Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key and both passphrases:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with "ssh 'id@server'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Note: If you don't have a .ssh dir and authorized_keys file, you need to create them first.
Finally, check to log in…
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent
if you want to try keeping your keys protected with a passphrase.
The base algorithm of what you're looking for looks something like this (according to me, anyway):
- Enumerate all of the groups with the right prefix.
- Recursively follow their GroupMembers to enumerate any nested groups in them.
- Once you get a group with no groups as members, stop recursing.
- Take the list of users, and for each user:
    - Enumerate their group memberships.
    - If any have the right prefix, remove them from it.
    - If any of the remaining groups are in the list of groups enumerated in the previous major step, remove them from that one too.
Now for actual code-like things.
Enumerating all groups with a prefix (untested, there will be bugs):
# Groups with the prefix plus everything nested under them. A "seen" set stops the
# walk from looping on circular nesting, which AD allows.
$TargetList = New-Object System.Collections.Generic.List[string]
$Seen       = New-Object System.Collections.Generic.HashSet[string]

function RecurseIntoGroup($GroupDn) {
    if (-not $Seen.Add($GroupDn)) { return }   # already walked this group
    $TargetList.Add($GroupDn)
    # Now get the direct members of that group, do not expand
    $GrpMembers = dsget group $GroupDn -members | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }
    foreach ($Member in $GrpMembers) {
        # dsget group fails (non-zero exit code) when $Member is not a group
        dsget group $Member -dn 2>$null | Out-Null
        if ($LASTEXITCODE -eq 0) { RecurseIntoGroup $Member }
    }
}

# dsquery wraps each DN in quotes and stops at 100 results unless -limit 0 is given
$RecurseList = dsquery group -name "abc-*" -limit 0 | ForEach-Object { $_.Trim('"') }
foreach ($Grp in $RecurseList) { RecurseIntoGroup $Grp }
Then when it comes time to walk the CSV list, get the membership of the user, and check to see if that group exists in $TargetList above. If so, remove it.
This is a heck of a lot of work to go through when removing just one user from potentially thousands of groups, but if you're doing a LOT of these then having the pre-built list will save you time.
If you only need to do it for a few users (say, 10 or so), you can walk back up the tree.
# Bottom-up check: a group is "concerning" if it carries the prefix itself or is
# nested, at any depth, inside a group that does. Results are cached per DN, and
# the provisional $false entry stops circular nesting from recursing forever.
$Cache = @{}
function isConcerning {
    param ($uGroup)
    if ($Cache.ContainsKey($uGroup)) { return $Cache[$uGroup] }
    $Cache[$uGroup] = $false
    $result = $false
    # dsget returns DNs, so the name prefix shows up as "CN=abc-..."
    if ($uGroup -like 'CN=abc-*') {
        $result = $true
    } else {
        $parentGroups = dsget group $uGroup -memberof | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }
        foreach ($pg in $parentGroups) {
            if (isConcerning $pg) { $result = $true; break }
        }
    }
    $Cache[$uGroup] = $result
    return $result
}

$ConcerningGroups = New-Object System.Collections.Generic.List[string]
# dsquery resolves the name to a DN; dsget user -memberof lists that user's direct groups
$UserDn     = (dsquery user -name $Username) -replace '"', ''
$UserGroups = dsget user $UserDn -memberof | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }
foreach ($uGroup in $UserGroups) {
    if (isConcerning $uGroup) { $ConcerningGroups.Add($uGroup) }
}
And then remove the concerning groups as needed.
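For that last step, an added example (not from the answer above) that drives dsmod over the collected group DNs: it assumes $UserDn holds the user's DN and $ConcerningGroups the group DNs found by either approach, takes a -DryRun switch so the removals can be reviewed before any change is made, and keeps a log of what was removed and what failed.

```powershell
# Added example, not the answer's own code. Assumes $UserDn is the user's DN and
# $ConcerningGroups is a list of group DNs (both hypothetical names from the answer).
function Remove-ConcerningMemberships {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string[]]$GroupDns,
        [string]$LogPath = '.\group-removals.log',
        [switch]$DryRun    # print what would change without touching AD
    )
    $Removed = @()
    $Failed  = @()
    foreach ($GroupDn in $GroupDns) {
        if ($DryRun) {
            Write-Host "Would remove $UserDn from $GroupDn"
            continue
        }
        # dsmod group -rmmbr removes the given member DN from the group
        dsmod group $GroupDn -rmmbr $UserDn | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $Removed += $GroupDn
        } else {
            # keep going so one failure does not leave the rest of the list untouched
            $Failed += $GroupDn
        }
    }
    # Audit trail: one line per removed membership, with a timestamp
    $stamp = Get-Date -Format o
    $Removed | ForEach-Object { "$stamp`t$UserDn`tremoved`t$_" } | Add-Content -Path $LogPath
    $Failed  | ForEach-Object { "$stamp`t$UserDn`tFAILED`t$_"  } | Add-Content -Path $LogPath
    if ($Failed) { Write-Warning ("Could not remove from: " + ($Failed -join ', ')) }
    return [pscustomobject]@{ Removed = $Removed; Failed = $Failed }
}

# Review first, then run for real once the dry-run output looks right
Remove-ConcerningMemberships -UserDn $UserDn -GroupDns $ConcerningGroups -DryRun
# Remove-ConcerningMemberships -UserDn $UserDn -GroupDns $ConcerningGroups
```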
Best Answer
Welp nevermind, I found my answer on StackOverflow.