歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux管理 >> Linux安全

秘鑰認證用戶自動控制

#!/bin/bash 
#author: QingFeng
#qq: 530035210
#blog: http://my.oschina.net/pwd/blog 
#自動添加秘鑰認證用戶
#缺省的配置如下
 
logdir=/data/log/shell          #日志路徑
log=$logdir/shell.log            #日志文件 
is_font=1                #終端是否打印日志: 1打印 0不打印 
is_log=0                 #是否記錄日志: 1記錄 0不記錄
random_time=$(date +%Y%m%d_%H%M%S)
 
datef(){
date "+%Y-%m-%d %H:%M:%S"
}
 
print_log(){
if [[ $is_log -eq 1  ]];then
[[ -d $logdir ]] || mkdir -p $logdir
echo "[ $(datef) ] $1" >> $log
fi
if [[ $is_font -eq 1  ]];then
echo -e "[ $(datef) ] $1"
fi
}
 
#自動生成key
addautoKey(){
 
if [[ ! -f /usr/bin/expect ]];then
print_log "$FUNCNAME():不存在expect函數:開始安裝."
yum install tcl-devel  tcl expect  -y  -q
print_log "$FUNCNAME():expect函數:安裝完成."
fi
 
mkdir -p /tmp/ssh_$random_time
cd /tmp/ssh_$random_time
expect -c "
                spawn /usr/bin/ssh-keygen -t rsa
                set timeout -1
                expect \"\*id_rsa)\*:\"
                send \"$1\r\"
                expect \"\*no passphrase)\*:\"
                send \"$1\r\"
                expect \"\*again\*:\"
                send \"$1\r\"
                expect eof 
                 
                  "   > /dev/null
num=$(ls  /tmp/ssh_$random_time/$1* -l |wc -l)
if [[ $num  -eq 2   ]];then
print_log  "$FUNCNAME():該用戶$1秘鑰自動生成完成,路徑: /tmp/ssh_$random_time"
else
print_log  "$FUNCNAME():\033[31m該用戶$1秘鑰自動生成失敗,退出\033[0m"
exit
fi
}
 
#添加用戶
addUser(){
if [[  $1 == "" ]];then
print_log "$FUNCNAME():\033[31m用戶名不能為空\033[0m"
exit
fi
strlength=$(expr length $1)
if [[ $strlength -lt 5   ]];then
print_log "$FUNCNAME():\033[31m用戶名的長度最少大於4,退出\033[0m"
exit
fi
User=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }'  |grep "$1")
if [[  -z $User ]];then
print_log "$FUNCNAME():不存在非系統用戶:$1,開始添加用戶操作."
adduser $1  -g 10
[[ -d /home/$1/.ssh  ]] || mkdir /home/$1/.ssh 
addautoKey $1
cp /tmp/ssh_$random_time/$1.pub  /home/$1/.ssh/authorized_keys 
chmod 600 /home/$1/.ssh/authorized_keys
chown $1:wheel  /home/$1/  -R
cp /etc/ssh/sshd_config   /etc/ssh/sshd_config_$(date +%Y%m%d_%H%M%S)
sshdUser=$(cat  /etc/ssh/sshd_config |grep "$1")
if [[  -z $sshdUser  ]];then
sed -i "s/AllowUsers/AllowUsers $1/"  /etc/ssh/sshd_config
/etc/init.d/sshd restart
print_log  "$FUNCNAME():更新sshd_config文件並重啟sshd完成."
else
print_log  "$FUNCNAME():sshd_config文件中已經存在$1."
fi
 
else 
print_log  "$FUNCNAME():已經存在非系統用戶:$1,請確認後在添加."
fi 
 
}
#查找用戶
lookUp(){
loginUser=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }')
print_log "$FUNCNAME():如下用戶擁有登陸系統權限:\n\033[32m$loginUser\033[0m"
}
#刪除用戶
deleteUser(){
if [[  $1 == "" ]];then
print_log "$FUNCNAME():\033[31m用戶名不能為空\033[0m"
exit
fi
User=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }'  |grep "$1")
if [[ ! -z $User   ]];then
print_log "$FUNCNAME():存在非系統用戶:$1"
else
print_log "$FUNCNAME():\033[31m不存在非系統用戶:$1,退出\033[0m"
exit
fi 
userdel -rf $1
if [[ $? -eq 0  ]];then
print_log "$FUNCNAME():刪除非系統用戶:$1成功."
else
print_log "$FUNCNAME():\033[31m刪除非系統用戶:$1失敗.\033[0m"
fi
cp /etc/ssh/sshd_config   /etc/ssh/sshd_config_$random_time
sed -i "s/$1//g"  /etc/ssh/sshd_config 
/etc/init.d/sshd restart
print_log  "$FUNCNAME():更新sshd_config文件並重啟sshd完成."
 
