Remove error=1 debug set

set an error flag and check all settings before exit program

Readme.md

@@ -26,6 +26,31 @@ Inside the base folder there are
 - ssh-keygen for temporary holding the PEM/PUB files
 - zip file which holds the created user list, password and PEM/PUB files
 
+## Config
+
+### create_user.sh: create_user.cfg
+
+A `create_user.cfg` can be created to set a differen HOME_LOCATION and PASSWORD_LENGTH values
+
+eg:
+
+```ini
+HOME_LOCATION="/storage"
+PASSWORD_LENGTH=14
+```
+
+### authorized_key_location_change.sh: authorized_key_location_change.ignore
+
+For this script a `authorized_key_location_change.ignore` with a list of user names to ignore for the
+move
+
+eg:
+
+```ini
+foo_user
+bar_user
+```
+
 ## Options
 
 ### -g (go)
@@ -297,13 +322,8 @@ some.host,name_b,staff,sshallow,2021-11-15,767,2023-12-20 22:18:36,1,ssh,false,O
       "SubGroups": [
         "sudo",
         "users",
-        "ikea",
-        "harley",
-        "aeon",
-        "primaham",
-        "nisshin",
-        "nissan",
-        "pfizer"
+        "group_a",
+        "group_b",
       ],
       "AccountCreatedDate": "2021-11-15",
       "AccountAge": "767",

bin/check_last_login.sh

@@ -27,12 +27,24 @@ LOG="${BASE_FOLDER}/../log";
 # auth log file user;date from collect_login_data script
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 
+error=0;
 if [ $(whoami) != "root" ]; then
 	echo "Script must be run as root user";
-	exit;
+	error=1;
 fi;
 if [ ! -d "${LOG}" ]; then
 	echo "log folder ${LOG} not found";
+	error=1;
+fi;
+if [ -z $(command -v curl) ]; then
+	echo "Missing curl application, aborting";
+	error=1;
+fi;
+if [ -z $(command -v jq) ]; then
+	echo "Missing jq application, aborting";
+	error=1;
+fi;
+if [ $error -eq 1 ]; then
 	exit;
 fi;
 # option 1 in list
@@ -45,25 +57,41 @@ case "${1,,}" in
 		echo "{";
 		;;
 	csv)
+		CSV_LINE="%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n";
 		OUTPUT_TARGET="csv";
-		echo "Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Never Logged In,Login Source,Status";
+		echo "Account ID,Region,Instance ID,Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Never Logged In,Login Source,Status";
 		;;
 	*)
 		OUTPUT_TARGET="text";
 		;;
 esac;
 
