Abort on invalid option, always set ssh keytype so it doesn't stay on last selected

bin/check_last_login.sh

@@ -5,7 +5,6 @@
 
 # base folder
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-input_file='user_list.txt';
 # which groups holds the ssh allowed login users (outside of admin users)
 ssh_groups=('sshforward' 'sshallow');
 ssh_reject_group='sshreject';

bin/create_user.sh

@@ -35,6 +35,11 @@ while getopts ":ti" opt; do
 		i|info)
 			INFO=1;
 			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test and -i for info";
+			exit 1;
+			;;
 	esac;
 done;
 # hostname for output file only
@@ -45,14 +50,16 @@ separator="#";
 # base folder for all data
 # root_folder=$(pwd)'/';
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-root_folder="${BASE_FOLDER}";
+root_folder="${BASE_FOLDER}../";
 input_file='user_list.txt';
 output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
 output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
-ssh_keytype='ed25519';
+# set default key tpye
+default_ssh_keytype='ed25519';
+ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
@@ -109,11 +116,13 @@ while read i; do
 	if [[ "${i}" =~ ^\# ]]; then
 		continue;
 	fi;
-	# make lower case, remove spaces
+	# POS 2: make lower case, remove spaces
 	username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
+	# POS 3: groups
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
+	# POS 4: ssh access type
 	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
@@ -132,19 +141,22 @@ while read i; do
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
 		sub_group_opt=" -G ${sub_group}";
 	fi;
-	# override host name, lowercase and spaces removed
+	# POS 5: do we have a password preset
-	_hostname=$(echo "${i}" | cut -d ";" -f 5 | tr A-Z a-z | tr -d ' ');
+	_password=$(echo "${i}" | cut -d ";" -f 5);
+	# POS 6: override host name, lowercase and spaces removed
+	_hostname=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
 	if [ -z "${_hostname}" ]; then
 		hostname=${host};
 	else
 		hostname=${_hostname};
 	fi;
-			# do we have a password preset
+	# POS 7: ssh keytype override
-	_password=$(echo "${i}" | cut -d ";" -f 4);
+	_ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
-	_ssh_keytype=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
 	if [ "${_ssh_keytype}" = "rsa" ]; then
 		ssh_keytype="${_ssh_keytype}";
 		#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
+	else
+		ssh_keytype=${default_ssh_keytype};
 	fi;
 	# user & group not set
 	if [ -z "${username}" ] || [ -z "${_group}" ]; then
@@ -202,7 +214,7 @@ while read i; do
 		# Note we only create a password if we need it
 		# password + store pwgen 10 1 -1
 		if [ -z "${_password}" ]; then
-			password=$(printf "%s" $(pwgen 10 1));
+			password=$(printf "%s" $(pwgen 14 1));
 		else
 			echo "! Override password set";
 			password=${_password};

bin/unlock_user.sh

@@ -42,6 +42,8 @@ if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_
 fi;
 
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+root_folder="${BASE_FOLDER}../";
+input_file='user_list.txt';
 # ignore users (root and admin users)
 ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
 # ssh reject group
@@ -85,8 +87,8 @@ for username in "$@"; do
 	# else try to set from option
 	# if not valid use allow
 	ssh_add_group="${SSH_GROUP_ADD}";
-	if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${BASE_FOLDER}${input_file}" ]; then
+	if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
-		ssh_add_group=$(grep "${username}" "${BASE_FOLDER}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+		ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
 	fi;
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 		ssh_add_group="allow";
@@ -100,9 +102,8 @@ for username in "$@"; do
 		if [ ${TEST} -eq 1 ]; then
 			printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
 		else
-			#gpasswd -d "${username}" "${ssh_reject_group}";
+			gpasswd -d "${username}" "${ssh_reject_group}";
-			#gpasswd -a "${username}" "${ssh_add_group}";
+			gpasswd -a "${username}" "${ssh_add_group}";
-			echo "NOOP";
 		fi;
 	else
 		# skip not ssh user

user_create_flow.md

@@ -0,0 +1,95 @@
+# AWS user create flow
+
+* Step 1: check if main group exists
+* Step 2: Add user to user_list.txt
+
+Example:
+
+```txt
+# 2022-12-12
+1;test.foo;group-a;allow
+```
+
+* Step 3: run create script in root/users `bin/create_user.sh`
+
+Not, if unsure use `-t` for testing or `-i` for info only.
+
+Example output for `-i`:
+
+```sh
+$> bin/create_user.sh -i
+User: 'test.foo:group-a();sshallow', SSH: hostname.com#grou-a#test.foo#ed25519.pem
+```
+
+Run output (example):
+
+```sh
+++ Create 'test.foo:group-a()'
+! Override password set
+ > Create ssh key-pair '/root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem'
+Generating public/private ed25519 key pair.
+Your identification has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem
+Your public key has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub
+The key fingerprint is:
+SHA256:IXiHXZrBGuMIHgU34L4DgAwLeFeX37AhQD69TOF1XZI hostname.com: test.foo@group-a
+The key's randomart image is:
++--[ED25519 256]--+
+|+ o++o+o+.o ...o.|
+|*o+..+o*+Bo.  E. |
+|++.+.o*+Xo =     |
+|... ..o* oo .    |
+|. .     S        |
+| . .             |
+|  o              |
+|   .             |
+|                 |
++----[SHA256]-----+
+ > Create .ssh folder
+ > Add public into authorized_keys
+ > Secure folder .ssh and authorized_keys file
+  adding: user_list.txt (stored 0%)
+  adding: user_password.20221202-094351.txt (stored 0%)
+  adding: ssh-keygen/ (stored 0%)
+  adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem (deflated 24%)
+  adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub (deflated 2%)
+Download: /root/users/bin/../zip/users.20221202-094351.zip
+```
+
+* Step 4: Move the zip file to a folder where you can download it
+
+```sh
+$> mv /root/users/bin/../zip/users.20221202-094351.zip /home/<admin user>/
+```
+
+* Step 5: Download ZIP file to local computer and extract
+
+Overwrite user_list.txt file if it exists
+
+In the zup file there are the following files:
+
+* user_password.YYYYMMDD-HHmmss.txt (creation timestamp)
+* ssh-keygen/hostname#group#user#keytype.pem
+* ssh-keygen/hostname#group#user#keytype.pem.pub
+
+The .pem key has to be given to the user, the pub key is for reference only
+
+* Step 6: test login
+
+In the folder where the data was extracted
+
+```sh
+ssh -i ssh-keygen/hostname#group#user#keytype.pem user@hostname
+```
+
+Hand over to the user:
+
+* username
+* hostname
+* PEM key file
+* PEM key password
+
+If the password needs to be removed:
+
+```sh
+ssh-keygen -p -f ssh-keygen/hostname#group#user#keytype.pem -P <old password> -N ""
+```