#!/bin/bash -e
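#######################################
# Print the usage text for this installer to stdout.
# The -d and -f options are accepted by the option parser but were
# missing from the help, so they are documented here as well.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
show_help() {
  cat <<EOF
Usage: ${0##*/} [-hv] [-a ARN] [-i GROUP,GROUP,...] [-l GROUP,GROUP,...] [-s GROUP,GROUP,...] [-p PROGRAM] [-u "ARGUMENTS"] [-d PROGRAM] [-f "ARGUMENTS"] [-r RELEASE]
Install import_users.sh and authorized_key_commands.

    -h                 display this help and exit
    -v                 verbose mode.
    -a arn             Assume a role before contacting AWS IAM to get users and keys.
                       This can be used if you define your users in one AWS account, while the EC2
                       instance you use this script runs in another.
    -i group,group     Which IAM groups have access to this instance
                       Comma separated list of IAM groups. Leave empty for all available IAM users
    -l group,group     Give the users these local UNIX groups
                       Comma separated list
    -s group,group     Specify IAM group(s) for users who should be given sudo privileges, or leave
                       empty to not change sudo access, or give it the value '##ALL##' to have all
                       users be given sudo rights.
                       Comma separated list
    -p program         Specify your useradd program to use.
                       Defaults to '/usr/sbin/useradd'
    -u "useradd args"  Specify arguments to use with useradd.
                       Defaults to '--create-home --shell /bin/bash'
    -d program         Specify your userdel program to use.
    -f "userdel args"  Specify arguments to use with userdel.
    -r release         Specify a release of aws-ec2-ssh to download from GitHub. This argument is
                       passed to \`git clone -b\` and so works with branches and tags.
                       Defaults to 'master'
EOF
}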
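# Abort on the first failing command, unset variable or failed pipeline
# stage. The "-e" in the shebang is lost when the script is run as
# "bash install.sh", so it is set explicitly here.
set -euo pipefail

# Paths consumed by the helper scripts that are cloned below; they run as
# separate processes, which is why these are exported.
export SSHD_CONFIG_FILE="/etc/ssh/sshd_config"
export AUTHORIZED_KEYS_COMMAND_FILE="/opt/authorized_keys_command.sh"
export IMPORT_USERS_SCRIPT_FILE="/opt/import_users.sh"
export MAIN_CONFIG_FILE="/etc/aws-ec2-ssh.conf"

# Option values filled in by parse_args; all of them are exported after
# parsing for the same reason as the paths above.
IAM_GROUPS=""
SUDO_GROUPS=""
LOCAL_GROUPS=""
ASSUME_ROLE=""
USERADD_PROGRAM=""
USERADD_ARGS=""
USERDEL_PROGRAM=""
USERDEL_ARGS=""
RELEASE="master"

# Temporary checkout directory; global (not local) so the EXIT trap can
# still see it after main has returned.
tmpdir=""

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Parse the command line into the option globals above.
# Globals:   IAM_GROUPS SUDO_GROUPS LOCAL_GROUPS ASSUME_ROLE USERADD_PROGRAM
#            USERADD_ARGS USERDEL_PROGRAM USERDEL_ARGS RELEASE (written)
# Arguments: "$@" - the script's arguments
# Returns:   0; exits 0 after -h, exits 1 on an unknown option or a
#            missing option argument
#######################################
parse_args() {
  local opt
  while getopts ':hva:i:l:s:p:u:d:f:r:' opt; do
    case "$opt" in
      h)
        show_help
        exit 0
        ;;
      # xtrace prints every subsequent command, including all option
      # values, to stderr.
      v) set -x ;;
      i) IAM_GROUPS="$OPTARG" ;;
      s) SUDO_GROUPS="$OPTARG" ;;
      l) LOCAL_GROUPS="$OPTARG" ;;
      a) ASSUME_ROLE="$OPTARG" ;;
      p) USERADD_PROGRAM="$OPTARG" ;;
      u) USERADD_ARGS="$OPTARG" ;;
      d) USERDEL_PROGRAM="$OPTARG" ;;
      f) USERDEL_ARGS="$OPTARG" ;;
      r) RELEASE="$OPTARG" ;;
      \?)
        echo "Invalid option: -$OPTARG" >&2
        show_help
        exit 1
        ;;
      :)
        echo "Option -$OPTARG requires an argument." >&2
        show_help
        exit 1
        ;;
    esac
  done
}

#######################################
# Append NAME="VALUE" to the main config file when VALUE is non-empty.
# The value is written verbatim between double quotes, exactly as before;
# whatever later reads $MAIN_CONFIG_FILE interprets it, so a value that
# itself contains an unescaped '"' would corrupt that file. Lines are
# appended, not replaced, so re-running the installer adds a second
# entry instead of updating the first.
# Globals:   MAIN_CONFIG_FILE (read)
# Arguments: $1 - config variable name
#            $2 - value
#######################################
append_config() {
  local name=$1 value=$2
  if [[ -n "$value" ]]; then
    printf '%s="%s"\n' "$name" "$value" >> "$MAIN_CONFIG_FILE"
  fi
}

#######################################
# Clone the requested release, install the scripts, write the config and
# the cron job, then run the helper scripts from the checkout.
# Globals:   all option globals and path globals above (read);
#            tmpdir (written)
# Arguments: "$@" - the script's arguments
# Returns:   0 on success; exits non-zero on any failure
#######################################
main() {
  parse_args "$@"
  export IAM_GROUPS SUDO_GROUPS LOCAL_GROUPS ASSUME_ROLE \
    USERADD_PROGRAM USERADD_ARGS USERDEL_PROGRAM USERDEL_ARGS

  # Everything below writes to /etc and /opt and restarts sshd; fail early
  # with a clear message instead of part-way through.
  [[ "$EUID" -eq 0 ]] || die "this installer must run as root - exiting!"
  command -v aws >/dev/null 2>&1 || die "aws executable not found - exiting!"
  command -v git >/dev/null 2>&1 || die "git executable not found - exiting!"

  tmpdir=$(mktemp -d) || die "mktemp failed"
  # Remove the checkout on every exit path, including die and set -e.
  trap 'rm -rf -- "$tmpdir"' EXIT

  cd "$tmpdir" || die "cannot cd to $tmpdir"
  # The scripts fetched from this ref are executed as root below; pin
  # RELEASE to a tag rather than a moving branch when reproducibility
  # matters.
  git clone -b "$RELEASE" https://github.com/widdix/aws-ec2-ssh.git
  cd "$tmpdir/aws-ec2-ssh" || die "cannot cd to $tmpdir/aws-ec2-ssh"

  # sshd only honours an AuthorizedKeysCommand that is owned by root and
  # not writable by group or others; set the mode explicitly instead of
  # inheriting whatever the checkout and the umask produced.
  install -m 0755 -- authorized_keys_command.sh "$AUTHORIZED_KEYS_COMMAND_FILE"
  install -m 0755 -- import_users.sh "$IMPORT_USERS_SCRIPT_FILE"

  append_config IAM_AUTHORIZED_GROUPS "$IAM_GROUPS"
  append_config SUDOERS_GROUPS "$SUDO_GROUPS"
  append_config LOCAL_GROUPS "$LOCAL_GROUPS"
  append_config ASSUMEROLE "$ASSUME_ROLE"
  append_config USERADD_PROGRAM "$USERADD_PROGRAM"
  append_config USERADD_ARGS "$USERADD_ARGS"
  append_config USERDEL_PROGRAM "$USERDEL_PROGRAM"
  append_config USERDEL_ARGS "$USERDEL_ARGS"

  ./install_configure_selinux.sh
  ./install_configure_sshd.sh

  # Re-import IAM users every ten minutes; 0644 so only root can change
  # the job definition.
  cat > /etc/cron.d/import_users <<EOF
SHELL=/bin/bash
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin
MAILTO=root
HOME=/
*/10 * * * * root $IMPORT_USERS_SCRIPT_FILE
EOF
  chmod 0644 /etc/cron.d/import_users

  # Initial import so users exist before sshd is restarted.
  "$IMPORT_USERS_SCRIPT_FILE"
  ./install_restart_sshd.sh
}

main "$@"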