Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a1af63de39 | ||
|
|
b5854f93c4 | ||
|
|
5735cf2ffb | ||
|
|
081bb1cc4c | ||
|
|
e02822f06d | ||
|
|
2956998762 | ||
|
|
46dc2be34d | ||
|
|
43ef147de6 |
@@ -2,19 +2,24 @@
|
|||||||
|
|
||||||
# check if we need to move the users authorized keys to the central location
|
# check if we need to move the users authorized keys to the central location
|
||||||
|
|
||||||
TEST=0;
|
TEST=1;
|
||||||
|
LIST=0;
|
||||||
SKIP_USERS=();
|
SKIP_USERS=();
|
||||||
while getopts ":tis:" opt; do
|
while getopts ":gls:" opt; do
|
||||||
case "${opt}" in
|
case "${opt}" in
|
||||||
t|test)
|
g|go)
|
||||||
TEST=1;
|
# default we
|
||||||
|
TEST=0;
|
||||||
;;
|
;;
|
||||||
s|skip)
|
s|skip)
|
||||||
SKIP_USERS+=("${OPTARG}");
|
SKIP_USERS+=("${OPTARG}");
|
||||||
;;
|
;;
|
||||||
|
l|list)
|
||||||
|
LIST=1;
|
||||||
|
;;
|
||||||
\?)
|
\?)
|
||||||
echo -e "\n Option does not exist: ${OPTARG}\n";
|
echo -e "\n Option does not exist: ${OPTARG}\n";
|
||||||
echo "Use -t for test and -s <user> for users to skip";
|
echo "Use -g for go (run) and -s <user> for users to skip";
|
||||||
exit 1;
|
exit 1;
|
||||||
;;
|
;;
|
||||||
esac;
|
esac;
|
||||||
@@ -23,6 +28,7 @@ done;
|
|||||||
# check if authorized keys is actually enabled
|
# check if authorized keys is actually enabled
|
||||||
# detect ssh authorized_keys setting
|
# detect ssh authorized_keys setting
|
||||||
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
|
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
|
||||||
|
SSH_MASTER_AUTHORIZED_FILE='';
|
||||||
SSH_AUTHORIZED_FILE='';
|
SSH_AUTHORIZED_FILE='';
|
||||||
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
|
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
|
||||||
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
|
if [ ! -z $(echo "${cf}" | grep "%u") ]; then
|
||||||
@@ -37,17 +43,53 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
|||||||
echo "No central authorized_keys file detected, no change check needed";
|
echo "No central authorized_keys file detected, no change check needed";
|
||||||
exit;
|
exit;
|
||||||
fi;
|
fi;
|
||||||
echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
|
||||||
|
if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
|
||||||
|
SSH_MASTER_AUTHORIZED_FILE="${cf}";
|
||||||
|
if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
|
||||||
|
echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
fi;
|
||||||
|
done;
|
||||||
|
if [ -z "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
|
||||||
|
echo "No master authorized_key file detected, no change check needed";
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
echo "SSH Master Authorized Key file: ${SSH_MASTER_AUTHORIZED_FILE}";
|
||||||
|
echo "SSH Authorized Keys file folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||||
|
|
||||||
|
if [ ${LIST} -eq 1 ]; then
|
||||||
|
ls -l "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||||
|
lsattr "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
|
||||||
|
# base folder
|
||||||
|
BASE_FOLDER=$(dirname $(readlink -f $0))"/";
|
||||||
|
# output printf
|
||||||
PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
|
PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
|
||||||
# list of user accounts we will never touch
|
# list of user accounts we will never touch
|
||||||
NO_ACTION=(root admin ec2-user ubuntu);
|
NO_ACTION=(root);
|
||||||
|
# move, but must check that master is set
|
||||||
|
# master key is the first in the authorized keys list for the below users
|
||||||
|
MASTER_KEY=(admin ec2-user ubuntu);
|
||||||
|
# skip user file
|
||||||
|
IGNORE_USER_FILE="../config/authorized_key_location_change.ignore"
|
||||||
|
# list of users to skip from file
|
||||||
|
IGNORE_USER=();
|
||||||
|
|
||||||
|
if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
|
||||||
|
readarray -t IGNORE_USER < "${BASE_FOLDER}${IGNORE_USER_FILE}";
|
||||||
|
echo "Reading ${IGNORE_USER_FILE}";
|
||||||
|
fi;
|
||||||
|
|
||||||
# loop over passwd file
|
# loop over passwd file
|
||||||
# if not in no action then check if .ssh/authorized_keys file exists
|
# if not in no action then check if .ssh/authorized_keys file exists
|
||||||
cat /etc/passwd | cut -d ":" -f 1,6 |
|
cat /etc/passwd | cut -d ":" -f 1,6 |
|
||||||
while read user_home; do
|
while read user_home; do
|
||||||
username=$(echo "${user_home}" | cut -d ":" -f 1);
|
username=$(echo "${user_home}" | cut -d ":" -f 1);
|
||||||
|
master_user=0;
|
||||||
# skip admin usernames
|
# skip admin usernames
|
||||||
if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
|
if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
|
||||||
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
|
printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
|
||||||
@@ -57,6 +99,10 @@ while read user_home; do
|
|||||||
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
|
printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
|
||||||
continue;
|
continue;
|
||||||
fi;
|
fi;
|
||||||
|
if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
|
||||||
|
printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
|
||||||
|
continue;
|
||||||
|
fi;
|
||||||
home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
|
home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
|
||||||
# skip no .ssh/authorized_ekys
|
# skip no .ssh/authorized_ekys
|
||||||
if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
|
if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
|
||||||
@@ -68,15 +114,28 @@ while read user_home; do
|
|||||||
fi;
|
fi;
|
||||||
continue;
|
continue;
|
||||||
fi;
|
fi;
|
||||||
|
