From bd6556768d13510e74e5b07bfc83867a52c975a6 Mon Sep 17 00:00:00 2001
From: chunzhi <chunzhi@chunzhideMac-mini.local>
Date: Sun, 12 Apr 2026 13:32:08 +0800
Subject: [PATCH] fix: use --allow-bad-names for dotted usernames, configure
 passwordless sudo

---
 setup-cf-browser-ssh.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/setup-cf-browser-ssh.sh b/setup-cf-browser-ssh.sh
index e160349..904bd4d 100644
--- a/setup-cf-browser-ssh.sh
+++ b/setup-cf-browser-ssh.sh
@@ -465,9 +465,13 @@ create_login_user() {
   fi
 
   info "创建用户 '$user'（无密码，仅证书登录）..."
-  adduser --disabled-password --gecos "" "$user"
-  usermod -aG sudo "$user"
-  info "用户 '$user' 已创建并加入 sudo 组 ✓"
+  adduser --disabled-password --gecos "" --allow-bad-names "$user"
+
+  # 配置免密 sudo（证书用户没有密码，普通 sudo 组会要求输入密码）
+  local sudoers_file="/etc/sudoers.d/${user//[^a-zA-Z0-9_-]/-}"
+  echo "$user ALL=(ALL) NOPASSWD:ALL" > "$sudoers_file"
+  chmod 440 "$sudoers_file"
+  info "用户 '$user' 已创建，免密 sudo 已配置 ✓"
 }
 
 # ----- 打印后续手工步骤 -----