Text fix for error strings in last login check

if WARN then write WARN instead of OK.
Add day numbers if OK

Some minor shellscript updates

.shellcheckrc

@@ -0,0 +1,2 @@
+shell=bash
+external-sources=true

Readme.md

@@ -26,6 +26,31 @@ Inside the base folder there are
 - ssh-keygen for temporary holding the PEM/PUB files
 - zip file which holds the created user list, password and PEM/PUB files
 
+## Config
+
+### create_user.sh: create_user.cfg
+
+A `create_user.cfg` can be created to set a differen HOME_LOCATION and PASSWORD_LENGTH values
+
+eg:
+
+```ini
+HOME_LOCATION="/storage"
+PASSWORD_LENGTH=14
+```
+
+### authorized_key_location_change.sh: authorized_key_location_change.ignore
+
+For this script a `authorized_key_location_change.ignore` with a list of user names to ignore for the
+move
+
+eg:
+
+```ini
+foo_user
+bar_user
+```
+
 ## Options
 
 ### -g (go)
@@ -257,6 +282,61 @@ The script can be put into the crontab and run once a month, it prints to STDOUT
 0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
 ```
 
+For processable output there is a "csv" and "json" option to output the data in CSV or JSON format
+
+Example csv
+
+```csv
+Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Login Source,Never Logged In,Status
+some.host,name_a,staff,sshallow,2021-11-18,764,,,,true,[!] Never logged in: account created 764 days ago
+some.host,name_b,staff,sshallow,2021-11-15,767,2023-12-20 22:18:36,1,ssh,false,OK [ssh]
+...
+```
+
+```json
+{
+  "Info": {
+    "Hostname": "host.name",
+    "Date": "2023-12-21 13:11:45",
+    "MaxAgeLogin": 90,
+    "MaxAgeCreate": 30
+  },
+  "Users": [
+    {
+      "Username": "name_a",
+      "SshGroup": "sshallow",
+      "MainGroup": "staff",
+      "SubGroups": [],
+      "AccountCreatedDate": "2021-11-18",
+      "AccountAge": "764",
+      "LastLoginDate": "",
+      "LastLoginAge": "",
+      "LoginSource": "",
+      "NeverLoggedIn": true,
+      "Status": "[!] Never logged in: account created 764 days ago"
+    },
+    {
+      "Username": "name_b",
+      "SshGroup": "sshallow",
+      "MainGroup": "staff",
+      "SubGroups": [
+        "sudo",
+        "users",
+        "group_a",
+        "group_b",
+      ],
+      "AccountCreatedDate": "2021-11-15",
+      "AccountAge": "767",
+      "LastLoginDate": "2023-12-20 22:18:36",
+      "LastLoginAge": "1",
+      "LoginSource": "ssh",
+      "NeverLoggedIn": false,
+      "Status": "OK [ssh]"
+    },
+  ]
+}
+```
+
 ## Delete users
 
 `bin/delete_user.sh -t -b <user 1> <user 2> ...`

bin/check_last_login.sh

@@ -4,63 +4,180 @@
 # if user login >30days, remoe user from sshallow group and write log
 
 # base folder
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # which groups holds the ssh allowed login users (outside of admin users)
-ssh_groups=('sshforward' 'sshallow');
+ssh_groups=('sshforward' 'sshallow' 'sshreject');
 ssh_reject_group='sshreject';
 # date now for compare
 now=$(date +"%s");
 # max age for last login or account create without login
-max_age_login=60;
+max_age_login=90;
+warn_age_login=80;
 max_age_create=30;
 # one day in seconds
 day=86400;
 # delete account strings
 lock_accounts="";
+unlock_flag=0;
+unlock_accounts="";
+# only needed for json output
+first_run=1;
 # log base folder
 LOG="${BASE_FOLDER}/../log";
 # auth log file user;date from collect_login_data script
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 
+error=0;
 if [ $(whoami) != "root" ]; then
 	echo "Script must be run as root user";
-	exit;
+	error=1;
 fi;
 if [ ! -d "${LOG}" ]; then
 	echo "log folder ${LOG} not found";
+	error=1;
+fi;
+if [ -z $(command -v curl) ]; then
+	echo "Missing curl application, aborting";
+	error=1;
+fi;
+if [ -z $(command -v jq) ]; then
+	echo "Missing jq application, aborting";
+	error=1;
+fi;
+if [ $error -eq 1 ]; then
 	exit;
 fi;
-LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
-exec &> >(tee -a "${LOG}");
-echo "[START] =============>";
-echo "Hostname          : "$(hostname);
-echo "Run date          : "$(date +"%F %T");
-echo "Max age last login: ${max_age_login} days";
-echo "Max age no login  : ${max_age_create} days";
+# option 1 in list
+case "${1,,}" in
+	text)
+		OUTPUT_TARGET="text";
+		;;
+	json)
+		OUTPUT_TARGET="json";
+		echo "{";
+		;;
+	csv)
+		CSV_LINE="%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n";
