Bug in user create test output

Missing ! for central ssh authorized_file check in pub key update flow

.gitignore

@@ -1,3 +1,3 @@
 user_list.txt
-user_password*.txt
+user_password*.txt*
 *.zip

bin/create_user.sh

@@ -27,7 +27,7 @@
 # SET TO 1 to TEST [will not create user/group/folder]
 TEST=0; # no creation except ssh keys
 INFO=0; # no creation of anything, just print info strings
-while getopts ":ti" opt; do
+while getopts ":tih:" opt; do
 	case "${opt}" in
 		t|test)
 			TEST=1;
@@ -35,9 +35,13 @@ while getopts ":ti" opt; do
 		i|info)
 			INFO=1;
 			;;
+		h|home)
+			HOME_LOCATION="${OPTARG}";
+			;;
 		\?)
 			echo -e "\n Option does not exist: ${OPTARG}\n";
 			echo "Use -t for test and -i for info";
+			echo "Override default /home/ folder location with -h <base>";
 			exit 1;
 			;;
 	esac;
@@ -48,28 +52,68 @@ timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-# root_folder=$(pwd)'/';
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
-root_folder="${BASE_FOLDER}../";
+# home folder is always thome
+HOME_BASE="/home/";
+# config location
+CONFIG_BASE="${BASE_FOLDER}../config/";
+# check config folder for .env file with HOME_LOCATION
+# only use if HOME_LOCATION not yet set
+if [ -z "${HOME_LOCATION}" ] && [ -f "${CONFIG_BASE}create_user.cfg" ]; then
+	source <(grep = ${CONFIG_BASE}create_user.cfg | sed 's/ *= */=/g')
+fi;
+
+if [ ! -z "${HOME_LOCATION}" ]; then
+	# must start with / as it has to be from root
+	if [ "${HOME_LOCATION##/*}" ]; then
+		echo "Home location folder must start with a slash (/): ${HOME_LOCATION}";
+		exit;
+	fi;
+	# must be valid folder
+	if [ ! -d "${HOME_LOCATION}" ]; then
+		echo "Folder for home location does not exists: ${HOME_LOCATION}";
+		exit;
+	fi;
+fi;
+# the new location for home, if override is set will be created in this folder
+HOME_FOLDER="${HOME_LOCATION}${HOME_BASE}"
+if [ ! -d "${HOME_FOLDER}" ]; then
+	echo "Home folder location not found: ${HOME_FOLDER}";
+	exit;
+fi;
+ROOT_FOLDER="${BASE_FOLDER}../";
 input_file='user_list.txt';
 output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
 output_zip="users.${timestamp}.zip"
-ssh_keygen_folder='ssh-keygen/';
-ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
+SSH_KEYGEN_FOLDER='ssh-keygen/';
+SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
 # set default key tpye
 default_ssh_keytype='ed25519';
 ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+
 # check if ssh key folder exists
-if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
-	mkdir "${root_folder}${ssh_keygen_folder}";
+if [ ! -d "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}" ]; then
+	mkdir "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}";
 fi;
 # check if zip folder is missing
-if [ ! -d "${root_folder}${output_zip_folder}" ]; then
-	mkdir "${root_folder}${output_zip_folder}";
+if [ ! -d "${ROOT_FOLDER}${output_zip_folder}" ]; then
+	mkdir "${ROOT_FOLDER}${output_zip_folder}";
 fi;
 # check if password generate software is installed
 # if [ ! command -v pwgen &> /dev/null ]; then
@@ -93,8 +137,8 @@ if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
 	ssh_forward_ok=1;
 fi;
 # check if user list file exists
-if [ ! -f "${root_folder}${input_file}" ]; then
-	echo "Missing ${root_folder}${input_file}";
+if [ ! -f "${ROOT_FOLDER}${input_file}" ]; then
+	echo "Missing ${ROOT_FOLDER}${input_file}";
 	exit;
 fi;
 # make sure my own folder is owned by root and 600 (except for testing)
@@ -110,7 +154,7 @@ if [ $(whoami) != "root" ]; then
 	fi;
 fi;
 # create users
-cat "${root_folder}${input_file}" |
+cat "${ROOT_FOLDER}${input_file}" |
 while read i; do
 	# skip rows start with # (comment)
 	if [[ "${i}" =~ ^\# ]]; then
@@ -167,11 +211,11 @@ while read i; do
 	# SSH file name part without folder
 	ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
 	# the full file including folder name
-	ssh_keyfile="${root_folder}${ssh_keygen_folder}${ssh_keygen_id}";
+	ssh_keyfile="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}${ssh_keygen_id}";
 	# publ file if new
 	ssh_keyfile_pub="${ssh_keyfile}.pub";
 	# check existing pub file
-	ssh_keyfile_check_pub="${root_folder}${ssh_keygen_folder_created_pub}${ssh_keygen_id}.pub";
+	ssh_keyfile_check_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${ssh_keygen_id}.pub";
 
