deetoo/dudi

dudi

Distributed Useraccount Disabler

I started this project a while back. We had a plan for being able to quickly disable user accounts across hundreds of servers. This could have been accomplished easily enough with a shell script looping through a list of servers, but the project was ultimately going to be handled by HR/front-office people. So the system had to be both very easy to use and able to track its usage.

Concept

First thing: this project is intended to exist within a protected environment. This is NOT a secure solution; it's not designed with an emphasis on security, just practicality.

Assumptions

It's assumed you know how to create and configure a trusted SSH key relationship between servers. The way I employed this script was to have a normal user account (ex: dudi), create an SSH key, and copy the public key to the root account's authorized_keys file (/root/.ssh/authorized_keys) on ALL of the servers this script would function on (not secure, I know).
The normal user account that will be executing this script also needs to be joined to whatever group your web-server account uses (on Debian, it's www-data). The reason for this is that the account must be able to read, and then DELETE, the temporary user.dat file which contains the user account to be disabled. In my deployment, I simply created a /home/www-data directory to store many of the files, and then made sure my 'dudi' user was joined to the www-data group and could both read and delete files within /home/www-data.
That should make sense, I hope :)

There are a few requirements that must be met for this project to work for you:

  • You will need SSH-key trusts set up from the server that hosts this project to ALL servers it will disable user accounts on.
  • Apache and PHP must be installed on the host server.
  • The project can attempt to email a person or a list when a user account is disabled; outbound SMTP is needed for this.

Nuts and Bolts

The underlying process is very simple, I'll list the operational steps below:

  1. You are given the task of disabling the 'jdoe' user account.
  2. You point your web browser to the URL of the host machine and enter your username/password.
  3. After authenticating, you enter 'jdoe' in the form, and press submit.
  4. The system checks against a list of usernames that should NEVER be disabled.
  5. If the username passes that check, it's passed to a data file.
  6. At a pre-defined schedule, cron runs a job that looks for that data file, and if it exists, reads the contents.
  7. The cron job now has a user to disable: it reads a list of servers, connects to each in turn, and disables the account.
  8. Any errors are logged.
  9. An email is then crafted which gives details on each operation, and any errors. The mail is sent to a list, or user.
  10. The data file with the 'jdoe' user account is deleted.
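The cron-side part of that process (steps 4 and 6 through 10) written out in POSIX shell, as an added example that is not code from the dudi repository. The paths under /home/www-data, the one-username-per-file format of user.dat, the protected-list file, the usermod command used to disable the account, and the mail command are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the dudi repository: the cron-side half of the
# workflow (steps 4 and 6-10). The /home/www-data paths, the one-username data
# file, the protected-list format and the usermod command are assumptions.
DATA_FILE="${DATA_FILE:-/home/www-data/user.dat}"
PROTECTED_FILE="${PROTECTED_FILE:-/home/www-data/protected.txt}"
SERVER_LIST="${SERVER_LIST:-/home/www-data/servers.txt}"
LOG_FILE="${LOG_FILE:-/home/www-data/dudi.log}"
MAIL_TO="${MAIL_TO:-hr-notify@example.invalid}"
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=10}"  # overridable in tests
MAIL_CMD="${MAIL_CMD:-mail}"
# Re-check on the cron side instead of trusting the web form alone: accept a
# plain lowercase username only, then refuse anything on the protected list.
check_user() {
    case $1 in
        ''|-*|*[!a-z0-9._-]*) echo "invalid username"; return 1 ;;
    esac
    if grep -qxF -- "$1" "$PROTECTED_FILE"; then echo "protected account"; return 1; fi
    echo ok
}

# Disable $1 on every listed host, print "host:status" per host, return the
# failure count. Locking the password alone leaves SSH-key logins working, so
# the account is expired too; stdin is /dev/null so ssh cannot eat the list.
disable_everywhere() {
    user=$1; failures=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if $SSH_CMD "root@$host" "usermod -L -e 1970-01-02 $user" </dev/null >/dev/null 2>&1
        then echo "$host:ok"
        else echo "$host:FAILED"; failures=$((failures + 1))
        fi
    done < "$SERVER_LIST"
    return "$failures"
}

# Cron entry point: no data file means no pending request, nothing to do.
run_job() {
    [ -f "$DATA_FILE" ] || return 0
    user=$(head -n 1 "$DATA_FILE"); now=$(date -u +%FT%TZ)
    if ! reason=$(check_user "$user"); then
        echo "$now refused '$user': $reason" >> "$LOG_FILE"; rm -f "$DATA_FILE"; return 1
    fi
    failed=0; report=$(disable_everywhere "$user") || failed=$?
    echo "$now disable $user: $(echo "$report" | tr '\n' ' ')" >> "$LOG_FILE"
    printf 'Disable request for %s\n\n%s\n\nFailures: %s\n' "$user" "$report" "$failed" \
        | $MAIL_CMD -s "dudi: $user disabled" "$MAIL_TO" || echo "$now mail failed" >> "$LOG_FILE"
    rm -f "$DATA_FILE"   # clear the request so the next cron run does not repeat it
    return "$failed"
}
```

A cron line such as `*/5 * * * * /path/to/dudi-cron.sh` running as the 'dudi' user calls `run_job` once per cycle; the exit status is the number of hosts that could not be reached, so a non-zero status is worth alerting on separately from the email.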
