User creation scripts for aws servers

2021-12-14 06:50:13 +09:00
commit 95451f2e46
3 changed files with 338 additions and 0 deletions
--- a/Readme.md
+++ b/Readme.md
@@ -0,0 +1,189 @@
+# AWS User Creation
+
+Two files to create new user entries with an SSH key and zip all the data for download
+
+## Setup
+
+The application **pwgen** and **zip** must be installed.
+
+Copy the two files '*user_create.sh*', '*user_zip.sh*' to any target folder on the target aws server.
+For exmaple `/root/bin`
+
+`$> mkdir /root/bin`
+
+Create a base folder where all the user lists and keys are stored.
+For example `/root/users`
+
+`$> mkdir /root/users`
+
+The script will automatically create `/ssh-keygen` as as sub folder to above set `/root/users`
+
+## User list creation
+
+In the `/root/users` folder there needs to be a file called '*user_list.txt*'
+
+This is a CSV type file with the following layout
+
+ID | Username | Group | Optional Password
+-|-|-|-
+
+The ID, Username and Group column must be filled.
+If the password column is filled, the string from here will be used as the PEM Key password.
+
+The ID can be any string in any form.
+It can also be left empty. It is not used at the moment
+
+The file can hold comments. The first character in the line must be a *#*
+
+Example file
+```
+user1;some.name;group-a
+user2;othername;group-a
+# I am a comment
+;username;groupC;setpassword
+...
+```
+
+### User with existing PEM key
+
+If we want to create a user that already has a PEM key or we want to have the user use the same PEM key for login we can copy the existing pub key into the ssh key folder
+
+If the folder `ssh-keygen` does not exist, create it as as sub folder to the folder where the '*user_list.txt*' is located
+
+In our example
+
+`$> mkdir /root/users/ssh-keygen`
+
+The public PEM key file format is as followed
+
+**group name**-**user name**.pem.pub
+
+In the example above for *user1* the file name would be for **some.name** and **group-a**
+
+`group-a-some.name.pem.pub`
+
+Copy this file into the ssh-keygen folder and add the user to the '*user_list.txt*' file.
+This must be with the same name and group as set in the PEM public key.
+
+Example:
+
+PEM public key file is `Bgroup-foobar.pem.pub`
+Then the line for the '*user_list.txt*' must be
+
+`[some user id];foobar;Bgroup`
+
+Note that *[some user id]* can be any string or left empty
+
+## Script run
+
+The current directory **MUST** be the directory where '*user_list.txt*' is stored.
+
+`$> cd /root/users`
+
+Then run the script without any options
+
+`$> /root/bin/user_create.sh`
+
+Sample output for above example file
+```
++ Create 'some.name:group-a'
+ > Create ssh key-pair '/root/users/ssh-keygen/group-a-some.name.pem'
+Generating public/private rsa key pair.
+Your identification has been saved in /root/users/ssh-keygen/group-a-some.name.pem.
+Your public key has been saved in /root/users/ssh-keygen/group-a-some.name.pem.pub.
