#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # Adds an user to the system # License # ======= # # Copyright (C) 2015-2016 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . PROJECT_NAME='freedombone' export TEXTDOMAIN=${PROJECT_NAME}-adduser export TEXTDOMAINDIR="/usr/share/locale" CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-* for f in $UTILS_FILES do source $f done APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-* for f in $APP_FILES do source $f done ADD_USERNAME=$1 SSH_PUBLIC_KEY="$2" GPG_KEYSERVER='hkp://keys.gnupg.net' SSH_PORT=2222 COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt DEFAULT_DOMAIN_NAME= if [ ! $ADD_USERNAME ]; then echo $'No username was given' exit 1 fi if [ -d /home/$ADD_USERNAME ]; then echo $"The user $ADD_USERNAME already exists" exit 2 fi if [ ! -f $COMPLETION_FILE ]; then echo $"$COMPLETION_FILE not found" userdel -r $ADD_USERNAME exit 3 fi # Minimum number of characters in a password MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}') NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" chmod 600 /etc/shadow chmod 600 /etc/gshadow useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $ADD_USERNAME adduser $ADD_USERNAME sasl groupadd $ADD_USERNAME chmod 0000 /etc/shadow chmod 0000 /etc/gshadow if [ ! -d /home/$ADD_USERNAME ]; then echo $'Home directory was not created' exit 4 fi if [ "$SSH_PUBLIC_KEY" ]; then if [ ${#SSH_PUBLIC_KEY} -gt 5 ]; then if [ -f "$SSH_PUBLIC_KEY" ]; then mkdir /home/$ADD_USERNAME/.ssh cp $SSH_PUBLIC_KEY /home/$ADD_USERNAME/.ssh/authorized_keys chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.ssh echo $'ssh public key installed' else if [[ "$SSH_PUBLIC_KEY" == "ssh-"* ]]; then mkdir /home/$ADD_USERNAME/.ssh echo "$SSH_PUBLIC_KEY" > /home/$ADD_USERNAME/.ssh/authorized_keys chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.ssh echo $'ssh public key installed' else echo $'The second parameter does not look like an ssh key' exit 5 fi fi fi fi if [ -d /home/$ADD_USERNAME/Maildir ]; then if grep -q "set from=" /home/$ADD_USERNAME/.muttrc; then sed -i "s|set from=.*|set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'|g" /home/$ADD_USERNAME/.muttrc else echo "set from='$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>'" >> /home/$ADD_USERNAME/.muttrc fi USERN='$USER@' sed -i "s|$USERN|$ADD_USERNAME@|g" /home/$ADD_USERNAME/.procmailrc fi # generate a gpg key echo "Making a GPG key for $ADD_USERNAME@$HOSTNAME" mkdir /home/$ADD_USERNAME/.gnupg echo "keyserver $GPG_KEYSERVER" >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo 'keyserver-options auto-key-retrieve' >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo '' >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo '# default preferences' >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo 'personal-digest-preferences SHA256' >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo 'cert-digest-algo SHA256' >> /home/$ADD_USERNAME/.gnupg/gpg.conf echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$ADD_USERNAME/.gnupg/gpg.conf chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg chmod 700 /home/$ADD_USERNAME/.gnupg chmod 600 /home/$ADD_USERNAME/.gnupg/* # Generate a GPG key echo 'Key-Type: eddsa' > /home/$ADD_USERNAME/gpg-genkey.conf echo 'Key-Curve: Ed25519' >> /home/$ADD_USERNAME/gpg-genkey.conf echo 'Subkey-Type: eddsa' >> /home/$ADD_USERNAME/gpg-genkey.conf echo "Name-Real: $ADD_USERNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf echo "Name-Email: $ADD_USERNAME@$HOSTNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$ADD_USERNAME/gpg-genkey.conf echo "Passphrase: $NEW_USER_PASSWORD" >> /home/$ADD_USERNAME/gpg-genkey.conf chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/gpg-genkey.conf su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - $ADD_USERNAME chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg shred -zu /home/$ADD_USERNAME/gpg-genkey.conf MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$ADD_USERNAME" "$ADD_USERNAME@$HOSTNAME") MY_GPG_PUBLIC_KEY=/home/$ADD_USERNAME/public_key.gpg su -m root -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $ADD_USERNAME