Check last login mandatory settings now has combined abort

set an error flag and check all settings before exit program

Readme.md

@@ -11,22 +11,27 @@ The folder holding the script must be owned by *root* and have *600* permissions
 
 ```sh
 cd /root/
-git clone https://git.tequila.jp/ScriptsCollections/AwsUserCreate.git users
+git clone http://gitlab-ap.factory.tools/scripts-collections/aws-user-create.git users
 chown root. users
 chgrp 600 users
 ```
 
-Alternate download: `git clone http://gitlab-ap.factory.tools/scripts-collections/aws-user-create.git users`
+Alternate download:
+`git clone https://git.tequila.jp/ScriptsCollections/AwsUserCreate.git users`
 
 ## Folders
 
 Inside the base folder there are
 
-* ssh-keygen for temporary holding the PEM/PUB files
-* zip file which holds the created user list, password and PEM/PUB files
+- ssh-keygen for temporary holding the PEM/PUB files
+- zip file which holds the created user list, password and PEM/PUB files
 
 ## Options
 
+### -g (go)
+
+If not set, the script will not run.
+
 ### -t (test)
 
 Run in test mode. This will *NOT* create any groups or users. Nor will it create any ssh key files.
@@ -42,14 +47,15 @@ In the `/root/users/` folder there needs to be a file called '*user_list.txt*'
 
 This is a CSV type file with the following layout
 
-ID | Username | Group | Optional Password | Override host name | Override ssh key type
--|-|-|-|-|-
+ID | Username | Group and Sub Group | SSH Access Type | Optional Password | Override host name | Override ssh key type
+-|-|-|-|-|-|-
 
-The ID, Username and Group column must be filled.
-For sub groups add them with a *,* The first group is the master group
-If the password column is filled, the string from here will be used as the PEM Key password.
-If a override hostname is set it will be used instead of `hostname`
-If the ssh key type is set, it will override the default *ed25519* type. This is not recommended. Only *rsa* is allowed. This is for setting up backwards compatible lists.
+1: The ID, Username and Group column must be filled.
+2: For sub groups add them with a *,* The first group is the master group
+3: SSH Access type as: allow/forward. allow is default
+4: If the password column is filled, the string from here will be used as the PEM Key password.
+5: If a override hostname is set it will be used instead of `hostname`
+6: If the ssh key type is set, it will override the default *ed25519* type. Only *rsa* is allowed. This is for setting up backwards compatible lists. Change is not recommended
 
 The ID can be any string in any form.
 It can also be left empty. It is not used at the moment
@@ -59,10 +65,11 @@ The file can hold comments. The first character in the line must be a *#*
 Example file
 
 ```csv
-user1;some.name;group-a;;hostname
-user2;othername;group-a;;
+#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+user1;some.name;group-a;allow;;hostname;
+user2;othername;group-a;allow;;;
 # I am a comment
-;username;groupC;setpassword;
+;username;groupC;allow;setpassword;;
 ...
 ```
 