# check those keys are in the master key list
|
||||||
|
if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
|
||||||
|
master_user=1;
|
||||||
|
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
|
||||||
|
if [ ! -z "${ssh_key_diff}" ]; then
|
||||||
|
printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
|
||||||
|
exit;
|
||||||
|
fi;
|
||||||
|
fi;
|
||||||
# check if this user public key(s) exist in AuthorizedKeysFile target
|
# check if this user public key(s) exist in AuthorizedKeysFile target
|
||||||
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
|
if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
|
||||||
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
|
||||||
if [ -z "${ssh_key_diff}" ]; then
|
if [ -z "${ssh_key_diff}" ]; then
|
||||||
printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
|
printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
|
||||||
if [ ${TEST} -eq 0 ]; then
|
if [ ${master_user} -eq 0 ]; then
|
||||||
rm "${home_folder}/.ssh/authorized_keys";
|
if [ ${TEST} -eq 0 ]; then
|
||||||
|
rm "${home_folder}/.ssh/authorized_keys";
|
||||||
|
else
|
||||||
|
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
||||||
|
fi;
|
||||||
else
|
else
|
||||||
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
echo "[!] No delete for master user, must be done manually";
|
||||||
fi;
|
fi;
|
||||||
continue;
|
continue;
|
||||||
fi;
|
fi;
|
||||||
@@ -99,14 +158,22 @@ while read user_home; do
|
|||||||
break;
|
break;
|
||||||
fi;
|
fi;
|
||||||
# remove home .ssh/authorized_keys (do not remove folder)
|
# remove home .ssh/authorized_keys (do not remove folder)
|
||||||
rm "${home_folder}/.ssh/authorized_keys";
|
if [ ${master_user} -eq 0 ]; then
|
||||||
|
rm "${home_folder}/.ssh/authorized_keys";
|
||||||
|
else
|
||||||
|
echo "=> No delete for master user, must be done manually";
|
||||||
|
fi;
|
||||||
else
|
else
|
||||||
echo "[START] ====>";
|
echo "[START] ====>";
|
||||||
echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
|
||||||
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
if [ ${master_user} -eq 0 ]; then
|
||||||
|
echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
|
||||||
|
else
|
||||||
|
echo "[!] No delete for master user, must be done manually";
|
||||||
|
fi;
|
||||||
echo "[END ] ====>";
|
echo "[END ] ====>";
|
||||||
fi;
|
fi;
|
||||||
done;
|
done;
|
||||||
@@ -247,9 +247,9 @@ while read i; do
|
|||||||
echo "++ Create '${username}:${group}(${sub_group})'";
|
echo "++ Create '${username}:${group}(${sub_group})'";
|
||||||
if [ ${TEST} -eq 0 ]; then
|
if [ ${TEST} -eq 0 ]; then
|
||||||
# comment is user create time
|
# comment is user create time
|
||||||
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username};
|
useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
|
||||||
else
|
else
|
||||||
echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}" -m ${username}";
|
echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
|
||||||
fi;
|
fi;
|
||||||
fi;
|
fi;
|
||||||
# set the auth file
|
# set the auth file
|
||||||
@@ -281,7 +281,10 @@ while read i; do
|
|||||||
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
|
echo "$> ssh-keygen -t ${ssh_keytype} -f ${ssh_keyfile} -C ${hostname}: ${username}@${group} -a 100 -N ${password}";
|
||||||
fi;
|
fi;
|
||||||
else
|
else
|
||||||
found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
|
found='';
|
||||||
|
if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
|
||||||
|
found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
|
||||||
|
fi;
|
||||||
if [ ! -z "${found}" ]; then
|
if [ ! -z "${found}" ]; then
|
||||||
skip_ssh=1;
|
skip_ssh=1;
|
||||||
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
|
echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
|
||||||
@@ -303,7 +306,7 @@ while read i; do
|
|||||||
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
|
echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
|
||||||
# create folder only if we do not have central
|
# create folder only if we do not have central
|
||||||
# create the SSH foler and authorized access file with correct permissions
|
# create the SSH foler and authorized access file with correct permissions
|
||||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
||||||
echo " > Create .ssh folder";
|
echo " > Create .ssh folder";
|
||||||
if [ ${TEST} -eq 0 ]; then
|
if [ ${TEST} -eq 0 ]; then
|
||||||
mkdir ${HOME_FOLDER}${username}/.ssh/;
|
mkdir ${HOME_FOLDER}${username}/.ssh/;
|
||||||
@@ -314,12 +317,18 @@ while read i; do
|
|||||||
# add
|
# add
|
||||||
echo " > Add public into authorized_keys file";
|
echo " > Add public into authorized_keys file";
|
||||||
if [ ${TEST} -eq 0 ]; then
|
if [ ${TEST} -eq 0 ]; then
|
||||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
if
|
||||||
|
[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
|
||||||
|
[ -f "${SSH_AUTHORIZED_FILE}" ];
|
||||||
|
then
|
||||||
chattr -i ${SSH_AUTHORIZED_FILE};
|
chattr -i ${SSH_AUTHORIZED_FILE};
|
||||||
fi;
|
fi;
|
||||||
cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
|
cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
|
||||||
else
|
else
|
||||||
if [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
|
if
|
||||||
|
[ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
|
||||||
|
[ -f "${SSH_AUTHORIZED_FILE}" ];
|
||||||
|
then
|
||||||
echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
|
echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
|
||||||
fi;
|
fi;
|
||||||
echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
|
echo "$> cat ${ssh_keyfile_pub} > ${SSH_AUTHORIZED_FILE}";
|
||||||
|
|||||||
Reference in New Issue
Block a user