Rootless and GitHub User has sudo

by displague

Sick of passwords? Have a GitHub account configured with your favorite ssh keys?

You've come to the right place. This StackScript removes the barrier to entry. The root password has been disabled, so you can't ssh in as root. But wait, root is not out of reach!

With one simple text entry of your GitHub username, all of the SSH keys configured on your GitHub account will be authorized for login under that same username. Root password? Who needs it. While you will be prompted for one, this miracle script will promptly remove the root password on first boot.

Your GitHub username is all you need to sudo or su. No more secrets!

Compatible with: CentOS 7, Debian 7, Debian 8, Fedora 24, Slackware 14.1, Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, CentOS 5.6, CentOS 6.5, Fedora 23, Gentoo 2013-11-26, openSUSE 13.1, Slackware 13.37, Ubuntu 12.04 LTS, Slackware 13.37 32bit
						#!/bin/bash
# <UDF name="gh_username" Label="GitHub Username" example="GitHub User account to create with sudo access (use spaces or commas for multiple accounts)" />
source <ssinclude StackScriptID=1>

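function btr_user_add_sudo {
  # Creates a local account with the given password and puts it in the
  # distribution's admin group: "sudo" on Debian-family, "wheel" on
  # RedHat-family systems (both branches also install the sudo package).
  #
  # $1 - Required - username
  # $2 - Required - password, in plain text
  #
  # Returns 0 on success, 1 when an argument is missing or the distribution
  # is not recognised (previously an unknown distro silently returned 0).
  local username="$1"
  local userpass="$2"
  if [ -z "$username" ] || [ -z "$userpass" ]; then
    echo "No new username and/or password entered"
    return 1;
  fi

  if [ -f /etc/debian_version ]; then
    adduser "$username" --disabled-password --gecos ""
    apt-get install -y sudo
    usermod -aG sudo "$username"
  elif [ -f /etc/redhat-release ]; then
    # useradd/adduser -p expects an already-hashed password; handing it the
    # plain text stores an unusable hash, so the password is set via
    # chpasswd below instead.
    adduser "$username"
    yum install -y sudo
    usermod -aG wheel "$username"
  else
    echo "Unsupported distribution: cannot create $username"
    return 1
  fi

  # chpasswd reads the secret from stdin, so it never appears in `ps`
  # output the way a command-line argument would.
  printf '%s:%s\n' "$username" "$userpass" | chpasswd
}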

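# Fetch GitHub SSH Keys
function user_github_keys {
    # Appends every public key published on the GitHub account named $1 to
    # the local account's ~/.ssh/authorized_keys. Make sure you wrap your
    # input variables in double quotes, or the key may not load properly.
    #
    # $1 - Required - username (GitHub account name, also the local user)
    #
    # Returns 0 when at least one key was installed, 1 otherwise. A non-zero
    # return means this account has NO way in over SSH, so callers that go
    # on to lock root out should check it.
    local username="${1}"
    local github_keys="https://github.com/${1}.keys"
    local home_dir keys

    if [ -z "$username" ]; then
        echo "Must provide a username"
        return 1;
    fi

    # getent matches the account name exactly; grepping /etc/passwd would
    # also hit substrings ("bob" -> "bobby") and GECOS fields, producing a
    # multi-line or wrong home directory.
    home_dir="$(getent passwd "$username" | cut -f6 -d:)"
    if [ -z "$home_dir" ]; then
        echo "No local account found for $username"
        return 1
    fi

    # Download first and append afterwards: a failed fetch (unknown account,
    # network error) must not leave an empty or partial authorized_keys
    # behind, which would silently lock the user out.
    keys="$(wget -q -O- "${github_keys}")" || keys=""
    if [ -z "$keys" ]; then
        echo "No SSH keys found at ${github_keys}"
        return 1
    fi

    mkdir -p "$home_dir/.ssh"
    printf '%s\n' "$keys" >> "$home_dir/.ssh/authorized_keys"
    chown -R "$username":"$username" "$home_dir/.ssh"
    # sshd's StrictModes refuses keys from a group/world-accessible ~/.ssh.
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}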

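printf '\n\nPasswords have been disabled. Use SSH:\n\n' >> /etc/issue

export ALL_GH_USERNAMES="${GH_USERNAME//,/ }"

# Strip nullok_secure BEFORE any password is deleted below, so there is no
# window in which an account with an empty password can log in on a
# console tty.
echo "Disabling NullOK Pam/Unix Auth for SecureTTYs..."
while IFS= read -r pamf; do
  sed -i 's/nullok_secure//' "$pamf"
done < <(grep -l nullok_secure /etc/pam.d/*)

# Uncomment "auth sufficient pam_wheel.so trust" so wheel members can su
# without a password. Loop-invariant, so it runs once rather than per user.
# NOTE(review): Debian accounts are added to the "sudo" group and pam_wheel
# defaults to "wheel" - confirm passwordless su actually works there.
sed -i 's/#\?\s*\(auth\s\+sufficient\s\+pam_wheel.so\s\+trust\)/\1/' /etc/pam.d/su
#sed -i "s/^root:.*/\0,$GH_USERNAME/" /etc/group
#sed -i "s/^wheel:.*/\0,$GH_USERNAME/" /etc/group

#######################################
# Grants passwordless sudo to one account, validating the resulting sudoers
# with visudo before it goes live so a bad line cannot break sudo for
# everyone (a broken /etc/sudoers makes sudo refuse to run at all).
# Arguments: $1 - local username
# Returns:   0 when the entry is installed, 1 when it was rejected
#######################################
gh_grant_nopasswd_sudo() {
  local username="$1"
  local entry="$username ALL=NOPASSWD: ALL"
  local sudoers tmp
  if [ -d /etc/sudoers.d ]; then
    sudoers="/etc/sudoers.d/$username"
    printf '%s\n' "$entry" >> "$sudoers"
    chmod 0440 "$sudoers"
    if ! visudo -cf "$sudoers" >/dev/null; then
      echo "Invalid sudoers entry for $username; removing $sudoers" >&2
      rm -f -- "$sudoers"
      return 1
    fi
  else
    # No drop-in directory: append to a scratch copy of /etc/sudoers and only
    # copy it back once visudo accepts it.
    tmp="$(mktemp)" || return 1
    cat /etc/sudoers > "$tmp"
    printf '%s\n' "$entry" >> "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
      cat "$tmp" > /etc/sudoers
      chmod 0440 /etc/sudoers
    else
      echo "Invalid sudoers entry for $username; /etc/sudoers left unchanged" >&2
      rm -f -- "$tmp"
      return 1
    fi
    rm -f -- "$tmp"
  fi
}

# Number of accounts that ended up with at least one SSH key. Root is only
# locked out below if this is non-zero; otherwise nobody could log in.
ready_accounts=0

# The UDF value is a space/comma separated list; word-splitting is intended.
# shellcheck disable=SC2086
for GH_USERNAME in ${ALL_GH_USERNAMES}; do
echo "#################"
echo "########"
echo "########  G I T H U B :"
echo "  ======                $GH_USERNAME"
echo "  ======"
echo ""

# GitHub usernames consist of alphanumerics and hyphens only. Anything else
# is a typo in the UDF and would be unsafe to splice into a sudoers file
# name (sudo ignores names containing "." or "~") or a sudoers line.
if ! [[ "$GH_USERNAME" =~ ^[A-Za-z0-9-]+$ ]]; then
  echo "Skipping invalid GitHub username: $GH_USERNAME" >&2
  continue
fi

echo "Creating user..."
btr_user_add_sudo "$GH_USERNAME" "$(randomString)"
# Do not grant sudo or write keys for an account that was never created
# (e.g. Debian's adduser rejects names outside its NAME_REGEX by default -
# presumably including upper-case GitHub names; verify on the target).
if ! getent passwd "$GH_USERNAME" >/dev/null; then
  echo "Account $GH_USERNAME was not created; skipping" >&2
  continue
fi
passwd -d "$GH_USERNAME"

echo "Giving user passwordless sudo/su..."
gh_grant_nopasswd_sudo "$GH_USERNAME"

echo "Adding GitHub SSH Keys..."
user_github_keys "$GH_USERNAME"

# Only advertise the login (and count the account as reachable) when an
# authorized_keys file actually exists and is non-empty.
gh_home="$(getent passwd "$GH_USERNAME" | cut -d: -f6)"
if [ -s "$gh_home/.ssh/authorized_keys" ]; then
  printf '    ssh://%s@%s\n' "$GH_USERNAME" "$(dnsdomainname -f)" >> /etc/issue
  ready_accounts=$((ready_accounts + 1))
else
  echo "No SSH keys were installed for $GH_USERNAME" >&2
fi

done

if (( ready_accounts == 0 )); then
  echo "No account has an SSH key installed; leaving root login enabled so the host stays reachable." >&2
  exit 1
fi

echo "Disabling Root SSH..."
ssh_disable_root

echo "Disabling Root Password..."
passwd -d root

echo "Disabling Root Shell..."
nologin_shell="$(command -v nologin)"
if [ -n "$nologin_shell" ]; then
  chsh -s "$nologin_shell" root
else
  # The unquoted $(which nologin) used to expand to nothing here, turning
  # "root" into the shell argument; report instead of guessing.
  echo "nologin not found; root shell left unchanged" >&2
fi

echo "Done."
echo ""
echo "  ======"
echo "########"
echo "########"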