@@ -131,7 +138,7 @@ If the public pem file is already provided the output will be a bit different
 
 ```txt
 ++ Create 'some.name:group-a'
- < Use existing public ssh key '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub'
+ < Use existing public ssh key '/root/users/ssh-keygen-created-pub/hostname#group-a#some.name#ed25519.pem.pub'
  > Create .ssh folder
  > Add public into authorized_keys
  > Secure folder .ssh and authorized_keys file
@@ -187,9 +194,9 @@ The SSH PEM key password can be reset or changed with
 
 To remove the password use this `-N ""`
 
-**NOTE**
-If the command is used like this it will be stored in the history file.
-For scurity reason it is recommended to not give the -P and -N options when changing the password.
+> [!notice]
+> If the command is used like this it will be stored in the history file.
+> For scurity reason it is recommended to not give the -P and -N options when changing the password
 
 ### Missing PUB key
 
@@ -197,7 +204,7 @@ The public key part can be extracted from the SSH PEM key with
 
 `$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`
 
-*[PEM]* is the placeholder for the filename
+`[PEM]` is the placeholder for the filename
 
 ## Lock and unlock uses
 
@@ -249,3 +256,77 @@ The script can be put into the crontab and run once a month, it prints to STDOUT
 ```crontab
 0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
 ```
+
+For processable output there is a "csv" and "json" option to output the data in CSV or JSON format
+
+Example csv
+
+```csv
+Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Login Source,Never Logged In,Status
+some.host,name_a,staff,sshallow,2021-11-18,764,,,,true,[!] Never logged in: account created 764 days ago
+some.host,name_b,staff,sshallow,2021-11-15,767,2023-12-20 22:18:36,1,ssh,false,OK [ssh]
+...
+```
+
+```json
+{
+  "Info": {
+    "Hostname": "host.name",
+    "Date": "2023-12-21 13:11:45",
+    "MaxAgeLogin": 90,
+    "MaxAgeCreate": 30
+  },
+  "Users": [
+    {
+      "Username": "name_a",
+      "SshGroup": "sshallow",
+      "MainGroup": "staff",
+      "SubGroups": [],
+      "AccountCreatedDate": "2021-11-18",
+      "AccountAge": "764",
+      "LastLoginDate": "",
+      "LastLoginAge": "",
+      "LoginSource": "",
+      "NeverLoggedIn": true,
+      "Status": "[!] Never logged in: account created 764 days ago"
+    },
+    {
+      "Username": "name_b",
+      "SshGroup": "sshallow",
+      "MainGroup": "staff",
+      "SubGroups": [
+        "sudo",
+        "users",
+        "group_a",
+        "group_b",
+      ],
+      "AccountCreatedDate": "2021-11-15",
+      "AccountAge": "767",
+      "LastLoginDate": "2023-12-20 22:18:36",
+      "LastLoginAge": "1",
+      "LoginSource": "ssh",
+      "NeverLoggedIn": false,
+      "Status": "OK [ssh]"
+    },
+  ]
+}
+```
+
+## Delete users
+
+`bin/delete_user.sh -t -b <user 1> <user 2> ...`
+
+Deletes one or more users
+
+- `-t` test, no action done
+- `-b` do not create a backup
+
+Unless `-b` is set the home folder and public key in /etc/ssh will be backed up.
+Flags user with #DELETED-YYYYMMDD_HHmmss:id;... in the user_list.txt file
+
+## Rename user
+
+`bin/rename_user.sh -t -o <current user name> -n <new user name>`
+
+Renames a user including the home directory, public key files and any other connected data.
+Also updates the user_list.txt

backup/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

bin/authorized_key_location_change.sh

@@ -2,19 +2,24 @@
 
 # check if we need to move the users authorized keys to the central location
 
-TEST=0;
+TEST=1;
+LIST=0;
 SKIP_USERS=();
-while getopts ":tis:" opt; do
+while getopts ":gls:" opt; do
 	case "${opt}" in
-		t|test)
-			TEST=1;
+		g|go)
+			# default we test
+			TEST=0;
 			;;
 		s|skip)
 			SKIP_USERS+=("${OPTARG}");
 			;;
+		l|list)
+			LIST=1;
+			;;
 		\?)
 			echo -e "\n Option does not exist: ${OPTARG}\n";
-			echo "Use -t for test and -s <user> for users to skip";
+			echo "Use -g for go (run) and -s <user> for users to skip";
 			exit 1;
 			;;
 	esac;
@@ -23,6 +28,7 @@ done;
 # check if authorized keys is actually enabled
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_MASTER_AUTHORIZED_FILE='';
 SSH_AUTHORIZED_FILE='';
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
 	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
@@ -37,17 +43,53 @@ if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 	echo "No central authorized_keys file detected, no change check needed";
 	exit;
 fi;
-echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep -- "--master"); do
+	if [ ! -z $(echo "${cf}" | grep -- "--master") ]; then
+		SSH_MASTER_AUTHORIZED_FILE="${cf}";
+		if [ ! -f "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+			echo "ssh master authorized_file could not be found: ${SSH_MASTER_AUTHORIZED_FILE}"l
+			exit;
+		fi;
+	fi;
+done;
+if [ -z "${SSH_MASTER_AUTHORIZED_FILE}" ]; then
+	echo "No master authorized_key file detected, no change check needed";
+	exit;
+fi;
+echo "SSH Master Authorized Key file: ${SSH_MASTER_AUTHORIZED_FILE}";
+echo "SSH Authorized Keys file folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
 
+if [ ${LIST} -eq 1 ]; then
+	ls -l "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	lsattr "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+	exit;
+fi;
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# output printf
 PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
 # list of user accounts we will never touch
-NO_ACTION=(root admin ec2-user ubuntu);
+NO_ACTION=(root);
+# move, but must check that master is set
+# master key is the first in the authorized keys list for the below users
+MASTER_KEY=(admin ec2-user ubuntu);
+# skip user file
+IGNORE_USER_FILE="../config/authorized_key_location_change.ignore"
+# list of users to skip from file
+IGNORE_USER=();
+
+if [ -f "${BASE_FOLDER}${IGNORE_USER_FILE}" ]; then
+	readarray -t IGNORE_USER < "${BASE_FOLDER}${IGNORE_USER_FILE}";
+	echo "Reading ${IGNORE_USER_FILE}";
+fi;
 
 # loop over passwd file
 # if not in no action then check if .ssh/authorized_keys file exists
 cat /etc/passwd | cut -d ":" -f 1,6 |
 while read user_home; do
 	username=$(echo "${user_home}" | cut -d ":" -f 1);
+	master_user=0;
 	# skip admin usernames
 	if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then
