Add login shell type select (bash login or no login), fix ssh base groups

no ssh allow/forward/reject base group was set if an optional sub group was set

Add possibility to chose no login when setting the ssh access type to "...|no_login"

.shellcheckrc

@@ -0,0 +1,2 @@
+shell=bash
+external-sources=true

bin/create_user.sh

@@ -2,13 +2,14 @@
 
 # * input file
 # user_list.txt
-# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>;[override password];[override hostname];[override ssh key type]
+# <ignored id>;<user name>;<group>[,sub group,sub group];<ssh access type>|<no login flag>;[override password];[override hostname];[override ssh key type]
 # lines with # are skipped
 # already created users are skipped
 # Mandatory: <ignored id>;<user name>;<group>;<ssh access type>
 # <ssh access type> can be
 # allow (full login access)
 # forward (forward/jump host only)
+# if in this column with pipe (|) the flag "no_login" is set then the default shell will change to "/sbin/nologin"
 # * output file
 # <date>;<target connect host name>;<hostname>;<username>;<password>;<ssh access type>
 # If already existing PEM key is used then <password> is [ALREADY SET]
@@ -111,6 +112,10 @@ ssh_keytype='';
 # sshallow or sshforward
 ssh_group='';
 ssh_forward_ok=0;
+# login shells
+login_shell="/bin/bash";
+no_login_shell="/sbin/nologin";
+user_login_shell="";
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
@@ -202,8 +207,21 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
-	# POS 4: ssh access type
-	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+	# POS 4: ssh access type and no login flag
+	# no login flag
+	no_login_flag="";
+	# if there is a pipe, check, else ignore
+	if echo "${i}" | cut -d ";" -f 4 | grep -q "|"; then
+		no_login_flag=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 2);
+	fi;
+	# anything set in no login shell flag, we set no login shell
+	if [ -n "${no_login_flag}" ]; then
+		user_login_shell="${no_login_shell}";
+	else
+		user_login_shell="${login_shell}";
+	fi;
+	# ssh access type
+	ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | cut -d "|" -f 1 | tr A-Z a-z | tr -d ' ');
 	# if not allow or forward, set to access
 	if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 		echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
@@ -221,7 +239,7 @@ while read i; do
 	# check if "," inside and extract sub groups
 	if [ -z "${_group##*,*}" ]; then
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
-		sub_group_opt=" -G ${sub_group}";
+		sub_group_opt=" -G ${ssh_group},${sub_group}";
 	fi;
 	# POS 5: do we have a password preset
 	_password=$(echo "${i}" | cut -d ";" -f 5);
@@ -299,9 +317,9 @@ while read i; do
 		echo "++ Create '${username}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
 			# comment is user create time
-			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
+			useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
 		else
-			echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
+			echo "$> useradd -c `date +"%F"` -s "${user_login_shell}" -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
 		fi;
 	fi;
 	# set the auth file
@@ -421,14 +439,24 @@ done;
 if [ ${INFO} -eq 1 ]; then
 	exit;
 fi;
+# check if there are any files in the SSH_KEYGEN_FOLDER, else skip zip file creation and file move
+has_pem_files=0;
+if (shopt -s nullglob dotglob; f=("${SSH_KEYGEN_FOLDER}"*".pem"*); ((${#f[@]}))); then
+	has_pem_files=1;
+fi;
 # zip everything and remove data in ssh key folder, delete output file with passwords
 if [ ${TEST} -eq 0 ]; then
-	zip -r \
-		"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
-		"${input_file}" \
-		"${output_file}" \
-		"${SSH_KEYGEN_FOLDER}" \
-		-x\*.gitignore;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		zip -r \
+			"${ROOT_FOLDER}${output_zip_folder}${output_zip}" \
+			"${input_file}" \
+			"${output_file}" \
+			"${SSH_KEYGEN_FOLDER}" \
+			-x\*.gitignore;
+		echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
+	else
+		echo "Skip ZIP file creation, no pem files";
+	fi;
 else
 	echo "zip -r \\"
 	echo "${ROOT_FOLDER}${output_zip_folder}${output_zip} \\"
@@ -436,15 +464,19 @@ else
 	echo "${output_file} \\"
 	echo "${SSH_KEYGEN_FOLDER} \\"
 	echo "-x\*.gitignore;"
+	echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 fi;
-echo "Download: ${ROOT_FOLDER}${output_zip_folder}${output_zip}";
 # cleam up user log file and ssh keys
 if [ ${TEST} -eq 0 ]; then
-	# move pub to created folders
-	mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
-	# delete the rest
-	rm "${ROOT_FOLDER}${output_file}";
-	rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	if [ "${has_pem_files}" -eq 1 ]; then
+		# move pub to created folders
+		mv "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*.pub "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB}";
+		# delete the rest
+		rm "${ROOT_FOLDER}${output_file}";
+		rm "${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}"*;
+	else
+		echo "Skip pub file move and cleanup, no pem files";
+	fi;
 else
 	echo "$> mv ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER}*.pub ${ROOT_FOLDER}${SSH_KEYGEN_FOLDER_CREATED_PUB};";
 	echo "$> rm ${ROOT_FOLDER}${output_file}";

user_list.txt-sample

@@ -1 +1 @@
-#user_id;user_name;group,subgroup;ssh access type;override password;override hostname;override ssh type
+#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type