Fixes in create user script with central SSH location and dynamic home

Missing username in create folder path for adding new user

check if pub key exists in central location ran even if central file
was missing.

Fixed check for .ssh or central place to use.

File check before trying to remove chattr "i" flag, can't do that if the
file does not exists.

.gitignore

@@ -1,3 +1,3 @@
 user_list.txt
-user_password*.txt
+user_password*.txt*
 *.zip

bin/authorized_key_location_change.sh.sh

@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# check if we need to move the users authorized keys to the central location
+
+TEST=0;
+SKIP_USERS=();
+while getopts ":tis:" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		s|skip)
+			SKIP_USERS+=("${OPTARG}");
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test and -s <user> for users to skip";
+			exit 1;
+			;;
+	esac;
+done;
+
+# check if authorized keys is actually enabled
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+	echo "No central authorized_keys file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+
+PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
+# list of user accounts we will never touch
+NO_ACTION=(root admin ec2-user ubuntu);
+
+# loop over passwd file
+# if not in no action then check if .ssh/authorized_keys file exists
+cat /etc/passwd | cut -d ":" -f 1,6 |
+while read user_home; do
+	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	# skip admin usernames
+	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
+		continue;
+	fi;
+	if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
+		continue;
+	fi;
+	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
+	# skip no .ssh/authorized_ekys
+	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
+		# but do we have an auth folder, if yes -> exist skip
+		if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+			printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
+		else
+			printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
+		fi;
+		continue;
+	fi;
+	# check if this user public key(s) exist in AuthorizedKeysFile target
+	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
+			if [ ${TEST} -eq 0 ]; then
+				rm "${home_folder}/.ssh/authorized_keys";
+			else
+				echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+			fi;
+			continue;
+		fi;
+		# No update, alert
+		printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
+		continue;
+	fi;
+	printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
+	# move public keys over
+	if [ ${TEST} -eq 0 ]; then
+		cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# secure new folder: chown/chmod/chattr
+		chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# confirm
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
+			break;
+		fi;
+		# remove home .ssh/authorized_keys (do not remove folder)
+		rm "${home_folder}/.ssh/authorized_keys";
+	else
+		echo "[START] ====>";
+		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		echo "[END  ] ====>";
+	fi;
+done;
+
+# __END__