 		printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list";
@@ -57,6 +99,10 @@ while read user_home; do
 		printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line";
 		continue;
 	fi;
+	if [[ " ${IGNORE_USER[*]} " =~ " ${username} " ]]; then
+		printf "${PRINTF_INFO}" "SKIP" "**" "${username}" "skip from ignore config file";
+		continue;
+	fi;
 	home_folder=$(echo "${user_home}" | cut -d ":" -f 2);
 	# skip no .ssh/authorized_ekys
 	if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then
@@ -68,15 +114,28 @@ while read user_home; do
 		fi;
 		continue;
 	fi;
+	# check those keys are in the master key list
+	if [[ " ${MASTER_KEY[*]} " =~ " ${username} " ]]; then
+		master_user=1;
+		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_MASTER_AUTHORIZED_FILE}");
+		if [ ! -z "${ssh_key_diff}" ]; then
+			printf "${PRINTF_INFO}" "ABORT" "!!!" "${username}" "authorized key is not matching the master key file";
+			exit;
+		fi;
+	fi;
 	# check if this user public key(s) exist in AuthorizedKeysFile target
 	if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then
 		ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}");
 		if [ -z "${ssh_key_diff}" ]; then
 			printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys";
-			if [ ${TEST} -eq 0 ]; then
-				rm "${home_folder}/.ssh/authorized_keys";
+			if [ ${master_user} -eq 0 ]; then
+				if [ ${TEST} -eq 0 ]; then
+					rm "${home_folder}/.ssh/authorized_keys";
+				else
+					echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+				fi;
 			else
-				echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+				echo "[!] No delete for master user, must be done manually";
 			fi;
 			continue;
 		fi;
@@ -99,14 +158,22 @@ while read user_home; do
 			break;
 		fi;
 		# remove home .ssh/authorized_keys (do not remove folder)
-		rm "${home_folder}/.ssh/authorized_keys";
+		if [ ${master_user} -eq 0 ]; then
+			rm "${home_folder}/.ssh/authorized_keys";
+		else
+			echo "=> No delete for master user, must be done manually";
+		fi;
 	else
 		echo "[START] ====>";
 		echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
 		echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\"";
-		echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		if [ ${master_user} -eq 0 ]; then
+			echo "$> rm \"${home_folder}/.ssh/authorized_keys\"";
+		else
+			echo "[!] No delete for master user, must be done manually";
+		fi;
 		echo "[END  ] ====>";
 	fi;
 done;

bin/check_last_login.sh

@@ -6,62 +6,178 @@
 # base folder
 BASE_FOLDER=$(dirname $(readlink -f $0))"/";
 # which groups holds the ssh allowed login users (outside of admin users)
-ssh_groups=('sshforward' 'sshallow');
+ssh_groups=('sshforward' 'sshallow' 'sshreject');
 ssh_reject_group='sshreject';
 # date now for compare
 now=$(date +"%s");
 # max age for last login or account create without login
-max_age_login=60;
+max_age_login=90;
+warn_age_login=80;
 max_age_create=30;
 # one day in seconds
 day=86400;
 # delete account strings
-delete_accounts="";
-user_group_tpl="gpasswd -d %s %s;gpasswd -a %s %s;";
+lock_accounts="";
+unlock_flag=0;
+unlock_accounts="";
+# only needed for json output
+first_run=1;
 # log base folder
 LOG="${BASE_FOLDER}/../log";
 # auth log file user;date from collect_login_data script
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 
+error=0;
 if [ $(whoami) != "root" ]; then
 	echo "Script must be run as root user";
-	exit;
+	error=1;
 fi;
 if [ ! -d "${LOG}" ]; then
 	echo "log folder ${LOG} not found";
+	error=1;
+fi;
+if [ -z $(command -v curl) ]; then
+	echo "Missing curl application, aborting";
+	error=1;
+fi;
+if [ -z $(command -v jq) ]; then
+	echo "Missing jq application, aborting";
+	error=1;
+fi;
+if [ $error -eq 1 ]; then
 	exit;
 fi;
-LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
-exec &> >(tee -a "${LOG}");
-echo "[START] =============>";
-echo "Hostname          : "$(hostname);
-echo "Run date          : "$(date +"%F %T");
-echo "Max age last login: ${max_age_login} days";
-echo "Max age no login  : ${max_age_create} days";
+# option 1 in list
+case "${1,,}" in
+	text)
+		OUTPUT_TARGET="text";
+		;;
+	json)
+		OUTPUT_TARGET="json";
+		echo "{";
+		;;
+	csv)
+		CSV_LINE="%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n";
+		OUTPUT_TARGET="csv";
+		echo "Account ID,Region,Instance ID,Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Never Logged In,Login Source,Status";
+		;;
+	*)
+		OUTPUT_TARGET="text";
+		;;
+esac;
+
+# collect info via: curl http://169.254.169.254/latest/meta-data/
+instance_data=$(
+	TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` &&
+	curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
+)
+instance_id=$(echo "${instance_data}" | jq .instanceId)
+account_id=$(echo "${instance_data}" | jq .accountId)
+region=$(echo "${instance_data}" | jq .region)
+
+if [ "${OUTPUT_TARGET}" = "text" ]; then
+	LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
+	exec &> >(tee -a "${LOG}");
+	echo "[START] =============>";
+	echo "AWS ID             : ${account_id}";
+	echo "Region             : ${region}";
+	echo "Instance ID        : ${instance_id}";
+	echo "Hostname           : "$(hostname);
+	echo "Run date           : "$(date +"%F %T");
+	echo "Max age last login : ${max_age_login} days";
+	echo "Warn age last login: ${warn_age_login} days";
+	echo "Max age no login   : ${max_age_create} days";
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
+	echo '"Info": {'
+	echo '"AccountId": '${account_id}',';
+	echo '"Region": '${region}',';
+	echo '"InstanceId": '${instance_id}',';
+	echo '"Hostname": "'$(hostname)'",';
+	echo '"Date": "'$(date +"%F %T")'",';
+	echo '"MaxAgeLogin": '${max_age_login}',';
+	echo '"WarnAgeLogin": '${warn_age_login}',';
+	echo '"MaxAgeCreate": '${max_age_create}'';
+	echo '},'
+	echo '"Users": ['
+fi;
 for ssh_group in ${ssh_groups[@]}; do
-echo "--------------------->"
-echo "Checking Group    : ${ssh_group}";
+	if [ "${OUTPUT_TARGET}" = "text" ]; then
+		echo "--------------------->"
+		if [ "${ssh_group}" = "${ssh_reject_group}" ]; then
+			echo "Showing current SSH Reject users:";
+			unlock_flag=1
+		else
+			echo "Checking Group    : ${ssh_group}";
+		fi;
+	fi;
 	for username in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