}
 
case $1  in 
 
 add)
  addUser $2;;
 look)
  lookUp;;
 delete)
  deleteUser $2;;
   *)
  echo -e "
秘鑰認證用戶自動控制\n用法示例: \n1.添加/刪除秘鑰認證用戶: ./account.class.sh  add/delete  用戶名 \n2.查找可以登陸的用戶  ./account.class.sh  look";;  
     
esac

改進版,檢測系統是否添加key認證,無則自動添加,批量添加key認證用戶

上圖:

批量添加用戶圖:


 

#!/bin/bash 
#author: QingFeng
#qq: 530035210
#blog: http://my.oschina.net/pwd/blog 
#自動添加秘鑰認證用戶
#缺省的配置如下
logdir=/data/log/shell          #日志路徑
log=$logdir/shell.log            #日志文件 
is_font=1                #終端是否打印日志: 1打印 0不打印 
is_log=0                 #是否記錄日志: 1記錄 0不記錄
random_time=$(date +%Y%m%d_%H%M%S)
 
#定義默認公鑰
default_publicKey="ssh-dss CCCCB3NzaC1kc3MAAACBAJRKD+AyqOD2gtLSAPpbbMEy/VrMW8Z8fof1nyKA9OppiUWUWdVL9iJGDdBzvVB3hb9KZYX1bsns77KrD/VB+8jsCe/62rrsUmxJoUwvWyF2B+cvboxwe5cdXyTawt1bAMHNq8jiWrgSDaR7bplFXD3I6lwYk89I+ofxafXxmZE7AAAAFQCay8NRvgNMxkbExxhMLeRZBK2xpwAAAIEAhUpYCf0STqTUcTSTabQDmfizywG7+ZFSvppJCMrWdobG/+rZ61tN2xGWK4zRP13NJOVcIDaXsQwhhuZbGD8d1tEwGqldBAlTsouJWGiWPMJPhUfjKEFTIHn8ug2zDP/vE7yNgiuMalhn+Fglt+AMG78tiOCn1P7kYVjPeGklr8AAAACAWm3qmqYOiTIMtShfmcIJc06XOPPOjxXzwntN+c8rmy+gZbI6wx4vRwYbldaduMtPn7Q29BqJfcCAy/P7ymVyrX/a2ksWehddk7HdyUHnq9WAX1+MxE4BZq7nV4MHD3Fyn8bay+D76BgQdZjTta3dNXwbA5WdmJnZi68Bk5ZXcjM="
#定義whell組可以無密碼登陸
default_Wheel="%wheel        ALL=(ALL)       NOPASSWD: ALL"
#定義sshd配置文件
default_user="zhangsan"
default_sshdConfig="
Protocol 2
SyslogFacility AUTHPRIV
StrictModes no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server
AllowUsers   $default_user"
 
datef(){
date "+%Y-%m-%d %H:%M:%S"
}
 
print_log(){
if [[ $is_log -eq 1  ]];then
[[ -d $logdir ]] || mkdir -p $logdir
echo "[ $(datef) ] $1" >> $log
fi
if [[ $is_font -eq 1  ]];then
echo -e "[ $(datef) ] $1"
fi
}
 
#自動生成key
addautoKey(){
 
if [[ ! -f /usr/bin/expect ]];then
print_log "$FUNCNAME():不存在expect函數:開始安裝."
yum install tcl-devel  tcl expect  -y  -q
print_log "$FUNCNAME():expect函數:安裝完成."
fi
 
mkdir -p /tmp/ssh_$random_time
cd /tmp/ssh_$random_time
expect -c "
                spawn /usr/bin/ssh-keygen -t rsa
                set timeout -1
                expect \"\*id_rsa)\*:\"
                send \"$1\r\"
                expect \"\*no passphrase)\*:\"
                send \"$1\r\"
                expect \"\*again\*:\"
                send \"$1\r\"
                expect eof 
                 
                  "   > /dev/null
num=$(ls  /tmp/ssh_$random_time/$1* -l |wc -l)
if [[ $num  -eq 2   ]];then
print_log  "$FUNCNAME():該用戶$1秘鑰自動生成完成,路徑: /tmp/ssh_$random_time"
else
print_log  "$FUNCNAME():\033[31m該用戶$1秘鑰自動生成失敗,退出\033[0m"
exit
fi
}
 
#添加用戶
addUser(){
if [[  $1 == "" ]];then
print_log "$FUNCNAME():\033[31m用戶名不能為空\033[0m"
exit
fi
strlength=$(expr length $1)
if [[ $strlength -lt 5   ]];then
print_log "$FUNCNAME():\033[31m用戶名的長度最少大於4,退出\033[0m"
exit
fi
User=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }'  |grep "$1")
if [[  -z $User ]];then
print_log "$FUNCNAME():不存在非系統用戶:$1,開始添加用戶操作."
adduser $1  -g 10
addautoKey $1
[[ -d /home/$1/.ssh  ]] || mkdir -p /home/$1/.ssh 
cp /tmp/ssh_$random_time/$1.pub  /home/$1/.ssh/authorized_keys 
chmod 600 /home/$1/.ssh/authorized_keys
chown $1:wheel  /home/$1/  -R
cp /etc/ssh/sshd_config   /etc/ssh/sshd_config_$(date +%Y%m%d_%H%M%S)
sshdUser=$(cat  /etc/ssh/sshd_config |egrep -v "^$|^#" |grep "$1")
if [[  -z $sshdUser  ]];then
sed -i "s/AllowUsers/AllowUsers $1/"  /etc/ssh/sshd_config
/etc/init.d/sshd restart
print_log  "$FUNCNAME():更新sshd_config文件並重啟sshd完成."
else
print_log  "$FUNCNAME():sshd_config文件中已經存在$1."
fi
 