+The key fingerprint is:
+SHA256:Ufalh41IRLJTHZlsaEJVK5N7cOYhxRdqf3fCDxhHdCA egrp10070.globalad.org: some.name@group-a
+The key's randomart image is:
+---[RSA 3072]----+
+|       .o+O*E=*o.|
+|        .Bo=B@.. |
+|        +oB.&.+  |
+|         o @ O   |
+|        S . + = +|
+|           .   =o|
+|                .|
+|                 |
+|                 |
+----[SHA256]-----+
+ > Create .ssh folder
+ > Add public into authorized_keys
+ > Secure folder .ssh and authorized_keys file
+```
+
+If the public pem file is already provided the output will be a bit different
+```
++ Create 'some.name:group-a'
+ < Use existing public ssh key '/root/users/ssh-keygen/group-a-some.name.pem.pub'
+ > Create .ssh folder
+ > Add public into authorized_keys
+ > Secure folder .ssh and authorized_keys file
+```
+
+There is no SSH key generate output but *Use existing public ssh key* information line
+
+If the user has been created, the creating will be skipped
+```
+-- Skip 'some.name:group-a'
+```
+
+## Script output
+
+The generated users and the passwords are stored in the '*user_password.txt*' file
+
+For above the output will be
+```
+2020-11-27 13:51:01;sever.hostname.org;some.name;Aeh9uph8Oo
+2020-11-27 13:51:02;sever.hostname.org;othername;AePejoo9ch
+2020-11-27 13:51:02;sever.hostname.org;username;setpassword
+```
+
+Note that the *sever.hostname.org* is set from the hostname of the server where the script is unr
+
+If a existing pem public key is used, the entry for a new user will be
+```
+2020-11-27 13:53:18;sever.hostname.org;some.name;[ALREADY SET]
+```
+
+Not that the password field has now *[ALREADY SET]*
+
+### PEM key password reset
+
+The SSH PEM key password can be reset or changed with
+
+`$> ssh-keygen -p -f [PEM].pem -P old_passphrase -N new_passphrase`
+
+To remove the password use this `-N ""`
+
+**NOTE**
+
+If the command is used like this it will be stored in the history file.
+For scurity reason it is recommended to not give the -P and -N options when changing the password.
+
+### Missing PUB key
+
+The public key part can be extracted from the SSH PEM key with
+
+`$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`
+
+*[PEM]* is the placeholder for the filename
+
+## Get the user data
+
+To copy the user data with the SSH PEM file and password list the following command can be used.
+Like the create user command it **MUST** be run in the folder where the '*user_list.txt*'
+
+`$> cd /root/users`
+
+The script needs to be run with one parameter that is the folder where the output file '*users.zip*' is stored.
+
+`$> /root/bin/user_zip.sh [target folder]`
+
+In the *[target folder]* a file name '*users.zip*' will be created.
+This file has the following data data inside
+- user_list.txt
+- user_password.txt
+- ssh-keygen/*.pem
+- ssh-keygen/*.pem.pub
+
+When extracted this will **NOT** create a sub folder.
+Create a folder where to store this data on the local side is highly recommended
--- a/user_create.sh
+++ b/user_create.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# * input file
+# user_list.txt
+# <ignored id>;<user name>;<group>[;optional override password]
+# lines with # are skipped
+# already created users are skipped
+# * output file
+# <date>;<target connect host name>;<username>;<password>
+# If already existing PEM key is used then <password> is [ALREADY SET]
+#
+# * PEM KEY
+# <group>-<user>.pem
+# * PUBLIC KEY
+# <group>-<user>.pem.pub
+# store in
+# ssh-keygen/
+#
+# If a previously exsting PEM key should be used, put the public pem file
+# into the ssh-keygen/ folder
+# They pem pub key must follow the set rules above
+
+# SET TO 1 to TEST [will no create user/group/folder]
+TEST=0;
+# hostname for output file only
+host=$(hostname);
+# base folder for all data
+root_folder=$(pwd)'/';
+input_file='user_list.txt';
+output_file='user_password.txt';
+ssh_keygen_folder='ssh-keygen/';
+# check if ssh key folder exists
+if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
+	mkdir "${root_folder}${ssh_keygen_folder}";
+fi;
