Viclyn
asked on
Script to identify user with server domain
How can I build a list of domains that have a specific user in the passwd file?
For example
for DOMAINS in $(cat domainlist)
do
ssh root@$DOMAINS "cat /etc/passwd | grep the_user" >>domain_user
done
...I know that's not correct. But, what I'm wanting is the result to look something like this:
domain_user file should now contain:
www.foodomain.com the_user
www.thisdomain.com the_user
www.anotherdomain.com user_not_found
www.xyzdomain.com the user
...etc
So, the domains are listed in the domainlist file, and the script will build a local domain_user file that will indicate if the user was found on the domain or not.
Try "getent passwd" in place of grep passwd; that should work with central authentication too.
Beware that running such a script will presumably be treated as an intrusion attack, mainly because of the ssh root use.
Please tell us more about your precise context (e.g., if your machines are running as OpenVZ containers and you have root access to the host, you can get these through some local script).
Since I'd guess this will not be a one-time activity, I do the following:
Create a simple script named chk-user:
#!/bin/sh
#
# Simple script to see if a user exists. Outputs a short message if
# so, nothing otherwise.
#
HOST=`hostname`
if [ -z "$1" ]; then
    echo "Invalid input"
    exit 1
fi
# getent prints the passwd entry on success; discard it and keep only the exit status
getent passwd "$1" >/dev/null
if [ $? -eq 0 ]; then
    echo "$HOST $1"
fi
exit
Make it executable with "chmod +x chk-user" and copy that script to each server with for f in $(cat domainlist); do scp chk-user root@$f: ; done
Then each time you wish to enumerate the servers with that user do
for f in $(cat domainlist); do ssh root@$f "./chk-user the_user" >>userlist; done
ASKER
Well, the problem is, I'm not a scripter...I like to pretend to be though. (I'm learning).
So, if I use your suggestion, I'd need something like this:
If [ getent passwd the_user != 0] // getent would be run on the server in ssh session
echo "$DOMAINS the_user" >> domain_user
else
echo "$DOMAINS user_not_found" >>domain_user
I would probably still like to not use getent, for reasons you listed, so
if [ ssh root@$DOMAINS "cat /etc/passwd | grep the_user" != 0 ]
So, I just don't really know the syntax
Thanks
ASKER
I don't want to keep a local script on each domain. There are 1000 domains, and I'm not the only one on them.
You could use grep in place of getent. If you use grep you have to look for "username:" so that you don't match usernames that just contain the test username string. Using getent is cleaner and there is no security advantage or disadvantage to it over grep. Neither has to be run as root, though whoever is doing the scan has to have a login account on the server.
The script only has to be placed on each server one time. From then on it simply gets used.
Oh yeah, the script (and commands) I wrote have been tested and work.
ASKER
I figured it out. Below is what I was looking for.
I'm accepting jlevie's solution too, as it's a good solution if one wishes to run the script locally from each server. Thanks
#!/bin/bash
for DOMAINS in $(cat domainlist)
do
    # ssh returns the exit status of the remote grep: 0 when the username field matched.
    # Anchoring on "^the_user:" avoids matching accounts that merely contain the string.
    ssh root@$DOMAINS "grep -qi '^the_user:' /etc/passwd"
    if [ $? -ne 0 ]
    then
        echo "user_not_found $DOMAINS" >> domain_users
    else
        echo "user_found $DOMAINS" >> domain_users
    fi
done
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for Viclyn's comment #a40033126
Assisted answer: 500 points for jlevie's comment #a40031970
for the following reason:
Reason already provided
ASKER
Yes, yours is definitely better. Thanks jlevie
Just for the completeness of the record: I presume that line 11 of the above script should be user_found, correct?
B-)
Line 13 should be user_found. Any return status other than 0 indicates some sort of error.
B-) so I would guess that line 11 checks code 0 for user_found, and that line 13 is left unchanged?
Line 8 checks for a failure of ssh. Line 10 checks to see if the remote command failed to find the username. Those are the only possible return codes. If neither of those the remote command must have found the user in the authentication database.
ASKER
jlevie
There are a couple of problems with this script.
It doesn't appear to be connecting to the domains. Yet, it executes line 11 (seems like it should be executing line 9 if it can't connect to a domain).
Also, line 7 should read:
ssh root@$DOMAIN "getent passwd $1"
correct?
My mistake. Yes that should be "getent passwd $1". That is why it is executing 11 ( the getent command failed).
ASKER
The script works - except line 9 still never executes.
I put a domain in the list that doesn't exist, and it still executes line 11.
...this is beyond the scope of the initial question, but I am curious.
Sorry about that. When I posted that script I was having to do everything from memory, didn't have access to the man page for getent, and could not test the script. As written it isn't going to work quite right, but what follows does and is more elegant.
#!/bin/sh
if [ -z "$1" ]; then
    echo "Username not specified"
    exit 1
fi
for DOMAIN in $(cat domainlist); do
    ssh root@$DOMAIN "getent passwd $1 >/dev/null" >/dev/null 2>&1   # exit status is the remote getent's, or 255 if ssh failed
    case $? in
    0)
        echo "user_found $DOMAIN" >> domain_users ;;
    2)
        echo "user_not_found $DOMAIN" >> domain_users ;;   # getent returns 2 when the key is not found
    255)
        echo "$DOMAIN not checked" >> domain_users ;;   # ssh could not connect or authenticate
    *)
        echo "$DOMAIN error" >> domain_users ;;   # any other getent failure (bad arguments, unknown database)
    esac
done
ASKER
jlevie - I definitely appreciate your input and expertise.
Line 13, I believe - needs to be changed to 254 instead of 255.
Then it works perfectly. Thanks again.
Dunno about Ubuntu, but on CentOS or Redhat the man page for ssh says:
"ssh exits with the exit status of the remote command or with 255 if an error occurred."
As does the man page on OS X/FreeBSD.
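An added, offline example (not code from the thread or from any of its participants) that demonstrates the two points made above: anchoring the grep on "username:" so substring matches don't count as hits, and classifying the exit status of the ssh+getent round trip so a host that could not be reached (ssh's own 255) is never recorded as "user_not_found". The passwd content, usernames and domains are constructed sample data; `check_domain` uses a local lookup in place of the ssh call.

```shell
#!/bin/sh
# Added example, not from the thread: an offline demonstration of two points
# made above. (1) Match the username field exactly ("^name:") instead of a
# substring, as the grep-vs-getent reply advises. (2) Map exit statuses the way
# the final script does: 0 = found, 2 = getent "key not found", 255 = ssh
# failed to connect, so a dead host is never reported as "user_not_found".

# Constructed sample standing in for a remote /etc/passwd.
SAMPLE_PASSWD="$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'the_user:x:1001:1001::/home/the_user:/bin/sh' \
    'the_user2:x:1002:1002::/home/the_user2:/bin/sh')"

# Exact lookup on the first field, returning getent-style codes:
# 0 when the user exists, 2 when it does not.
user_in_passwd() {   # $1 = username, $2 = passwd text
    printf '%s\n' "$2" | grep -q "^$1:" && return 0
    return 2
}

# Naive substring match, kept only to show the false positive it produces.
user_substring_match() {   # $1 = username, $2 = passwd text
    printf '%s\n' "$2" | grep -q "$1" && return 0
    return 2
}

# Turn the exit status of "ssh host getent passwd user" into the line that
# would be written to domain_users. ssh itself exits 255 when it cannot
# connect or authenticate, so that case gets its own label.
classify_rc() {   # $1 = exit status, $2 = domain
    case "$1" in
        0)   echo "user_found $2" ;;
        2)   echo "user_not_found $2" ;;
        255) echo "$2 not checked (ssh failed)" ;;
        *)   echo "$2 error rc=$1" ;;
    esac
}

# Check one domain, using the local sample in place of the ssh round trip.
check_domain() {   # $1 = domain, $2 = username
    rc=0
    user_in_passwd "$2" "$SAMPLE_PASSWD" || rc=$?
    classify_rc "$rc" "$1"
}
```

Swapping the `user_in_passwd` call in `check_domain` for `ssh root@$1 "getent passwd $2 >/dev/null" >/dev/null 2>&1` gives the real scan; `classify_rc` stays the same.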
ASKER
Oh. Yeah, I'm sure that's it. ...I learned *another* new thing. Thanks!
I'm using cygwin for the PC