bin/create_user.sh

@@ -27,7 +27,7 @@
 # SET TO 1 to TEST [will not create user/group/folder]
 TEST=0; # no creation except ssh keys
 INFO=0; # no creation of anything, just print info strings
-while getopts ":ti" opt; do
+while getopts ":tih:" opt; do
 	case "${opt}" in
 		t|test)
 			TEST=1;
@@ -35,6 +35,15 @@ while getopts ":ti" opt; do
 		i|info)
 			INFO=1;
 			;;
+		h|home)
+			HOME_LOCATION="${OPTARG}";
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test and -i for info";
+			echo "Override default /home/ folder location with -h <base>";
+			exit 1;
+			;;
 	esac;
 done;
 # hostname for output file only
@@ -43,26 +52,68 @@ timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-# root_folder=$(pwd)'/';
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-root_folder="${BASE_FOLDER}../";
+# home folder is always thome
+HOME_BASE="/home/";
+# config location
+CONFIG_BASE="${BASE_FOLDER}../config/";
+# check config folder for .env file with HOME_LOCATION
+# only use if HOME_LOCATION not yet set
+if [ -z "${HOME_LOCATION}" ] && [ -f "${CONFIG_BASE}create_user.cfg" ]; then
+	source <(grep = ${CONFIG_BASE}create_user.cfg | sed 's/ *= */=/g')
+fi;
+
+if [ ! -z "${HOME_LOCATION}" ]; then
+	# must start with / as it has to be from root
+	if [ "${HOME_LOCATION##/*}" ]; then
+		echo "Home location folder must start with a slash (/): ${HOME_LOCATION}";
+		exit;
+	fi;
+	# must be valid folder
+	if [ ! -d "${HOME_LOCATION}" ]; then
+		echo "Folder for home location does not exists: ${HOME_LOCATION}";
+		exit;
+	fi;
+fi;
+# the new location for home, if override is set will be created in this folder
+HOME_FOLDER="${HOME_LOCATION}${HOME_BASE}"
+if [ ! -d "${HOME_FOLDER}" ]; then
+	echo "Home folder location not found: ${HOME_FOLDER}";
+	exit;
+fi;
+ROOT_FOLDER="${BASE_FOLDER}../";
 input_file='user_list.txt';
 output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
 output_zip="users.${timestamp}.zip"
-ssh_keygen_folder='ssh-keygen/';
-ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
-ssh_keytype='ed25519';
+SSH_KEYGEN_FOLDER='ssh-keygen/';
+SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
+# set default key tpye
+default_ssh_keytype='ed25519';
+ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+
 # check if ssh key folder exists
-if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
-	mkdir "${root_folder}${ssh_keygen_folder}";
+if [ ! -d "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}" ]; then
+	mkdir "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}";
 fi;
 # check if zip folder is missing
-if [ ! -d "${root_folder}${output_zip_folder}" ]; then
-	mkdir "${root_folder}${output_zip_folder}";
+if [ ! -d "${ROOT_FOLDER}${output_zip_folder}" ]; then
+	mkdir "${ROOT_FOLDER}${output_zip_folder}";
 fi;
 # check if password generate software is installed
 # if [ ! command -v pwgen &> /dev/null ]; then
@@ -86,8 +137,8 @@ if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
 	ssh_forward_ok=1;
 fi;
 # check if user list file exists
-if [ ! -f "${root_folder}${input_file}" ]; then
-	echo "Missing ${root_folder}${input_file}";
+if [ ! -f "${ROOT_FOLDER}${input_file}" ]; then
+	echo "Missing ${ROOT_FOLDER}${input_file}";
 	exit;
 fi;
 # make sure my own folder is owned by root and 600 (except for testing)
@@ -103,17 +154,19 @@ if [ $(whoami) != "root" ]; then
 	fi;
 fi;
 # create users
-cat "${root_folder}${input_file}" |
+cat "${ROOT_FOLDER}${input_file}" |
 while read i; do
 	# skip rows start with # (comment)
 	if [[ "${i}" =~ ^\# ]]; then
 		continue;
 	fi;
-	# make lower case, remove spaces
+	# POS 2: make lower case, remove spaces
 	username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
+	# POS 3: groups
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
+	# POS 4: ssh access type
 	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
@@ -132,19 +185,22 @@ while read i; do
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
 		sub_group_opt=" -G ${sub_group}";
 	fi;
-	# override host name, lowercase and spaces removed
-	_hostname=$(echo "${i}" | cut -d ";" -f 5 | tr A-Z a-z | tr -d ' ');
+	# POS 5: do we have a password preset
+	_password=$(echo "${i}" | cut -d ";" -f 5);
+	# POS 6: override host name, lowercase and spaces removed
+	_hostname=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
 	if [ -z "${_hostname}" ]; then
 		hostname=${host};
 	else
 		hostname=${_hostname};
 	fi;
-			# do we have a password preset
-	_password=$(echo "${i}" | cut -d ";" -f 4);
-	_ssh_keytype=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+	# POS 7: ssh keytype override
+	_ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
 	if [ "${_ssh_keytype}" = "rsa" ]; then
 		ssh_keytype="${_ssh_keytype}";
 		#echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
+	else
+		ssh_keytype=${default_ssh_keytype};
 	fi;
 	# user & group not set
 	if [ -z "${username}" ] || [ -z "${_group}" ]; then
@@ -155,11 +211,11 @@ while read i; do
 	# SSH file name part without folder
 	ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
 	# the full file including folder name
-	ssh_keyfile="${root_folder}${ssh_keygen_folder}${ssh_keygen_id}";
+	ssh_keyfile="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}${ssh_keygen_id}";
 	# publ file if new
 	ssh_keyfile_pub="${ssh_keyfile}.pub";
 	# check existing pub file
-	ssh_keyfile_check_pub="${root_folder}${ssh_keygen_folder_created_pub}${ssh_keygen_id}.pub";
+	ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub";
 