 		# check that user exists in passwd
 		if ! id "${username}" &>/dev/null; then
-			echo "[!] User $username does not exists in /etc/passwd file";
+			out_string="[!] User $username does not exists in /etc/passwd file";
+			case "${OUTPUT_TARGET}" in
+				text)
+					echo "${out_string}";
+					;;
+				json)
+					echo "{";
+					echo '"Username": "'${username}'",';
+					echo '"SshGroup": "'${ssh_group}'",';
+					echo '"MainGroup": "",';
+					echo '"SubGroups": [],';
+					echo '"AccountCreatedDate": "",';
+					echo '"AccountAge": "",';
+					echo '"LastLoginDate": "",';
+					echo '"LastLoginAge": "",';
+					echo '"LoginSource": "",';
+					echo '"NeverLoggedIn": true,';
+					echo '"Status": "'${out_string}'"';
+					echo "}";
+					;;
+				csv)
+					printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "" "${ssh_group}" "" "" "" "" "true" "${out_string}"
+					;;
+			esac;
 			continue;
 		fi;
+		# for json output, we need , between outputs
+		if [ "${OUTPUT_TARGET}" = "json" ] && [ $first_run -eq 0 ]; then
+			echo ",";
+		fi;
+		first_run=0;
+		# unlock lis of users
+		if [ $unlock_flag -eq 1 ]; then
+			unlock_accounts="${unlock_accounts} ${username}"
+		fi;
 		account_age=0;
-		delete_user=0;
+		lock_user=0;
 		out_string="";
+		# get the main group for this user
+		main_group=$(id -gn "${username}")
+		# get all the sub groups for this user, and remove the main groups
+		sub_groups=$(id -Gn "${username}" | sed -e "s/${main_group}//" | sed -e "s/${ssh_group}//")
 		#echo "* Checking user ${username}";
 		# check user create time, if we have set it in comment
-		user_create_date=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
+		user_create_date_string=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
 		# if empty try last password set time
-		if [ -z "${user_create_date}" ]; then
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
 			# user L 11/09/2020 0 99999 7 -1
-			user_create_date=$(passwd -S ${username} | cut -d " " -f 3);
+			user_create_date_string=$(passwd -S ${username} | cut -d " " -f 3);
 		fi;
 		# last try is user home .bash_logout
-		if [ -z "${user_create_date}" ]; then
-			home_dir=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
-			user_create_date=$(stat -c %Z "${home_dir}");
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			# try logout or bash history
+			home_dir_bl=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
+			home_dir_bh=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_history";
+			# check that this file exists
+			if [ -f "${home_dir_bl}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bl}");
+			elif [ -f "${home_dir_bh}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bh}");
+			fi;
+		fi;
+		# still no date -> set empty
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			user_create_date_string="";
 		fi;
 
 		# below only works if the user logged in, a lot of them are just file upload
@@ -70,20 +186,42 @@ echo "Checking Group    : ${ssh_group}";
 		# user             pts/35   10.110.160.230   Wed Nov  2 09:40:35 +0900 2022
 		last_login_string=$(lastlog -u ${username} | sed 1d);
 		search="Never logged in";
+		never_logged_in="false";
 		found="";
+		login_source="";
+		last_login_date="";
+		account_age="";
+		last_login="";
 		# problem with running rep check in if
 		if [ -f "${AUTH_LOG}" ]; then
 			found=$(grep "${username};" "${AUTH_LOG}");
 		fi;
+		# always pre work account dates if they exist, but output only if text
+		if [ ! -z "${user_create_date_string}" ]; then
+			user_create_date=$(echo "${user_create_date_string}" | date +"%s" -f -);
+			# if all empty, we continue with only check if user has last login date
+			# else get days since creation
+			#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+			user_create_date_out=$(echo "${user_create_date_string}" | date +"%F" -f -);
+		fi;
 		if [ ! -z "${found}" ]; then
-			last_login_date=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
+			last_login_date_string=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2);
+			last_login_date=$(echo "${last_login_date}" | date +"%s" -f -);
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
 				out_string="[!] last ssh log in ${last_login} days ago";
-				delete_user=1;
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
+			elif [ ${last_login} -gt ${warn_age_login} ]; then
+				out_string="OK [last ssh login ${last_login} days ago]";
 			else
 				out_string="OK [ssh]";
 			fi;
+			login_source="ssh";
+			# rewrite to Y-M-D, aka
+			last_login_date="${last_login_date_string}"
 		elif [ ! -z "${last_login_string##*$search*}" ]; then
 			# if we have "** Never logged in**" the user never logged in
 			# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
@@ -93,43 +231,92 @@ echo "Checking Group    : ${ssh_group}";
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
 				out_string="[!] last terminal log in ${last_login} days ago";
-				delete_user=1;
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
+			elif [ ${last_login} -gt ${warn_age_login} ]; then
+				out_string="OK [last terminal login ${last_login} days ago]";
 			else
 				out_string="OK [lastlog]";
 			fi;
+			login_source="lastlog";
+			last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%F %T" -f -)
 		elif [ ! -z "${user_create_date}" ]; then
-			user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
-			# if all empty, we continue with only check if user has last login date
-			# else get days since creation
-			#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
-			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
 			if [ ${account_age} -gt ${max_age_create} ]; then
-				out_string="[!] Never logged in, account created ${account_age} days ago";
-				delete_user=1;
+				out_string="[!] Never logged in: account created ${account_age} days ago";
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
 			else
-				out_string="OK [first login]";
+				out_string="OK [Never logged in]";
 			fi;
+			never_logged_in="true";
 		else
 			out_string="[!!!] Never logged in and we have no create date";
+			never_logged_in="true";
 		fi;
 		# build delete output
-		if [ ${delete_user} = 1 ]; then
-			delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${username}" "${ssh_group}" "${username}" "${ssh_reject_group}")$'\n';
+		if [ ${lock_user} -eq 1 ]; then
+			lock_accounts="${lock_accounts} ${username}"
 		fi;
-		printf "* Checking user %-20s: %s\n" "${username}" "${out_string}";
+		case "${OUTPUT_TARGET}" in
+			text)
+				printf "* Checking user %-20s (%-20s): %s\n" "${username}" "${main_group}" "${out_string}";
+				;;
+			json)
+				sub_groups_string="["
+				sub_group_first=1
+				for s_group in $sub_groups; do
+					if [ "${sub_group_first}" = 0 ]; then
+						sub_groups_string="${sub_groups_string},";
+					fi;
+					sub_groups_string="${sub_groups_string}\"${s_group}\"";
+					sub_group_first=0;
+				done;
+				sub_groups_string="${sub_groups_string}]";
+				echo "{";
+				echo '"Username": "'${username}'",';
+				echo '"SshGroup": "'${ssh_group}'",';
+				echo '"MainGroup": "'${main_group}'",';
+				echo '"SubGroups": '${sub_groups_string}',';
+				echo '"AccountCreatedDate": "'${user_create_date_out}'",';
+				echo '"AccountAge": "'${account_age}'",';
+				echo '"LastLoginDate": "'${last_login_date}'",';
+				echo '"LastLoginAge": "'${last_login}'",';
+				echo '"LoginSource": "'${login_source}'",';
+				echo '"NeverLoggedIn": '${never_logged_in}',';
+				echo '"Status": "'${out_string}'"';
+				echo "}";
+				;;
+			csv)
+				printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}"
+				;;
+		esac;
 	done;
 done;
-echo "--------------------->"
-echo "Showing current SSH Reject users:"
-for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
-	echo "${username}";
-done;
-if [ ! -z "${delete_accounts}" ]; then
-	echo "--------------------->"
-	echo "% Run list below to move users to reject ssh group";
-	echo "";
-	echo "${delete_accounts}";
+if [ "${OUTPUT_TARGET}" = "text" ]; then
+	if [ ! -z "${lock_accounts}" ]; then
+		echo "--------------------->"
+		echo "% Run script below to move users to reject ssh group";
+		echo "";
+		echo "bin/lock_user.sh ${lock_accounts}";
+	fi;
+	if [ ! -z "${unlock_accounts}" ]; then
+		echo "--------------------->"
+		echo "% Run script below to move users to allow or forward ssh group";
+		echo "";
+		echo "For ALLOW:"
+		echo "bin/unlock_user.sh -s allow ${unlock_accounts}";
+		echo "";
+		echo "For FORWARDONLY:"
+		echo "bin/unlock_user.sh -s forward ${unlock_accounts}";
+	fi;
+	echo "[END] ===============>"
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
+	# users
+	echo "]";
+	# overall
+	echo "}";
 fi;
-echo "[END] ===============>"
 
 # __END__

bin/collect_login_data.sh

@@ -61,7 +61,8 @@ function parseLog()
 	if [ "${logger}" = "systemd" ]; then
 		# 2022-11-18T20:04:08+0900
 		auth_date=$(echo "${line}" | cut -d " " -f 1);
-		auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+		# Note, instead of cut with dot, remove last dot in line
+		auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | sed -e "s/\.$//");
 	else
 		auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
 		auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);

bin/create_user.sh

@@ -25,10 +25,14 @@
 # They pem pub key must follow the set rules above
 
 # SET TO 1 to TEST [will not create user/group/folder]
-TEST=0; # no creation except ssh keys
+TEST=0; # no actions will be run
 INFO=0; # no creation of anything, just print info strings
-while getopts ":tih:" opt; do
+GO=0; # without this flag the script will exit with an info box
+while getopts ":gtih:" opt; do
 	case "${opt}" in
+		g|go)
+			GO=1;
+			;;
 		t|test)
 			TEST=1;
 			;;
@@ -41,11 +45,13 @@ while getopts ":tih:" opt; do
 		\?)
 			echo -e "\n Option does not exist: ${OPTARG}\n";
 			echo "Use -t for test and -i for info";
+			echo "Use -g for actually creation run";
 			echo "Override default /home/ folder location with -h <base>";
 			exit 1;
 			;;
 	esac;
 done;
+error=0;
 # hostname for output file only
 host=$(hostname);
 timestamp=$(date +%Y%m%d-%H%M%S)
@@ -67,18 +73,22 @@ if [ ! -z "${HOME_LOCATION}" ]; then
 	# must start with / as it has to be from root
 	if [ "${HOME_LOCATION##/*}" ]; then
 		echo "Home location folder must start with a slash (/): ${HOME_LOCATION}";
-		exit;
+		error=1;
 	fi;
 	# must be valid folder
 	if [ ! -d "${HOME_LOCATION}" ]; then
 		echo "Folder for home location does not exists: ${HOME_LOCATION}";
-		exit;
+		error=1;
 	fi;
 fi;
 # the new location for home, if override is set will be created in this folder
 HOME_FOLDER="${HOME_LOCATION}${HOME_BASE}"
 if [ ! -d "${HOME_FOLDER}" ]; then
 	echo "Home folder location not found: ${HOME_FOLDER}";
+	error=1;
+fi;
+# home dir error abort
+if [ $error -eq 1 ]; then
 	exit;
 fi;
 ROOT_FOLDER="${BASE_FOLDER}../";
@@ -119,18 +129,18 @@ fi;
 # if [ ! command -v pwgen &> /dev/null ]; then
 if [ -z $(command -v pwgen) ]; then
 	echo "Missing pwgen application, aborting";
-	exit;
+	error=1;
 fi;
 # check for zip
 # if [ ! command -v zip &> /dev/null ]; then
 if [ -z $(command -v zip) ]; then
 	echo "Missing zip application, aborting";
-	exit;
+	error=1;
 fi;
 # check if sshallow or sshfoward group exists
 if [ -z $(cat /etc/group | grep "sshallow:") ]; then
 	echo "Missing ssh access group: sshallow";
-	exit;
+	error=1;
 fi;
 # flag if we can set ssh forward
 if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
@@ -139,7 +149,7 @@ fi;
 # check if user list file exists
 if [ ! -f "${ROOT_FOLDER}${input_file}" ]; then
 	echo "Missing ${ROOT_FOLDER}${input_file}";
-	exit;
+	error=1;
 fi;
 # make sure my own folder is owned by root and 600 (except for testing)
 if [ $(stat -c %a .) != "600" ]; then
@@ -148,11 +158,23 @@ fi;
 if [ $(whoami) != "root" ]; then
 	if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
 		echo "Script must be run as root user";
-		exit;
+		error=1;
 	else
 		echo "!!!! Script must be run as root user !!!!";
 	fi;
 fi;
+
+# exit if not -g parameter set
+if [ $GO -eq 0 ]; then
+	echo "Script has to be run with -g option for actual user creation.";
+	echo "It is recommended to run -t for testing prior to user creation.";
+	error=1;
+fi;
+
+if [ $error -eq 1 ]; then
+	exit;
+fi;
+
 # create users
 cat "${ROOT_FOLDER}${input_file}" |
 while read i; do
@@ -162,6 +184,13 @@ while read i; do
 	fi;
 	# POS 2: make lower case, remove spaces
 	username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
+	# check username is alphanumeric with .