else 
print_log  "$FUNCNAME():已經存在非系統用戶:$1,請確認後在添加."
fi 
 
}
#查找用戶
lookUp(){
loginUser=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }')
print_log "$FUNCNAME():如下用戶擁有登陸系統權限:\n\033[32m$loginUser\033[0m"
}
#刪除用戶
deleteUser(){
if [[  $1 == "" ]];then
print_log "$FUNCNAME():\033[31m用戶名不能為空\033[0m"
exit
fi
User=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }'  |grep "$1")
if [[ ! -z $User   ]];then
print_log "$FUNCNAME():存在非系統用戶:$1"
else
print_log "$FUNCNAME():\033[31m不存在非系統用戶:$1,退出\033[0m"
exit
fi 
userdel -rf $1
if [[ $? -eq 0  ]];then
print_log "$FUNCNAME():刪除非系統用戶:$1成功."
else
print_log "$FUNCNAME():\033[31m刪除非系統用戶:$1失敗.\033[0m"
fi
cp /etc/ssh/sshd_config   /etc/ssh/sshd_config_$random_time
sed -i "s/$1//g"  /etc/ssh/sshd_config 
/etc/init.d/sshd restart
print_log  "$FUNCNAME():更新sshd_config文件並重啟sshd完成."
 
}
#檢查key認證
checkUser(){
if [[  $default_user == "" ]];then
print_log "$FUNCNAME():\033[31m用戶名不能為空\033[0m"
exit
fi
strlength=$(expr length $default_user)
if [[ $strlength -lt 5   ]];then
print_log "$FUNCNAME():\033[31m用戶名的長度最少大於4,退出\033[0m"
exit
fi
User=$(cat /etc/passwd |grep -v "nologin" |awk -F':' '{if ($3> 500) print $1 }'  |grep "$default_user")
if [[  -z $User ]];then
print_log "$FUNCNAME():不存在非系統用戶:$default_user,開始添加用戶操作."
adduser $default_user  -g 10
[[ -d /home/$default_user/.ssh  ]] || mkdir /home/$default_user/.ssh 
echo $default_publicKey >   /home/$default_user/.ssh/authorized_keys 
chmod 600 /home/$default_user/.ssh/authorized_keys
chown $default_user:wheel  /home/$default_user/  -R
cp /etc/ssh/sshd_config   /etc/ssh/sshd_config_$(date +%Y%m%d_%H%M%S)
sshdUser=$(cat  /etc/ssh/sshd_config |egrep -v "^$|^#"|grep "$default_user")
if [[  -z $sshdUser  ]];then
echo -e "$default_sshdConfig" > /etc/ssh/sshd_config
sed -i "s/^$//g" /etc/ssh/sshd_config 
check_suders=$(cat  /etc/sudoers |egrep -v  "^#|^$"|grep "%wheel")
if [[  -z  $check_suders  ]];then
echo  -e  "$default_Wheel" >>  /etc/sudoers
fi 
/etc/init.d/sshd restart
print_log  "$FUNCNAME():添加key認證,更新sshd_config文件並重啟sshd完成."
else
print_log  "$FUNCNAME():sshd_config文件中已經存在$default_user."
fi
 
else 
check_sshdnum=1
check_sudersnum=1
check_sshd=$(cat /etc/ssh/sshd_config |egrep  -v "^#|^$" |grep "$default_user")
if [[  -z $check_sshd ]];then
check_sshdnum=0
print_log "已經添加$default_user用戶,但是沒有配置sshd_config"
fi
 
check_suders=$(cat /etc/sudoers |egrep  -v "^#|^$" |grep "wheel" |grep "NOPASSWD")
if [[  -z $check_suders  ]];then
check_sudersnum=0
print_log "已經添加$default_user用戶,但是沒有配置sudoers"
fi 
 
if [[ $check_sshdnum -ne 0 && $check_sudersnum -ne 0 ]];then
print_log "該服務器已經配置秘鑰認證."
fi
 
 
fi
 
}
 
case $1  in 
 
 add)
  addUser $2;;
 look)
  lookUp;;
 delete)
  deleteUser $2;;
 check)
  checkUser ;;
   *)
  echo -e "
秘鑰認證用戶自動控制\n用法示例: \n1.添加/刪除秘鑰認證用戶: ./account.class.sh  add/delete  用戶名 \n2.查找可以登陸的用戶  ./account.class.sh  look\n3.檢測系統是否是key認證,不是則添加key認證   ./account.class.sh  check\n(默認增加一個[$default_user]的認證用戶)";;
     
esac
原文:http://my.oschina.net/pwd/blog/388254
Copyright © Linux教程網 All Rights Reserved