refactor: finish moving ssh-* scripts to own installers
[webi-installers/.git] / ssh-adduser / ssh-adduser.sh
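#!/bin/bash
set -e
set -u

#######################################
# Create a sudo-capable login user that accepts the same SSH keys as the
# invoking root account, then turn off SSH password login if it is enabled.
#
# Security-relevant effects (all performed as root):
#   - creates the account and gives it a random password that is never shown
#   - writes a "NOPASSWD: ALL" rule to /etc/sudoers.d/<user>
#   - copies root's authorized_keys to the new user, so every key that can
#     log in as root can also log in as (and sudo from) the new user
#   - pipes the webi installer from $WEBI_HOST into bash as the new user
#   - may rewrite PasswordAuthentication / UsePAM in /etc/ssh/sshd_config
#
# Globals:   WEBI_HOST (read; defaults to https://webinstall.dev), HOME (read)
# Arguments: $1 - name of the user to create (default: app)
# Outputs:   progress, warnings and the sudoers rule on stdout; errors on stderr
# Returns:   exits 0 when not run as root (nothing to do), exits 1 on a bad
#            user name or a missing/empty authorized_keys, otherwise the
#            first failing command aborts the script (set -e)
#######################################
main() {
    local my_new_user my_password my_sudoers my_pass my_pam
    local -r my_name_re='^[A-Za-z_][A-Za-z0-9_-]*$'

    # Add User 'app'
    # Picking 'app' by common convention (what Docker & Vagrant use).
    my_new_user="${1:-"app"}"
    #my_existing_user="${2:-"root"}"

    # The name is interpolated into file paths, a sudoers rule and quoted
    # `bash -c` strings below, so reject anything that is not a plain account
    # name before it is used. '.' is excluded because sudo skips files in
    # /etc/sudoers.d whose names contain one.
    if [[ ! "${my_new_user}" =~ ${my_name_re} ]]; then
        echo "webi adduser: invalid user name '${my_new_user}'" >&2
        exit 1
    fi

    # Compare the effective uid rather than the account name, so a uid-0
    # account that is not called 'root' is still treated as root.
    if [[ "${EUID}" -ne 0 ]]; then
        echo "webi adduser: running user is already a non-root user"
        exit 0
    fi

    # Require at least one line that is neither blank nor a comment; -q keeps
    # the key material off the terminal.
    if [[ ! -e ~/.ssh/authorized_keys ]] ||
        ! grep -q -E '^[[:space:]]*[^#[:space:]]' ~/.ssh/authorized_keys; then
        {
            echo ""
            echo "Error:"
            echo "    You must add a key to ~/.ssh/authorized_keys before adding a new ssh user."
            echo ""
            echo "To fix:"
            echo "    Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, "
            echo "    then add that key to ~/.ssh/authorized_keys on this (the remote) system.  "
            echo ""
        } >&2
        exit 1
    fi

    adduser --disabled-password --gecos '' "$my_new_user"
    # printf is a shell builtin, so the password never appears in a process
    # argument list.
    my_password=$(openssl rand -hex 16)
    printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}"

    # make 'app' a sudo-er (admin)
    # NOTE(review): NOPASSWD: ALL means SSH key possession alone is enough for
    # root; anyone holding a key in the copied authorized_keys gets that.
    adduser "$my_new_user" sudo
    my_sudoers="/etc/sudoers.d/$my_new_user"
    echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "$my_sudoers"
    # sudoers fragments are conventionally read-only for root and group.
    chmod 0440 "$my_sudoers"

    # allow users who can already login as 'root' to login as 'app'
    mkdir -p "/home/$my_new_user/.ssh/"
    chmod 0700 "/home/$my_new_user/.ssh/"
    cp "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/"
    chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
    touch "/home/$my_new_user/.ssh/config"
    chmod 0644 "/home/$my_new_user/.ssh/config"
    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"

    # ensure that 'app' has an SSH Keypair
    # NOTE(review): 2048-bit RSA is the legacy minimum; a larger RSA key or
    # ed25519 would be preferable, but ed25519 changes the key file name.
    sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
    chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"

    # Install webi for the new 'app' user
    # The downloaded script is executed as-is, so WEBI_HOST must be a trusted
    # https origin. pipefail makes a failed download fail the pipeline;
    # without it the trailing `bash` exits 0 on empty input and the wget
    # fallback is never reached.
    WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
    sudo -i -u "$my_new_user" bash -c "set -o pipefail; curl -fsSL '$WEBI_HOST/webi' | bash" ||
        sudo -i -u "$my_new_user" bash -c "set -o pipefail; wget -q -O - '$WEBI_HOST/webi' | bash"

    # TODO ensure that ssh-password login is off
    # NOTE(review): only /etc/ssh/sshd_config itself is inspected; settings
    # pulled in through an Include directive or set in a Match block are not.
    # `|| true`: grep exits 1 when nothing matches, which under `set -e` would
    # abort the script on an already-hardened host.
    my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config || true)"
    my_pam=""
    if [[ "Darwin" == "$(uname -s)" ]]; then
        # Turn off PAM for macOS or it will allow password login
        my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config || true)"
    fi
    if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
        echo "######################################################################"
        echo "#                                                                    #"
        echo "#                             WARNING                                #"
        echo "#                                                                    #"
        echo "# Found /etc/ssh/sshd_config:                                        #"
        if [[ -n ${my_pass} ]]; then
            echo "#     PasswordAuthentication yes                                     #"
        fi
        if [[ -n ${my_pam} ]]; then
            echo "#     UsePAM yes                                                     #"
        fi
        echo "#                                                                    #"
        echo "# This is EXTREMELY DANGEROUS and insecure.                          #"
        echo "# We'll attempt to fix this now...                                   #"
        echo "#                                                                    #"

        sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
            /etc/ssh/sshd_config

        # Only touch UsePAM where it was flagged above (macOS); on other
        # systems PAM stays as configured.
        if [[ -n ${my_pam} ]]; then
            sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
                /etc/ssh/sshd_config
        fi

        if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
            echo "# FAILED. Please check /etc/ssh/sshd_config manually.                #"
        else
            echo "# Fixed... HOWEVER, you'll need to manually restart ssh:             #"
            echo "#                                                                    #"
            echo "#   sudo systemctl restart ssh                                       #"
            echo "#                                                                    #"
            echo "# (you may want to make sure you can login as the new user first)    #"
        fi
        echo "#                                                                    #"
        echo "######################################################################"
    fi

    echo "Created user '${my_new_user}' as sudoer with a random password."
    echo "(set a new password with 'passwd ${my_new_user}')"
}

main "${1:-app}"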