-if [ "${OUTPUT_TARGET}" == "text" ]; then
+# collect info via: curl http://169.254.169.254/latest/meta-data/
+instance_data=$(
+	TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` &&
+	curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
+)
+instance_id=$(echo "${instance_data}" | jq .instanceId)
+account_id=$(echo "${instance_data}" | jq .accountId)
+region=$(echo "${instance_data}" | jq .region)
+
+if [ "${OUTPUT_TARGET}" = "text" ]; then
 	LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
 	exec &> >(tee -a "${LOG}");
 	echo "[START] =============>";
+	echo "AWS ID             : ${account_id}";
+	echo "Region             : ${region}";
+	echo "Instance ID        : ${instance_id}";
 	echo "Hostname           : "$(hostname);
 	echo "Run date           : "$(date +"%F %T");
 	echo "Max age last login : ${max_age_login} days";
 	echo "Warn age last login: ${warn_age_login} days";
 	echo "Max age no login   : ${max_age_create} days";
-elif [ "${OUTPUT_TARGET}" == "json" ]; then
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
 	echo '"Info": {'
+	echo '"AccountId": '${account_id}',';
+	echo '"Region": '${region}',';
+	echo '"InstanceId": '${instance_id}',';
 	echo '"Hostname": "'$(hostname)'",';
 	echo '"Date": "'$(date +"%F %T")'",';
 	echo '"MaxAgeLogin": '${max_age_login}',';
@@ -73,9 +101,9 @@ elif [ "${OUTPUT_TARGET}" == "json" ]; then
 	echo '"Users": ['
 fi;
 for ssh_group in ${ssh_groups[@]}; do
-	if [ "${OUTPUT_TARGET}" == "text" ]; then
+	if [ "${OUTPUT_TARGET}" = "text" ]; then
 		echo "--------------------->"
-		if [ "${ssh_group}" == "${ssh_reject_group}" ]; then
+		if [ "${ssh_group}" = "${ssh_reject_group}" ]; then
 			echo "Showing current SSH Reject users:";
 			unlock_flag=1
 		else
@@ -106,13 +134,13 @@ for ssh_group in ${ssh_groups[@]}; do
 					echo "}";
 					;;
 				csv)
-					printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n" "$(hostname)" "${username}" "" "${ssh_group}" "" "" "" "" "true" "${out_string}"
+					printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "" "${ssh_group}" "" "" "" "" "true" "${out_string}"
 					;;
 			esac;
 			continue;
 		fi;
 		# for json output, we need , between outputs
-		if [ "${OUTPUT_TARGET}" == "json" ] && [ $first_run -eq 0 ]; then
+		if [ "${OUTPUT_TARGET}" = "json" ] && [ $first_run -eq 0 ]; then
 			echo ",";
 		fi;
 		first_run=0;
@@ -131,14 +159,25 @@ for ssh_group in ${ssh_groups[@]}; do
 		# check user create time, if we have set it in comment
 		user_create_date_string=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 5);
 		# if empty try last password set time
-		if [ -z "${user_create_date_string}" ]; then
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
 			# user L 11/09/2020 0 99999 7 -1
 			user_create_date_string=$(passwd -S ${username} | cut -d " " -f 3);
 		fi;
 		# last try is user home .bash_logout
-		if [ -z "${user_create_date_string}" ]; then
-			home_dir=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
-			user_create_date_string=$(stat -c %Z "${home_dir}");
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			# try logout or bash history
+			home_dir_bl=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_logout";
+			home_dir_bh=$(cat /etc/passwd | grep "${username}:" | cut -d ":" -f 6)"/.bash_history";
+			# check that this file exists
+			if [ -f "${home_dir_bl}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bl}");
+			elif [ -f "${home_dir_bh}" ]; then
+				user_create_date_string=$(stat -c %Z "${home_dir_bh}");
+			fi;
+		fi;
+		# still no date -> set empty
+		if ! [[ "${user_create_date_string}" =~ ^\d{4}-\d{2}-\{2} ]]; then
+			user_create_date_string="";
 		fi;
 
