X-Git-Url: https://git.josue.xyz/?a=blobdiff_plain;f=ssh-utils%2Fssh-adduser.sh;h=99a158636921e4c4e4d0b0779c853f662185fa4d;hb=b4358b80d203d961f0178cb0f49741395b7180d6;hp=47aefae2eeb348aa449d343488d39665d3f39e19;hpb=3203e51feac210773fe8ccec40a268aeb431e93f;p=webi-installers%2F.git

diff --git a/ssh-utils/ssh-adduser.sh b/ssh-utils/ssh-adduser.sh
index 47aefae..99a1586 100644
--- a/ssh-utils/ssh-adduser.sh
+++ b/ssh-utils/ssh-adduser.sh
@@ -1,48 +1,89 @@
 #!/bin/bash
 
-{
+function __run_ssh_adduser() {
     set -e
     set -u
 
-    # TODO: a more complete VPS setup
-
     # TODO would $EUID be better?
-    if [ "root" != "$(whoami)" ]; then
-      echo "webi adduser: running user is already a non-root user"
-      exit 0
+    if [[ "root" != "$(whoami)" ]]; then
+        echo "webi adduser: running user is already a non-root user"
+        exit 0
     fi
 
-    #apt-get -y update
-    #apt-get -y install curl wget rsync git
+    if [[ ! -e ~/.ssh/authorized_keys ]] || ! grep -v '#' ~/.ssh/authorized_keys; then
+        echo ""
+        echo "Error:"
+        echo "    You must add a key to ~/.ssh/authorized_keys before adding a new ssh user."
+        echo ""
+        echo "To fix:"
+        echo "    Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, "
+        echo "    then add that key to ~/.ssh/authorized_keys on this (the remote) system.  "
+        echo ""
+        exit 1
+    fi
 
-    # Add User app
-    # Picking 'app' because that seems to be what the # Docker/Vagrant
-    # crowd is doing. TODO: Other ideas? me, user, tron
-    adduser --disabled-password --gecos "" app
+    # Add User 'app'
+    # Picking 'app' by common convention (what Docker & Vagrant use).
+    my_new_user="${1:-"app"}"
+    #my_existing_user="${2:-"root"}"
+    adduser --disabled-password --gecos '' "$my_new_user"
     my_password=$(openssl rand -hex 16)
-    printf "$my_password"'\n'"$my_password" | passwd app
+    printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}"
 
     # make 'app' a sudo-er (admin)
-    adduser app sudo
-    echo "app ALL=(ALL:ALL) NOPASSWD: ALL" | tee /etc/sudoers.d/app
+    adduser "$my_new_user" sudo
+    echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"
 
     # allow users who can already login as 'root' to login as 'app'
-    mkdir -p /home/app/.ssh/
-    chmod 0700 /home/app/.ssh/
-    cp -r "$HOME/.ssh/authorized_keys" /home/app/.ssh/
-    chmod 0600 /home/app/.ssh/authorized_keys
-    touch /home/app/.ssh/config
-    chmod 0644 /home/app/.ssh/config
-    chown -R app:app /home/app/.ssh/
+    mkdir -p "/home/$my_new_user/.ssh/"
+    chmod 0700 "/home/$my_new_user/.ssh/"
+    cp -r "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/"
+    chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
+    touch "/home/$my_new_user/.ssh/config"
+    chmod 0644 "/home/$my_new_user/.ssh/config"
+    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
 
     # ensure that 'app' has an SSH Keypair
-    sudo -i -u app bash -c 'ssh-keygen -b 2048 -t rsa -f /home/app/.ssh/id_rsa -q -N ""'
+    sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
+    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
 
     # Install webi for the new 'app' user
-    sudo -i -u app bash -c 'curl -fsSL https://webinstall.dev/webi | bash' \
-        || sudo -i -u app bash -c 'wget -q -O - https://webinstall.dev/webi | bash'
+    WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
+    sudo -i -u "$my_new_user" bash -c "curl -fsSL '$WEBI_HOST/webi' | bash" ||
+        sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
 
     # TODO ensure that ssh-password login is off
+    my_user="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
+    if [[ -n ${my_user} ]]; then
+
+        echo "######################################################################"
+        echo "#                                                                    #"
+        echo "#                             WARNING                                #"
+        echo "#                                                                    #"
+        echo "# Found /etc/ssh/sshd_config: PasswordAuthentication yes             #"
+        echo "#                                                                    #"
+        echo "# This is EXTREMELY DANGEROUS and insecure.                          #"
+        echo "# We'll attempt to fix this now...                                   #"
+        echo "#                                                                    #"
+
+        sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
+            /etc/ssh/sshd_config
 
-    echo "Created user 'app' with password '$my_password'"
+        if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
+            echo "# FAILED. Please check /etc/ssh/sshd_config manually.                #"
+        else
+            echo "# Fixed... HOWEVER, you'll need to manually restart ssh:             #"
+            echo "#                                                                    #"
+            echo "#   sudo systemctl restart ssh                                       #"
+            echo "#                                                                    #"
+            echo "# (you may want to make sure you can login as the new user first)    #"
+        fi
+        echo "#                                                                    #"
+        echo "######################################################################"
+    fi
+
+    echo "Created user '${my_new_user}' as sudoer with a random password."
+    echo "(set a new password with 'password ${my_new_user}')"
 }
+
+__run_ssh_adduser app