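#!/bin/sh
# user restricted shell
# (C) 2012 Pavel Polyakov
#
# Login-shell gate. A user whose login name equals the short hostname
# (e.g. LOGNAME s435 on host s435) is let through unconditionally; on any
# other host the pair "<fqdn>:<login>" must appear as a whole line in
# /root/access. Every decision is logged through logger(1) under the auth
# facility, and a successful check exec's /bin/tcsh with the original
# arguments - from that point on nothing here restricts the session, so
# the gate is only as strong as the access list and the uid the account
# runs under.
#
# NOTE: any output to stderr breaks sftp; only the denial path writes there.

ME="ush[$$]"
HOST=$(hostname -s)
HOSTNAME=$(hostname)
ACCESS="$HOSTNAME:$LOGNAME"

# log PRIORITY MESSAGE... - emit exactly one syslog line. The message may
# carry the session arguments (supplied by the remote side through ssh), so
# control characters such as newlines are replaced before reaching logger;
# otherwise one call could forge additional lines in the auth log.
log() {
	_pri=$1; shift
	printf '%s' "$*" | tr -c '[:print:]' '[?*]' | logger -p "$_pri"
}

# deny REASON - log it, tell the user, stall briefly, leave with status 9.
deny() {
	log auth.err "$ME: $1"
	printf '%s\n' "$1" >&2
	sleep 20	# slow down repeated probing over the same connection
	exit 9
}

# Refuse to decide about an unidentified user or host: with both empty the
# HOST == LOGNAME shortcut below would wave the session through.
[ -n "$LOGNAME" ] || deny "Access denied: LOGNAME not set on $HOSTNAME"
[ -n "$HOST" ] || deny "Access denied: cannot determine short hostname"

if [ "$HOST" != "$LOGNAME" ]; then	# check multiple host access right
	# -x: whole-line match; -F: literal string, so the dots of the FQDN are
	# not regex wildcards; --: protect names that start with '-'.
	# A missing or unreadable /root/access makes grep fail and denies too.
	if ! grep -qxF -- "$ACCESS" /root/access; then
		deny "Access denied: $LOGNAME to $HOSTNAME ($HOST)"
	fi
fi

log auth.notice "$ME: SUCCESS $LOGNAME to $HOSTNAME: '$*'"

export WELCOME="$HOSTNAME at your service ($LOGNAME)"

# !!!! ANY OUTPUT to stderr breaks sftp !!!!
# Hand the session to a full tcsh with the caller's arguments unchanged.
exec /bin/tcsh "$@"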

# SSH_CLIENT=127.0.0.1 46113 22
# SSH_CONNECTION=127.0.0.1 46113 127.0.0.1 22

/root/bin/ush
/root/access
/usr/share/skel/dot.cshrc

        if $?WELCOME echo "$WELCOME" > /dev/stderr


# Publish the gate script and its access list to the netboot image
# (host "netboot", image root /netboot2/root). -u skips files that are
# newer on the receiving side, -v lists what was transferred.
rsync -vu /root/bin/ush root@netboot:/netboot2/root/bin/
rsync -vu /root/access  root@netboot:/netboot2/root/

host435.fqdn:s435
host541.fqdn:s54x
host542.fqdn:s54x
#s531.fqdn:s531 - not needed: a user is assumed to have access to the host that carries their own name

s435:$1$xxxxxxxx$PNT5MrOv65gFiPXk.bCQy.:0:1006::0:0:User &:/home/s435:/root/bin/ush
s54x:$1$aOxxxxxxxxqS0PupSXYhoE12IU2FQa.:0:0::0:0:Charlie &:/root:/root/bin/ush
s531:$1$FlUPixxxxxxxxxxxlPuh.oxxxxxxxxx:0:1111::0:0:User &:/home/s531:/root/bin/ush