 		# below only works if the user logged in, a lot of them are just file upload
@@ -158,7 +197,7 @@ for ssh_group in ${ssh_groups[@]}; do
 			found=$(grep "${username};" "${AUTH_LOG}");
 		fi;
 		# always pre work account dates if they exist, but output only if text
-		if [ -z "${found}" ] && [ ! -z "${user_create_date_string}" ]; then
+		if [ ! -z "${user_create_date_string}" ]; then
 			user_create_date=$(echo "${user_create_date_string}" | date +"%s" -f -);
 			# if all empty, we continue with only check if user has last login date
 			# else get days since creation
@@ -172,9 +211,11 @@ for ssh_group in ${ssh_groups[@]}; do
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
 				out_string="[!] last ssh log in ${last_login} days ago";
-				lock_user=1;
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
 			elif [ ${last_login} -gt ${warn_age_login} ]; then
-				out_string="OK [last ssh login ${last_login} days ago";
+				out_string="OK [last ssh login ${last_login} days ago]";
 			else
 				out_string="OK [ssh]";
 			fi;
@@ -190,9 +231,11 @@ for ssh_group in ${ssh_groups[@]}; do
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
 				out_string="[!] last terminal log in ${last_login} days ago";
-				lock_user=1;
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
 			elif [ ${last_login} -gt ${warn_age_login} ]; then
-				out_string="OK [last terminal login ${last_login} days ago";
+				out_string="OK [last terminal login ${last_login} days ago]";
 			else
 				out_string="OK [lastlog]";
 			fi;
@@ -201,7 +244,9 @@ for ssh_group in ${ssh_groups[@]}; do
 		elif [ ! -z "${user_create_date}" ]; then
 			if [ ${account_age} -gt ${max_age_create} ]; then
 				out_string="[!] Never logged in: account created ${account_age} days ago";
-				lock_user=1;
+				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
+					lock_user=1;
+				fi;
 			else
 				out_string="OK [Never logged in]";
 			fi;
@@ -211,7 +256,7 @@ for ssh_group in ${ssh_groups[@]}; do
 			never_logged_in="true";
 		fi;
 		# build delete output
-		if [ ${lock_user} = 1 ]; then
+		if [ ${lock_user} -eq 1 ]; then
 			lock_accounts="${lock_accounts} ${username}"
 		fi;
 		case "${OUTPUT_TARGET}" in
@@ -222,7 +267,7 @@ for ssh_group in ${ssh_groups[@]}; do
 				sub_groups_string="["
 				sub_group_first=1
 				for s_group in $sub_groups; do
-					if [ "${sub_group_first}" == 0 ]; then
+					if [ "${sub_group_first}" = 0 ]; then
 						sub_groups_string="${sub_groups_string},";
 					fi;
 					sub_groups_string="${sub_groups_string}\"${s_group}\"";
@@ -244,12 +289,12 @@ for ssh_group in ${ssh_groups[@]}; do
 				echo "}";
 				;;
 			csv)
-				printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}"
+				printf "${CSV_LINE}" "${account_id}" "${region}" "${instance_id}" "$(hostname)" "${username}" "${main_group}" "${ssh_group}" "${user_create_date_out}" "${account_age}" "${last_login_date}" "${last_login}" "${never_logged_in}" "${login_source}" "${out_string}"
 				;;
 		esac;
 	done;
 done;
-if [ "${OUTPUT_TARGET}" == "text" ]; then
+if [ "${OUTPUT_TARGET}" = "text" ]; then
 	if [ ! -z "${lock_accounts}" ]; then
 		echo "--------------------->"
 		echo "% Run script below to move users to reject ssh group";
@@ -261,13 +306,13 @@ if [ "${OUTPUT_TARGET}" == "text" ]; then
 		echo "% Run script below to move users to allow or forward ssh group";
 		echo "";
 		echo "For ALLOW:"
-		echo "bin/unlock_user.sh -s allow ${lock_accounts}";
+		echo "bin/unlock_user.sh -s allow ${unlock_accounts}";
 		echo "";
 		echo "For FORWARDONLY:"
-		echo "bin/unlock_user.sh -s forward ${lock_accounts}";
+		echo "bin/unlock_user.sh -s forward ${unlock_accounts}";
 	fi;
 	echo "[END] ===============>"
-elif [ "${OUTPUT_TARGET}" == "json" ]; then
+elif [ "${OUTPUT_TARGET}" = "json" ]; then
 	# users
 	echo "]";
 	# overall

bin/create_user.sh

@@ -87,6 +87,13 @@ if [ ! -d "${HOME_FOLDER}" ]; then
 	echo "Home folder location not found: ${HOME_FOLDER}";
 	error=1;
 fi;
+# allow 10 to 39 length for password
+if [ ! -z "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
+	echo "Password length set error, can only be a value between 10 and 39";
+	error=1;
+elif [ -z ${PASSWORD_LENGTH} ]; then
+	PASSWORD_LENGTH=14;
+fi;
 # home dir error abort
 if [ $error -eq 1 ]; then
 	exit;
@@ -309,7 +316,11 @@ while read i; do
 		# Note we only create a password if we need it
 		# password + store pwgen 10 1 -1
 		if [ -z "${_password}" ]; then
-			password=$(printf "%s" $(pwgen 14 1));
+			password=$(printf "%s" $(pwgen ${PASSWORD_LENGTH} 1));
+		elif [ "${_password}" = "SET_NO_PASSWORD" ]; then
+			# set empty
+			echo "* No password set";
+			password="";
 		else
 			echo "! Override password set";
 			password=${_password};

bin/lock_user.sh

@@ -39,7 +39,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"

bin/unlock_user.sh

@@ -53,7 +53,7 @@ if [ -z $(cat /etc/group | grep "${ssh_reject_group}:") ]; then
 	exit;
 fi;
 ssh_allow_group="sshallow";
-ssh_forward_group="sshfoward";
+ssh_forward_group="sshforward";
 user_group_tpl="gpasswd -d %s %s\ngpasswd -a %s %s\n";
 
 echo "--------------------->"