ssh-utils/ssh-adduser.sh

   1 #!/bin/bash
   2
   3 function __run_ssh_adduser() {
   4     set -e
   5     set -u
   6
   7     # TODO would $EUID be better?
   8     if [[ "root" != "$(whoami)" ]]; then
   9         echo "webi adduser: running user is already a non-root user"
  10         exit 0
  11     fi
  12
  13     if [[ ! -e ~/.ssh/authorized_keys ]] || ! grep -v '#' ~/.ssh/authorized_keys; then
  14         echo ""
  15         echo "Error:"
  16         echo "    You must add a key to ~/.ssh/authorized_keys before adding a new ssh user."
  17         echo ""
  18         echo "To fix:"
  19         echo "    Run 'curl https://webinstall.dev/ssh-pubkey | bash' on your local system, "
  20         echo "    then add that key to ~/.ssh/authorized_keys on this (the remote) system.  "
  21         echo ""
  22         exit 1
  23     fi
  24
  25     # Add User 'app'
  26     # Picking 'app' by common convention (what Docker & Vagrant use).
  27     my_new_user="${1:-"app"}"
  28     #my_existing_user="${2:-"root"}"
  29     adduser --disabled-password --gecos '' "$my_new_user"
  30     my_password=$(openssl rand -hex 16)
  31     printf '%s\n%s' "${my_password}" "${my_password}" | passwd "${my_new_user}"
  32
  33     # make 'app' a sudo-er (admin)
  34     adduser "$my_new_user" sudo
  35     echo "$my_new_user ALL=(ALL:ALL) NOPASSWD: ALL" | tee "/etc/sudoers.d/$my_new_user"
  36
  37     # allow users who can already login as 'root' to login as 'app'
  38     mkdir -p "/home/$my_new_user/.ssh/"
  39     chmod 0700 "/home/$my_new_user/.ssh/"
  40     cp -r "${HOME}/.ssh/authorized_keys" "/home/$my_new_user/.ssh/"
  41     chmod 0600 "/home/$my_new_user/.ssh/authorized_keys"
  42     touch "/home/$my_new_user/.ssh/config"
  43     chmod 0644 "/home/$my_new_user/.ssh/config"
  44     chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
  45
  46     # ensure that 'app' has an SSH Keypair
  47     sudo -i -u "$my_new_user" bash -c "ssh-keygen -b 2048 -t rsa -f '/home/$my_new_user/.ssh/id_rsa' -q -N ''"
  48     chown -R "$my_new_user":"$my_new_user" "/home/$my_new_user/.ssh/"
  49
  50     # Install webi for the new 'app' user
  51     WEBI_HOST=${WEBI_HOST:-"https://webinstall.dev"}
  52     sudo -i -u "$my_new_user" bash -c "curl -fsSL '$WEBI_HOST/webi' | bash" ||
  53         sudo -i -u "$my_new_user" bash -c "wget -q -O - '$WEBI_HOST/webi' | bash"
  54
  55     # TODO ensure that ssh-password login is off
  56     my_pass="$(grep 'PasswordAuthentication yes' /etc/ssh/sshd_config)"
  57     my_pam=""
  58     if [[ "Darwin" == "$(uname -s)" ]]; then
  59         # Turn off PAM for macOS or it will allow password login
  60         my_pam="$(grep 'UsePAM yes' /etc/ssh/sshd_config)"
  61     fi
  62     if [[ -n ${my_pass} ]] || [[ -n ${my_pam} ]]; then
  63         echo "######################################################################"
  64         echo "#                                                                    #"
  65         echo "#                             WARNING                                #"
  66         echo "#                                                                    #"
  67         echo "# Found /etc/ssh/sshd_config:                                        #"
  68         if [[ -n ${my_pass} ]]; then
  69             echo "#     PasswordAuthentication yes                                     #"
  70         fi
  71         if [[ -n ${my_pam} ]]; then
  72             echo "#     UsePAM yes                                                     #"
  73         fi
  74         echo "#                                                                    #"
  75         echo "# This is EXTREMELY DANGEROUS and insecure.                          #"
  76         echo "# We'll attempt to fix this now...                                   #"
  77         echo "#                                                                    #"
  78
  79         sed -i 's/#\?PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' \
  80             /etc/ssh/sshd_config
  81
  82         sed -i 's/#\?UsePAM \(yes\|no\)/UsePAM no/' \
  83             /etc/ssh/sshd_config
  84
  85         if grep "PasswordAuthentication yes" /etc/ssh/sshd_config; then
  86             echo "# FAILED. Please check /etc/ssh/sshd_config manually.                #"
  87         else
  88             echo "# Fixed... HOWEVER, you'll need to manually restart ssh:             #"
  89             echo "#                                                                    #"
  90             echo "#   sudo systemctl restart ssh                                       #"
  91             echo "#                                                                    #"
  92             echo "# (you may want to make sure you can login as the new user first)    #"
  93         fi
  94         echo "#                                                                    #"
  95         echo "######################################################################"
  96     fi
  97
  98     echo "Created user '${my_new_user}' as sudoer with a random password."
  99     echo "(set a new password with 'password ${my_new_user}')"
 100 }
 101
 102 __run_ssh_adduser app