Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
fa3c4e0c6e | ||
|
|
ebf0eaf412 | ||
|
|
190b12b288 | ||
|
|
3a42c521f6 |
@@ -94,6 +94,19 @@ ssh_keytype='';
|
||||
# sshallow or sshforward
|
||||
ssh_group='';
|
||||
ssh_forward_ok=0;
|
||||
# detect ssh authorized_keys setting
|
||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
|
||||
SSH_AUTHORIZED_FILE='';
|
||||
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
|
||||
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
|
||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
|
||||
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||
exit;
|
||||
fi;
|
||||
fi;
|
||||
done;
|
||||
|
||||
# check if ssh key folder exists
|
||||
if [ ! -d "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}" ]; then
|
||||
mkdir "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}";
|
||||
@@ -234,11 +247,17 @@ while read i; do
|
||||
echo "++ Create '${username}:${group}(${sub_group})'";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
# comment is user create time
|
||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${username};
|
||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username};
|
||||
else
|
||||
echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${username}";
|
||||
echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username}";
|
||||
fi;
|
||||
fi;
|
||||
# set the auth file
|
||||
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
SSH_AUTHORIZED_FILE="${HOME_FOLDER}${username}/.ssh/authorized_keys";
|
||||
else
|
||||
SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
|
||||
fi;
|
||||
skip_ssh=0;
|
||||
# if public pem already exists skip creation
|
||||
if [ ! -f "${ssh_keyfile_check_pub}" ]; then
|
||||
@@ -262,13 +281,13 @@ while read i; do
|
||||
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
|
||||
fi;
|
||||
else
|
||||
found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${HOME_FOLDER}${username}/.ssh/authorized_keys);
|
||||
found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
|
||||
if [ ! -z "${found}" ]; then
|
||||
skip_ssh=1;
|
||||
# override previously set with stored one
|
||||
ssh_keyfile_pub=${ssh_keyfile_check_pub};
|
||||
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
|
||||
else
|
||||
# override previously set with stored one
|
||||
ssh_keyfile_pub=${ssh_keyfile_check_pub};
|
||||
echo " < Use existing public ssh key '${ssh_keygen_id}.pub'";
|
||||
# Password already set notification
|
||||
fi;
|
||||
@@ -282,28 +301,53 @@ while read i; do
|
||||
create_output_file="${ROOT_FOLDER}${output_file}.TEST";
|
||||
fi;
|
||||
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
|
||||
# create folder only if we do not have central
|
||||
# create the SSH foler and authorized access file with correct permissions
|
||||
echo " > Create .ssh folder";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
mkdir ${HOME_FOLDER}${username}/.ssh/;
|
||||
else
|
||||
echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
|
||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
echo " > Create .ssh folder";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
mkdir ${HOME_FOLDER}${username}/.ssh/;
|
||||
else
|
||||
echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
|
||||
fi;
|
||||
fi;
|
||||
echo " > Add public into authorized_keys";
|
||||
# add
|
||||
echo " > Add public into authorized_keys file";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
cat "${ssh_keyfile_pub}" > ${HOME_FOLDER}${username}/.ssh/authorized_keys;
|
||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
chattr -i ${SSH_AUTHORIZED_FILE};
|
||||
fi;
|
||||
cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
|
||||
else
|
||||
echo "$> cat ${ssh_keyfile_pub} > ${HOME_FOLDER}${username}/.ssh/authorized_keys";
|
||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
|
||||
fi;
|
||||
echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
|
||||
fi;
|
||||
echo " > Secure folder .ssh and authorized_keys file";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
|
||||
chmod 700 ${HOME_FOLDER}${username}/.ssh/;
|
||||
chmod 600 ${HOME_FOLDER}${username}/.ssh/authorized_keys;
|
||||
# secure
|
||||
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||
echo " > Secure home directory folder .ssh and authorized_keys file";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
|
||||
chmod 700 ${HOME_FOLDER}${username}/.ssh/;
|
||||
chmod 600 ${SSH_AUTHORIZED_FILE};
|
||||
else
|
||||
echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
|
||||
echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
|
||||
echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
|
||||
fi;
|
||||
else
|
||||
echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
|
||||
echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
|
||||
echo "$> chmod 600 ${HOME_FOLDER}${username}/.ssh/authorized_keys";
|
||||
echo " > Secure central authorized_keys file";
|
||||
if [ ${TEST} -eq 0 ]; then
|
||||
chown ${username}:root ${SSH_AUTHORIZED_FILE};
|
||||
chmod 400 ${SSH_AUTHORIZED_FILE};
|
||||
# set +i so user can't change file
|
||||
chattr +i ${SSH_AUTHORIZED_FILE};
|
||||
else
|
||||
echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
|
||||
echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
|
||||
echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
|
||||
fi;
|
||||
fi;
|
||||
fi;
|
||||
done;
|
||||
|
||||
Reference in New Issue
Block a user