Missing username in create folder path for adding new user
Check if pub key exists in central location ran even if central file
was missing.
Fixed check for .ssh or central place to use.
File check before trying to remove chattr "i" flag, can't do that if the
file does not exist.
If there is an ssh setting that we have a central location for SSH keys,
move all users' ssh keys there.
Currently skipped are core admin users, they will move later once all
tests are done.
* Bug with existing ssh key but not in ssh authorized_file
The correct public key location was not set for the existing file
* Bug with attr set on authorized_file update if central location
If a central location, the +i attrib must be removed first
It will always be set in the folder rights change
* Change the authorized file group to root for central file location
* new detection for central authorized keys folder
1) must have %u set in the AuthorizedKeysFile list
2) folder must exist (will not be created; abort if it does not exist)
If the above is set, it will create a username file with the ssh key in there
and lock it down as r--/user and +i attrib
else it uses the old .ssh folder form
* fix for user add with different home base folder
add this as option for the useradd command
If /home is e.g. located in /storage then we can now set a prefix for this.
Option -h or via config setting in "user_create.cfg" named
HOME_LOCATION="/path"
Note: Path has to be prefixed with /. Any sub folders in home will be
ignored and the user is always created in /home/user.name
Group names as sub folders in /home are not supported
Make sure that lock script rejects core users
(root/ec2-user/admin/ubuntu)
Unlock script works in reverse with also optional check in user_list.txt
for ssh allow/forward group type
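The central authorized keys folder detection described above, as an added example and not the project's own create_user.sh: it checks the AuthorizedKeysFile entry for %u and an existing folder, then installs the user's key file with owner-only read, root group and the +i attrib, removing +i first only when the file already exists. The sshd_config path and the key file argument are assumptions, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example, not the project's create_user.sh. Assumptions: sshd_config
# path and public key file are supplied by the caller; Match blocks are ignored.

# detect_central_keys_dir CONFIG
# Prints the folder of the first AuthorizedKeysFile entry of the form
# /absolute/folder/%u whose folder exists; otherwise prints nothing, returns 1.
detect_central_keys_dir() {
    cfg="$1"
    # sshd uses the first occurrence of a keyword; commented lines do not match
    entries=$(awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; print; exit }' "$cfg")
    for entry in $entries; do
        # rule 1: %u must be the file name part; rule 2: the folder must exist
        [ "$(basename "$entry")" = "%u" ] || continue
        case "$entry" in /*) ;; *) continue ;; esac   # relative = old .ssh form
        dir=$(dirname "$entry")
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# install_central_key USERNAME PUBKEY_FILE CENTRAL_DIR
# Writes CENTRAL_DIR/USERNAME owned by USERNAME:root, mode r-- for the owner
# only, then marks it immutable. Needs root. The +i flag is only removed when
# the file already exists, since chattr cannot act on a missing file.
install_central_key() {
    username="$1"; pubkey="$2"; target="$3/$username"
    if [ -e "$target" ]; then
        chattr -i "$target"
    fi
    install -m 0400 -o "$username" -g root "$pubkey" "$target"
    chattr +i "$target"
}

# Usage (as root): sh central_key.sh user.name /path/to/user.name.pub
if [ "$#" -eq 2 ]; then
    if dir=$(detect_central_keys_dir /etc/ssh/sshd_config); then
        install_central_key "$1" "$2" "$dir"
    else
        echo "no central AuthorizedKeysFile folder; use ~/.ssh/authorized_keys" >&2
        exit 1
    fi
fi
```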
Internal:
rename all $user to $username
Add a user lock script to move users from ssh allow/forward group to ssh
reject group.
Rename user_create.sh script to create_user.sh script and add new ssh
allow/forward flag in user_list.txt file after group block and before
password name block
Update check last login script with better add/remove from groups
Auth collector from either systemd logger or fallback /var/log/secure
(old Amazon V1).
Use this as primary last login source in check last login script
Logging of all output to log/ folder for check last login script user.
Also for delete, user script now outputs move from ssh allow to ssh
reject group.
A new last logged in, last created script has been added to check which
users we have to disable.
- checks in group sshallow
- if last login older than 60 days, remove account from ssh group
- if we have account create date, check if never logged in and older
than 30 days, remove account from ssh group
Both dates can be set separately
Update create script to add create date in Y-m-d (%F) format as
comment to the passwd file
Also add user to sshallow group (group always exists, is created on
server creation)
-t test will NOT create an ssh key anymore. The user password list file
gets a .TEST extension
-i info is a new option to just show user/group and ssh key name without
creating anything at all.
Can be used to update old public key names to new format