We currently have several users that are using the admin user when logging into a server via SSH. They all have their own users but unfortunately they still occasionally use the admin one. We can lock this down of course and take action to make sure that user is never used, but I'm looking to see if there is a way to force each login to enter a reason why they are using that user, before they can login and access the server whenever they use the admin user.
This way we can have an easy way to compare access log files with employee names and the reason why they are using that user.
Any thoughts?
Here's what I would do.
Register everyone's ssh public key into admin user's authorized_keys. In each entry, set the environment EMPLOYEE to the employeename. This will require that PermitUserEnviroment be set to yes in /etc/ssh/sshd_config. A sample entry should look like below.
environment="EMPLOYEE=employee1" ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8==
Now that we have an environment variable named EMPLOYEE, we can write a simple script to ask for the reason.
Create a file /etc/profile.d/reason.sh. The file does not need to be executable as it will be sourced.
if [[ $(whoami) = "admin" ]]; then
read -p "Please specify the reason for logging in as $USER user: " reason
if [ -z "$reason" ]; then
logout
fi
fi
Now you have $EMPLOYEE and $reason to log.
Here's a thought
#!/bin/bash
# if the user tries Ctrl+C to avoid this check
trap INT no_shell_for_you
no_shell_for_you() { exec /bin/false; }
read -p "Your username please: " username
if getent password "$username" >/dev/null 2>&1; then
echo "Welcome, $username"
# log $username somewhere
exec /bin/bash -l
else
no_shell_for_you
fi
Save that as ~admin_user/bin/get_real_user.sh
Add /full/path/to/admin_user/bin/get_real_user.sh to /etc/shells
Do sudo chsh -s /full/path/to/admin_user/bin/get_real_user.sh admin_user
This is untested. Test thoroughly before step 3.
Related
I am building a bash script for my work to make initial setup and windows-domain join for our Ubuntu machines easy enough for someone who knows nothing about Linux can do it. I have found a lot of people that say that you shouldn't pass passwords through a script but to be efficient, I have to. The script prompts for info and credentials in the beginning and it needs to be able to be left to do it's job without interaction. I can't have it visible through ps when I pass it and I can't have it stored as an unsecured variable. Any suggestions?
If you really must do this, you can read the credentials into variables with read -s early in the script and then pass those values to the prompts. For example:
read -p "Enter your username: " username
read -sp "Enter your password: " password
echo
I included the blank echo because the -s option for read prevents the user's typing from appearing in the terminal, including the new line usually created after a user presses Enter when answering a prompt.
You can then use the $username and $password variables for the rest of your script and the credentials will not have to be stored outside of memory, meaning they will be lost/destroyed after the script completes.
However, note that any programs or utilities which take the credentials as command-line arguments will display those to other users on the machine running the script. For example, if I were to run a MySQL query using this method, I could do:
mysql -u "${username}" -p"${password}" -e "SHOW DATABASES;"
Other users on the machine could see the credentials while that was running with something like ps:
ps -ef | grep mysql
...
watrudoin 29512 29443 0 12:57 pts/4 00:00:00 mysql -u MyUserName -phunter2 -e SHOW DATABASES
You just need to be aware that what you are doing is not necessarily secure, but it seems that you already are.
I had made a script that allows ftp login.But I dont know how to add password for the user
#!/bin/bash
if grep -q $1 "/opt/proftpd.conf"; then
echo "$1 is an ftp user"
HOST='192.168.1.212'
USER=''$1''
FILE=''$2''
ftp -n -v $HOST <<END_SCRIPT
quote USER $USER
put $FILE
quit
END_SCRIPT
ls -la /home/$1
exit 0
else
echo "$1 is not an ftp user"
fi
exit 0
How can I add the user password for ftpuser?...
An example:
#!/bin/bash
ftp_host="192.168.1.212"
ftp_user="$1"
ftp_file="$2"
read -s -p "Enter password for user ${ftp_user}: " ftp_pass
ftp -n -v ${ftp_host} << EOF
quote USER ${ftp_user}
quote pass ${ftp_pass}
bin
put ${ftp_file}
EOF
It depends on the ftp version.
Sometime versions allow to give user and password together with host name:
ftp://[user[:password]#]host[:port]/path
There are also two ftp commands that allow to pass credentials (man ftp):
account [passwd]
Supply a supplemental password required by a remote system
for access to resources once a login has been successfully
completed. If no argument is included, the user will be
prompted for an account password in a non-echoing input mode.
user user-name [password] [account]
Identify yourself to the remote FTP server. If the password
is not specified and the server requires it, ftp will prompt
the user for it (after disabling local echo). If an account
field is not specified, and the FTP server requires it, the
user will be prompted for it. If an account field is speci-
fied, an account command will be relayed to the remote server
after the login sequence is completed if the remote server
did not require it for logging in. Unless ftp is invoked
with "auto-login" disabled, this process is done automati-
cally on initial connection to the FTP server.
I am very new to bash scripting, so I apologize in advance for being vague. I have a varied number of OpenVPN configuration profiles I need to connect too on a daily basis, and would like to make this a little easier by introducing automation.
So I am able to get to the authorization part of the process and that's where I get stuck:
Your IP is xx.xx.xx.xx
Mon Oct 13 09:57:14 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Enter Auth Username:
I would like to know how I can use bash to automatically log on using my username and password. So the script would populate and confirm the 2 authorization fields.
Enter Auth Username: username
Enter Auth Password: password
Then once populated and confirmed, I will be connected to the VPN.
I appreciate any help, and please let me know if more information is required.