 	if [ ${INFO} -eq 1 ]; then
 		# test if pub file exists or not, test if user exists
@@ -191,18 +247,24 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
+	# set the auth file
+	if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+		SSH_AUTHORIZED_FILE="${HOME_FOLDER}${username}/.ssh/authorized_keys";
+	else
+		SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
+	fi;
 	skip_ssh=0;
 	# if public pem already exists skip creation
 	if [ ! -f "${ssh_keyfile_check_pub}" ]; then
 		# Note we only create a password if we need it
 		# password + store pwgen 10 1 -1
 		if [ -z "${_password}" ]; then
-			password=$(printf "%s" $(pwgen 10 1));
+			password=$(printf "%s" $(pwgen 14 1));
 		else
 			echo "! Override password set";
 			password=${_password};
@@ -219,13 +281,16 @@ while read i; do
 			echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
 		fi;
 	else
-		found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${username}/.ssh/authorized_keys);
+		found='';
+		if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+			found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		fi;
 		if [ ! -z "${found}" ]; then
 			skip_ssh=1;
-			# override previously set with stored one
-			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
 		else
+			# override previously set with stored one
+			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
 			# Password already set notification
 		fi;
@@ -234,33 +299,64 @@ while read i; do
 	if [ ${skip_ssh} -eq 0 ]; then
 		# write login info to output file
 		if [ ${TEST} -eq 0 ]; then
-			create_output_file="${root_folder}${output_file}";
+			create_output_file="${ROOT_FOLDER}${output_file}";
 		else
-			create_output_file="${root_folder}${output_file}.TEST";
+			create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 		fi;
 		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
+		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
-		echo " > Create .ssh folder";
-		if [ ${TEST} -eq 0 ]; then
-			mkdir /home/${username}/.ssh/;
-		else
-			echo "$> mkdir /home/${username}/.ssh/";
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Create .ssh folder";
+			if [ ${TEST} -eq 0 ]; then
+				mkdir ${HOME_FOLDER}${username}/.ssh/;
+			else
+				echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
+			fi;
 		fi;
-		echo " > Add public into authorized_keys";
+		# add
+		echo " > Add public into authorized_keys file";
 		if [ ${TEST} -eq 0 ]; then
-			cat "${ssh_keyfile_pub}" > /home/${username}/.ssh/authorized_keys;
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
+				chattr -i ${SSH_AUTHORIZED_FILE};
+			fi;
+			cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 		else
-			echo "$> cat ${ssh_keyfile_pub} > /home/${username}/.ssh/authorized_keys";
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
+				echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
+			fi;
+			echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
 		fi;
-		echo " > Secure folder .ssh and authorized_keys file";
-		if [ ${TEST} -eq 0 ]; then
-			chown -R ${username}:${group} /home/${username}/.ssh/;
-			chmod 700 /home/${username}/.ssh/;
-			chmod 600 /home/${username}/.ssh/authorized_keys;
+		# secure
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Secure home directory folder .ssh and authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
+				chmod 700 ${HOME_FOLDER}${username}/.ssh/;
+				chmod 600 ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
+			fi;
 		else
-			echo "$> chown -R ${username}:${group} /home/${username}/.ssh/";
-			echo "$> chmod 700 /home/${username}/.ssh/";
-			echo "$> chmod 600 /home/${username}/.ssh/authorized_keys";
+			echo " > Secure central authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown ${username}:root ${SSH_AUTHORIZED_FILE};
+				chmod 400 ${SSH_AUTHORIZED_FILE};
+				# set +i so user can't change file
+				chattr +i ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
+				echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
+				echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
+			fi;
 		fi;
 	fi;
 done;
@@ -270,24 +366,33 @@ if [ ${INFO} -eq 1 ]; then
 	exit;
 fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
-zip -r \
-	"${root_folder}${output_zip_folder}${output_zip}" \
-	"${input_file}" \
-	"${output_file}" \
-	"${ssh_keygen_folder}" \
-	-x\*.gitignore;
-echo "Download: ${root_folder}${output_zip_folder}${output_zip}";
+if [ ${TEST} -eq 0 ]; then
+	zip -r \
+		"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
+		"${input_file}" \
+		"${output_file}" \
+		"${SSH_KEYGEN_FOLDER}" \
+		-x\*.gitignore;
+else
+	echo "zip -r \\"
+	echo "${ROOT_FOLDER}${output_zip_folder}${output_zip} \\"
+	echo "${input_file} \\"
+	echo "${output_file} \\"
+	echo "${SSH_KEYGEN_FOLDER} \\"
+	echo "-x\*.gitignore;"
+fi;
+echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 # cleam up user log file and ssh keys
 if [ ${TEST} -eq 0 ]; then
 	# move pub to created folders
-	mv "${root_folder}${ssh_keygen_folder}"*.pub "${root_folder}${ssh_keygen_folder_created_pub}";
+	mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
 	# delete the rest
-	rm "${root_folder}${output_file}";
-	rm "${root_folder}${ssh_keygen_folder}"*;
+	rm "${ROOT_FOLDER}${output_file}";
+	rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
 else
-	echo "$> mv ${root_folder}${ssh_keygen_folder}*.pub ${root_folder}${ssh_keygen_folder_created_pub};";
-	echo "$> rm ${root_folder}${output_file}";
-	echo "$> rm ${root_folder}${ssh_keygen_folder}*";
+	echo "$> mv ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*.pub ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB};";
+	echo "$> rm ${ROOT_FOLDER}${output_file}";
+	echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*";
 fi;
 
