Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
fa7e7fbe86 |
114
bin/authorized_key_location_change.sh.sh
Executable file
114
bin/authorized_key_location_change.sh.sh
Executable file
@@ -0,0 +1,114 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# check if we need to move the users authorized keys to the central location
|
||||||
|
|
||||||
|
TEST=0;
|
||||||
|
SKIP_USERS=();
|
||||||
|
while getopts ":tis:" opt; do
|
||||||
|
case "${opt}" in
|
||||||
|
t|test)
|
||||||
|
TEST=1;
|
||||||
|
;;
|
||||||
|
s|skip)
|
||||||
|
SKIP_USERS+=("${OPTARG}");
|
||||||
|
;;
|
||||||
|
\?)
|
||||||
|
echo -e "\n Option does not exist: ${OPTARG}\n";
|
||||||
|
echo "Use -t for test and -s <user> for users to skip";
|
||||||
|
exit 1;
|
||||||
|
;;
|
||||||
|
esac;
|
||||||
|
done;
|
||||||
|
|
||||||
|
# check if authorized keys is actually enabled
|
||||||
|
# detect ssh authorized_keys setting
|
||||||
|
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
|
||||||
|
SSH_AUTHORIZED_FILE='';
|
||||||
|
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
|
||||||
|
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
|
||||||
|
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
|
||||||
|
if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||||
|
echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
fi;
|
||||||
|
done;
|
||||||
|
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||||
|
echo "No central authorized_keys file detected, no change check needed";
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||||
|
|
||||||
|
PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
|
||||||
|
# list of user accounts we will never touch
|
||||||
|
NO_ACTION=(root admin ec2-user ubuntu);
|
||||||
|
|
||||||
|
# loop over passwd file
|
||||||
|
# if not in no action then check if .ssh/authorized_keys file exists
|
||||||
|
cat /etc/passwd | cut -d ":" -f 1,6 |
|
||||||
|
while read user_home; do
|
||||||
|
username=$(echo "${user_home}" | cut -d ":" -f 1);
|
||||||
|
# skip admin usernames
|
||||||
|
if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
|
||||||
|
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
|
if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then
|
||||||
|
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
|
home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
|
||||||
|
# skip no .ssh/authorized_ekys
|
||||||
|
if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
|
||||||
|
# but do we have an auth folder, if yes -> exist skip
|
||||||
|
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
|
||||||
|
printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved";
|
||||||
|
else
|
||||||
|
printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file";
|
||||||
|
fi;
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
|
# check if this user public key(s) exist in AuthorizedKeysFile target
|
||||||
|
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
|
||||||
|
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
||||||
|
if [ -z "${ssh_key_diff}" ]; then
|
||||||
|
printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
|
||||||
|
if [ ${TEST} -eq 0 ]; then
|
||||||
|
rm "${home_folder}/.ssh/authorized_keys";
|
||||||
|
else
|
||||||
|
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
||||||
|
fi;
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
|
# No update, alert
|
||||||
|
printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED";
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
|
printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location";
|
||||||
|
# move public keys over
|
||||||
|
if [ ${TEST} -eq 0 ]; then
|
||||||
|
cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
|
||||||
|
# secure new folder: chown/chmod/chattr
|
||||||
|
chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
|
||||||
|
chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
|
||||||
|
chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}";
|
||||||
|
# confirm
|
||||||
|
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
||||||
|
if [ ! -z "${ssh_key_diff}" ]; then
|
||||||
|
printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}";
|
||||||
|
break;
|
||||||
|
fi;
|
||||||
|
# remove home .ssh/authorized_keys (do not remove folder)
|
||||||
|
rm "${home_folder}/.ssh/authorized_keys";
|
||||||
|
else
|
||||||
|
echo "[START] ====>";
|
||||||
|
echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
|
echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
|
echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
|
echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
|
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
||||||
|
echo "[END ] ====>";
|
||||||
|
fi;
|
||||||
|
done;
|
||||||
|
|
||||||
|
# __END__
|
||||||
Reference in New Issue
Block a user