Add ignore from file for authorized keys move

Text typo fix
bug fixes in ls for ssh key move
2023-06-01 17:33:22 +09:00 · 2023-06-01 16:12:25 +09:00 · 2023-06-01 15:41:26 +09:00 · 2023-06-01 15:35:12 +09:00 · 2023-06-01 15:30:19 +09:00 · 2023-06-01 15:28:56 +09:00
2 changed files with 94 additions and 18 deletions
--- a/bin/authorized_key_location_change.sh.sh
+++ b/bin/authorized_key_location_change.sh.sh
@@ -2,19 +2,24 @@

 # check if we need to move the users authorized keys to the central location

-TEST=0;
+TEST=1;
+LIST=0;
 SKIP_USERS=();
-while getopts ":tis:" opt; do
+while getopts ":gls:" opt; do
 	case "${opt}" in
-		t|test)
-			TEST=1;
+		g|go)
+			# default we
+			TEST=0;
 			;;
 		s|skip)
 			SKIP_USERS+=("${OPTARG}");
 			;;
+		l|list)
+			LIST=1;
+			;;
 		\?)
 			echo -e "\n Option does not exist: ${OPTARG}\n";
-			echo "Use -t for test and -s <user> for users to skip";
+			echo "Use -g for go (run) and -s <user> for users to skip";
 			exit 1;
 			;;
 	esac;
@@ -23,6 +28,7 @@ done;
 # check if authorized keys is actually enabled
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_MASTER_AUTHORIZED_FILE='';
 SSH_AUTHORIZED_FILE='';
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
 	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
@@ -37,17 +43,53 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 	echo "No central authorized_keys file detected, no change check needed";
 	exit;
 fi;
-echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
+	if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
+		SSH_MASTER_AUTHORIZED_FILE="${cf}";
+		if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+			echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+	echo "No master authorized_key file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Master Authorized Key file: ${SSH_MASTER_AUTHORIZED_FILE}";
+echo "SSH Authorized Keys file folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";

+if [ ${LIST} -eq 1 ]; then
+	ls -l "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	lsattr "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	exit;
+fi;
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# output printf
 PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
 # list of user accounts we will never touch
-NO_ACTION=(root admin ec2-user ubuntu);
+NO_ACTION=(root);
+# move, but must check that master is set
+# master key is the first in the authorized keys list for the below users
+MASTER_KEY=(admin ec2-user ubuntu);
+# skip user file
+IGNORE_USER_FILE="../config/authorized_key_location_change.ignore"
+# list of users to skip from file
+IGNORE_USER=();
+
+if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
+	readarray -t IGNORE_USER < "${BASE_FOLDER}${IGNORE_USER_FILE}";
+	echo "Reading ${IGNORE_USER_FILE}";
+fi;

 # loop over passwd file
 # if not in no action then check if .ssh/authorized_keys file exists
 cat /etc/passwd | cut -d ":" -f 1,6 |
 while read user_home; do
 	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	master_user=0;
 	# skip admin usernames
 	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
 		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
@@ -57,6 +99,10 @@ while read user_home; do
 		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
 		continue;
 	fi;
+	if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
+		continue;
+	fi;
 	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
 	# skip no .ssh/authorized_ekys
 	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
@@ -68,15 +114,28 @@ while read user_home; do
 		fi;
 		continue;
 	fi;
+	# check those keys are in the master key list
+	if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
+		master_user=1;
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
+			exit;
+		fi;
+	fi;
 	# check if this user public key(s) exist in AuthorizedKeysFile target
 	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
 		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
 		if [ -z "${ssh_key_diff}" ]; then
 			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
-			if [ ${TEST} -eq 0 ]; then
-				rm "${home_folder}/.ssh/authorized_keys";
+			if [ ${master_user} -eq 0 ]; then
+				if [ ${TEST} -eq 0 ]; then
+					rm "${home_folder}/.ssh/authorized_keys";
+				else
+					echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+				fi;
 			else
-				echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+				echo "[!] No delete for master user, must be done manually";
 			fi;
 			continue;
 		fi;
@@ -99,14 +158,22 @@ while read user_home; do
 			break;
 		fi;
 		# remove home .ssh/authorized_keys (do not remove folder)
-		rm "${home_folder}/.ssh/authorized_keys";
+		if [ ${master_user} -eq 0 ]; then
+			rm "${home_folder}/.ssh/authorized_keys";
+		else
+			echo "=> No delete for master user, must be done manually";
+		fi;
 	else
 		echo "[START] ====>";
 		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
-		echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		if [ ${master_user} -eq 0 ]; then
+			echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		else
+			echo "[!] No delete for master user, must be done manually";
+		fi;
 		echo "[END  ] ====>";
 	fi;
 done;
--- a/bin/create_user.sh
+++ b/bin/create_user.sh
@@ -247,9 +247,9 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username};
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
 	# set the auth file
@@ -281,7 +281,10 @@ while read i; do
 			echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
 		fi;
 	else
-		found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		found='';
+		if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+			found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+		fi;
 		if [ ! -z "${found}" ]; then
 			skip_ssh=1;
 			echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
@@ -303,7 +306,7 @@ while read i; do
 		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
 		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
-		if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 			echo " > Create .ssh folder";
 			if [ ${TEST} -eq 0 ]; then
 				mkdir ${HOME_FOLDER}${username}/.ssh/;
@@ -314,12 +317,18 @@ while read i; do
 		# add
 		echo " > Add public into authorized_keys file";
 		if [ ${TEST} -eq 0 ]; then
-			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
 				chattr -i ${SSH_AUTHORIZED_FILE};
 			fi;
 			cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
 		else
-			if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			if
+				[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+				[ -f "${SSH_AUTHORIZED_FILE}" ];
+			then
 				echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
 			fi;
 			echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
Author	SHA1	Message	Date
Clemens Schwaighofer	a1af63de39	Add ignore from file for authorized keys move	2023-06-01 17:33:22 +09:00
Clemens Schwaighofer	b5854f93c4	Text typo fix	2023-06-01 16:12:25 +09:00
Clemens Schwaighofer	5735cf2ffb	bug fixes in ls for ssh key move	2023-06-01 15:41:26 +09:00
Clemens Schwaighofer	081bb1cc4c	ssh key change file name had .sh.sh extension	2023-06-01 15:35:12 +09:00
Clemens Schwaighofer	e02822f06d	wrong order for not moved ssh key check with master users	2023-06-01 15:30:19 +09:00
Clemens Schwaighofer	2956998762	used print instead of echo for info message in ssh key move	2023-06-01 15:28:56 +09:00
Clemens Schwaighofer	46dc2be34d	Update ssh key move script admin/ubuntu/ec2-user keys must move too, but the folders don't get auto removed	2023-06-01 14:46:46 +09:00
Clemens Schwaighofer	43ef147de6	Fixes in create user script with central SSH location and dynamic home Missing username in create folder path for adding new user check if pub key exists in central location ran even if central file was missing. Fixed check for .ssh or central place to use. File check before trying to remove chattr "i" flag, can't do that if the file does not exists.	2023-05-23 09:08:14 +09:00