Fixes in create user script with central SSH location and dynamic home

Missing username in create folder path for adding new user check if pub key exists in central location ran even if central file was missing. Fixed check for .ssh or central place to use. File check before trying to remove chattr "i" flag, can't do that if the file does not exists.
Script to move authorized_keys to central location
2023-05-23 09:08:14 +09:00 · 2023-05-16 08:58:53 +09:00
2 changed files with 129 additions and 6 deletions
--- a/bin/authorized_key_location_change.sh.sh
+++ b/bin/authorized_key_location_change.sh.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+# check if we need to move the users authorized keys to the central location
+
+TEST=0;
+SKIP_USERS=();
+while getopts ":tis:" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		s|skip)
+			SKIP_USERS+=("${OPTARG}");
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test and -s <user> for users to skip";
+			exit 1;
+			;;
+	esac;
+done;
+
+# check if authorized keys is actually enabled
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+	echo "No central authorized_keys file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+
+PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
+# list of user accounts we will never touch
+NO_ACTION=(root admin ec2-user ubuntu);
+
+# loop over passwd file
+# if not in no action then check if .ssh/authorized_keys file exists
+cat /etc/passwd | cut -d ":" -f 1,6 |
+while read user_home; do
+	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	# skip admin usernames
+	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
+		continue;
+	fi;
+	if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
+		continue;
+	fi;
+	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
+	# skip no .ssh/authorized_ekys
+	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
+		# but do we have an auth folder, if yes -> exist skip
+		if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+			printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
+		else
+			printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
+		fi;
+		continue;
+	fi;
+	# check if this user public key(s) exist in AuthorizedKeysFile target
+	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
+			if [ ${TEST} -eq 0 ]; then
+				rm "${home_folder}/.ssh/authorized_keys";
+			else
+				echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+			fi;
+			continue;
+		fi;
+		# No update, alert
+		printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
+		continue;
+	fi;
+	printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
+	# move public keys over
+	if [ ${TEST} -eq 0 ]; then
+		cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# secure new folder: chown/chmod/chattr
+		chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
+		# confirm
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
+			break;
+		fi;
+		# remove home .ssh/authorized_keys (do not remove folder)
+		rm "${home_folder}/.ssh/authorized_keys";
+	else
+		echo "[START] ====>";
+		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
+		echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		echo "[END  ] ====>";
+	fi;
+done;
+
+# __END__
--- a/bin/create_user.sh
+++ b/bin/create_user.sh
@@ -247,9 +247,9 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username};
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
 	# set the auth file
@@ -281,7 +281,10 @@ while read i; do
 			echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
 		fi;
 	else
-		found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		found='';
+		if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+			found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		fi;
 		if [ ! -z "${found}" ]; then
 			skip_ssh=1;
 			echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
@@ -303,7 +306,7 @@ while read i; do
 		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
 		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
-		if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 			echo " > Create .ssh folder";
 			if [ ${TEST} -eq 0 ]; then
 				mkdir ${HOME_FOLDER}${username}/.ssh/;
@@ -314,12 +317,18 @@ while read i; do
 		# add
 		echo " > Add public into authorized_keys file";
 		if [ ${TEST} -eq 0 ]; then
-			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
 				chattr -i ${SSH_AUTHORIZED_FILE};
 			fi;
 			cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 		else
-			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
 				echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
 			fi;
 			echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";