From fa7e7fbe86e755fa8bcb73db81d3fe55b32832b9 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Tue, 16 May 2023 08:58:53 +0900
Subject: [PATCH] Script to move authorized_keys to central location

If there is a ssh setting that we have a central location for SSH keys move all users ssh keys there. Currently skipped are core admin users, they will move later once all tests are done
---
 bin/authorized_key_location_change.sh.sh | 114 +++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100755 bin/authorized_key_location_change.sh.sh

diff --git a/bin/authorized_key_location_change.sh.sh b/bin/authorized_key_location_change.sh.sh
new file mode 100755
index 0000000..2145c52
--- /dev/null
+++ b/bin/authorized_key_location_change.sh.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# check if we need to move the users authorized keys to the central location
+
+TEST=0;
+SKIP_USERS=();
+while getopts ":tis:" opt; do
+	case "${opt}" in
+	t|test)
+		TEST=1;
+		;;
+	s|skip)
+		SKIP_USERS+=("${OPTARG}");
+		;;
+	\?)
+		echo -e "\n Option does not exist: ${OPTARG}\n";
+		echo "Use -t for test and -s for users to skip";
+		exit 1;
+		;;
+	esac;
+done;
+
+# check if authorized keys is actually enabled
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+	echo "No central authorized_keys file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+
+PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
+# list of user accounts we will never touch
+NO_ACTION=(root admin ec2-user ubuntu);
+
+# loop over passwd file
+# if not in no action then check if .ssh/authorized_keys file exists
+cat /etc/passwd | cut -d ":" -f 1,6 |
+while read user_home; do
+	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	# skip admin usernames
+	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
+		continue;
+	fi;
+	if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
+		continue;
+	fi;
+	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
+	# skip no .ssh/authorized_ekys
+	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
+		# but do we have an auth folder, if yes -> exist skip
+		if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+			printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
+		else
+			printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
+		fi;
+		continue;
+	fi;
+	# check if this user public key(s) exist in AuthorizedKeysFile target
+	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
+			if [ ${TEST} -eq 0 ]; then
+				rm "${home_folder}/.ssh/authorized_keys";
+			else
+				echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+			fi;
+			continue;
+		fi;
+		# No update, alert
+		printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
+		continue;
+	fi;
+	printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
+	# move public keys over
+	if [ ${TEST} -eq 0 ]; then
+		cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# secure new folder: chown/chmod/chattr
+		chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# confirm
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
+			break;
+		fi;
+		# remove home .ssh/authorized_keys (do not remove folder)
+		rm "${home_folder}/.ssh/authorized_keys";
+	else
+		echo "[START] ====>";
+		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		echo "[END ] ====>";
+	fi;
+done;
+
+# __END__
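Review bot: The `cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"` step runs as root on a path inside a user-writable directory, and the `[ -f … ]` test before it follows symlinks, so a symlink placed at that path would be dereferenced and its target's contents written into a file that is then `chown`ed to that user; the `diff`/`rm` branch above has the same exposure. Before either branch, reject anything that is not a regular file owned by the user, e.g. `src="${home_folder}/.ssh/authorized_keys"` followed by `if [ -L "${src}" ] || [ "$(stat -c '%U' "${src}")" != "${username}" ]; then printf "${PRINTF_INFO}" "SKIP" "!" "${username}" "not a regular file owned by user"; continue; fi`. Separately, the failure paths report success: `exit;` after "could not be found" and the `break` after the "Move problem" message both leave the script with status 0, so a caller cannot tell a partial run from a clean one; use `exit 1` there (or set a flag before `break` and `exit "${rv}"` at the end). The `for cf in $(grep "^AuthorizedKeysFile" …)` detection word-splits the directive and ignores `Match` blocks and `Include`d files; reading the effective value from `sshd -T` (key `authorizedkeysfile`) is more reliable, with the caveat that it still reflects the global context only.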