+		OUTPUT_TARGET="csv";
+		echo "Account ID,Region,Instance ID,Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Never Logged In,Login Source,Status";
+		;;
+	*)
+		OUTPUT_TARGET="text";
+		;;
+esac;
+
+# collect info via: curl http://169.254.169.254/latest/meta-data/
+instance_data=$(
+	TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") &&
+	curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
+)
+instance_id=$(echo "${instance_data}" | jq .instanceId)
+account_id=$(echo "${instance_data}" | jq .accountId)
+region=$(echo "${instance_data}" | jq .region)
+
+if [ "${OUTPUT_TARGET}" = "text" ]; then
+	LOG="${LOG}/check_ssh_user.$(date +"%F_%H%m%S").log";
+	exec &> >(tee -a "${LOG}");
+	echo "[START] =============>";
+	echo "AWS ID             : ${account_id}";
+	echo "Region             : ${region}";
+	echo "Instance ID        : ${instance_id}";
+	echo "Hostname           : $(hostname)";
+	echo "Run date           : $(date +"%F %T")";
+	echo "Max age last login : ${max_age_login} days";
+	echo "Warn age last login: ${warn_age_login} days";
+	echo "Max age no login   : ${max_age_create} days";
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
+	echo '"Info": {'
+	echo '"AccountId": '${account_id}',';
+	echo '"Region": '${region}',';
+	echo '"InstanceId": '${instance_id}',';
+	echo '"Hostname": "'$(hostname)'",';
+	echo '"Date": "'$(date +"%F %T")'",';
+	echo '"MaxAgeLogin": '${max_age_login}',';
+	echo '"WarnAgeLogin": '${warn_age_login}',';
+	echo '"MaxAgeCreate": '${max_age_create}'';
+	echo '},'
+	echo '"Users": ['
+fi;
 for ssh_group in ${ssh_groups[@]}; do
-echo "--------------------->"
-echo "Checking Group    : ${ssh_group}";
+	if [ "${OUTPUT_TARGET}" = "text" ]; then
+		echo "--------------------->"
+		if [ "${ssh_group}" = "${ssh_reject_group}" ]; then
+			echo "Showing current SSH Reject users:";
+			unlock_flag=1
+		else
+			echo "Checking Group    : ${ssh_group}";
+		fi;
+	fi;
 	for username in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
 		# check that user exists in passwd
 		if ! id "${username}" &>/dev/null; then
-			echo "[!] User $username does not exists in /etc/passwd file";
+			out_string="[!] User $username does not exists in /etc/passwd file";
+			case "${OUTPUT_TARGET}" in
+				text)
+					echo "${out_string}";
+					;;
+				json)
+					echo "{";
+					echo '"Username": "'${username}'",';
+					echo '"SshGroup": "'${ssh_group}'",';
+					echo '"MainGroup": "",';
+					echo '"SubGroups": [],';
+					echo '"AccountCreatedDate": "",';
+					echo '"AccountAge": "",';
+					echo '"LastLoginDate": "",';
+					echo '"LastLoginAge": "",';
+					echo '"LoginSource": "",';
+					echo '"NeverLoggedIn": true,';
+					echo '"Status": "'${out_string}'"';
+					echo "}";
+					;;
+				csv)
+					printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "" "${ssh_group}" "" "" "" "" "true" "${out_string}"
+					;;
+			esac;
 			continue;
 		fi;
+		# for json output, we need , between outputs
+		if [ "${OUTPUT_TARGET}" = "json" ] && [ $first_run -eq 0 ]; then
+			echo ",";
+		fi;
+		first_run=0;
+		# unlock lis of users
+		if [ $unlock_flag -eq 1 ]; then
+			unlock_accounts="${unlock_accounts} ${username}"
+		fi;
 		account_age=0;
 		lock_user=0;
 		out_string="";
+		# get the main group for this user
+		main_group=$(id -gn "${username}")
+		# get all the sub groups for this user, and remove the main groups
+		sub_groups=$(id -Gn "${username}" | sed -e "s/${main_group}//" | sed -e "s/${ssh_group}//")
 		#echo "* Checking user ${username}";
 		# check user create time, if we have set it in comment
-		user_create_date=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
+		user_create_date_string=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
 		# if empty try last password set time
-		if [ -z "${user_create_date}" ]; then
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
 			# user L 11/09/2020 0 99999 7 -1
-			user_create_date=$(passwd -S ${username} | cut -d " " -f 3);
+			user_create_date_string=$(passwd -S ${username} | cut -d " " -f 3);
 		fi;
 		# last try is user home .bash_logout
-		if [ -z "${user_create_date}" ]; then
-			home_dir=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
-			user_create_date=$(stat -c %Z "${home_dir}");
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			# try logout or bash history