+# check if password generate software is installed
+if [ ! command -v pwgen &> /dev/null ]; then
+	echo "Missing pwgen application, aborting";
+	exit;
+fi;
+# check if user list file exists
+if [ ! -f "${root_folder}${input_file}" ]; then
+	echo "Missing ${root_folder}${input_file}";
+	exit;
+fi;
+# create users
+cat "${root_folder}${input_file}" |
+while read i; do
+	# skip rows start with # (comment)
+	if [[ "${i}" =~ ^# ]]; then
+		echo -e "";
+	else
+		user=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z);
+		group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z);
+		# user & group not set
+		if [ -z "${user}" ] || [ -z "${group}" ]; then
+			echo "[!!!!!] Missing user or group entry for ${user}/${group}";
+			echo "[ABORT RUN]"
+			break;
+		fi;
+		# do we have a password preset
+		_password=$(echo "${i}" | cut -d ";" -f 4);
+		# add group
+		if [ ${TEST} -eq 0 ]; then
+			groupadd -f ${group};
+		else
+			echo "$> groupadd -f ${group}";
+		fi;
+		# SSH key base name (removed ${host}- so we can use it more easy for multi server same key)
+		ssh_keygen_id="${group}-${user}.pem";
+		# check if user is not already created
+		if getent passwd ${user} > /dev/null 2>&1; then
+			echo "-- Skip '${user}:${group}'";
+		else
+			echo "++ Create '${user}:${group}'";
+			if [ ${TEST} -eq 0 ]; then
+				useradd -s /bin/bash -g ${group} -m ${user};
+			else
+				echo "$> useradd -s /bin/bash -g ${group} -m ${user}";
+			fi;
+			# if public pem already exists skip creation
+			if [ ! -f ${root_folder}${ssh_keygen_folder}${ssh_keygen_id}".pub" ]; then
+				# Note we only create a password if we need it
+				# password + store pwgen 10 1 -1
+				if [ -z "${_password}" ]; then
+					password=$(printf "%s" $(pwgen 10 1));
+				else
+					echo "! Override password set";
+					password=${_password};
+				fi;
+				# create SSH key
+				echo " > Create ssh key-pair '${root_folder}${ssh_keygen_folder}${ssh_keygen_id}'";
+				ssh-keygen -f ${root_folder}${ssh_keygen_folder}${ssh_keygen_id} -C "${host}: ${user}@${group}" -N "${password}"
+			else
+				echo " < Use existing public ssh key '${root_folder}${ssh_keygen_folder}${ssh_keygen_id}.pub'";
+				# Password already set notification
+				password="[ALREADY SET]";
+			fi;
+			# write login info to output file
+			echo $(date +"%F %T")";"${host}";"${user}";"${password} >> ${root_folder}${output_file};
+			# create the SSH foler and authorized access file with correct permissions
+			echo " > Create .ssh folder";
+			if [ ${TEST} -eq 0 ]; then
+				mkdir /home/${user}/.ssh/;
+			else
+				echo "$> mkdir /home/${user}/.ssh/";
+			fi;
+			echo " > Add public into authorized_keys";
+			if [ ${TEST} -eq 0 ]; then
+				cat ${root_folder}${ssh_keygen_folder}/${ssh_keygen_id}.pub > /home/${user}/.ssh/authorized_keys;
+			else
+				echo "$> cat ${root_folder}${ssh_keygen_folder}/${ssh_keygen_id}.pub > /home/${user}/.ssh/authorized_keys";
+			fi;
+			echo " > Secure folder .ssh and authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown -R ${user}:${group} /home/${user}/.ssh/;
+				chmod 700 /home/${user}/.ssh/;
+				chmod 600 /home/${user}/.ssh/authorized_keys;
+			else
+				echo "$> chown -R ${user}:${group} /home/${user}/.ssh/";
+				echo "$> chmod 700 /home/${user}/.ssh/";
+				echo "$> chmod 600 /home/${user}/.ssh/authorized_keys";
+			fi;
+		fi;
+	fi;
+done;
+
+if [ -f "${root_folder}${output_file}" ]; then
+	chmod 600 ${root_folder}${output_file};
+fi;
--- a/user_zip.sh
+++ b/user_zip.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+root_folder=$(pwd)'/';
+
+if [ ! command -v zip &> /dev/null ]; then
+	echo "Missing zip application, aborting";
+	exit;
+fi;
+
+# arg 1 must be valid path to where we store the zip file
+if [ ! -d "${1}" ]; then
+	echo "${1} is not a valid path";
+	exit;
+fi;
+
+# zip key folder, user list, user password into users.zip
+echo "Zipping data to: ${1}/users.zip"
+$(cd "${root_folder}"; zip -FSr "${1}/users.zip" "user_list.txt" "user_password.txt" "ssh-keygen/");
+echo "Data zipped";