if [ ! -f $MY_GPG_PUBLIC_KEY ]; then echo "GPG public key was not generated for $ADD_USERNAME@$HOSTNAME $MY_GPG_PUBLIC_KEY_ID" userdel -r $ADD_USERNAME exit 7 fi gpg_agent_setup $ADD_USERNAME # add a monkeysphere subkey #echo $'Adding monkeysphere subkey' #su -c "monkeysphere gen-subkey" - $ADD_USERNAME #echo $'Adding monkeysphere subkey to ssh-agent' #su -c "monkeysphere s" - $ADD_USERNAME # add authorized GPG email address #mkdir /home/$ADD_USERNAME/.monkeysphere #chmod 755 /home/$ADD_USERNAME/.monkeysphere #echo "$ADD_USERNAME <$ADD_USERNAME@$HOSTNAME>" > /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids #chmod 644 /home/$ADD_USERNAME/.monkeysphere/authorized_user_ids #chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.monkeysphere #echo $'Updating monkeysphere users' #monkeysphere-authentication update-users if [ -f /home/$ADD_USERNAME/.muttrc ]; then # encrypt outgoing mail to the "sent" folder if ! grep -q "pgp_encrypt_only_command" /home/$ADD_USERNAME/.muttrc; then echo '' >> /home/$ADD_USERNAME/.muttrc echo $'# Encrypt items in the Sent folder' >> /home/$ADD_USERNAME/.muttrc echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$ADD_USERNAME/.muttrc else sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$ADD_USERNAME/.muttrc fi if ! grep -q "pgp_encrypt_sign_command" /home/$ADD_USERNAME/.muttrc; then echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$ADD_USERNAME/.muttrc else sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$ADD_USERNAME/.muttrc fi fi if ! grep -q "Change your GPG password" /home/$ADD_USERNAME/README; then echo '' >> /home/$ADD_USERNAME/README echo '' >> /home/$ADD_USERNAME/README echo $'# Change your GPG password' >> /home/$ADD_USERNAME/README echo $"It's very important to add a password to your GPG key so that" >> /home/$ADD_USERNAME/README echo $"if anyone does get access to your email they still won't be able" >> /home/$ADD_USERNAME/README echo $'to read them without knowning the GPG password.' >> /home/$ADD_USERNAME/README echo $'You can change the it with:' >> /home/$ADD_USERNAME/README echo '' >> /home/$ADD_USERNAME/README echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$ADD_USERNAME/README echo ' passwd' >> /home/$ADD_USERNAME/README echo ' save' >> /home/$ADD_USERNAME/README echo ' quit' >> /home/$ADD_USERNAME/README fi chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/README chown $ADD_USERNAME:$ADD_USERNAME $MY_GPG_PUBLIC_KEY chmod 600 /home/$ADD_USERNAME/README echo $'Detecting installed apps...' detect_apps get_apps_installed_names for app_name in "${APPS_INSTALLED_NAMES[@]}" do if [[ $(function_exists add_user_${app_name}) == "1" ]]; then echo $"Adding user to ${app_name}" app_load_variables ${app_name} retval=$(add_user_${app_name} "$ADD_USERNAME" "$NEW_USER_PASSWORD" | tail -n 1) if [[ $retval != '0' ]]; then echo $"Failed with error code ${retval}" ${PROJECT_NAME}-rmuser $ADD_USERNAME --force exit 672392 fi if ! grep -q "${app_name}_${ADD_USERNAME}" $APP_USERS_FILE; then echo "${app_name}_${ADD_USERNAME}" >> $APP_USERS_FILE fi fi done if [ -f /etc/nginx/.htpasswd ]; then if ! grep -q "${ADD_USERNAME}:" /etc/nginx/.htpasswd; then echo "$NEW_USER_PASSWORD" | htpasswd -i -s /etc/nginx/.htpasswd $ADD_USERNAME fi fi # add user menu on ssh login if ! grep -q 'controluser' /home/$ADD_USERNAME/.bashrc; then echo 'controluser' >> /home/$ADD_USERNAME/.bashrc fi # fix some gpg strangeness when searching for keys printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /home/$ADD_USERNAME/.gnupg/S.dirmngr if [ -d /home/$ADD_USERNAME/.gnupg/crls.d ]; then chmod +x /home/$ADD_USERNAME/.gnupg/crls.d fi ${PROJECT_NAME}-pass -u $ADD_USERNAME -a login -p "$NEW_USER_PASSWORD" gpg_agent_enable $ADD_USERNAME clear echo $"New user $ADD_USERNAME was created" echo $"Their login password is $NEW_USER_PASSWORD" echo '' echo $"They can download their GPG keys with:" echo '' echo " scp -P $SSH_PORT -r $ADD_USERNAME@$HOSTNAME:/home/$ADD_USERNAME/.gnupg ~/" echo '' echo $"They should also run ${PROJECT_NAME}-client on their system to ensure" echo $'the best security.' exit 0