Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
fb00036ab9 | ||
|
|
8808b94413 | ||
|
|
1fbc6c8125 | ||
|
|
87d53cdb13 | ||
|
|
716a0c2bfb |
@@ -35,6 +35,11 @@ while getopts ":ti" opt; do
|
||||
i|info)
|
||||
INFO=1;
|
||||
;;
|
||||
\?)
|
||||
echo -e "\n Option does not exist: ${OPTARG}\n";
|
||||
echo "Use -t for test and -i for info";
|
||||
exit 1;
|
||||
;;
|
||||
esac;
|
||||
done;
|
||||
# hostname for output file only
|
||||
@@ -45,14 +50,16 @@ separator="#";
|
||||
# base folder for all data
|
||||
# root_folder=$(pwd)'/';
|
||||
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||
root_folder="${BASE_FOLDER}";
|
||||
root_folder="${BASE_FOLDER}../";
|
||||
input_file='user_list.txt';
|
||||
output_file="user_password.${timestamp}.txt";
|
||||
output_zip_folder='zip/';
|
||||
output_zip="users.${timestamp}.zip"
|
||||
ssh_keygen_folder='ssh-keygen/';
|
||||
ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
|
||||
ssh_keytype='ed25519';
|
||||
# set default key tpye
|
||||
default_ssh_keytype='ed25519';
|
||||
ssh_keytype='';
|
||||
# sshallow or sshforward
|
||||
ssh_group='';
|
||||
ssh_forward_ok=0;
|
||||
@@ -109,11 +116,13 @@ while read i; do
|
||||
if [[ "${i}" =~ ^\# ]]; then
|
||||
continue;
|
||||
fi;
|
||||
# make lower case, remove spaces
|
||||
# POS 2: make lower case, remove spaces
|
||||
username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
|
||||
# POS 3: groups
|
||||
_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
|
||||
group=$(echo "${_group}" | cut -d "," -f 1);
|
||||
sub_group="";
|
||||
# POS 4: ssh access type
|
||||
ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
|
||||
# if not allow or forward, set to access
|
||||
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
|
||||
@@ -132,19 +141,22 @@ while read i; do
|
||||
sub_group=$(echo "${_group}" | cut -d "," -f 2-);
|
||||
sub_group_opt=" -G ${sub_group}";
|
||||
fi;
|
||||
# override host name, lowercase and spaces removed
|
||||
_hostname=$(echo "${i}" | cut -d ";" -f 5 | tr A-Z a-z | tr -d ' ');
|
||||
# POS 5: do we have a password preset
|
||||
_password=$(echo "${i}" | cut -d ";" -f 5);
|
||||
# POS 6: override host name, lowercase and spaces removed
|
||||
_hostname=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
|
||||
if [ -z "${_hostname}" ]; then
|
||||
hostname=${host};
|
||||
else
|
||||
hostname=${_hostname};
|
||||
fi;
|
||||
# do we have a password preset
|
||||
_password=$(echo "${i}" | cut -d ";" -f 4);
|
||||
_ssh_keytype=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
|
||||
# POS 7: ssh keytype override
|
||||
_ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
|
||||
if [ "${_ssh_keytype}" = "rsa" ]; then
|
||||
ssh_keytype="${_ssh_keytype}";
|
||||
#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
|
||||
else
|
||||
ssh_keytype=${default_ssh_keytype};
|
||||
fi;
|
||||
# user & group not set
|
||||
if [ -z "${username}" ] || [ -z "${_group}" ]; then
|
||||
@@ -202,7 +214,7 @@ while read i; do
|
||||
# Note we only create a password if we need it
|
||||
# password + store pwgen 10 1 -1
|
||||
if [ -z "${_password}" ]; then
|
||||
password=$(printf "%s" $(pwgen 10 1));
|
||||
password=$(printf "%s" $(pwgen 14 1));
|
||||
else
|
||||
echo "! Override password set";
|
||||
password=${_password};
|
||||
|
||||
@@ -42,6 +42,7 @@ if [ ! -z "${SSH_GROUP_ADD}" ] && [ "${SSH_GROUP_ADD}" != "allow" ] && [ "${SSH_
|
||||
fi;
|
||||
|
||||
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||
root_folder="${BASE_FOLDER}../";
|
||||
input_file='user_list.txt';
|
||||
# ignore users (root and admin users)
|
||||
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
|
||||
@@ -86,8 +87,8 @@ for username in "$@"; do
|
||||
# else try to set from option
|
||||
# if not valid use allow
|
||||
ssh_add_group="${SSH_GROUP_ADD}";
|
||||
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${BASE_FOLDER}${input_file}" ]; then
|
||||
ssh_add_group=$(grep "${username}" "${BASE_FOLDER}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
|
||||
if [ -z "${SSH_GROUP_ADD}" ] && [ -f "${root_folder}${input_file}" ]; then
|
||||
ssh_add_group=$(grep "${username}" "${root_folder}${input_file}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
|
||||
fi;
|
||||
if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
|
||||
ssh_add_group="allow";
|
||||
|
||||
95
user_create_flow.md
Normal file
95
user_create_flow.md
Normal file
@@ -0,0 +1,95 @@
|
||||
# AWS user create flow
|
||||
|
||||
* Step 1: check if main group exists
|
||||
* Step 2: Add user to user_list.txt
|
||||
|
||||
Example:
|
||||
|
||||
```txt
|
||||
# 2022-12-12
|
||||
1;test.foo;group-a;allow
|
||||
```
|
||||
|
||||
* Step 3: run create script in root/users `bin/create_user.sh`
|
||||
|
||||
Not, if unsure use `-t` for testing or `-i` for info only.