 	if [ ${INFO} -eq 1 ]; then
 		# test if pub file exists or not, test if user exists
@@ -203,11 +247,17 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username};
 		else
-			echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username}";
 		fi;
 	fi;
+	# set the auth file
+	if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+		SSH_AUTHORIZED_FILE="${HOME_FOLDER}${username}/.ssh/authorized_keys";
+	else
+		SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
+	fi;
 	skip_ssh=0;
 	# if public pem already exists skip creation
 	if [ ! -f "${ssh_keyfile_check_pub}" ]; then
@@ -231,13 +281,13 @@ while read i; do
 			echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
 		fi;
 	else
-		found=$(grep "$(cat ${ssh_keyfile_check_pub})" /home/${username}/.ssh/authorized_keys);
+		found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
 		if [ ! -z "${found}" ]; then
 			skip_ssh=1;
-			# override previously set with stored one
-			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
 		else
+			# override previously set with stored one
+			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
 			# Password already set notification
 		fi;
@@ -246,33 +296,58 @@ while read i; do
 	if [ ${skip_ssh} -eq 0 ]; then
 		# write login info to output file
 		if [ ${TEST} -eq 0 ]; then
-			create_output_file="${root_folder}${output_file}";
+			create_output_file="${ROOT_FOLDER}${output_file}";
 		else
-			create_output_file="${root_folder}${output_file}.TEST";
+			create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 		fi;
 		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
+		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
-		echo " > Create .ssh folder";
-		if [ ${TEST} -eq 0 ]; then
-			mkdir /home/${username}/.ssh/;
-		else
-			echo "$> mkdir /home/${username}/.ssh/";
+		if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Create .ssh folder";
+			if [ ${TEST} -eq 0 ]; then
+				mkdir ${HOME_FOLDER}${username}/.ssh/;
+			else
+				echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
+			fi;
 		fi;
-		echo " > Add public into authorized_keys";
+		# add
+		echo " > Add public into authorized_keys file";
 		if [ ${TEST} -eq 0 ]; then
-			cat "${ssh_keyfile_pub}" > /home/${username}/.ssh/authorized_keys;
+			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+				chattr -i ${SSH_AUTHORIZED_FILE};
+			fi;
+			cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 		else
-			echo "$> cat ${ssh_keyfile_pub} > /home/${username}/.ssh/authorized_keys";
+			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+				echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
+			fi;
+			echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
 		fi;
-		echo " > Secure folder .ssh and authorized_keys file";
-		if [ ${TEST} -eq 0 ]; then
-			chown -R ${username}:${group} /home/${username}/.ssh/;
-			chmod 700 /home/${username}/.ssh/;
-			chmod 600 /home/${username}/.ssh/authorized_keys;
+		# secure
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Secure home directory folder .ssh and authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
+				chmod 700 ${HOME_FOLDER}${username}/.ssh/;
+				chmod 600 ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
+			fi;
 		else
-			echo "$> chown -R ${username}:${group} /home/${username}/.ssh/";
-			echo "$> chmod 700 /home/${username}/.ssh/";
-			echo "$> chmod 600 /home/${username}/.ssh/authorized_keys";
+			echo " > Secure central authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown ${username}:root ${SSH_AUTHORIZED_FILE};
+				chmod 400 ${SSH_AUTHORIZED_FILE};
+				# set +i so user can't change file
+				chattr +i ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
+				echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
+				echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
+			fi;
 		fi;
 	fi;
 done;
@@ -282,24 +357,33 @@ if [ ${INFO} -eq 1 ]; then
 	exit;
 fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
-zip -r \
-	"${root_folder}${output_zip_folder}${output_zip}" \
-	"${input_file}" \
-	"${output_file}" \
-	"${ssh_keygen_folder}" \
-	-x\*.gitignore;
-echo "Download: ${root_folder}${output_zip_folder}${output_zip}";
+if [ ${TEST} -eq 0 ]; then
+	zip -r \
+		"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
+		"${input_file}" \
+		"${output_file}" \
+		"${SSH_KEYGEN_FOLDER}" \
+		-x\*.gitignore;
+else
+	echo "zip -r \\"
+	echo "${ROOT_FOLDER}${output_zip_folder}${output_zip} \\"
+	echo "${input_file} \\"
+	echo "${output_file} \\"
+	echo "${SSH_KEYGEN_FOLDER} \\"
+	echo "-x\*.gitignore;"
+fi;
+echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 # cleam up user log file and ssh keys
 if [ ${TEST} -eq 0 ]; then
 	# move pub to created folders
-	mv "${root_folder}${ssh_keygen_folder}"*.pub "${root_folder}${ssh_keygen_folder_created_pub}";
+	mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
 	# delete the rest
-	rm "${root_folder}${output_file}";
-	rm "${root_folder}${ssh_keygen_folder}"*;
+	rm "${ROOT_FOLDER}${output_file}";
+	rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
 else
-	echo "$> mv ${root_folder}${ssh_keygen_folder}*.pub ${root_folder}${ssh_keygen_folder_created_pub};";
-	echo "$> rm ${root_folder}${output_file}";
-	echo "$> rm ${root_folder}${ssh_keygen_folder}*";
+	echo "$> mv ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*.pub ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB};";
+	echo "$> rm ${ROOT_FOLDER}${output_file}";
+	echo "$> rm ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*";
 fi;
 
 # __END__

config/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore