Text fix for error strings in last login check

if WARN then write WARN instead of OK.
Add day numbers if OK

Some minor shellscript updates

.shellcheckrc

@@ -0,0 +1,2 @@
+shell=bash
+external-sources=true

Readme.md

@@ -26,6 +26,31 @@ Inside the base folder there are
 - ssh-keygen for temporary holding the PEM/PUB files
 - zip file which holds the created user list, password and PEM/PUB files
 
+## Config
+
+### create_user.sh: create_user.cfg
+
+A `create_user.cfg` can be created to set a differen HOME_LOCATION and PASSWORD_LENGTH values
+
+eg:
+
+```ini
+HOME_LOCATION="/storage"
+PASSWORD_LENGTH=14
+```
+
+### authorized_key_location_change.sh: authorized_key_location_change.ignore
+
+For this script a `authorized_key_location_change.ignore` with a list of user names to ignore for the
+move
+
+eg:
+
+```ini
+foo_user
+bar_user
+```
+
 ## Options
 
 ### -g (go)

bin/check_last_login.sh

@@ -4,7 +4,7 @@
 # if user login >30days, remoe user from sshallow group and write log
 
 # base folder
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # which groups holds the ssh allowed login users (outside of admin users)
 ssh_groups=('sshforward' 'sshallow' 'sshreject');
 ssh_reject_group='sshreject';
@@ -27,13 +27,14 @@ LOG="${BASE_FOLDER}/../log";
 # auth log file user;date from collect_login_data script
 AUTH_LOG="${BASE_FOLDER}/../auth-log/user_auth.log";
 
+error=0;
 if [ $(whoami) != "root" ]; then
 	echo "Script must be run as root user";
-	exit;
+	error=1;
 fi;
 if [ ! -d "${LOG}" ]; then
 	echo "log folder ${LOG} not found";
-	exit;
+	error=1;
 fi;
 if [ -z $(command -v curl) ]; then
 	echo "Missing curl application, aborting";
@@ -43,6 +44,9 @@ if [ -z $(command -v jq) ]; then
 	echo "Missing jq application, aborting";
 	error=1;
 fi;
+if [ $error -eq 1 ]; then
+	exit;
+fi;
 # option 1 in list
 case "${1,,}" in
 	text)
@@ -64,7 +68,7 @@ esac;
 
 # collect info via: curl http://169.254.169.254/latest/meta-data/
 instance_data=$(
-	TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` &&
+	TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") &&
 	curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
 )
 instance_id=$(echo "${instance_data}" | jq .instanceId)
@@ -72,22 +76,22 @@ account_id=$(echo "${instance_data}" | jq .accountId)
 region=$(echo "${instance_data}" | jq .region)
 
