From ebf0eaf412a1590cccdcf34a6ee7fa763f349aef Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Wed, 5 Apr 2023 13:19:50 +0900
Subject: [PATCH] Bug fixes in user create for new ssh key central location

* Bug with existing ssh key but not in ssh authorized_file The correct public key location was not set for the existing file
* Bug with attr set on authorzied_file update if central location If a central location the +i attrib must be removed first It will set always in the folder rights change
* Change the authorized file group to root for central file location
---
 bin/create_user.sh | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/bin/create_user.sh b/bin/create_user.sh
index b01ed9e..90937b9 100755
--- a/bin/create_user.sh
+++ b/bin/create_user.sh
@@ -284,10 +284,10 @@ while read i; do
 found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
 if [ ! -z "${found}" ]; then
 skip_ssh=1;
-# override previously set with stored one
-ssh_keyfile_pub=${ssh_keyfile_check_pub};
 echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
 else
+# override previously set with stored one
+ssh_keyfile_pub=${ssh_keyfile_check_pub};
 echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
 # Password already set notification
 fi;
@@ -303,7 +303,7 @@ while read i; do
 echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
 # create folder only if we do not have central
 # create the SSH foler and authorized access file with correct permissions
-if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo " > Create .ssh folder";
 if [ ${TEST} -eq 0 ]; then
 mkdir ${HOME_FOLDER}${username}/.ssh/;
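Review bot: The membership test that now decides whether the stored key is adopted in the new else branch, `found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE})` on the first context line, treats the whole public-key file as a basic regular expression, so a `.` in the key comment matches any character, and the file operand is unquoted. A fixed-string, quiet match tested by exit status is both exact and quieter: `if grep -qF -- "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}"; then`. If the skip branch still relies on `ssh_keyfile_pub` later in the loop (not visible here), moving the assignment out of it should be double-checked against that use. The enclosing `while read i; do` loop starts before the hunk.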
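Review bot: The flipped test `if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then` now creates `${HOME_FOLDER}${username}/.ssh/` only when a central location is configured, which contradicts the comment directly above it ("create folder only if we do not have central") and the later branch that secures the home `.ssh` directory when the variable is empty. Unless the home `.ssh` directory is created elsewhere in the script, the non-central `cat > ${SSH_AUTHORIZED_FILE}` will fail for lack of its parent directory while central mode gets an unused directory; either restore `-z` or rewrite the comment to state the new intent. While here, `mkdir -m 700 "${HOME_FOLDER}${username}/.ssh/"` would create the directory with the permissions sshd expects instead of relying on umask until the later chmod. The enclosing `while read i; do` loop starts before the hunk.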
@@ -311,12 +311,20 @@ while read i; do
 echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
 fi;
 fi;
+# add
 echo " > Add public into authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
+if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+chattr -i ${SSH_AUTHORIZED_FILE};
+fi;
 cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 else
+if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
+fi;
 echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
 fi;
+# secure
 if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo " > Secure home directory folder .ssh and authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
@@ -331,12 +339,12 @@ while read i; do
 else
 echo " > Secure central authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
-chown ${username}:${group} ${SSH_AUTHORIZED_FILE};
+chown ${username}:root ${SSH_AUTHORIZED_FILE};
 chmod 400 ${SSH_AUTHORIZED_FILE};
 # set +i so user can't change file
 chattr +i ${SSH_AUTHORIZED_FILE};
 else
-echo "$> chown ${username}:${group} ${SSH_AUTHORIZED_FILE}";
+echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
 echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
 echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
 fi;
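Review bot: The dry-run branch prints `chattr -i` under the opposite condition from the live branch: the live code runs it when `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER` is non-empty, but the `else` side echoes it under `[ -z ... ]`, so `TEST=1` output misrepresents both modes; change the echo guard to `if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then`. The live `chattr -i ${SSH_AUTHORIZED_FILE}` also runs for a first-time user whose central file does not exist yet, where it fails with an error instead of being a no-op; `[ -f "${SSH_AUTHORIZED_FILE}" ] && chattr -i "${SSH_AUTHORIZED_FILE}";` keeps the output clean and stops a genuine failure from being hidden in the noise. Between this `chattr -i` and the `chattr +i` re-applied in the later "secure" step the file is mutable, and since no return code is checked, a script abort between the two (for example a failing `cat`) leaves the central file modifiable by its owner; re-locking in the same step or on the failure path would close that window. The enclosing loop body continues outside the hunk.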
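Review bot: `chattr +i ${SSH_AUTHORIZED_FILE}` is what the comment relies on to stop the user altering the central file, but its exit status is ignored, and the immutable attribute is only honoured on filesystems that implement it (ext4/xfs; typically not NFS), so on an unsupported mount the 0400 user-owned file is left owner-modifiable with no indication. Check it: `chattr +i "${SSH_AUTHORIZED_FILE}" || echo "!! could not set immutable flag on ${SSH_AUTHORIZED_FILE}" >&2;`, and the same for the `chown` and `chmod` above it. The new `chown ${username}:root` is compatible with sshd's StrictModes (file owned by the user or root, not group/world-writable); stating that next to `chmod 400` would help the next reader, e.g. `# user-owned, group root, 0400 + immutable: passes sshd StrictModes, only root can change it`. Quoting `"${username}"` and `"${SSH_AUTHORIZED_FILE}"` in all four commands would also avoid word-splitting on an unusual path; the `if` this `else` belongs to is outside the hunk.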