ssh-user-create arguments
arguments are of the form keyword=value, where in all cases the keyword may be shortened to the first letter of the keyword.
None of the keywords are case sensitive, although the values in most cases are case sensitive.
arguments may be the following:
-
HELPThis will display a help message.
There is no value that should be specified with this keyword.
If
HELPis specified then other arguments will be ignored. -
USER=logon-nameThis is a mandatory argument.
Aliases for this parameter are
UandUSR.logon-name is the logon name of the user which the is to be created or updated.
It is not an error if the logon-name already exists, as it will merely cause the existing logon-name to be updated.
-
KEYFILE=filenameThis is an optional argument.
Aliases for this parameter are
KandKEY.If specified, the filename must be the name of an existing file containing the public ssh key that will be imported into the list of authorised clients that may communicate with the newly created user.
If no
keyfileis specified then it will not be possible for anybody to connect to the new user throughssh. -
GROUPS=list-of-groupsThis is an optional parameter.
Aliases for this parameter are
G,GROUP, andGRP.The list-of-groups is a comma separated list of group names (no spaces are allowed in the list). The newly created user will be added to all of the groups in the list.
It is intended that these groups can be used to give the new user appropriate access to files that are group readable but not globally readable.
All of the groups in the list must pre-exist.
-
ALLOWED=list-of_applicationsThis is an optional argument.
Aliases for this parameter are
A,ALLOW,APPS, andAPPLICATIONS.If specified it must be a comma separated list of applications that will be allowed to be run through ssh by the newly created user. Other applications may also be allowed by manually editing the
startup.allowedfile in the home directory of the newly created user, but the applications specified here will automatically be added to thestartup.allowedfile by thessh-user-createscript.None of the options are case sensitive.
It is an error to mention the same application twice.
The possible applications that may be specified in the list-of-applications are:
-
debhistoryThis application will display history of actions regarding Debian packages.
Alias for this is
debh.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
isallowedThis application will report on whether an application is allowed for the user.
Alias for this is
isandisallow.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
sftpIf specified, then this will allow the newly created user to be the remote end of a
sftpsession.Refer to the Linux man page for further details.
-
showfileThis application simply copies a specified file to
stdoutin the same was that one can use thecatcommand to copy a file tostdout(in fact it actually uses thecatcommand to achieve this end).Alias for this is
fileandreadfile.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
readhashThis application walks down a directory tree listing a summary of all the files encountered in the directory tree.
Alias for this is
hash.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
showb64zThis application will convert data to 7-bit safe (base-64) for transmission.
Alias for this is
b64zandreadb64z.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
showuserThis application will collect and display data pertaining to user logons.
Alias for this is
user.Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
-
sensorsThis will allow the
sensorscommand to be invoked that will display information regarding temperatures on the system.Refer to the Linux man page for further details.
-
dfThis will allow the
dfcommand to be invoked that will display free space on the systems mounted volumes.Refer to the Linux man page for further details.
-
-
TEMPLATES=template-directoryThis is an optional parameter.
Aliases for this parameter are
TandTEMPLATE.If specified it is the name where the script should look for various templates it needs to operate.
If not specified then the templates will be looked for in a subdirectory called
./templateunder the directory where the where thesftp-createscript itself exists, or in the directory where thesftp-createscript actually exists.The following template files are expected to exist in the template-directory:
startup- this file must exist.showfile- this must exist if theshowfileapplication is allowed.readhash- this must exist if thereadhashapplication is allowed.showb64z- this must exist if theshowb64zapplication is allowed.showuser- this must exist if theshowuserapplication is allowed.isallowed- this must exist if theisallowedapplication is allowed.
-
NOACTIONThis is an optional parameter and takes no value.
Aliases for this parameter are N and NOACT.
If this is specified then the command parameters will be verified to be correct but no user will be created or updated.
If a user with the specified logon-name does not exist then it will be created. If such a user already exists then it will, if reasonable to do so, be updated.
If a .ssh directory does not exist in the home directory for the user then it will be created.
