diff --git a/bin/authorized_key_location_change.sh.sh b/bin/authorized_key_location_change.sh.sh index 2145c52..d1961b4 100755 --- a/bin/authorized_key_location_change.sh.sh +++ b/bin/authorized_key_location_change.sh.sh @@ -2,19 +2,20 @@ # check if we need to move the users authorized keys to the central location -TEST=0; +TEST=1; SKIP_USERS=(); -while getopts ":tis:" opt; do +while getopts ":gs:" opt; do case "${opt}" in - t|test) - TEST=1; + g|go) + # default we + TEST=0; ;; s|skip) SKIP_USERS+=("${OPTARG}"); ;; \?) echo -e "\n Option does not exist: ${OPTARG}\n"; - echo "Use -t for test and -s for users to skip"; + echo "Use -g for go (run) and -s for users to skip"; exit 1; ;; esac; @@ -23,6 +24,7 @@ done; # check if authorized keys is actually enabled # detect ssh authorized_keys setting SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; +SSH_MASTER_AUTHORIZED_FILE=''; SSH_AUTHORIZED_FILE=''; for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do if [ ! -z $(echo "${cf}" | grep "%u") ]; then @@ -37,17 +39,35 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then echo "No central authorized_keys file detected, no change check needed"; exit; fi; -echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; +for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do + if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then + SSH_MASTER_AUTHORIZED_FILE="${cf}"; + if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then + echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l + exit; + fi; + fi; +done; +if [ -z "${SSH_MASTER_AUTHORIZED_FILE}" ]; then + echo "No master authorized_key file detected, no change check needed"; + exit; +fi; +echo "SSH Msater Authorized Key file: ${SSH_MASTER_AUTHORIZED_FILE}"; +echo "SSH Authorized Keys file folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; PRINTF_INFO="%-8s [%3s]: %-25s: %s\n"; # list of user accounts we will never touch -NO_ACTION=(root admin ec2-user ubuntu); +NO_ACTION=(root); +# move, but must check that master is set +# master key is the first in the authorized keys list for the below users +MASTER_KEY=(admin ec2-user ubuntu); # loop over passwd file # if not in no action then check if .ssh/authorized_keys file exists cat /etc/passwd | cut -d ":" -f 1,6 | while read user_home; do username=$(echo "${user_home}" | cut -d ":" -f 1); + master_user=0; # skip admin usernames if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list"; @@ -68,13 +88,26 @@ while read user_home; do fi; continue; fi; + # check those keys are in the master key list + if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then + master_user=1; + ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}"); + if [ ! -z "${ssh_key_diff}" ]; then + printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file"; + exit; + fi; + fi; # check if this user public key(s) exist in AuthorizedKeysFile target if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); if [ -z "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys"; if [ ${TEST} -eq 0 ]; then - rm "${home_folder}/.ssh/authorized_keys"; + if [ ${master_user} -eq 0 ]; then + rm "${home_folder}/.ssh/authorized_keys"; + else + echo "[!] No delete for master user, must be done manually"; + fi; else echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; fi; @@ -99,14 +132,22 @@ while read user_home; do break; fi; # remove home .ssh/authorized_keys (do not remove folder) - rm "${home_folder}/.ssh/authorized_keys"; + if [ ${master_user} -eq 0 ]; then + rm "${home_folder}/.ssh/authorized_keys"; + else + print "=> No delete for master user, must be done manually"; + fi; else echo "[START] ====>"; echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; - echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; + if [ ${master_user} -eq 0 ]; then + echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; + else + echo "[!] No delete for master user, must be done manually"; + fi; echo "[END ] ====>"; fi; done;