From d13dd088558e7a8dfdac7123c504778f263342cb Mon Sep 17 00:00:00 2001 From: Clemens Schwaighofer Date: Thu, 10 Mar 2022 11:12:18 +0900 Subject: [PATCH] Update -t test option flow, added -i info option -t test will NOT create an ssh key anymore. The user password list file gets a .TEST extension -i info is a new option to just show user/group and ssh key name without creating anything at all. Can be used to update old public key names to new format --- Readme.md | 16 +++++++++-- bin/user_create.sh | 63 +++++++++++++++++++++++++++++++------------- user_list.txt-sample | 2 +- 3 files changed, 60 insertions(+), 21 deletions(-) diff --git a/Readme.md b/Readme.md index cac9a63..996e725 100644 --- a/Readme.md +++ b/Readme.md 
@@ -24,19 +24,31 @@ Inside the base folder there are * ssh-keygen for temporary holding the PEM/PUB files * zip file which holds the created user list, password and PEM/PUB files +## Options + +### -t (test) + +Run in test mode. This will *NOT* create any groups or users. Nor will it create any ssh key files. +`user_password` output file will be written with `.TEST` extension + +### -i (info) + +Do not created anything at all, just print out info strings + ## User list creation In the `/root/users/` folder there needs to be a file called '*user_list.txt*' This is a CSV type file with the following layout -ID | Username | Group | Optional Password | Override host name --|-|-|-|- +ID | Username | Group | Optional Password | Override host name | Override ssh key type +-|-|-|-|-|- The ID, Username and Group column must be filled. For sub groups add them with a *,* The first group is the master group If the password column is filled, the string from here will be used as the PEM Key password. If a override hostname is set it will be used instead of `hostname` +If the ssh key type is set, it will override the default *ed25519* type. This is not recommended. Only *rsa* is allowed. This is for setting up backwards compatible lists. The ID can be any string in any form. It can also be left empty. It is not used at the moment diff --git a/bin/user_create.sh b/bin/user_create.sh index 5d35564..39d365c 100755 --- a/bin/user_create.sh +++ b/bin/user_create.sh @@ -21,12 +21,16 @@ # They pem pub key must follow the set rules above # SET TO 1 to TEST [will no create user/group/folder] -TEST=0; -while getopts ":t" opt; do +TEST=0; # no creation except ssh keys +INFO=0; # no creation of anything, just print info strings +while getopts ":ti" opt; do case "${opt}" in t|test) TEST=1; ;; + i|info) + INFO=1; + ;; esac; done; # hostname for output file only 
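Review bot: The new comment on `TEST=0; # no creation except ssh keys` contradicts both the commit message and the new Readme text, which say that test mode no longer creates ssh keys; `# no creation of user/group/folder/ssh keys` would describe what this patch actually does. In the same `case`, the added `i|info)` arm (like the existing `t|test)`) can only ever match `i`, because getopts hands over one option character at a time, so the long alternative is dead text. There is also still no `\?)` arm, so an unknown flag is ignored and the script silently proceeds as a real, non-test run; `\?) echo "unknown option -${OPTARG}" >&2; exit 1 ;;` would make a mistyped `-I` or `-T` fail instead.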
@@ -71,7 +75,7 @@ if [ $(stat -c %a .) != "600" ]; then
 echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
 fi;
 if [ $(whoami) != "root" ]; then
- if [ ${TEST} -eq 0 ]; then
+ if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
 echo "Script must be run as root user";
 exit;
 else
@@ -105,20 +109,17 @@ while read i; do
 fi;
 # do we have a password preset
 _password=$(echo "${i}" | cut -d ";" -f 4);
+ _ssh_keytype=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+ if [ "${_ssh_keytype}" = "rsa" ]; then
+ ssh_keytype="${_ssh_keytype}";
+ echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
+ fi;
 # user & group not set
 if [ -z "${user}" ] || [ -z "${_group}" ]; then
 echo "[!!!!!] Missing user or group entry for ${user}/${_group}";
- echo "[ABORT RUN]"
+ echo "[*** ABORT RUN ***]"
 break;
 fi;
- # add group for each entry in _group
- for create_group in ${_group//,/ }; do
- if [ ${TEST} -eq 0 ]; then
- groupadd -f ${create_group};
- else
- echo "$> groupadd -f ${create_group}";
- fi;
- done;
 # SSH file name part without folder
 ssh_keygen_id="${hostname}${separator}${group}${separator}${user}${separator}${ssh_keytype}.pem";
 # the full file including folder name
@@ -127,6 +128,20 @@ while read i; do
 ssh_keyfile_pub="${ssh_keyfile}.pub";
 # check existing pub file
 ssh_keyfile_check_pub="${root_folder}${ssh_keygen_folder_created_pub}${ssh_keygen_id}.pub";
+
+ if [ ${INFO} -eq 1 ]; then
+ echo "User: '${user}:${group}(${sub_group})', SSH: ${ssh_keygen_id}";
+ continue;
+ fi;
+
+ # add group for each entry in _group
+ for create_group in ${_group//,/ }; do
+ if [ ${TEST} -eq 0 ]; then
+ groupadd -f ${create_group};
+ else
+ echo "$> groupadd -f ${create_group}";
+ fi;
+ done;
 # check if user is not already created
 if getent passwd ${user} > /dev/null 2>&1; then
 echo "-- Skip '${user}:${group}(${sub_group})'";
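Review bot: `ssh_keytype="${_ssh_keytype}"` overwrites the script-wide key type from inside the `while read` loop and nothing visible restores it, so once one row selects `rsa` every later row in the list is generated as rsa as well (the default assignment and the loop header are outside this hunk, but no reset appears in any of the loop hunks). Reset it at the top of each iteration, before the column-6 check, e.g. `ssh_keytype="${ssh_keytype_default}"` using whatever name the script gives the configured default (constructed name). Any other non-empty value in column 6 is silently dropped and the row falls back to the default, which hides typos in the list; an `elif [ -n "${_ssh_keytype}" ]` branch that prints a warning would surface that. When rsa is chosen, no `-b` is passed, so the key size is whatever the installed ssh-keygen defaults to and the "backwards compatible" keys can differ from host to host; pinning the size keeps them uniform.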
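Review bot: `groupadd -f ${create_group}` in the relocated loop is re-emitted unquoted; since these lines are rewritten in this hunk anyway, `groupadd -f -- "${create_group}"` (and the same in the `echo`) costs nothing and keeps glob characters from a value that comes straight out of the list file from being expanded. The `continue` in the new INFO branch runs before the `getent passwd` check that follows it, so the info listing cannot tell an existing user from a new one; if `-i` is meant to help migrate old key names, printing that state next to `${ssh_keygen_id}` would make the output more useful.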
@@ -151,11 +166,15 @@ while read i; do
 fi;
 # create SSH key
 echo " > Create ssh key-pair '${ssh_keyfile}'";
- ssh-keygen \
- -t ${ssh_keytype} \
- -f "${ssh_keyfile}" \
- -C "${hostname}: ${user}@${group}" \
- -a 100 -N "${password}"
+ if [ ${TEST} -eq 0 ]; then
+ ssh-keygen \
+ -t ${ssh_keytype} \
+ -f "${ssh_keyfile}" \
+ -C "${hostname}: ${user}@${group}" \
+ -a 100 -N "${password}"
+ else
+ echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${user}@${group} -a 100 -N ${password}";
+ fi;
 else
 found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${user}/.ssh/authorized_keys);
 if [ ! -z "${found}" ]; then
@@ -171,7 +190,11 @@ while read i; do
 fi;
 if [ ${skip_ssh} -eq 0 ]; then
 # write login info to output file
- echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file};
+ if [ ${TEST} -eq 0 ]; then
+ echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file};
+ else
+ echo $(date +"%F %T")";"${host}";"${_hostname}";"${user}";"${password} >> ${root_folder}${output_file}".TEST";
+ fi;
 # create the SSH foler and authorized access file with correct permissions
 echo " > Create .ssh folder";
 if [ ${TEST} -eq 0 ]; then
@@ -199,6 +222,10 @@ while read i; do
 fi;
 done;
 
+# End before anything because this is just info run
+if [ ${INFO} -eq 1 ]; then
+ exit;
+fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
 zip -r \
 "${root_folder}${output_zip_folder}${output_zip}" \
diff --git a/user_list.txt-sample b/user_list.txt-sample
index ee933b8..f6993aa 100644
--- a/user_list.txt-sample
+++ b/user_list.txt-sample
@@ -1 +1 @@
-#user_id;user_name;group,subgroup;optional override password;optional override hostname
+#user_id;user_name;group,subgroup;override password;override hostname;override ssh type
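Review bot: The test-mode `echo` in the new `else` branch prints `-N ${password}`, i.e. the PEM passphrase of every row, to stdout, where it ends up in terminal scrollback and in any captured log, and test output is exactly what tends to get pasted into tickets; redact it: `echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C '${hostname}: ${user}@${group}' -a 100 -N '<redacted>'";`. Because the key pair is no longer generated in test mode, any later step in this loop that reads `${ssh_keyfile}` or `${ssh_keyfile_pub}` (the `.ssh` folder and authorized_keys handling is outside this hunk) now needs the same `${TEST}` guard or it will fail on a missing file — worth verifying before merging.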
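Review bot: The two `echo $(date ...) >> ...` lines differ only in their target path, so the cleartext password record is now built in two places; compute the path once instead: `out="${root_folder}${output_file}"; [ ${TEST} -eq 0 ] || out="${out}.TEST";` followed by `echo "$(date +"%F %T");${host};${_hostname};${user};${password}" >> "${out}";`. The `.TEST` file holds the same cleartext passwords as the real output file; the comment at the zip step says the output file with passwords is deleted, but that cleanup is outside this hunk and it is not visible whether it covers the `.TEST` name — if it does not, every test run leaves a password list behind in `${root_folder}`.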
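Review bot: `exit;` in the new INFO block ends the run with whatever status the preceding command returned; `exit 0;` states the intent explicitly. It also means an info run that hit the `[*** ABORT RUN ***]` `break` on a malformed row exits the same way as a complete listing, so a caller cannot tell them apart; recording the abort in a variable inside the loop and exiting non-zero here would fix that.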