 if [ "${OUTPUT_TARGET}" = "text" ]; then
-	LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
+	LOG="${LOG}/check_ssh_user.$(date +"%F_%H%m%S").log";
 	exec &> >(tee -a "${LOG}");
 	echo "[START] =============>";
 	echo "AWS ID             : ${account_id}";
 	echo "Region             : ${region}";
 	echo "Instance ID        : ${instance_id}";
-	echo "Hostname           : "$(hostname);
-	echo "Run date           : "$(date +"%F %T");
+	echo "Hostname           : $(hostname)";
+	echo "Run date           : $(date +"%F %T")";
 	echo "Max age last login : ${max_age_login} days";
 	echo "Warn age last login: ${warn_age_login} days";
 	echo "Max age no login   : ${max_age_create} days";
 elif [ "${OUTPUT_TARGET}" = "json" ]; then
 	echo '"Info": {'
-	echo '"AccountId": "'${account_id}'",';
-	echo '"Region": "'${region}'",';
-	echo '"InstanceId": "'${instance_id}'",';
+	echo '"AccountId": '${account_id}',';
+	echo '"Region": '${region}',';
+	echo '"InstanceId": '${instance_id}',';
 	echo '"Hostname": "'$(hostname)'",';
 	echo '"Date": "'$(date +"%F %T")'",';
 	echo '"MaxAgeLogin": '${max_age_login}',';
@@ -193,7 +197,7 @@ for ssh_group in ${ssh_groups[@]}; do
 			found=$(grep "${username};" "${AUTH_LOG}");
 		fi;
 		# always pre work account dates if they exist, but output only if text
-		if [ ! -z "${user_create_date_string}" ]; then
+		if [ -n "${user_create_date_string}" ]; then
 			user_create_date=$(echo "${user_create_date_string}" | date +"%s" -f -);
 			# if all empty, we continue with only check if user has last login date
 			# else get days since creation
@@ -201,24 +205,24 @@ for ssh_group in ${ssh_groups[@]}; do
 			account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
 			user_create_date_out=$(echo "${user_create_date_string}" | date +"%F" -f -);
 		fi;
-		if [ ! -z "${found}" ]; then
+		if [ -n "${found}" ]; then
 			last_login_date_string=$(grep "${username};" "${AUTH_LOG}" | cut -d ";" -f 2);
-			last_login_date=$(echo "${last_login_date}" | date +"%s" -f -);
+			last_login_date=$(echo "${last_login_date_string}" | date +"%s" -f -);
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
-				out_string="[!] last ssh log in ${last_login} days ago";
+				out_string="[!] Last ssh log in ${last_login} days ago";
 				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
 					lock_user=1;
 				fi;
 			elif [ ${last_login} -gt ${warn_age_login} ]; then
-				out_string="OK [last ssh login ${last_login} days ago]";
+				out_string="WARN [last ssh login ${last_login} days ago]";
 			else
-				out_string="OK [ssh]";
+				out_string="OK [ssh, ${last_login} days ago]";
 			fi;
 			login_source="ssh";
 			# rewrite to Y-M-D, aka
 			last_login_date="${last_login_date_string}"
-		elif [ ! -z "${last_login_string##*$search*}" ]; then
+		elif [ -n "${last_login_string##*$search*}" ]; then
 			# if we have "** Never logged in**" the user never logged in
 			# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
 			# awk '{for(i=4;i<=NF;++i)printf $i FS}'
@@ -226,25 +230,25 @@ for ssh_group in ${ssh_groups[@]}; do
 			# date -d "Wed Nov  2 09:40:35 +0900 2022" +%s
 			last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
 			if [ ${last_login} -gt ${max_age_login} ]; then
-				out_string="[!] last terminal log in ${last_login} days ago";
+				out_string="[!] Last terminal log in ${last_login} days ago";
 				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
 					lock_user=1;
 				fi;
 			elif [ ${last_login} -gt ${warn_age_login} ]; then
-				out_string="OK [last terminal login ${last_login} days ago]";
+				out_string="WARN [last terminal login ${last_login} days ago]";
 			else
-				out_string="OK [lastlog]";
+				out_string="OK [lastlog, ${last_login} days ago]";
 			fi;
 			login_source="lastlog";
 			last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%F %T" -f -)
-		elif [ ! -z "${user_create_date}" ]; then
+		elif [ -n "${user_create_date}" ]; then
 			if [ ${account_age} -gt ${max_age_create} ]; then
 				out_string="[!] Never logged in: account created ${account_age} days ago";
 				if [ "${ssh_group}" != "${ssh_reject_group}" ]; then
 					lock_user=1;
 				fi;
 			else
-				out_string="OK [Never logged in]";
+				out_string="OK [Never logged in, created ${account_age} days ago]";
 			fi;
 			never_logged_in="true";
 		else
@@ -291,13 +295,13 @@ for ssh_group in ${ssh_groups[@]}; do
 	done;
 done;
 if [ "${OUTPUT_TARGET}" = "text" ]; then
-	if [ ! -z "${lock_accounts}" ]; then
+	if [ -n "${lock_accounts}" ]; then
 		echo "--------------------->"
 		echo "% Run script below to move users to reject ssh group";
 		echo "";
 		echo "bin/lock_user.sh ${lock_accounts}";
 	fi;
-	if [ ! -z "${unlock_accounts}" ]; then
+	if [ -n "${unlock_accounts}" ]; then
 		echo "--------------------->"
 		echo "% Run script below to move users to allow or forward ssh group";
 		echo "";