|
||||
|
||||
Example output for `-i`:
|
||||
|
||||
```sh
|
||||
$> bin/create_user.sh -i
|
||||
User: 'test.foo:group-a();sshallow', SSH: hostname.com#grou-a#test.foo#ed25519.pem
|
||||
```
|
||||
|
||||
Run output (example):
|
||||
|
||||
```sh
|
||||
++ Create 'test.foo:group-a()'
|
||||
! Override password set
|
||||
> Create ssh key-pair '/root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem'
|
||||
Generating public/private ed25519 key pair.
|
||||
Your identification has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem
|
||||
Your public key has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub
|
||||
The key fingerprint is:
|
||||
SHA256:IXiHXZrBGuMIHgU34L4DgAwLeFeX37AhQD69TOF1XZI hostname.com: test.foo@group-a
|
||||
The key's randomart image is:
|
||||
+--[ED25519 256]--+
|
||||
|+ o++o+o+.o ...o.|
|
||||
|*o+..+o*+Bo. E. |
|
||||
|++.+.o*+Xo = |
|
||||
|... ..o* oo . |
|
||||
|. . S |
|
||||
| . . |
|
||||
| o |
|
||||
| . |
|
||||
| |
|
||||
+----[SHA256]-----+
|
||||
> Create .ssh folder
|
||||
> Add public into authorized_keys
|
||||
> Secure folder .ssh and authorized_keys file
|
||||
adding: user_list.txt (stored 0%)
|
||||
adding: user_password.20221202-094351.txt (stored 0%)
|
||||
adding: ssh-keygen/ (stored 0%)
|
||||
adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem (deflated 24%)
|
||||
adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub (deflated 2%)
|
||||
Download: /root/users/bin/../zip/users.20221202-094351.zip
|
||||
```
|
||||
|
||||
* Step 4: Move the zip file to a folder where you can download it
|
||||
|
||||
```sh
|
||||
$> mv /root/users/bin/../zip/users.20221202-094351.zip /home/<admin user>/
|
||||
```
|
||||
|
||||
* Step 5: Download ZIP file to local computer and extract
|
||||
|
||||
Overwrite user_list.txt file if it exists
|
||||
|
||||
In the zup file there are the following files:
|
||||
|
||||
* user_password.YYYYMMDD-HHmmss.txt (creation timestamp)
|
||||
* ssh-keygen/hostname#group#user#keytype.pem
|
||||
* ssh-keygen/hostname#group#user#keytype.pem.pub
|
||||
|
||||
The .pem key has to be given to the user, the pub key is for reference only
|
||||
|
||||
* Step 6: test login
|
||||
|
||||
In the folder where the data was extracted
|
||||
|
||||
```sh
|
||||
ssh -i ssh-keygen/hostname#group#user#keytype.pem user@hostname
|
||||
```
|
||||
|
||||
Hand over to the user:
|
||||
|
||||
* username
|
||||
* hostname
|
||||
* PEM key file
|
||||
* PEM key password
|
||||
|
||||
If the password needs to be removed:
|
||||
|
||||
```sh
|
||||
ssh-keygen -p -f ssh-keygen/hostname#group#user#keytype.pem -P <old password> -N ""
|
||||
```
|
||||
Reference in New Issue
Block a user