Add ignore from file for authorized keys move

admin/ubuntu/ec2-user keys must move too, but the folders don't get
auto removed

bin/authorized_key_location_change.sh

@@ -0,0 +1,181 @@
+#!/usr/bin/env bash
+
+# check if we need to move the users authorized keys to the central location
+
+TEST=1;
+LIST=0;
+SKIP_USERS=();
+while getopts ":gls:" opt; do
+	case "${opt}" in
+		g|go)
+			# default we
+			TEST=0;
+			;;
+		s|skip)
+			SKIP_USERS+=("${OPTARG}");
+			;;
+		l|list)
+			LIST=1;
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -g for go (run) and -s <user> for users to skip";
+			exit 1;
+			;;
+	esac;
+done;
+
+# check if authorized keys is actually enabled
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_MASTER_AUTHORIZED_FILE='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+	echo "No central authorized_keys file detected, no change check needed";
+	exit;
+fi;
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
+	if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
+		SSH_MASTER_AUTHORIZED_FILE="${cf}";
+		if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+			echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+	echo "No master authorized_key file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Master Authorized Key file: ${SSH_MASTER_AUTHORIZED_FILE}";
+echo "SSH Authorized Keys file folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+
+if [ ${LIST} -eq 1 ]; then
+	ls -l "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	lsattr "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	exit;
+fi;
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# output printf
+PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
+# list of user accounts we will never touch
+NO_ACTION=(root);
+# move, but must check that master is set
+# master key is the first in the authorized keys list for the below users
+MASTER_KEY=(admin ec2-user ubuntu);
+# skip user file
+IGNORE_USER_FILE="../config/authorized_key_location_change.ignore"
+# list of users to skip from file
+IGNORE_USER=();
+
+if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
+	readarray -t IGNORE_USER < "${BASE_FOLDER}${IGNORE_USER_FILE}";
+	echo "Reading ${IGNORE_USER_FILE}";
+fi;
+
+# loop over passwd file
+# if not in no action then check if .ssh/authorized_keys file exists
+cat /etc/passwd | cut -d ":" -f 1,6 |
+while read user_home; do
+	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	master_user=0;
+	# skip admin usernames
+	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
+		continue;
+	fi;
+	if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
+		continue;
+	fi;
+	if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
+		continue;
+	fi;
+	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
+	# skip no .ssh/authorized_ekys
+	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
+		# but do we have an auth folder, if yes -> exist skip
+		if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+			printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
+		else
+			printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
+		fi;
+		continue;
+	fi;
+	# check those keys are in the master key list
+	if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
+		master_user=1;
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
+			exit;
+		fi;
+	fi;
+	# check if this user public key(s) exist in AuthorizedKeysFile target
+	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
+			if [ ${master_user} -eq 0 ]; then
+				if [ ${TEST} -eq 0 ]; then
+					rm "${home_folder}/.ssh/authorized_keys";
+				else
+					echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+				fi;
+			else
+				echo "[!] No delete for master user, must be done manually";
+			fi;
+			continue;
+		fi;
+		# No update, alert
+		printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
+		continue;
+	fi;
+	printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
+	# move public keys over
+	if [ ${TEST} -eq 0 ]; then
+		cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# secure new folder: chown/chmod/chattr
+		chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# confirm
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
+			break;
+		fi;
+		# remove home .ssh/authorized_keys (do not remove folder)
+		if [ ${master_user} -eq 0 ]; then
+			rm "${home_folder}/.ssh/authorized_keys";
+		else
+			echo "=> No delete for master user, must be done manually";
+		fi;
+	else
+		echo "[START] ====>";
+		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		if [ ${master_user} -eq 0 ]; then
+			echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		else
+			echo "[!] No delete for master user, must be done manually";
+		fi;
+		echo "[END  ] ====>";
+	fi;
+done;
+
+# __END__

bin/create_user.sh

@@ -94,6 +94,19 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+
 # check if ssh key folder exists
 if [ ! -d "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}" ]; then
 	mkdir "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}";
@@ -234,11 +247,17 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
+	# set the auth file
+	if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+		SSH_AUTHORIZED_FILE="${HOME_FOLDER}${username}/.ssh/authorized_keys";
+	else
+		SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
+	fi;
 	skip_ssh=0;
 	# if public pem already exists skip creation
 	if [ ! -f "${ssh_keyfile_check_pub}" ]; then
@@ -262,13 +281,16 @@ while read i; do
 			echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
 		fi;
 	else
-		found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${HOME_FOLDER}${username}/.ssh/authorized_keys);
+		found='';
+		if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+			found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		fi;
 		if [ ! -z "${found}" ]; then
 			skip_ssh=1;
-			# override previously set with stored one
-			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
 		else
+			# override previously set with stored one
+			ssh_keyfile_pub=${ssh_keyfile_check_pub};
 			echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
 			# Password already set notification
 		fi;
@@ -282,28 +304,59 @@ while read i; do
 			create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 		fi;
 		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
+		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
-		echo " > Create .ssh folder";
-		if [ ${TEST} -eq 0 ]; then
-			mkdir ${HOME_FOLDER}${username}/.ssh/;
-		else
-			echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Create .ssh folder";
+			if [ ${TEST} -eq 0 ]; then
+				mkdir ${HOME_FOLDER}${username}/.ssh/;
+			else
+				echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
+			fi;
 		fi;
-		echo " > Add public into authorized_keys";
+		# add
+		echo " > Add public into authorized_keys file";
 		if [ ${TEST} -eq 0 ]; then
-			cat "${ssh_keyfile_pub}" > ${HOME_FOLDER}${username}/.ssh/authorized_keys;
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
+				chattr -i ${SSH_AUTHORIZED_FILE};
+			fi;
+			cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 		else
-			echo "$> cat ${ssh_keyfile_pub} > ${HOME_FOLDER}${username}/.ssh/authorized_keys";
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
+				echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
+			fi;
+			echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
 		fi;
-		echo " > Secure folder .ssh and authorized_keys file";
-		if [ ${TEST} -eq 0 ]; then
-			chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
-			chmod 700 ${HOME_FOLDER}${username}/.ssh/;
-			chmod 600 ${HOME_FOLDER}${username}/.ssh/authorized_keys;
+		# secure
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo " > Secure home directory folder .ssh and authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
+				chmod 700 ${HOME_FOLDER}${username}/.ssh/;
+				chmod 600 ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
+				echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
+			fi;
 		else
-			echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
-			echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
-			echo "$> chmod 600 ${HOME_FOLDER}${username}/.ssh/authorized_keys";
+			echo " > Secure central authorized_keys file";
+			if [ ${TEST} -eq 0 ]; then
+				chown ${username}:root ${SSH_AUTHORIZED_FILE};
+				chmod 400 ${SSH_AUTHORIZED_FILE};
+				# set +i so user can't change file
+				chattr +i ${SSH_AUTHORIZED_FILE};
+			else
+				echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
+				echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
+				echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
+			fi;
 		fi;
 	fi;
 done;