X-Git-Url: https://git.josue.xyz/?a=blobdiff_plain;f=ssh-utils%2Fssh-adduser.sh;h=17794a37f3548516acebd3f118874ee152508548;hb=14f590f5a5ba9f614843441a0f752c2754b47f84;hp=250cc7e737608bd358baa7c3676b454b3c98a86c;hpb=19b83dd6fccb1db44426e6e2acfc58da6e3ba9ac;p=webi-installers%2F.git diff --git a/ssh-utils/ssh-adduser.sh b/ssh-utils/ssh-adduser.sh index 250cc7e..17794a3 100644 --- a/ssh-utils/ssh-adduser.sh +++ b/ssh-utils/ssh-adduser.sh @@ -1,39 +1,102 @@ #!/bin/bash -{ +function __run_ssh_adduser() { set -e set -u - # TODO: a more complete VPS setup - # TODO would $EUID be better? - if [ "root" != "$(whoami)" ]; then - echo "webi adduser: running user is already a non-root user" - exit 0 + if [[ "root" != "$(whoami)" ]]; then + echo "webi adduser: running user is already a non-root user" + exit 0 fi - #apt-get -y update - #apt-get -y install curl wget rsync git + if [[ ! -e ~/.ssh/authorized_keys ]] || ! grep -v '#' ~/.ssh/authorized_keys; then + echo "" + echo "Error:" + echo " You must add a key to ~/.ssh/authorized_keys before adding a new ssh user." + echo "" + echo "To fix:" + echo " Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, " + echo " then add that key to ~/.ssh/authorized_keys on this (the remote) system. " + echo "" + exit 1 + fi - # Add User - # TODO: might there be a better name? - # me, this, user, self, person, i, who, do, tron - adduser --disabled-password --gecos "" me + # Add User 'app' + # Picking 'app' by common convention (what Docker & Vagrant use). + my_new_user="${1:-"app"}" + #my_existing_user="${2:-"root"}" + adduser --disabled-password --gecos '' "$my_new_user" my_password=$(openssl rand -hex 16) - printf "$my_password"'\n'"$my_password" | passwd me - adduser me sudo - echo "me ALL=(ALL:ALL) NOPASSWD: ALL" | tee /etc/sudoers.d/me - sudo -i -u me bash -c 'ssh-keygen -b 2048 -t rsa -f /home/me/.ssh/id_rsa -q -N ""' - mkdir -p /home/me/.ssh/ - cp -r $HOME/.ssh/authorized_keys /home/me/.ssh/ - chmod 0600 /home/me/.ssh/authorized_keys - chown -R me:me /home/me/.ssh/ - - # Install webi for the new user - sudo -i -u me bash -c 'curl -fsSL https://webinstall.dev/webi | bash' \ - || sudo -i -u me bash -c 'wget -q -O - https://webinstall.dev/webi | bash' + printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}" + + # make 'app' a sudo-er (admin) + adduser "$my_new_user" sudo + echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user" + + # allow users who can already login as 'root' to login as 'app' + mkdir -p "/home/$my_new_user/.ssh/" + chmod 0700 "/home/$my_new_user/.ssh/" + cp -r "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/" + chmod 0600 "/home/$my_new_user/.ssh/authorized_keys" + touch "/home/$my_new_user/.ssh/config" + chmod 0644 "/home/$my_new_user/.ssh/config" + chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/" + + # ensure that 'app' has an SSH Keypair + sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''" + chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/" + + # Install webi for the new 'app' user + WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"} + sudo -i -u "$my_new_user" bash -c "curl -fsSL '$WEBI_HOST/webi' | bash" || + sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash" # TODO ensure that ssh-password login is off + my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)" + my_pam="" + if [[ "Darwin" == "$(uname -s)" ]]; then + # Turn off PAM for macOS or it will allow password login + my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)" + fi + if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then + echo "######################################################################" + echo "# #" + echo "# WARNING #" + echo "# #" + echo "# Found /etc/ssh/sshd_config: #" + if [[ -n ${my_pass} ]]; then + echo "# PasswordAuthentication yes #" + fi + if [[ -n ${my_pam} ]]; then + echo "# UsePAM yes #" + fi + echo "# #" + echo "# This is EXTREMELY DANGEROUS and insecure. #" + echo "# We'll attempt to fix this now... #" + echo "# #" + + sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \ + /etc/ssh/sshd_config + + sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \ + /etc/ssh/sshd_config - echo "Created user 'me' with password '$my_password'" + if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then + echo "# FAILED. Please check /etc/ssh/sshd_config manually. #" + else + echo "# Fixed... HOWEVER, you'll need to manually restart ssh: #" + echo "# #" + echo "# sudo systemctl restart ssh #" + echo "# #" + echo "# (you may want to make sure you can login as the new user first) #" + fi + echo "# #" + echo "######################################################################" + fi + + echo "Created user '${my_new_user}' as sudoer with a random password." + echo "(set a new password with 'password ${my_new_user}')" } + +__run_ssh_adduser app