 # __END__

config/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

user_create_flow.md

@@ -0,0 +1,95 @@
+# AWS user create flow
+
+* Step 1: check if main group exists
+* Step 2: Add user to user_list.txt
+
+Example:
+
+```txt
+# 2022-12-12
+1;test.foo;group-a;allow
+```
+
+* Step 3: run create script in root/users `bin/create_user.sh`
+
+Not, if unsure use `-t` for testing or `-i` for info only.
+
+Example output for `-i`:
+
+```sh
+$> bin/create_user.sh -i
+User: 'test.foo:group-a();sshallow', SSH: hostname.com#grou-a#test.foo#ed25519.pem
+```
+
+Run output (example):
+
+```sh
+++ Create 'test.foo:group-a()'
+! Override password set
+ > Create ssh key-pair '/root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem'
+Generating public/private ed25519 key pair.
+Your identification has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem
+Your public key has been saved in /root/users/bin/../ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub
+The key fingerprint is:
+SHA256:IXiHXZrBGuMIHgU34L4DgAwLeFeX37AhQD69TOF1XZI hostname.com: test.foo@group-a
+The key's randomart image is:
++--[ED25519 256]--+
+|+ o++o+o+.o ...o.|
+|*o+..+o*+Bo.  E. |
+|++.+.o*+Xo =     |
+|... ..o* oo .    |
+|. .     S        |
+| . .             |
+|  o              |
+|   .             |
+|                 |
++----[SHA256]-----+
+ > Create .ssh folder
+ > Add public into authorized_keys
+ > Secure folder .ssh and authorized_keys file
+  adding: user_list.txt (stored 0%)
+  adding: user_password.20221202-094351.txt (stored 0%)
+  adding: ssh-keygen/ (stored 0%)
+  adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem (deflated 24%)
+  adding: ssh-keygen/hostname.com#group-a#test.foo#ed25519.pem.pub (deflated 2%)
+Download: /root/users/bin/../zip/users.20221202-094351.zip
+```
+
+* Step 4: Move the zip file to a folder where you can download it
+
+```sh
+$> mv /root/users/bin/../zip/users.20221202-094351.zip /home/<admin user>/
+```
+
+* Step 5: Download ZIP file to local computer and extract
+
+Overwrite user_list.txt file if it exists
+
+In the zup file there are the following files:
+
+* user_password.YYYYMMDD-HHmmss.txt (creation timestamp)
+* ssh-keygen/hostname#group#user#keytype.pem
+* ssh-keygen/hostname#group#user#keytype.pem.pub
+
+The .pem key has to be given to the user, the pub key is for reference only
+
+* Step 6: test login
+
+In the folder where the data was extracted
+
+```sh
+ssh -i ssh-keygen/hostname#group#user#keytype.pem user@hostname
+```
+
+Hand over to the user:
+
+* username
+* hostname
+* PEM key file
+* PEM key password
+
+If the password needs to be removed:
+
+```sh
+ssh-keygen -p -f ssh-keygen/hostname#group#user#keytype.pem -P <old password> -N ""
+```