My current script I am working with is this:
#!/bin/sh
expect_path="$(which expect)"
"$expect_path" "$0" "$#"
#!/bin/usr/expect -f
spawn sudo openvpn /root/Desktop/my.conf #Path to Openvpn config file (.ovpn)
expect -r "\[sudo\] .*\: " {
send "my_ownpassword\n"
}
expect "Enter Auth Username:" {
send "my_user\n"
}
expect "Enter Auth Password:" {
send "my_vpnpassword\n"
}
interact
Current error I am getting:
can't read "(which expect)": no such variable
while executing
"expect_path="$(which expect)""
(file "./vpn.sh" line 2)
./vpn.sh: 7: ./vpn.sh: spawn: not found
expect: invalid option -- 'r'
usage: expect [-div] [-c cmds] [[-f] cmdfile] [args]
./vpn.sh: 9: ./vpn.sh: send: not found
./vpn.sh: 10: ./vpn.sh: Syntax error: "}" unexpected
See https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html for documentation on the TCP protocol intended for use in programmatically controlling an OpenVPN instance.
Use from bash might look something like the following:
#!/bin/bash
# the above shebang is necessary; much of this will not work with /bin/sh
# also, /dev/tcp support is optional functionality at compile time; be sure your bash
# supports it, or you might need to rewrite using netcat.
# Assuming you start OpenVPN with at least the options:
# --management 127.0.0.1 3030
# --management-query-passwords
# connect to OpenVPN management socket on FD 3
exec 3<>/dev/tcp/127.0.0.1/3030
pk_password=secret1 # private key password
username=squirrel # username
password=secret2 # auth password paired with username
# read anything it sends
while read -r -u 3; do
# if it asks for a password, then give it one
if [[ $REPLY = ">PASSWORD: Need 'Private Key' password" ]]; then
echo 'password "Private Key" '"$pk_password" >&3
elif [[ $REPLY = ">PASSWORD: Need 'Auth' username/password" ]]; then
echo 'username "Auth" '"$username" >&3
echo 'password "Auth" '"$password" >&3
else
echo "Ignoring message: $REPLY" >&2
fi
done
All that said -- storing usernames and passwords in plaintext is a horrible, horrible idea. If you actually want your VPN to be secure, and you don't have a user available to enter a password that's something they know (vs something they have stored on the computer), you should be using strong private key auth -- ideally, with that key stored on a hardware token that doesn't allow it to be read out, not a (weak, trivially stolen) password.
Of course, given as this question presupposes that you're willing to do silly, insecure things, you can also make this easier on yourself:
Recompile OpenVPN with the ENABLE_PASSWORD_SAVE flag set (configure --enable-password-save on UNIX), and then --auth-user-pass in your config file will accept a filename as an optional argument giving the location on disk where username and password are stored.
That's actually more secure than the management-interface approach, since it means you aren't giving out your password to any other user who sets up a service on port 3030 pretending to be OpenVPN's management interface.
working for me on Kali 2020.2 simple and easy.
#!/usr/bin/expect -f
# automatic openvpn login
spawn sudo openvpn FILE.ovpn
# script will enter username/password automatic.
expect "Enter Auth Username:"
send "USERNAME\n"
"Enter Auth Password:"
send "PASSWORD\n"
interact
end script
save and run file in map where FILE.ovpn is stored.
Could not get your code to work due, I edited it a little and it works fine now...
#!/bin/bash
exec 3<>/dev/tcp/127.0.0.1/3030
username=xxxxxxxxx # username
password=yyyyyyyyy # auth password paired with username
# read anything it sends
while read -r -u 3; do
if [[ $(echo $REPLY | grep ">PASSWORD:Need 'Auth' username/password") ]]; then
echo "username \"Auth\" $username" >&3
echo "password \"Auth\" $password" >&3
else
echo "Ignoring message: $REPLY" >&2
fi
done
I've been trying to write a script that adds a non-root user. Is it possible to use variables and adduser to do it? I've tried just adduser bob and it works perfectly fine, so why does adduser $user return adduser: Only one or two names allowed.?
#!/bin/bash
read -p 'Do you want to add a non-root user? [y/N]' answer
case "${answer}" in
[yY]|[yY][eE][sS])
echo -e "What will the username be?"
read $user
adduser $user;;
[nN]|[nN][oO])
echo "Skipping";;
esac
Your problem is you are not adding anyone. In your script you have:
read $user
it should be
read user
Also note the correct command is useradd. adduser, if it exists, is generally just a link to useradd.
I have 10 Linux servers.
To connect to server every time I have to execute the ssh command to login.
I need one single shell script to login to a remote server.
e.g if server is host name is testhost.com, user is user1 and pass password
when I give the user name user1 in terminal, it should automatically execute the shell script and logged in to remote server for the user user1
Hi i know this is an old question but here is a way to do it follow the link above from the #nick hartung then after that since you have 10 servers you call each server by name so say 'server1' or any name you like but for this example ill name one of the servers 'server1' also remember to change the port from 22 to something else eg 22277 so create a script and name it server1 and the put this in it
#!/bash/bin
ssh username#hostname -p22277
then move the script to user bin
$ sudo chmod 600 server1
$ sudo mv server1 /usr/bin/
then now u can just login to the remote host like this
$ server1
the you will be automatically logged in.
You can write a script that will take a username as a parameter and ssh to the correct host based on that. A quick example:
if [ "$1" == "username" ]; then
ssh username#hostname
fi
if [ "$1" == "username2" ]; then
...
However, the ssh command doesn't have a built in way to provide a password AFAIK. You shouldn't be storing your passwords in a script anyway. The way to get around this is to set up automatic authentication by creating a key pair using ssh-keygen. Here is a link that will show you how to set this up.