+	if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
+		echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}";
+		if [ ${TEST} -eq 0 ]; then
+			break;
+		fi;
+	fi;
 	# POS 3: groups
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
@@ -175,7 +204,9 @@ while read i; do
 	fi;
 	if [ $ssh_forward_ok -eq 0 ] && [ "${ssh_access_type}" = "forward" ]; then
 		echo "[!!!] sshforward group does not exsts, cannot set user ${username}";
-		break;
+		if [ ${TEST} -eq 0 ]; then
+			break;
+		fi;
 	fi;
 	ssh_group="ssh${ssh_access_type}";
 	# sshallow group is always added
@@ -206,7 +237,21 @@ while read i; do
 	if [ -z "${username}" ] || [ -z "${_group}" ]; then
 		echo "[!!!!!] Missing user or group entry for ${username}/${_group}";
 		echo "[*** ABORT RUN ***]"
-		break;
+		if [ ${TEST} -eq 0 ]; then
+			break;
+		fi;
+	else
+		group_error=0;
+		# check group names valid
+		for create_group in ${_group//,/ }; do
+			if ! [[ "${create_group}" =~ ^[a-z0-9]+([a-z0-9_-]+[a-z0-9])?$ ]]; then
+				echo "Group name can only be a-z 0-9 - _ and cannot start or end with - or _: ${create_group}";
+				group_error=1;
+			fi;
+		done;
+		if [ $group_error -eq 1 ] && [ ${TEST} -eq 0 ]; then
+			break;
+		fi;
 	fi;
 	# SSH file name part without folder
 	ssh_keygen_id="${hostname}${separator}${group}${separator}${username}${separator}${ssh_keytype}.pem";
@@ -303,7 +348,7 @@ while read i; do
 		else
 			create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 		fi;
-		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
+		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_access_type} >> ${create_output_file};
 		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
 		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then

bin/delete_user.sh

@@ -0,0 +1,182 @@
+#!/usr/bin/env bash
+
+# Delete user
+# - Backup
+# - delete user
+# - delete home
+# - remove ssh-keygen-created-pub files
+# - remove ssh central auth data if exits
+# - update user_list.txt and comment (#) line for this user
+# - write delete log
+
+# This will permaently remove the user
+
+TEST=0; # do not run any actions
+BACKUP=1;
+while getopts ":tb" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		b|nobackup)
+			BACKUP=0;
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test";
+			echo "Use -g for actually creation run";
+			echo "Use -b to not make a backup of the home folder and public key"
+			exit 1;
+			;;
+	esac;
+done;
+shift "$((OPTIND-1))"
+
+if [ $(whoami) != "root" ]; then
+	if [ ${TEST} -eq 0 ]; then
+		echo "Script must be run as root user";
+		exit;
+	else
+		echo "!!!! Script must be run as root user !!!!";
+	fi;
+fi;
+
+if [ $# -eq 0 ]; then
+	echo "Must give at least one user name";
+	exit;
+fi;
+
+# check tar, bzip2 is installed if backup = 1
+
+host=$(hostname);
+timestamp=$(date +%Y%m%d-%H%M%S);
+# character to set getween info blocks
+separator="#";
+# base folder for all data
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+root_folder="${BASE_FOLDER}../";
+backup_folder="${BASE_FOLDER}../backup/";
+SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
+input_file='user_list.txt';
+user_list_file="${root_folder}${input_file}";
+# log file
+LOG="${BASE_FOLDER}/../log/delete_user."$(date +"%F_%H%m%S");
+if [ ${TEST} -eq 0 ]; then
+	LOG="${LOG}.log";
+else
+	LOG="${LOG}.test.log";
+fi;
+# ignore users (root and admin users)
+ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			exit;
+		fi;
+	fi;
+done;
+
+if [ ! -f "${user_list_file}" ]; then
+	echo "${input_file} is missing";
+	exit;
+fi;
+
+# $1 ... $n
+for username in "$@"; do
+	error=0;
+	# skip if there is an option hidden
+	if [[ ${_arg:0:1} = "-" ]]; then
+		continue;
+	fi;
+	# skip ignore users, note that if a user is not in the sshallow list anyway
+	# we skip them too, this is just in case check
+	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
+		echo "[!] User ${username} is in the ignore user list";
+		continue;
+	fi;
+
+	# user must exist in user_list.txt and /etc/passwd
+	# if missing in or another do not continue
+	if ! id "${username}" &>/dev/null; then
+		# not in passwd
+		echo "[!!!] User ${username} does not exist in /etc/passwd";
+		error=1;
+	fi;
+	user_list_entry=$(grep "${username}" "${user_list_file}");
+	if [ -z "${user_list_entry}" ]; then
+		echo "[!!!] User ${username} does not exist in user_list.txt file";
+		error=1;
+	elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
+		echo "[!!!] User ${username} is flagged as deleted in user_list.txt file";
+		error=1;
+	fi;
+
+	if [ $error -eq 1 ]; then
+		if [ ${TEST} -eq 0 ]; then
+			break;
+		fi;
+	fi;
+
+	echo "=> Delete: ${username}";
+	# ssh authorized file
+	SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}";
+
+	# make backup from /home
+	if [ ${BACKUP} -eq 1 ]; then
+		home_folder=$(getent passwd ${username} | cut -d ":" -f 6);
+		backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2";
+		files_list="${home_folder}";
+		if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+			files_list="${files_list} ${SSH_AUTHORIZED_FILE}";
+		fi;
+		echo "[0] Backup ${files_list} to ${backup_file}";
+		if [ ${TEST} -eq 0 ]; then
+			tar cfjp "${backup_file}" ${file_list};
+		else
+			echo "$> tar cfjp \"${backup_file}\" ${files_list};";
+		fi;
+	fi;
+
+	echo "[1] Remove user + home dir";
+	if [ ${TEST} -eq 0 ]; then
+		userdel -r ${username}
+	else
+		echo "$> userdel -r ${username}";
+	fi;
+
+	# remove ssh files in pub
+	echo "[2] Remove SSH Public key";
+	# Note, we keep the public key in the -created-pub folder
+	if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
+		if [ ${TEST} -eq 0 ]; then
+			chattr -i "${SSH_AUTHORIZED_FILE}";
+			rm "${SSH_AUTHORIZED_FILE}";
+		else
+			echo "$> chattr -i \"${SSH_AUTHORIZED_FILE}\";";
+			echo "$> rm \"${SSH_AUTHORIZED_FILE}\";"
+		fi;
+	else
+		# Not critical error
+		echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}";
+	fi;
+
+	# Update user_list.txt file and add # for the line
+	echo "[3] Update user_list.txt file";
+	# eg n;foo -> #DELETED-YYYYMMDD_HHmmss:n;foo ...
+	delete_date=$(date +%Y%m%d_%H%M%S)
+	if [ ${TEST} -eq 0 ]; then
+		sed -i -e "s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/" "${user_list_file}";
+	else
