I'm trying to get terraform to create users for me other than the specified admin and also add them to sudoers to allow my ansible scripts to then run without requiring a sudo login. Optionally, if I could just allow my admin to login and not require sudo passowrd that would work as well since I can add the users I need via ansible.
I have attempted the only option I could find with my feeble googling skills. The option is to add a provisioner to my azurerm_virtual_machine resource that runs the following via remote-exec:
provisioner "remote-exec" {
inline = [
"useradd myuser && echo myuser:password123 | /usr/sbin/chpasswd",
"chmod +w /etc/sudoers && echo \"myuser ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers && chmod -w /etc/sudoers",
]
connection {
user = "myadmin"
agent = false
}
on_failure = "continue"
}
It says that it has successfully run however when I ssh to one of the boxes I provisioned these changes have not taken place. What am I doing wrong?
you can try this script.
#!/bin/bash
set -euo pipefail
USERNAME=$1 # sudo non-root username here
# Create user and immediately expire password to force a change on login
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
passwd --delete "${USERNAME}"
chage --lastday 0 "${USERNAME}"
# Create SSH directory for sudo user and move keys over
home_directory="$(eval echo ~${USERNAME})"
mkdir --parents "${home_directory}/.ssh"
cp /root/.ssh/authorized_keys "${home_directory}/.ssh"
chmod 0700 "${home_directory}/.ssh"
chmod 0600 "${home_directory}/.ssh/authorized_keys"
chown --recursive "${USERNAME}":"${USERNAME}" "${home_directory}/.ssh"
# Disable root SSH login with password
sed --in-place 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# if sshd -t -q; then systemctl restart sshd fi
Related
Based on my requirement in my dev server, I have Created a Linux function that will create a dev user,(Take the user's first name and create a Linux user )
we have a devs group in our developer server, and now want to create a Linux function for 10 plus developers (user)
as a requirement If any of the '$1' directories exist, it would throw a notice to the executor. our developer will have their own key my plan was not to copy the key. we could pass the key in when this is executed, or have this generate the key and output it on completion.
I have tried this code:
#!/bin/bash
CREATE_USER_NAME="pi"
# Create account
echo "============= now create an account ============="
sudo useradd -s /usr/bin/fish -m $CREATE_USER_NAME
sudo usermod -aG devs $CREATE_USER_NAME
sudo passwd $CREATE_USER_NAME
if getent passwd "$1" > /dev/null 2>&1; then
echo "yes the user exists"
else
echo "No, the user does not exist"
fi
mkdir -p /home/santosh/.ssh
chmod 0700 /home/santosh/.ssh
touch /home/santosh/.ssh/authorized_keys
chmod 600 /home/santosh/.ssh/authorized_keys
sudo mkdir -p /var/www/html/santosh-dev.jove.com/
sudo chown -R santosh /var/www/html/santosh-dev.jove.com/
sudo mkdir -p /var/log/httpd/santosh-dev.jove.com/
sudo chown -R santosh /var/log/httpd/santosh-dev.jove.com/
#
Output I Received:
[santosh#skb Desktop]$ ./user1.sh
============= now create an account =============
[sudo] password for santosh:
useradd: user 'pi' already exists
Changing password for user pi.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
No, the user does not exist
what is the best advice here! I'm unable to figure it what is wrong here? can anyone guide me on it!
Is there a tool or a common script for adding users to a linux server that also configures the ssh keys?
For example, I found I can automate creation of users with useradd or adduser, and it is even possible to setup an account with password login with e.g. adduser --password my_password. However, that still leaves me having to add the .ssh folders and files and set the correct permissions, which in my case leaves plenty of room for typos.
What I am looking for is something like
adduser --ssh user_public_key
where user_public_key is key provided to me by the new user.
I imagine there might be an existing tool for this, but my duckducking didn't turn up anything useful.
Try this (for centos, plus enables docker)
set -euo pipefail
DEV_GROUP="somegroup"
sudo groupadd --force "${DEV_GROUP}"
function adduser() {
local var_user="$1"
shift
local var_ssh_pub_key="$*"
id --user "${var_user}" &>/dev/null || sudo useradd --gid "${DEV_GROUP}" --groups wheel,docker "${var_user}"
echo "${var_user} ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/${var_user}"
sudo --user "${var_user}" mkdir -p "/home/${var_user}/.ssh"
sudo --user "${var_user}" touch "/home/${var_user}/.ssh/authorized_keys"
echo "${var_ssh_pub_key}" | sudo --user "${var_user}" tee "/home/${var_user}/.ssh/authorized_keys"
}
adduser someuser ssh-rsa AAAAB3NzaC1.... user#host
You can do this in a script as root:
$ mkdir ~username/.ssh
$ cat user_public_key >> ~username/.ssh/authorized_keys
$ chown -R username ~username/.ssh
If a root user is running a bash script that configure some stuff on machine for a user. The script would configure a git repository and an ssh key for password-less github communication, then it would clone the repository.
