From 7ca71b5bdc78d00b617eae705641fdac841343c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Barbosa?=
Date: Fri, 5 Sep 2025 12:16:59 +0100
Subject: [PATCH] Add functionality to create an additional user during setup. Implement user input validation, SSH key generation for the additional user, and update firewall configuration to allow access for both sysadmin and additional users. Enhance user feedback throughout the process.
---
 setup.sh | 140 ++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 119 insertions(+), 21 deletions(-)
diff --git a/setup.sh b/setup.sh
index 940c1ff..d090c4e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -14,6 +14,8 @@ NC='\033[0m' # No Color
 
 ### === SETTINGS === ###
 SYSADMIN_USER="sysadmin"
+CREATE_ADDITIONAL_USER=""
+ADDITIONAL_USER=""
 USE_UFW=""
 USE_FAIL2BAN=""
 
@@ -45,6 +47,50 @@ check_debian() {
 fi
 }
 
+# Ask user about creating an additional user
+ask_additional_user() {
+ echo ""
+ echo -e "${BLUE}=== Additional User Creation ===${NC}"
+ echo "This script will create the 'sysadmin' user by default."
+ echo "You can also create an additional user account if needed."
+ echo ""
+ read -p "Would you like to create an additional user account? (y/N): " create_user_choice
+
+ if [[ "$create_user_choice" =~ ^[Yy]$ ]]; then
+ CREATE_ADDITIONAL_USER="yes"
+ echo ""
+ echo -e "${YELLOW}Enter username for the additional user:${NC}"
+ echo "(This user will also have sudo privileges)"
+ echo ""
+ while true; do
+ read -p "Username: " username_input
+
+ # Validate username
+ if [[ -z "$username_input" ]]; then
+ echo -e "${RED}Username cannot be empty. Please try again.${NC}"
+ continue
+ elif [[ ! "$username_input" =~ ^[a-z][a-z0-9_-]*$ ]]; then
+ echo -e "${RED}Invalid username. Use lowercase letters, numbers, hyphens, and underscores only.${NC}"
+ echo -e "${RED}Username must start with a letter.${NC}"
+ continue
+ elif [[ "$username_input" == "$SYSADMIN_USER" ]]; then
+ echo -e "${RED}Username cannot be the same as sysadmin user. Please choose a different name.${NC}"
+ continue
+ elif id "$username_input" &>/dev/null; then
+ echo -e "${RED}User '$username_input' already exists. Please choose a different name.${NC}"
+ continue
+ else
+ ADDITIONAL_USER="$username_input"
+ log "Will create additional user: $ADDITIONAL_USER"
+ break
+ fi
+ done
+ else
+ CREATE_ADDITIONAL_USER="no"
+ log "Skipping additional user creation"
+ fi
+}
+
 # Ask user about firewall preferences
 ask_firewall_preferences() {
 echo ""
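Review bot: The validation loop in ask_additional_user never bounds the length of username_input, so a name longer than the 32 characters useradd accepts passes the regex here and only fails later in create_additional_user, after the sysadmin account has already been created. Add a length branch beside the regex check: `elif (( ${#username_input} > 32 )); then` / `echo -e "${RED}Username must be 32 characters or fewer.${NC}"` / `continue`. Both `read -p` calls should be `read -r -p` so a backslash in the answer is kept literally instead of being interpreted. If standard input is closed, `read` fails with username_input empty and the `while true` loop re-prompts forever unless the script runs under `set -e`, which is not visible in this hunk.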
@@ -131,6 +177,28 @@ create_sysadmin_user() {
 usermod -aG sudo "$SYSADMIN_USER"
 }
 
+create_additional_user() {
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ log "Creating additional user: $ADDITIONAL_USER"
+
+ if id "$ADDITIONAL_USER" &>/dev/null; then
+ warn "User $ADDITIONAL_USER already exists, skipping creation"
+ else
+ # Create user with home directory
+ useradd -m -s /bin/bash "$ADDITIONAL_USER"
+ log "User $ADDITIONAL_USER created successfully"
+
+ # Set password for additional user
+ echo "Please set a password for user $ADDITIONAL_USER:"
+ passwd "$ADDITIONAL_USER"
+ fi
+
+ # Add additional user to sudo group
+ log "Adding $ADDITIONAL_USER to sudo group..."
+ usermod -aG sudo "$ADDITIONAL_USER"
+ fi
+}
+
 configure_security() {
 # Disable root SSH login
 log "Disabling root SSH login..."
@@ -148,7 +216,11 @@ configure_security() {
 echo "MaxAuthTries 3"
 echo "ClientAliveInterval 300"
 echo "ClientAliveCountMax 2"
- echo "AllowUsers $SYSADMIN_USER"
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ echo "AllowUsers $SYSADMIN_USER $ADDITIONAL_USER"
+ else
+ echo "AllowUsers $SYSADMIN_USER"
+ fi
 } >> /etc/ssh/sshd_config
 
 # Remove/lock root password
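Review bot: create_additional_user logs `User $ADDITIONAL_USER created successfully` without checking the useradd exit status, and a failed or interrupted `passwd` is equally silent; when useradd fails, configure_security still writes the name into AllowUsers and generate_ssh_keys still runs `sudo -u` as it. Replace the bare call with `useradd -m -s /bin/bash "$ADDITIONAL_USER" || { warn "Failed to create user $ADDITIONAL_USER"; CREATE_ADDITIONAL_USER="no"; return 1; }` and report the password step with `passwd "$ADDITIONAL_USER" || warn "Password for $ADDITIONAL_USER was not set"`. Whether the script runs under `set -e` is not visible here; if it does, the unchecked useradd aborts the whole run instead, which is safer but still leaves no message about what went wrong.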
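Review bot: The guard `[[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]` is spelled out here and again in the create_additional_user, generate_ssh_keys and show_ssh_keys hunks; one helper, `has_additional_user() { [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; }`, keeps the condition in a single place. In this hunk the four-line branch then collapses to `echo "AllowUsers $SYSADMIN_USER${ADDITIONAL_USER:+ $ADDITIONAL_USER}"`, since ADDITIONAL_USER is only assigned on the yes path. The `{ ... } >> /etc/ssh/sshd_config` group this line sits in starts before the hunk; because it appends, a second run adds another AllowUsers line rather than replacing the first, so the allowlist written by an earlier run is never removed.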
@@ -311,39 +383,45 @@ generate_ssh_keys() {
 read -p "Enter your email: " user_email
 
 # Generate SSH key for sysadmin user
- generate_sysadmin_ssh_key "$user_email"
+ generate_user_ssh_key "$SYSADMIN_USER" "$user_email"
+
+ # Generate SSH key for additional user if created
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ generate_user_ssh_key "$ADDITIONAL_USER" "$user_email"
+ fi
 
 # Generate SSH key for root user
 generate_root_ssh_key "$user_email"
 }
 
-generate_sysadmin_ssh_key() {
- local user_email="$1"
- local sysadmin_home="/home/$SYSADMIN_USER"
- local ssh_dir="$sysadmin_home/.ssh"
+generate_user_ssh_key() {
+ local username="$1"
+ local user_email="$2"
+ local user_home="/home/$username"
+ local ssh_dir="$user_home/.ssh"
 local ssh_key="$ssh_dir/id_ed25519"
 
- log "Setting up SSH key for user: $SYSADMIN_USER"
+ log "Setting up SSH key for user: $username"
 
- # Create .ssh directory for sysadmin user if it doesn't exist
+ # Create .ssh directory for user if it doesn't exist
 if [ ! -d "$ssh_dir" ]; then
- sudo -u "$SYSADMIN_USER" mkdir -p "$ssh_dir"
- sudo -u "$SYSADMIN_USER" chmod 700 "$ssh_dir"
+ sudo -u "$username" mkdir -p "$ssh_dir"
+ sudo -u "$username" chmod 700 "$ssh_dir"
 fi
 
 if [ ! -f "$ssh_key.pub" ]; then
- log "Generating SSH key for $SYSADMIN_USER..."
+ log "Generating SSH key for $username..."
 
- # Generate SSH key as sysadmin user
- sudo -u "$SYSADMIN_USER" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N ""
+ # Generate SSH key as user
+ sudo -u "$username" ssh-keygen -t ed25519 -C "$user_email" -f "$ssh_key" -N ""
 
 # Set proper permissions
- sudo -u "$SYSADMIN_USER" chmod 600 "$ssh_key"
- sudo -u "$SYSADMIN_USER" chmod 644 "$ssh_key.pub"
+ sudo -u "$username" chmod 600 "$ssh_key"
+ sudo -u "$username" chmod 644 "$ssh_key.pub"
 
- log "SSH key generated successfully for $SYSADMIN_USER"
+ log "SSH key generated successfully for $username"
 else
- warn "SSH key already exists for $SYSADMIN_USER"
+ warn "SSH key already exists for $username"
 fi
 }
 
@@ -392,6 +470,18 @@ show_ssh_keys() {
 
 echo "----------------------------------------"
 echo ""
+ # Show additional user SSH key if created
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ local additional_home="/home/$ADDITIONAL_USER"
+ local additional_ssh_key="$additional_home/.ssh/id_ed25519.pub"
+
+ echo -e "${YELLOW}ADDITIONAL USER ($ADDITIONAL_USER) SSH KEY:${NC}"
+ echo "----------------------------------------"
+ cat "$additional_ssh_key"
+ echo "----------------------------------------"
+ echo ""
+ fi
+
 echo -e "${YELLOW}ROOT USER SSH KEY:${NC}"
 echo "----------------------------------------"
 cat "$root_ssh_key"
@@ -399,8 +489,13 @@ show_ssh_keys() {
 
 echo ""
 echo -e "${YELLOW}Instructions:${NC}"
- echo "1. Copy both keys above"
- echo "2. Add both keys to your git server and any other systems you need access to"
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ echo "1. Copy all keys above"
+ echo "2. Add all keys to your git server and any other systems you need access to"
+ else
+ echo "1. Copy both keys above"
+ echo "2. Add both keys to your git server and any other systems you need access to"
+ fi
 echo "3. You can now use these keys for SSH authentication"
 echo ""
 read -p "Press Enter to continue..."
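Review bot: generate_user_ssh_key still hard-codes the home directory as `/home/$username` on the `local user_home=` line; now that the function takes an arbitrary account name, the path should come from the account itself: `local user_home` / `user_home=$(getent passwd "$username" | cut -d: -f6)` / `[[ -n "$user_home" ]] || { warn "No account or home directory for $username"; return 1; }`. That also keeps `sudo -u "$username"` from being attempted for a name that never received an account. The same `/home/$ADDITIONAL_USER` assumption is repeated in the show_ssh_keys hunk that follows. generate_ssh_keys, the caller at the top of the hunk, begins before the hunk.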
@@ -489,7 +584,8 @@ main() {
 echo "This script will:"
 echo "1. Set up a secure Debian 12 system"
 echo "2. Create a sysadmin user with SSH key authentication"
- echo "3. Generate SSH keys for both sysadmin and root users"
+ echo "3. Optionally create an additional user account"
+ echo "4. Generate SSH keys for all created users and root"
 echo ""
 read -p "Continue? (y/N): " confirm
 
@@ -498,12 +594,14 @@ main() {
 exit 0
 fi
 
- # Ask for firewall preferences
+ # Ask for user and firewall preferences
+ ask_additional_user
 ask_firewall_preferences
 
 # System setup
 setup_system
 create_sysadmin_user
+ create_additional_user
 configure_security
 
 # SSH key setup