+			home_dir_bl=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
+			home_dir_bh=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_history";
+			# check that this file exists
+			if [ -f "${home_dir_bl}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bl}");
+			elif [ -f "${home_dir_bh}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bh}");
+			fi;
+		fi;
+		# still no date -> set empty
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			user_create_date_string="";
 		fi;
 
 		# below only works if the user logged in, a lot of them are just file upload
@@ -69,21 +186,43 @@ echo "Checking Group    : ${ssh_group}";
 		# user             pts/35   10.110.160.230   Wed Nov  2 09:40:35 +0900 2022
 		last_login_string=$(lastlog -u ${username} | sed 1d);
 		search="Never logged in";
+		never_logged_in="false";
 		found="";
+		login_source="";
+		last_login_date="";
+		account_age="";
+		last_login="";
 		# problem with running rep check in if
 		if [ -f "${AUTH_LOG}" ]; then
 			found=$(grep "${username};" "${AUTH_LOG}");
 		fi;
-		if [ ! -z "${found}" ]; then
-			last_login_date=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2 | date +"%s" -f -);
+		# always pre work account dates if they exist, but output only if text
+		if [ -n "${user_create_date_string}" ]; then
+			user_create_date=$(echo "${user_create_date_string}" | date +"%s" -f -);
+			# if all empty, we continue with only check if user has last login date
+			# else get days since creation
+			#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+			user_create_date_out=$(echo "${user_create_date_string}" | date +"%F" -f -);
+		fi;
+		if [ -n "${found}" ]; then
+			last_login_date_string=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2);
+			last_login_date=$(echo "${last_login_date_string}" | date +"%s" -f -);
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
-				out_string="[!] last ssh log in ${last_login} days ago";
-				lock_user=1;
+				out_string="[!] Last ssh log in ${last_login} days ago";
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
+			elif [ ${last_login} -gt ${warn_age_login} ]; then
+				out_string="WARN [last ssh login ${last_login} days ago]";
 			else
-				out_string="OK [ssh]";
+				out_string="OK [ssh, ${last_login} days ago]";
 			fi;
-		elif [ ! -z "${last_login_string##*$search*}" ]; then
+			login_source="ssh";
+			# rewrite to Y-M-D, aka
+			last_login_date="${last_login_date_string}"
+		elif [ -n "${last_login_string##*$search*}" ]; then
 			# if we have "** Never logged in**" the user never logged in
 			# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
 			# awk '{for(i=4;i<=NF;++i)printf $i FS}'
@@ -91,44 +230,93 @@ echo "Checking Group    : ${ssh_group}";
 			# date -d "Wed Nov  2 09:40:35 +0900 2022" +%s
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
-				out_string="[!] last terminal log in ${last_login} days ago";
-				lock_user=1;
+				out_string="[!] Last terminal log in ${last_login} days ago";
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
+			elif [ ${last_login} -gt ${warn_age_login} ]; then
+				out_string="WARN [last terminal login ${last_login} days ago]";
 			else
-				out_string="OK [lastlog]";
+				out_string="OK [lastlog, ${last_login} days ago]";
 			fi;
-		elif [ ! -z "${user_create_date}" ]; then
-			user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
-			# if all empty, we continue with only check if user has last login date
-			# else get days since creation
-			#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
-			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+			login_source="lastlog";
+			last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%F %T" -f -)
+		elif [ -n "${user_create_date}" ]; then
 			if [ ${account_age} -gt ${max_age_create} ]; then
-				out_string="[!] Never logged in, account created ${account_age} days ago";
-				lock_user=1;
+				out_string="[!] Never logged in: account created ${account_age} days ago";
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
 			else
-				out_string="OK [first login]";
+				out_string="OK [Never logged in, created ${account_age} days ago]";
 			fi;
+			never_logged_in="true";
 		else
 			out_string="[!!!] Never logged in and we have no create date";
+			never_logged_in="true";
 		fi;
 		# build delete output
-		if [ ${lock_user} = 1 ]; then
+		if [ ${lock_user} -eq 1 ]; then
 			lock_accounts="${lock_accounts} ${username}"
 		fi;
-		printf "* Checking user %-20s: %s\n" "${username}" "${out_string}";
+		case "${OUTPUT_TARGET}" in
+			text)
+				printf "* Checking user %-20s (%-20s): %s\n" "${username}" "${main_group}" "${out_string}";
+				;;
+			json)
+				sub_groups_string="["
+				sub_group_first=1
+				for s_group in $sub_groups; do
+					if [ "${sub_group_first}" = 0 ]; then
+						sub_groups_string="${sub_groups_string},";
+					fi;
+					sub_groups_string="${sub_groups_string}\"${s_group}\"";
+					sub_group_first=0;
+				done;
+				sub_groups_string="${sub_groups_string}]";
+				echo "{";
+				echo '"Username": "'${username}'",';
+				echo '"SshGroup": "'${ssh_group}'",';
+				echo '"MainGroup": "'${main_group}'",';
+				echo '"SubGroups": '${sub_groups_string}',';
+				echo '"AccountCreatedDate": "'${user_create_date_out}'",';
+				echo '"AccountAge": "'${account_age}'",';
+				echo '"LastLoginDate": "'${last_login_date}'",';
+				echo '"LastLoginAge": "'${last_login}'",';
+				echo '"LoginSource": "'${login_source}'",';
+				echo '"NeverLoggedIn": '${never_logged_in}',';
+				echo '"Status": "'${out_string}'"';
+				echo "}";
+				;;
+			csv)
+				printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}"
+				;;
+		esac;
 	done;
 done;
-echo "--------------------->"
-echo "Showing current SSH Reject users:"
-for user in $(cat /etc/group|grep "${ssh_reject_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
-	echo "${user}";
-done;
-if [ ! -z "${lock_accounts}" ]; then
-	echo "--------------------->"
-	echo "% Run script below to move users to reject ssh group";
-	echo "";
-	echo "bin/lock_user.sh ${lock_accounts}";
+if [ "${OUTPUT_TARGET}" = "text" ]; then
+	if [ -n "${lock_accounts}" ]; then
+		echo "--------------------->"
+		echo "% Run script below to move users to reject ssh group";
+		echo "";
+		echo "bin/lock_user.sh ${lock_accounts}";
+	fi;
+	if [ -n "${unlock_accounts}" ]; then
+		echo "--------------------->"
+		echo "% Run script below to move users to allow or forward ssh group";
+		echo "";
+		echo "For ALLOW:"
+		echo "bin/unlock_user.sh -s allow ${unlock_accounts}";
+		echo "";
+		echo "For FORWARDONLY:"
+		echo "bin/unlock_user.sh -s forward ${unlock_accounts}";
+	fi;
+	echo "[END] ===============>"
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
+	# users
+	echo "]";
+	# overall
+	echo "}";
 fi;
-echo "[END] ===============>"
 
 # __END__

bin/collect_login_data.sh

@@ -61,7 +61,8 @@ function parseLog()
 	if [ "${logger}" = "systemd" ]; then
 		# 2022-11-18T20:04:08+0900
 		auth_date=$(echo "${line}" | cut -d " " -f 1);
-		auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+		# Note, instead of cut with dot, remove last dot in line
+		auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | sed -e "s/\.$//");
 	else
 		auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
 		auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);

bin/create_user.sh

@@ -2,13 +2,14 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>|<no login flag>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
 # Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
 # <ssh access type> can be
 # allow (full login access)
 # forward (forward/jump host only)
+# if in this column with pipe (|) the flag "no_login" is set then the default shell will change to "/sbin/nologin"
 # * output file
 # <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
@@ -27,7 +28,7 @@
 # SET TO 1 to TEST [will not create user/group/folder]
 TEST=0; # no actions will be run
 INFO=0; # no creation of anything, just print info strings
-GO=1; # without this flag the script will exit with an info box
+GO=0; # without this flag the script will exit with an info box
 while getopts ":gtih:" opt; do
 	case "${opt}" in
 		g|go)
@@ -87,6 +88,13 @@ if [ ! -d "${HOME_FOLDER}" ]; then
 	echo "Home folder location not found: ${HOME_FOLDER}";
 	error=1;
 fi;
+# allow 10 to 39 length for password
+if [ ! -z "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
+	echo "Password length set error, can only be a value between 10 and 39";
+	error=1;
+elif [ -z ${PASSWORD_LENGTH} ]; then
+	PASSWORD_LENGTH=14;
+fi;
 # home dir error abort
 if [ $error -eq 1 ]; then
 	exit;
@@ -104,6 +112,10 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# login shells
