The code snippet below was used to add SSH users to RackSpace cloud CentOS Linux nodes that were serving as application servers and were managed via RightScale. The SSH users were required during a testing phase so that the testers could look through logs, modify specific configuration files, and so on. Three things have to happen to create an SSH user, allow them to log in, and give them the rights they need on the server: add the user, modify the sshd configuration to allow password logins, and update the sudoers file to enable sudo access for members of the wheel group.
RightScript Used To Add SSH Users During Linux Instance Boot Process:
```bash
#!/bin/bash -e
# add user, with a home directory and wheel as a supplementary group
useradd -m -G wheel "$SSH_USER1"
# set the password through chpasswd, which reads cleartext on stdin;
# useradd -p expects an already-encrypted hash, so passing the input value there would leave a user who cannot log in
echo "$SSH_USER1:$SSH_USER_PASS1" | chpasswd
# add second user
useradd -m -G wheel "$SSH_USER2"
echo "$SSH_USER2:$SSH_USER_PASS2" | chpasswd
# modify sshd_config to allow password logins (-i -e, not -ie: the latter is -i with backup suffix "e")
/bin/sed -i -e 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
# restart sshd
/etc/init.d/sshd restart
# modify sudoers to allow members of wheel group to sudo; \t is a tab, as in the stock CentOS sudoers
/bin/sed -i -e 's/^# %wheel\tALL=(ALL)\tALL$/%wheel\tALL=(ALL)\tALL/' /etc/sudoers
# check that sudoers still parses; with bash -e a failure here aborts the boot script
visudo -cf /etc/sudoers
```
The script above adds two users; that portion can easily be modified for more or fewer SSH users. The variables $SSH_USER1, $SSH_USER_PASS1, $SSH_USER2, and $SSH_USER_PASS2 are required inputs for the ServerTemplate that the RightScript is applied to. Note that useradd's -p option expects an already-encrypted password (the output of crypt(3)), so handing it the cleartext input value stores that string as the hash and leaves a user who cannot log in; setting the password through chpasswd, which reads cleartext from stdin, avoids that and also keeps the password off the command line where ps could show it. Also note that the \t in the sudoers modification line represents a tab, as explained in an article previously written on QD; the pattern matches the stock CentOS sudoers entry exactly, so if the file on your image separates the fields with spaces the line stays commented out, and it is worth confirming the result with grep wheel /etc/sudoers and visudo -c. The useradd and sshd steps should carry over to other cloud providers and ServerTemplates for other Linux distributions, but the sudoers pattern is specific to CentOS/RHEL: Debian and Ubuntu, for example, grant sudo through the sudo group (%sudo) rather than wheel.
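The sudoers step is the one that fails quietly when the whitespace in the file does not match the pattern, which is also what the comments below run into. The following is an added example, not part of the original RightScript: it builds a constructed copy of the stock CentOS wheel stanza in a temp file, applies the article's exact tab-separated pattern and a whitespace-tolerant alternative to it, and reports through return codes whether wheel actually got enabled while the NOPASSWD line stayed commented out. The function names and the sample file are assumptions made for the example; point the functions at /etc/sudoers as root to apply the edit for real.

```bash
#!/bin/bash
# Added example, not from the original RightScript: the sudoers edit in two
# forms, exercised on a constructed scratch copy instead of a live /etc/sudoers.

# Constructed sample of the stock CentOS wheel stanza. SEP separates the
# fields: a tab (as in the real file) or spaces (what you get after the stanza
# has been through a web page or an editor that expands tabs).
make_sample_sudoers() {
    local file="$1" sep="$2"
    {
        printf '## Allows people in group wheel to run all commands\n'
        printf '# %%wheel%sALL=(ALL)%sALL\n' "$sep" "$sep"
        printf '# %%wheel%sALL=(ALL)%sNOPASSWD: ALL\n' "$sep" "$sep"
    } > "$file"
}

# Rewrite FILE with a sed expression without sed -i, whose syntax differs
# between GNU and BSD sed.
apply_sed() {
    local file="$1" expr="$2"
    sed -e "$expr" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# True when FILE has an active (uncommented) "%wheel ALL=(ALL) ALL" line
# and the NOPASSWD variant is still commented out.
wheel_sudo_enabled() {
    grep -q '^%wheel[[:space:]]\{1,\}ALL=(ALL)[[:space:]]\{1,\}ALL[[:space:]]*$' "$1" &&
    ! grep -q '^%wheel.*NOPASSWD' "$1"
}

# The article's approach: match the stock line character for character with
# literal tabs (GNU sed also accepts \t, as the article writes it). Matches
# nothing, and so returns 1, if the file uses spaces.
enable_wheel_sudo_exact() {
    local tab; tab=$(printf '\t')
    apply_sed "$1" "s/^# %wheel${tab}ALL=(ALL)${tab}ALL\$/%wheel${tab}ALL=(ALL)${tab}ALL/"
    wheel_sudo_enabled "$1"
}

# Whitespace-tolerant form: uncomment the line whatever separates the fields,
# leave the NOPASSWD line commented, and return 1 if nothing got enabled.
enable_wheel_sudo() {
    apply_sed "$1" 's/^#[[:space:]]*\(%wheel[[:space:]]\{1,\}ALL=(ALL)[[:space:]]\{1,\}ALL\)[[:space:]]*$/\1/'
    wheel_sudo_enabled "$1"
}

# Syntax check with visudo where it is installed (it is on CentOS); a boot
# script run under bash -e should abort when this fails.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# Walk through the tab and space cases on a scratch file.
demo() {
    local f tab
    f=$(mktemp) || return 1
    tab=$(printf '\t')
    make_sample_sudoers "$f" "$tab"
    enable_wheel_sudo_exact "$f" && echo "tab-separated file: the exact pattern enabled wheel"
    make_sample_sudoers "$f" " "
    enable_wheel_sudo_exact "$f" || echo "space-separated file: the exact pattern matched nothing, wheel still disabled"
    enable_wheel_sudo "$f" && echo "space-separated file: the whitespace-tolerant pattern enabled wheel"
    check_sudoers_syntax "$f" || echo "visudo rejected the scratch copy" >&2
    rm -f "$f"
}
demo
```

Both edit functions check their own result instead of trusting that sed matched something, which is the check the original one-liner lacks. visudo in check mode may also complain about the owner or mode of a scratch copy in /tmp, which is not a problem on the real file; the syntax result is what matters here.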
You should use a password that forces the end user to create a new password immediately.
```console
# for name in someuser anotheruser yetanotheruser; do useradd "$name"; echo 'password' | passwd --stdin "$name"; chage -d 0 "$name"; done
```
Hello Steve,
Hah! How goes, man. Definitely a good idea, and agreed; however, in this scenario it was a rush job and shared between users.
Thanks!
alex
I noticed this line in your script does not work:
```console
# modify sudoers to allow members of wheel group to sudo
/bin/sed -ie "s/# %wheeltALL=(ALL)tALL/%wheeltALL=(ALL)tALL/g" /etc/sudoers
```
Proof and an alternative (that gives passwordless sudo):
```console
[root@devtest4 scripts]# cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
[root@devtest4 scripts]# /bin/sed -ie "s/# %wheeltALL=(ALL)tALL/%wheeltALL=(ALL)tALL/g" /etc/sudoers
[root@devtest4 scripts]# cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
[root@devtest4 scripts]# perl -pi -e '/NOPASSWD/ && s/^..//' /etc/sudoers
[root@devtest4 scripts]# cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
[root@devtest4 scripts]#
```
Hello Steve,
Likely just a spacing issue in the way it was formatted. In the example from the article we would not want to provide passwordless sudo either, for security reasons.
Thanks for taking the time to provide an alternative method though for people that may not be worried about the security aspect of passwordless sudo.
Thanks.
alex
You also need to add the user rightscale to wheel or you can't use MindTerm to SSH in:
```console
# usermod -G wheel -a rightscale
```
Hello Steve,
Having MindTerm available was not a requirement for the example. Thanks for noting it, though, for users who may need that functionality.
Thanks.
alex