File | Date | Author | Commit |
---|---|---|---|
Tests | 2022-01-20 | ggb | [9d0092] Updated testing |
templates | 2022-01-20 | ggb | [9d0092] Updated testing |
.hgignore | 2021-12-29 | ggb | [1e8308] Use startup.template & allow adding of groups |
README.md | 2022-01-19 | ggb | [2d58b4] Added debhistory |
edit | 2022-01-04 | ggb | [795077] Some debugging and added show-user utility. |
edit-md | 2022-01-19 | ggb | [4cd06a] Still trying to get README to show as expected. |
ssh-user-create | 2022-01-20 | ggb | [946fa9] Added debstatus |
ssh-user-delete | 2022-01-17 | ggb | [85a6c9] Completed README and other minor changes. |
The intention is to create (and delete) a user on a remote machine, where that user can be logged on to through `ssh` (no local user login, although you can still `sudo` into the user), and the user can only perform a limited set of tasks through `ssh`.

These are `bash` shell scripts to run on Linux systems. Because they are intended to be run on remote Linux servers they have the minimum of dependencies and only require the usual core Linux functions (including a `bash` shell command interpreter).
## ssh-user-create

This script will create a new user that will be used as the target for an `ssh` link.

Command is of the format: `ssh-user-create arguments`

Arguments are of the form `keyword=value`, where in all cases the keyword may be shortened to the first letter of the keyword. None of the keywords are case sensitive, although the values in most cases are case sensitive.

Arguments may be the following:

- `HELP`  
  This will display a help message. There is no value that should be specified with this keyword. If `HELP` is specified then all other arguments will be ignored.
- `USER=logon-name`  
  This is a mandatory argument. Aliases for this parameter are `U` and `USR`. The logon-name is the logon name of the user which is to be created or updated. It is not an error if the logon-name already exists, as it will merely cause the existing user to be updated.
- `KEYFILE=filename`  
  This is an optional argument. Aliases for this parameter are `K` and `KEY`. If specified, the filename must be the name of an existing file containing the public ssh key that will be imported into the list of authorised clients that may communicate with the newly created user. If no keyfile is specified then it will not be possible for anybody to connect to the new user through `ssh`.

- `GROUPS=list-of-groups`  
  This is an optional parameter. Aliases for this parameter are `G`, `GROUP`, and `GRP`. The list-of-groups is a comma separated list of group names (no spaces are allowed in the list). The newly created user will be added to all of the groups in the list. It is intended that these groups can be used to give the new user appropriate access to files that are group readable but not globally readable. All of the groups in the list must pre-exist.
- `ALLOWED=list-of-applications`  
  This is an optional argument. Aliases for this parameter are `A`, `ALLOW`, `APPS`, and `APPLICATIONS`. If specified it must be a comma separated list of applications that the newly created user will be allowed to run through ssh. Other applications may also be allowed by manually editing the `startup.allowed` file in the home directory of the newly created user, but the applications specified here will automatically be added to the `startup.allowed` file by the `ssh-user-create` script. None of the application names are case sensitive. It is an error to mention the same application twice.

  The possible applications that may be specified in the list-of-applications are:
  - `debhistory` (alias `debh`): This application will display the history of actions regarding Debian packages. Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `isallowed` (aliases `is` and `isallow`): This application will report on whether an application is allowed for the user. Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `sftp`: If specified, this will allow the newly created user to be the remote end of an `sftp` session. Refer to the Linux man page for further details.
  - `showfile` (aliases `file` and `readfile`): This application simply copies a specified file to `stdout`, in the same way that one can use the `cat` command to copy a file to `stdout` (in fact it actually uses the `cat` command to achieve this end). Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `readhash` (alias `hash`): This application walks down a directory tree listing a summary of all the files encountered in the directory tree. Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `showb64z` (aliases `b64z` and `readb64z`): This application will convert data to 7-bit safe (base-64) form for transmission. Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `showuser` (alias `user`): This application will collect and display data pertaining to user logons. Refer to https://sourceforge.net/p/ssh-simple-scripts/code/ci/default/tree/ for details.
  - `sensors`: This will allow the `sensors` command to be invoked, which displays information regarding temperatures on the system. Refer to the Linux man page for further details.
  - `df`: This will allow the `df` command to be invoked, which displays free space on the system's mounted volumes. Refer to the Linux man page for further details.
- `TEMPLATES=template-directory`  
  This is an optional parameter. Aliases for this parameter are `T` and `TEMPLATE`. If specified it is the name of the directory where the script should look for the various templates it needs to operate. If not specified then the templates will be looked for in a subdirectory called `./template` under the directory where the `sftp-create` script itself exists, or failing that in the directory where the `sftp-create` script itself exists.

  The following template files are expected to exist in the template-directory:
  - `startup` - this file must exist.
  - `showfile` - this must exist if the `showfile` application is allowed.
  - `readhash` - this must exist if the `readhash` application is allowed.
  - `showb64z` - this must exist if the `showb64z` application is allowed.
  - `showuser` - this must exist if the `showuser` application is allowed.
  - `isallowed` - this must exist if the `isallowed` application is allowed.

- `NOACTION`  
  This is an optional parameter and takes no value. Aliases for this parameter are `N` and `NOACT`. If this is specified then the command parameters will be verified to be correct but no user will be created or updated.
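As an added example that is not part of the project's own scripts, the following bash functions show one way the `ALLOWED=` list described above can be normalised before it is recorded: aliases are resolved to the application names listed on this page, matching is case-insensitive, and naming the same application twice (directly or through an alias) is rejected, as the page requires. The function names and the one-name-per-line output are assumptions of this example.

```shell
#!/bin/bash
# Added illustration, not the project's own parser: canonicalise the
# comma-separated ALLOWED= list. Names and aliases are those documented
# on this page; everything else about the interface is assumed.

# app_canon NAME -> prints the canonical application name, or nothing if
# NAME is not one of the documented applications or aliases.
app_canon() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        debhistory|debh)          echo debhistory ;;
        isallowed|isallow|is)     echo isallowed ;;
        sftp)                     echo sftp ;;
        showfile|file|readfile)   echo showfile ;;
        readhash|hash)            echo readhash ;;
        showb64z|b64z|readb64z)   echo showb64z ;;
        showuser|user)            echo showuser ;;
        sensors)                  echo sensors ;;
        df)                       echo df ;;
    esac
}

# parse_allowed LIST -> prints one canonical name per line.
# Exit status 1 for an unknown application, 2 if one is mentioned twice
# (so "hash,readhash" is rejected just like "hash,hash").
parse_allowed() {
    local list=$1 item canon seen=''
    local IFS=','                      # split only on commas, never on spaces
    for item in $list; do
        canon=$(app_canon "$item")
        if [ -z "$canon" ]; then
            echo "unknown application '$item'" >&2
            return 1
        fi
        case ",$seen," in
            *",$canon,"*)
                echo "application '$canon' mentioned twice ('$item')" >&2
                return 2 ;;
        esac
        seen=$seen${seen:+,}$canon
        echo "$canon"
    done
}
```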
If a user with the specified logon-name does not exist then it will be created. If such a user already exists then it will, if reasonable to do so, be updated. If a `.ssh` directory does not exist in the home directory for the user then it will be created.

The following files will be created in the home directory of the newly created user:

- `isallowed`  
  This file executes the `isallowed` command, and is included only if the `isallowed` command is allowed. This file must be owned by root and have access permissions set to 0755 or 0555.
- `readhash`  
  This file executes the `readhash` command, and is included only if the `readhash` command is allowed. This file must be owned by root and have access permissions set to 0755 or 0555.
- `showb64z`  
  This file executes the `showb64z` command, and is included only if the `showb64z` command is allowed. This file must be owned by root and have access permissions set to 0755 or 0555.
- `showfile`  
  This file executes the `showfile` command, and is included only if the `showfile` command is allowed. This file must be owned by root and have access permissions set to 0755 or 0555.
- `showuser`  
  This file executes the `showuser` command, and is included only if the `showuser` command is allowed. This file must be owned by root and have access permissions set to 0755 or 0555.
- `startup`  
  This is the script that is executed when an `ssh` client connects to this user. It is responsible for managing application permissions for the `ssh` connection. This file must be owned by root and have access permissions set to 0755 or 0555.
- `startup.allow`  
  This is the file that determines which applications the user is allowed to execute. If new applications are to be permitted for the user, or old permissions removed, then this file must be edited. This file must be owned by root and have access permissions set to 0755.
- `startup.log`  
  This is a log that is written to by the `startup` script. In many situations the `startup` script will fail without displaying any message to the screen, and in that case you should look at this file to investigate the error. Messages written to this file are often also sent to syslog. If a lot of messages are being sent to this file you might wish to do regular housekeeping to ensure this file does not get too large.
- `startup.msg`  
  When `startup` invokes a command it redirects `STDERR` to this file. That means that often when commands fail they will not display any error messages, and you should look into this file to further investigate the cause of the failure. If a lot of messages are being sent to this file you might wish to do regular housekeeping to ensure this file does not get too large.
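As an added example, not the project's `startup` script, this bash sketch shows the gatekeeping pattern the files above describe: a forced login shell that reads an allow file, runs only a listed application, appends its decision to a log file and diverts the application's stderr to a message file. The file names under `$HOME`, the one-application-per-line allow format, and matching on the first word of the requested command are assumptions of this example.

```shell
#!/bin/bash
# Added illustration, not the project's own startup script: a minimal
# forced shell that consults an allow file (one application per line,
# '#' comments) and runs the request only if its first word is listed.
# File names and the first-word matching rule are assumptions here.

# is_allowed ALLOWFILE APP -> status 0 if APP is an entry in ALLOWFILE
is_allowed() {
    local allowfile=$1 app=$2 line
    [ -r "$allowfile" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$line" = "$app" ] && return 0
    done < "$allowfile"
    return 1
}

# gate ALLOWFILE LOGFILE MSGFILE COMMANDLINE
# A refused request reaches the client only as a non-zero exit status;
# the reason is recorded in LOGFILE, which is why that log matters.
gate() {
    local allowfile=$1 logfile=$2 msgfile=$3 cmdline=$4
    local app=${cmdline%% *}
    if [ -z "$cmdline" ]; then
        echo "$(date -u +%FT%TZ) refused: interactive login not permitted" >> "$logfile"
        return 2
    fi
    if ! is_allowed "$allowfile" "$app"; then
        echo "$(date -u +%FT%TZ) refused: '$app' is not in $allowfile" >> "$logfile"
        return 3
    fi
    echo "$(date -u +%FT%TZ) allowed: $cmdline" >> "$logfile"
    # word-split the request without glob expansion, then run it with
    # stderr diverted to the msg file, as the page describes for startup.msg
    set -f
    set -- $cmdline
    set +f
    "$@" 2>> "$msgfile"
}

# sshd runs the login shell as:  startup -c "<requested command>"
if [ "${1-}" = "-c" ]; then
    gate "$HOME/startup.allow" "$HOME/startup.log" "$HOME/startup.msg" "${2-}"
    exit $?
fi
```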
Example of creating a user and then querying it over `ssh`:

```bash
echo ============================
echo "Setting up new user"
echo ----------
sudo ssh-user-create u=test1 k="$HOME/.ssh/id_ed25519.pub" g=adm,root a=hash,b64z,file,sftp,user,sensors,df
echo ============================
echo "Reporting status of user"
echo ----------
ssh test1@localhost "showuser -me"
```
Output:

```text
============================
Setting up new user
----------
Adding user `test1' ...
Adding new group `test1' (1001) ...
Adding new user `test1' (1001) with group `test1' ...
Creating home directory `/home/test1' ...
Copying files from `/etc/skel' ...
ssh-user-create: Keyfile '/home/ggb/.ssh/id_ed25519.pub' imported to '/home/test1/.ssh/authorized_keys'
ssh-user-create: Startup script created.
ssh-user-create: Startup allow created.
ssh-user-create: '/home/test1/startup.log' created.
ssh-user-create: '/home/test1/startup.msg' created.
ssh-user-create: Application key 'readhash' added for user.
ssh-user-create: Application key 'showb64z' added for user.
ssh-user-create: Application key 'showfile' added for user.
ssh-user-create: Application key '/usr/lib/openssh/sftp-server' added for user.
ssh-user-create: Application key 'showuser' added for user.
ssh-user-create: Application key 'sensors' added for user.
ssh-user-create: Application key 'df' added for user.
============================
Reporting status of user
----------
# User details for test1
- name: test1
id: 1001
comment: Created by ssh-user-create for ggb,,,
logon-status: Unknown
primary-group: test1
groups:
- test1
- root
- adm
running-processes: 25
ssh-authorized-keys: 1
home: /home/test1
shell: /home/test1/startup
allowed-apps:
- "readhash"
- "showb64z"
- "showfile"
- "/usr/lib/openssh/sftp-server"
- "showuser"
- "sensors"
- "df"
```
## ssh-user-delete

This script will delete users created by `ssh-user-create`. It will not attempt to delete users that were not created by `ssh-user-create`.

Command is of the format: `ssh-user-delete logon-name`

Where logon-name is the name specified in the `USER` argument when running `ssh-user-create`.
Example:

```bash
sudo ssh-user-delete test1
```

Output:

```text
Looking for files to backup/remove ...
Removing files ...
Removing user `test1' ...
Warning: group `test1' has no more members.
Done.
```