+login_shell="/bin/bash";
+no_login_shell="/sbin/nologin";
+user_login_shell="";
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
@@ -195,8 +207,21 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
-	# POS 4: ssh access type
-	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+	# POS 4: ssh access type and no login flag
+	# no login flag
+	no_login_flag="";
+	# if there is a pipe, check, else ignore
+	if echo "${i}" | cut -d ";" -f 4 | grep -q "|"; then
+		no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 2);
+	fi;
+	# anything set in no login shell flag, we set no login shell
+	if [ -n "${no_login_flag}" ]; then
+		user_login_shell="${no_login_shell}";
+	else
+		user_login_shell="${login_shell}";
+	fi;
+	# ssh access type
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr A-Z a-z | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -214,7 +239,7 @@ while read i; do
 	# check if "," inside and extract sub groups
 	if [ -z "${_group##*,*}" ]; then
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
-		sub_group_opt=" -G ${sub_group}";
+		sub_group_opt=" -G ${ssh_group},${sub_group}";
 	fi;
 	# POS 5: do we have a password preset
 	_password=$(echo "${i}" | cut -d ";" -f 5);
@@ -292,9 +317,9 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
+			useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
 	# set the auth file
@@ -309,7 +334,11 @@ while read i; do
 		# Note we only create a password if we need it
 		# password + store pwgen 10 1 -1
 		if [ -z "${_password}" ]; then
-			password=$(printf "%s" $(pwgen 14 1));
+			password=$(printf "%s" $(pwgen ${PASSWORD_LENGTH} 1));
+		elif [ "${_password}" = "SET_NO_PASSWORD" ]; then
+			# set empty
+			echo "* No password set";
+			password="";
 		else
 			echo "! Override password set";
 			password=${_password};
@@ -348,7 +377,7 @@ while read i; do
 		else
 			create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 		fi;
-		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_allow_type} >> ${create_output_file};
+		echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_access_type} >> ${create_output_file};
 		# create folder only if we do not have central
 		# create the SSH foler and authorized access file with correct permissions
 		if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
@@ -410,14 +439,24 @@ done;
 if [ ${INFO} -eq 1 ]; then
 	exit;
 fi;
+# check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move
+has_pem_files=0;
+if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then
+	has_pem_files=1;
+fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
 if [ ${TEST} -eq 0 ]; then
-	zip -r \
-		"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
-		"${input_file}" \
-		"${output_file}" \
-		"${SSH_KEYGEN_FOLDER}" \
-		-x\*.gitignore;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		zip -r \
+			"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
+			"${input_file}" \
+			"${output_file}" \
+			"${SSH_KEYGEN_FOLDER}" \
+			-x\*.gitignore;
+		echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
+	else
+		echo "Skip ZIP file creation, no pem files";
+	fi;
 else
 	echo "zip -r \\"
 	echo "${ROOT_FOLDER}${output_zip_folder}${output_zip} \\"
@@ -425,15 +464,19 @@ else
 	echo "${output_file} \\"
 	echo "${SSH_KEYGEN_FOLDER} \\"
 	echo "-x\*.gitignore;"
+	echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 fi;
-echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 # cleam up user log file and ssh keys
 if [ ${TEST} -eq 0 ]; then
-	# move pub to created folders
-	mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
-	# delete the rest
-	rm "${ROOT_FOLDER}${output_file}";
-	rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		# move pub to created folders
+		mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
+		# delete the rest
+		rm "${ROOT_FOLDER}${output_file}";
+		rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	else
+		echo "Skip pub file move and cleanup, no pem files";
+	fi;
 else
 	echo "$> mv ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*.pub ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB};";
 	echo "$> rm ${ROOT_FOLDER}${output_file}";

bin/lock_user.sh

@@ -39,7 +39,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"

bin/unlock_user.sh

@@ -53,7 +53,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type