+		echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\};${username};\)/#DELETED-${delete_date}:\1/\" \"${user_list_file}\";";
+	fi;
+
+	echo $(date +"%F %T")";${host};${username}" >> "${LOG}";
+
+done;
+
+# __END__

bin/lock_user.sh

@@ -39,7 +39,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"
@@ -52,17 +52,17 @@ for username in "$@"; do
 	# skip ignore users, note that if a user is not in the sshallow list anyway
 	# we skip them too, this is just in case check
 	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
-		echo "[!] User $username is in the ignore user list";
+		echo "[!] User ${username} is in the ignore user list";
 		continue;
 	fi;
 	# check that user exists in passwd
 	if ! id "${username}" &>/dev/null; then
-		echo "[!] User $username does not exists in /etc/passwd file";
+		echo "[!] User ${username} does not exists in /etc/passwd file";
 		continue;
 	fi;
 	# if not check if in reject list
 	if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
-		echo "[.] User $username already in the ${ssh_reject_group} list";
+		echo "[.] User ${username} already in the ${ssh_reject_group} list";
 		continue;
 	fi;
 	# check if user is in sshallow/forward list
@@ -73,14 +73,14 @@ for username in "$@"; do
 	# if user is in ssh allow group and ALSO in ssh forward group -> bad
 	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
 		if [ ! -z "${ssh_remove_group}" ]; then
-			echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
+			echo "[!!!! ERROR !!!!] User ${username} exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again.";
 			break;
 		fi;
 		ssh_remove_group="${ssh_forward_group}";
 	fi;
 	if [ ! -z "${ssh_remove_group}" ]; then
 		# remove user from ssh group and add to reject groups
-		echo "[*] User $username will be removed from ${ssh_remove_group}";
+		echo "[*] User ${username} will be removed from ${ssh_remove_group}";
 		if [ ${TEST} -eq 1 ]; then
 			printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}";
 		else
@@ -89,7 +89,7 @@ for username in "$@"; do
 		fi;
 	else
 		# skip not ssh user
-		echo "[?] User $username not in any ssh allow/foward groups";
+		echo "[?] User ${username} not in any ssh allow/foward groups";
 	fi;
 done;
 

bin/rename_user.sh

@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+
+# Rename user
+# - rename user name
+# - rename home folder + owner
+# - rename public key file in /etc/ssh/
+# - rename in user_list.txt
+# - rename created public key file
+
+TEST=0; # do not run any actions
+OLD_USERNAME="";
+NEW_USERNAME="";
+while getopts ":to:n:" opt; do
+	case "${opt}" in
+		t|test)
+			TEST=1;
+			;;
+		o|old-user)
+			if [ -z "${OLD_USERNAME}" ]; then
+				OLD_USERNAME="${OPTARG}";
+			fi;
+			;;
+		n|new-user)
+			if [ -z "${NEW_USERNAME}" ]; then
+				NEW_USERNAME="${OPTARG}";
+			fi;
+			;;
+		\?)
+			echo -e "\n Option does not exist: ${OPTARG}\n";
+			echo "Use -t for test";
+			echo "-o: Current user";
+			echo "-n: New username";
+			exit 1;
+			;;
+	esac;
+done;
+shift "$((OPTIND-1))"
+
+if [ $(whoami) != "root" ]; then
+	if [ ${TEST} -eq 0 ]; then
+		echo "Script must be run as root user";
+		exit;
+	else
+		echo "!!!! Script must be run as root user !!!!";
+	fi;
+fi;
+
+error=0;
+host=$(hostname);
+timestamp=$(date +%Y%m%d-%H%M%S);
+# character to set getween info blocks
+separator="#";
+# base folder for all data
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+root_folder="${BASE_FOLDER}../";
+SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/';
+input_file='user_list.txt';
+user_list_file="${root_folder}${input_file}";
+default_ssh_keytype='ed25519';
+ssh_keytype='';
+# log file
+LOG="${BASE_FOLDER}/../log/rename_user."$(date +"%F_%H%m%S");
+if [ ${TEST} -eq 0 ]; then
+	LOG="${LOG}.log";
+else
+	LOG="${LOG}.test.log";
+fi;
+# ignore users (root and admin users)
+ignore_users=('root' 'ec2-user' 'ubuntu' 'admin');
+# detect ssh authorized_keys setting
+SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
+SSH_AUTHORIZED_FILE='';
+for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
+	if [ ! -z $(echo "${cf}" | grep "%u") ]; then
+		SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+		if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
+			echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
+			error=1;
+		fi;
+	fi;
+done;
+if [ ! -f "${user_list_file}" ]; then
+	echo "${input_file} is missing";
+	error=1;
+fi;
+
+if [ -z "${OLD_USERNAME}" ] || [ -z "${NEW_USERNAME}" ]; then
+	echo "[!!!] Current and new username must be provided";
+	error=1;
+fi;
+
+if [ "${OLD_USERNAME}" = "${NEW_USERNAME}" ]; then
+	echo "[!!!] Current and new username cannot be the same";
+	error=1;
+fi;
+
+if ! [[ "${NEW_USERNAME}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
+	echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${NEW_USERNAME}";
+	error=1;
+fi;
+
+# skip ignore users, note that if a user is not in the sshallow list anyway
+# we skip them too, this is just in case check
+if [[ " ${ignore_users[*]} " =~ " ${OLD_USERNAME} " ]]; then
+	echo "[!] User ${OLD_USERNAME} is in the ignore user list";
+	error=1;
+fi;
+if [[ " ${ignore_users[*]} " =~ " ${NEW_USERNAME} " ]]; then
+	echo "[!] User ${NEW_USERNAME} is in the ignore user list";
+	error=1;
+fi;
+# user must exist in user_list.txt and /etc/passwd
+# if missing in or another do not continue
+if ! id "${OLD_USERNAME}" &>/dev/null; then
+	# not in passwd
+	echo "[!!!] User ${OLD_USERNAME} does not exist in /etc/passwd";
+	error=1;
+fi;
+if id "${NEW_USERNAME}" &>/dev/null; then
+	# not in passwd
+	echo "[!!!] User ${NEW_USERNAME} exists in /etc/passwd";
+	error=1;
+fi;
+if [ -f "${user_list_file}" ]; then
+	user_list_entry=$(grep "${OLD_USERNAME}" "${user_list_file}");
+	if [ -z "${user_list_entry}" ]; then
+		echo "[!!!] User ${OLD_USERNAME} does not exist in user_list.txt file";
+		error=1;
+	fi;
+	# if the old user exists but as DELETED -> no go
+	if [ ! -z $(echo "${user_list_entry}" | grep "#DELETED-") ]; then
+		echo "[!!!] User ${OLD_USERNAME} has been flagged as deleted";
+		error=1;
+	fi;
+	# if new user name already exists in user list file for whatever reason
+	if [ $(grep "${NEW_USERNAME}" "${user_list_file}") ]; then
+		echo "[!!!] User ${NEW_USERNAME} exists in user_list.txt file";
+		error=1;
+	fi;
+fi;
+# exit on any error
+if [ $error -eq 1 ]; then
