ssh-permission-check

#!/usr/bin/python3
#  TODO: check what happens when you don't have permissions (don't run as root)
import os
import pwd

suggestions = 0
checked     = []

for userdetails in pwd.getpwall():
    username = userdetails[0]    
    homedir  = userdetails[5]

    sshdir = os.path.join( homedir, '.ssh' )
    if os.path.exists(homedir) and not os.path.exists(sshdir): # basically a "is this a real user" check
        if '/var' not in homedir and '/sbin' not in homedir and homedir!='/':
            #print "User %s has homedir but no ~/.ssh directory"%username
            continue
    
    if os.path.exists(sshdir): # basically a "is this a real user" check
        #print "Checking %r"%username
        checked.append(username)
        dirmode = os.stat(sshdir).st_mode & 0o777
        if dirmode & 0o022:        
            print( 'chmod %o %r   # currently: %o'%(dirmode&0o755, sshdir, dirmode) )
            suggestions+=1
            
        for r,d,f in os.walk(sshdir):
            for fn in f:
                ffn = os.path.join(r, fn)
                curmode = os.stat(ffn).st_mode & 0o777
                newmode = curmode              
                newmode &= 0o755 # masks out 022 -- it's generally a bad idea for other people to write things
                if fn in ('known_hosts',): # maybe others?
                    newmode &= 0o644
                else:
                    newmode &= 0o600
                        
                if newmode != curmode:
                    print( 'chmod %o %-60r   # currently: %o'%(newmode, ffn, curmode) )
                    suggestions += 1

                # TODO: also suggest chowns, if owner is not user

print( "# Checked users: %s"%(', '.join(sorted(checked))) )

if suggestions==0:
    print( "# No permission suggestions, you're good." )