Files in home directory
The following files will be created in the home directory of the newly created user:
-
isallowed
This file executes the
isallowedcommand, and is included only if theisallowewdcommand is allowed.This file must be owned by root and have access permissions set to 0755 or 0555.
-
readhash
This file executes the
readhashcommand, and is included only if thereadhashcommand is allowed.This file must be owned by root and have access permissions set to 0755 or 0555.
-
showb64z
This file executes the
showb64zcommand, and is included only if theshowb64zcommand is allowed.This file must be owned by root and have access permissions set to 0755 or 0555.
-
showfile
This file executes the
showfilecommand, and is included only if theshowfilecommand is allowed.This file must be owned by root and have access permissions set to 0755 or 0555.
-
showuser
This file executes the
showusercommand, and is included only if theshowusercommand is allowed.This file must be owned by root and have access permissions set to 0755 or 0555.
-
startup
This is the script that is executed when an
sshclient connects to this user. It is responsible for managing application permissions for thesshconnection.This file must be owned by root and have access permissions set to 0755 or 0555.
-
startup.allow
This is the file that determines which application the user is allowed to execute. If new applications are desired to be permitted for the user, or old permissions removed, then this file must be edited.
This file must be owned by root and have access permissions set to 0755.
-
startup.log
This is a log that is written to by the
startupscript.In many situations the
startupscript will fail without displaying any message to the screen, and in that case you should look at this file to investigate the error.Messages written to this file are often also sent to syslog.
If a lot of messages are being sent to this file you might wish to do regular housekeeping to ensure this file does not get too large.
-
startup.msg
When
startupinvokes a command it redirectsSTDERRto this file. That means that often when commands fail they will not display any error messages and you should look into this file to further investigate the cause of the failure.If a lot of messages are being sent to this file you might wish to do regular housekeeping to ensure this file does not get too large.
Example
echo ============================
echo "Setting up new user"
echo ----------
sudo ssh-user-create u=test1 k="$HOME/.ssh/id_ed25519.pub" g=adm,root a=hash,b64z,file,sftp,user,sensors,df
echo ============================
echo "Reporting status of user"
echo ----------
ssh test1@localhost "showuser -me"
Output
============================
Setting up new user
----------
Adding user `test1' ...
Adding new group `test1' (1001) ...
Adding new user `test1' (1001) with group `test1' ...
Creating home directory `/home/test1' ...
Copying files from `/etc/skel' ...
ssh-user-create: Keyfile '/home/ggb/.ssh/id_ed25519.pub' imported to '/home/test1/.ssh/authorized_keys'
ssh-user-create: Startup script created.
ssh-user-create: Startup allow created.
ssh-user-create: '/home/test1/startup.log' created.
ssh-user-create: '/home/test1/startup.msg' created.
ssh-user-create: Application key 'readhash' added for user.
ssh-user-create: Application key 'showb64z' added for user.
ssh-user-create: Application key 'showfile' added for user.
ssh-user-create: Application key '/usr/lib/openssh/sftp-server' added for user.
ssh-user-create: Application key 'showuser' added for user.
ssh-user-create: Application key 'sensors' added for user.
ssh-user-create: Application key 'df' added for user.
============================
Reporting status of user
----------
# User details for test1
- name: test1
id: 1001
comment: Created by ssh-user-create for ggb,,,
logon-status: Unknown
primary-group: test1
groups:
- test1
- root
- adm
running-processes: 25
ssh-authorized-keys: 1
home: /home/test1
shell: /home/test1/startup
allowed-apps:
- "readhash"
- "showb64z"
- "showfile"
- "/usr/lib/openssh/sftp-server"
- "showuser"
- "sensors"
- "df"
ssh-user-delete
Purpose
This script will delete users created by ssh-user-create. It will not attempt to delete users that were not created by ssh-user-create.
Command arguments
Command is of the format: ssh-user-delete logon-name
Where logon-name is the name specified in the USER argument when running ssh-user-create.
Example
sudo ssh-user-delete test1
Output
Looking for files to backup/remove ...
Removing files ...
Removing user `test1' ...
Warning: group `test1' has no more members.
Done.