+	exit;
+fi;
+
+# parse user list entry for group/hostname/ssh type key to build ssh key list
+
+# POS 3: groups
+_group=$(echo "${user_list_entry}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
+group=$(echo "${_group}" | cut -d "," -f 1);
+# POS 6: override host name, lowercase and spaces removed
+_hostname=$(echo "${user_list_entry}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+if [ -z "${_hostname}" ]; then
+	hostname=${host};
+else
+	hostname=${_hostname};
+fi;
+# POS 7: ssh keytype override
+_ssh_keytype=$(echo "${user_list_entry}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
+if [ "${_ssh_keytype}" = "rsa" ]; then
+	ssh_keytype="${_ssh_keytype}";
+else
+	ssh_keytype=${default_ssh_keytype};
+fi;
+
+echo "* Rename ${OLD_USERNAME} to ${NEW_USERNAME}";
+
+old_home_dir=$(getent passwd "${OLD_USERNAME}" | cut -d: -f6);
+new_home_dir=$(echo "${old_home_dir}" | sed -e "s/\/${OLD_USERNAME}$/\/${NEW_USERNAME}/");
+# rename user
+if [ $TEST -eq 0 ]; then
+	echo "usermod with ${new_home_dir}";
+	usermod -l ${NEW_USERNAME} -m -d "${new_home_dir}" ${OLD_USERNAME};
+else
+	echo "$> usermod -l ${NEW_USERNAME} -m -d \"${new_home_dir}\" ${OLD_USERNAME};";
+fi
+# check that home folder is renamed and owned by new user
+
+# check if spool exists
+if [ -f "/var/spool/mail/${OLD_USERNAME}" ]; then
+	if [ $TEST -eq 0 ]; then
+		echo "rename to /var/spool/mail/${NEW_USERNAME}";
+		mv "/var/spool/mail/${OLD_USERNAME}" "/var/spool/mail/${NEW_USERNAME}";
+	else
+		echo "$> mv \"/var/spool/mail/${OLD_USERNAME}\" \"/var/spool/mail/${NEW_USERNAME}\";";
+	fi
+fi;
+# check if crontab exists
+if [ -f "/var/spool/cron/crontabs/${OLD_USERNAME}" ]; then
+	if [ $TEST -eq 0 ]; then
+		echo "rename to /var/spool/cron/crontabs/${NEW_USERNAME}";
+		mv "/var/spool/cron/crontabs/${OLD_USERNAME}" "/var/spool/cron/crontabs/${NEW_USERNAME}";
+	else
+		echo "$> mv \"/var/spool/cron/crontabs/${OLD_USERNAME}\" \"/var/spool/cron/crontabs/${NEW_USERNAME}\";";
+	fi
+fi;
+
+# public key files user must be renamed
+OLD_SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${OLD_USERNAME}";
+NEW_SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${NEW_USERNAME}";
+
+if [ -f "${OLD_SSH_AUTHORIZED_FILE}" ]; then
+	if [ $TEST -eq 0 ]; then
+		echo "rename to ${NEW_SSH_AUTHORIZED_FILE}";
+		chattr -i "${OLD_SSH_AUTHORIZED_FILE}";
+		mv "${OLD_SSH_AUTHORIZED_FILE}" "${NEW_SSH_AUTHORIZED_FILE}";
+		chattr +i "${NEW_SSH_AUTHORIZED_FILE}";
+	else
+		echo "$> chattr -i \"${OLD_SSH_AUTHORIZED_FILE}\";";
+		echo "$> mv \"${OLD_SSH_AUTHORIZED_FILE}\" \"${NEW_SSH_AUTHORIZED_FILE}\";";
+		echo "$> chattr +i \"${NEW_SSH_AUTHORIZED_FILE}\";";
+	fi;
+else
+	echo "[?] ${OLD_SSH_AUTHORIZED_FILE} is missing";
+fi;
+
+# rename keygen public file
+OLD_ssh_keygen_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${hostname}${separator}${group}${separator}${OLD_USERNAME}${separator}${ssh_keytype}.pem.pub";
+NEW_ssh_keygen_pub="${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}${hostname}${separator}${group}${separator}${NEW_USERNAME}${separator}${ssh_keytype}.pem.pub";
+
+if [ -f "${OLD_ssh_keygen_pub}" ]; then
+	if [ $TEST -eq 0 ]; then
+		echo "rename to ${NEW_ssh_keygen_pub}";
+		mv "${OLD_ssh_keygen_pub}" "${NEW_ssh_keygen_pub}";
+	else
+		echo "$> mv \"${OLD_ssh_keygen_pub}\" \"${NEW_ssh_keygen_pub}\";";
+	fi;
+else
+	echo "[?] ${OLD_ssh_keygen_pub} is missing";
+fi;
+
+# rename entry in user list txt file
+if [ $TEST -eq 0 ]; then
+	echo "update ${user_list_file}";
+	sed -i -e "s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/" "${user_list_file}";
+else
+	echo "$> sed -i -e \"s/^\([A-Za-z0-9]\{1,\}\);${OLD_USERNAME};/\1;${NEW_USERNAME};/\" \"${user_list_file}\";";
+fi;
+
+# __END__

bin/unlock_user.sh

@@ -53,7 +53,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"
@@ -66,21 +66,21 @@ for username in "$@"; do
 	# skip ignore users, note that if a user is not in the sshallow list anyway
 	# we skip them too, this is just in case check
 	if [[ " ${ignore_users[*]} " =~ " ${username} " ]]; then
-		echo "[!] User $username is in the ignore user list";
+		echo "[!] User ${username} is in the ignore user list";
 		continue;
 	fi;
 	# check that user exists in passwd
 	if ! id "${username}" &>/dev/null; then
-		echo "[!] User $username does not exists in /etc/passwd file";
+		echo "[!] User ${username} does not exists in /etc/passwd file";
 		continue;
 	fi;
 	# check if already in OK groups
 	if id -nGz "${username}" | grep -qzxF "${ssh_allow_group}"; then
-		echo "[.] User $username already in the ${ssh_allow_group} list";
+		echo "[.] User ${username} already in the ${ssh_allow_group} list";
 		continue;
 	fi;
 	if id -nGz "${username}" | grep -qzxF "${ssh_forward_group}"; then
-		echo "[.] User $username already in the ${ssh_forward_group} list";
+		echo "[.] User ${username} already in the ${ssh_forward_group} list";
 		continue;
 	fi;
 	# try to find user in user_list.txt and get the allow/forward flag from there,
@@ -98,7 +98,7 @@ for username in "$@"; do
 	# check if user is in reject group remove
 	if id -nGz "${username}" | grep -qzxF "${ssh_reject_group}"; then
 		# remove user from ssh group and add to reject groups
-		echo "[*] User $username will be added to ${ssh_add_group}";
+		echo "[*] User ${username} will be added to ${ssh_add_group}";
 		if [ ${TEST} -eq 1 ]; then
 			printf "${user_group_tpl}" "${username}" "${ssh_reject_group}" "${username}" "${ssh_add_group}";
 		else
@@ -107,7 +107,7 @@ for username in "$@"; do
 		fi;
 	else
 		# skip not ssh user
-		echo "[?] User $username not in the ssh reject group";
+		echo "[?] User ${username} not in the ssh reject group";
 	fi;
 done;
 

user_create_flow.md

@@ -1,11 +1,16 @@
 # AWS user create flow
 
+**NOTE** The script will check in the /etc/ssh/sshd_config for `AuthorizedKeysFile` keyword with `/etc/ssh/authorized_keys/%u`. If this exists it will move the ssk keys from the users home folder the folder `/etc/ssh/authorized_keys` with the created username as file name
+
 * Step 1: check if main group exists
 * Step 2: Add user to user_list.txt
 
-Example:
+Very basic example with minimum settings:
+
+SSH Type will default to EP25519
 
 ```txt
+#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
 # 2022-12-12
 1;test.foo;group-a;allow
 ```