This will only happens once.
I'm new to bash, how would I do this?
My solution so far (this script is run as root):
USERNAME="vagrant"
HOMEDIR="/home/$USERNAME"
apt-get update -y
apt-get install git -y
cp id_rsa* $HOMEDIR/.ssh #copying predefined keys
su -c "eval `ssh-agent -s` ssh-add $HOMEDIR/.ssh/id_rsa" $USERNAME
chmod 400 $HOMEDIR/.ssh/id_rsa
cat $HOMEDIR/.ssh/id_rsa.pub > $HOMEDIR/.ssh/known_hosts
This doesn't work because the key is not being added, I get the error:
Could not open a connection to your authentication agent.
With a root user that has no login on a remote host, and /root/.ssh does not exist, I can interactively ssh in with:
su - $USERNAME -c "ssh $USERNAME#<remotehost>"
It reads USERNAME's ~/.ssh/known_hosts file (or prompts for verification). If correct keys exist in USERNAME's ~/.ssh it uses them. When done, there is still no /root/.ssh, i.e. this is completely done as USERNAME, not root.
Likewise with git cloning:
su - $USERNAME -c "git clone remoteuser#host:/path/to/repo"
Just be careful of quoting. If you want a variable dereferenced at the time you run su, use double quotes. If you want a variable dereferenced after su has handed off to the user's shell, use single quotes. Example:
su - myuser -c "echo $HOME"
/root
su - myuser -c 'echo $HOME'
/home/myuser
I'm usin ISPConfig to have multiple domains for my clients. Now, I have Jenkins to deploy an specific project.
Jenkins has assigned the working directory on /var/www/myproject/web which it is the VirtualHost on ISPConfig.
Manually I have to:
chown -R jenkins:nogroup /var/www/myproject/web
> Build Jenkins project
chown -R web38:client17 /var/www/myproject/web
Questions:
Is ok if I grant sudo permissions to Jenkins?
Instead of that, should I create a bash script with sudo permissions?
Is any permission role that I didn't notice to do this properly?
Thx
This is the solution I've found.
Install "Batch tasks" module on Jenkins.
Create an script as follows with root:root permissions on /var/www/your_domain.com/jenkins-post-build.sh
#!/bin/bash
SOURCE=$1
TARGET=$2
echo Moving $SOURCE to $TARGET
rm -rf $TARGET
cp -R $SOURCE $TARGET
ln -s $TARGET/build $TARGET/public/build
chown -R web39:client11 $TARGET
Add a Post Build action using the "Invoke batch tastsk"
sudo /var/www/your_domain.com/jenkins-post-build.sh ${WORKSPACE} /var/www/your_domain.com/web
Add this script right sudo permissions
Cmnd_Alias HIPER_DEV = /var/www/your_domain.com/jenkins-post-build.sh
jenkins ALL=(ALL) NOPASSWD:HIPER_DEV
I'm trying to create a post install script for Linux and I want to have the script edit the sudoers file so that users wont need to do sudo visudo and edit it manually.
In the script I have:
if [[ ! `sudo -l -U "$user" 2>&1 | grep "ALL"` ]]; then
su -c "echo '$user ALL=(ALL) ALL' >> /etc/sudoers"
su -c "echo '$user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"
fi
the problem with this is that when I sudo whoami after I run the script I get this output:
sudo: >>> /etc/sudoers: syntax error near line 31 <<<
sudo: parse error in /etc/sudoers near line 31
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
How do I do this without ruining my sudoers file?
EDIT:
As requested here is my sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Mind that it is not possible to do cat /etc/sudoers after the script has run.
EDIT 2:
The solution is to define $user as user=$(whoami)
As the comment at the end of the default sudoers file suggests, you should create a new file in /etc/sudoers.d/.
Doing this from a (Debian) package's postinst seems fishy, though. Where does the value of user come from?
Also, any particular reason this user is not simply added to one of the existing groups, admin or sudoers?
My solution is to have the script ask the user to enter his password and store the value in a variable to be used along with Expect. The script installs Expect if it's not installed and then the script does:
read -p "Please enter your password: " PASSWD
export PASSWD
username=$USER
export username
if [[ ! `sudo -l -U "$USER" 2>&1 | grep "ALL"` ]]; then
expect -c '
spawn "su -c \"cat <<EOF >> /etc/sudoers.d/$env(username)
$env(username) ALL=(ALL:ALL) ALL
$env(username) ALL=(ALL) NOPASSWD:ALL
EOF
\"
"
expect "Password:\r"
send $env(PASSWD)
interact
'
fi
You can edit file /etc/sudoers through "pkexec visudo", after when you will delete bad line, sudo will be work.