bin/create_user.sh

@@ -2,13 +2,14 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>|<no login flag>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
 # Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
 # <ssh access type> can be
 # allow (full login access)
 # forward (forward/jump host only)
+# if in this column with pipe (|) the flag "no_login" is set then the default shell will change to "/sbin/nologin"
 # * output file
 # <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
@@ -87,6 +88,13 @@ if [ ! -d "${HOME_FOLDER}" ]; then
 	echo "Home folder location not found: ${HOME_FOLDER}";
 	error=1;
 fi;
+# allow 10 to 39 length for password
+if [ ! -z "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
+	echo "Password length set error, can only be a value between 10 and 39";
+	error=1;
+elif [ -z ${PASSWORD_LENGTH} ]; then
+	PASSWORD_LENGTH=14;
+fi;
 # home dir error abort
 if [ $error -eq 1 ]; then
 	exit;
@@ -104,6 +112,10 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# login shells
+login_shell="/bin/bash";
+no_login_shell="/sbin/nologin";
+user_login_shell="";
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
@@ -195,8 +207,21 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
-	# POS 4: ssh access type
-	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+	# POS 4: ssh access type and no login flag
+	# no login flag
+	no_login_flag="";
+	# if there is a pipe, check, else ignore
+	if echo "${i}" | cut -d ";" -f 4 | grep -q "|"; then
+		no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 2);
+	fi;
+	# anything set in no login shell flag, we set no login shell
+	if [ -n "${no_login_flag}" ]; then
+		user_login_shell="${no_login_shell}";
+	else
+		user_login_shell="${login_shell}";
+	fi;
+	# ssh access type
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr A-Z a-z | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -214,7 +239,7 @@ while read i; do
 	# check if "," inside and extract sub groups
 	if [ -z "${_group##*,*}" ]; then
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
-		sub_group_opt=" -G ${sub_group}";
+		sub_group_opt=" -G ${ssh_group},${sub_group}";
 	fi;
 	# POS 5: do we have a password preset
 	_password=$(echo "${i}" | cut -d ";" -f 5);
@@ -292,9 +317,9 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
+			useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
 	# set the auth file
@@ -309,7 +334,11 @@ while read i; do
 		# Note we only create a password if we need it
 		# password + store pwgen 10 1 -1
 		if [ -z "${_password}" ]; then
-			password=$(printf "%s" $(pwgen 14 1));
+			password=$(printf "%s" $(pwgen ${PASSWORD_LENGTH} 1));
+		elif [ "${_password}" = "SET_NO_PASSWORD" ]; then
+			# set empty
+			echo "* No password set";
+			password="";
 		else
 			echo "! Override password set";
 			password=${_password};
@@ -410,14 +439,24 @@ done;
 if [ ${INFO} -eq 1 ]; then
 	exit;
 fi;
+# check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move
+has_pem_files=0;
+if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then
+	has_pem_files=1;
+fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
 if [ ${TEST} -eq 0 ]; then
-	zip -r \
-		"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
-		"${input_file}" \
-		"${output_file}" \
-		"${SSH_KEYGEN_FOLDER}" \
-		-x\*.gitignore;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		zip -r \
+			"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
+			"${input_file}" \
+			"${output_file}" \
+			"${SSH_KEYGEN_FOLDER}" \
+			-x\*.gitignore;
+		echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
+	else
+		echo "Skip ZIP file creation, no pem files";
+	fi;
 else
 	echo "zip -r \\"
 	echo "${ROOT_FOLDER}${output_zip_folder}${output_zip} \\"
@@ -425,15 +464,19 @@ else
 	echo "${output_file} \\"
 	echo "${SSH_KEYGEN_FOLDER} \\"
 	echo "-x\*.gitignore;"
+	echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 fi;
-echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 # cleam up user log file and ssh keys
 if [ ${TEST} -eq 0 ]; then
-	# move pub to created folders
-	mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
-	# delete the rest
-	rm "${ROOT_FOLDER}${output_file}";
-	rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		# move pub to created folders
+		mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
+		# delete the rest
+		rm "${ROOT_FOLDER}${output_file}";
+		rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	else
+		echo "Skip pub file move and cleanup, no pem files";
+	fi;
 else
 	echo "$> mv ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*.pub ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB};";
 	echo "$> rm ${ROOT_FOLDER}${output_file}";

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type