Add Hostname to the check user data script

Logging of all output to log/ folder for check last login script user.
Also for delete, user script now outputs move from ssh allow to ssh
reject group.

bin/check_last_login.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+# Checks for last access of users in sshallow group
+# if user login >30days, remoe user from sshallow group and write log
+
+# base folder
+BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+# which group holds the ssh allowed login users (outside of admin users)
+ssh_group='sshallow';
+ssh_reject_group='sshreject';
+# date now for compare
+now=$(date +"%s");
+# max age for last login or account create without login
+max_age_login=60;
+max_age_create=30;
+# one day in seconds
+day=86400;
+# delete account strings
+delete_accounts="";
+user_group_tpl="deluser %s %s;adduser %s %s;";
+# log base folder
+LOG="${BASE_FOLDER}/../log";
+
+if [ $(whoami) != "root" ]; then
+	echo "Script must be run as root user";
+	exit;
+fi;
+if [ ! -d "${LOG}" ]; then
+	echo "log folder ${LOG} not found";
+	exit;
+fi;
+LOG="${LOG}/check_ssh_user."$(date +"%F_%H%m%S")".log";
+exec &> >(tee -a "${LOG}");
+echo "[START] =============>";
+echo "Hostname          : "$(hostname);
+echo "Run date          : "$(date +"%F %T");
+echo "Max age last login: ${max_age_login} days";
+echo "Max age no login  : ${max_age_create} days";
+for user in $(cat /etc/group|grep "${ssh_group}:" | cut -d ":" -f 4 | sed -e 's/,/ /g'); do
+# for user in clemens test42; do
+	account_age=0;
+	delete_user=0;
+	out_string="";
+	#echo "* Checking user ${user}";
+	# check user create time, if we have set it in comment
+	user_create_date=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 5);
+	# if empty try last password set time
+	if [ -z "${user_create_date}" ]; then
+		# user L 11/09/2020 0 99999 7 -1
+		user_create_date=$(passwd -S ${user} | cut -d " " -f 3);
+	fi;
+	# last try is user home .bash_logout
+	if [ -z "${user_create_date}" ]; then
+		home_dir=$(cat /etc/passwd | grep "${user}:" | cut -d ":" -f 6)"/.bash_logout";
+		user_create_date=$(stat -c %Z "${home_dir}");
+	fi;
+	# Username         Port     From             Latest
+	# user             pts/35   10.110.160.230   Wed Nov  2 09:40:35 +0900 2022
+	last_login_string=$(lastlog -u ${user} | sed 1d);
+	search="Never logged in";
+	# if we have "** Never logged in**" the user never logged in
+	if [ ! -z "${last_login_string##*$search*}" ]; then
+		# find \w{3} \w{3} [\s\d]{2} \d{2}:\d{2}:\d{2} \+\d{4} \d{4}
+		# awk '{for(i=4;i<=NF;++i)printf $i FS}'
+		last_login_date=$(echo "${last_login_string}" | awk '{for(i=4;i<=NF;++i)printf $i FS}' | date +"%s" -f -);
+		# date -d "Wed Nov  2 09:40:35 +0900 2022" +%s
+		last_login=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${last_login_date} ${day}");
+		if [ ${last_login} -gt ${max_age_login} ]; then
+			out_string="[!] last logged in ${last_login} days ago";
+			delete_user=1;
+		else
+			out_string="OK";
+		fi;
+	elif [ ! -z "${user_create_date}" ]; then
+		user_create_date=$(echo "${user_create_date}" | date +"%s" -f -);
+		# if all empty, we continue with only check if user has last login date
+		# else get days since creation
+		#account_age=$[ ($(date +"%s")-$(date -d "${user_create_date}" +"%s"))/24 ];
+		account_age=$(awk '{printf("%.0f\n",($1-$2)/$3)}' <<<"${now} ${user_create_date} ${day}");
+		if [ ${account_age} -gt ${max_age_create} ]; then
+			out_string="[!] Never logged in, account created ${account_age} days ago";
+			delete_user=1;
+		else
+			out_string="OK";
+		fi;
+	else
+		out_string="[!!!] Never logged in and we have no create date";
+	fi;
+	# build delete output
+	if [ ${delete_user} = 1 ]; then
+		delete_accounts="${delete_accounts}"$(printf "${user_group_tpl}" "${user}" "${ssh_group}" "${user}" "${ssh_reject_group}")$'\n';
+	fi;
+	printf "* Checking user %-20s: %s\n" "${user}" "${out_string}";
+done;
+if [ ! -z "${delete_accounts}" ]; then
+	echo "--------------------->"
+	echo "% Run list below to move users to reject ssh group";
+	echo "";
+	echo "${delete_accounts}";
+fi;
+echo "[END] ===============>"
+
+# __END__

bin/user_create.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # * input file
 # user_list.txt
@@ -36,18 +36,19 @@ while getopts ":ti" opt; do
 done;
 # hostname for output file only
 host=$(hostname);
-timesamp=$(date +%Y%m%d-%H%M%S)
+timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
 root_folder=$(pwd)'/';
 input_file='user_list.txt';
-output_file="user_password.${timesamp}.txt";
+output_file="user_password.${timestamp}.txt";
 output_zip_folder='zip/';
-output_zip="users.${timesamp}.zip"
+output_zip="users.${timestamp}.zip"
 ssh_keygen_folder='ssh-keygen/';
 ssh_keygen_folder_created_pub='ssh-keygen-created-pub/';
 ssh_keytype='ed25519';
+ssh_group='sshallow';
 # check if ssh key folder exists
 if [ ! -d "${root_folder}${ssh_keygen_folder}" ]; then
 	mkdir "${root_folder}${ssh_keygen_folder}";
@@ -66,11 +67,17 @@ if [ ! command -v zip &> /dev/null ]; then
 	echo "Missing zip application, aborting";
 	exit;
 fi;
+# check if sshallow group exists
+if [ -z $(cat /etc/group|grep "${ssh_group}:") ]; then
+	echo "Missing ssh access group: ${ssh_group}";
+	exit;
+fi;
 # check if user list file exists
 if [ ! -f "${root_folder}${input_file}" ]; then
 	echo "Missing ${root_folder}${input_file}";
 	exit;
 fi;
+exit;
 # make sure my own folder is owned by root and 600 (except for testing)
 if [ $(stat -c %a .) != "600" ]; then
 	echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
@@ -95,7 +102,8 @@ while read i; do
 	_group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
 	group=$(echo "${_group}" | cut -d "," -f 1);
 	sub_group="";
-	sub_group_opt="";
+	# sshallow group is always added
+	sub_group_opt=" -G ${ssh_group}";
 	# check if "," inside and extract sub groups
 	if [ -z "${_group##*,*}" ]; then
 		sub_group=$(echo "${_group}" | cut -d "," -f 2-);
@@ -136,7 +144,7 @@ while read i; do
 		if getent passwd ${user} > /dev/null 2>&1; then
 			echo -n ", User exists";
 		fi;
-		if [ -f "${ssh_keyfile_pub}" ]; then
+		if [ -f "${ssh_keyfile_check_pub}" ]; then
 			echo -n ", SSH Pub key OK";
 		fi;
 		# line break
@@ -158,7 +166,8 @@ while read i; do
 	else
 		echo "++ Create '${user}:${group}(${sub_group})'";
 		if [ ${TEST} -eq 0 ]; then
-			useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
+			# comment is user create time
+			useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -m ${user};
 		else
 			echo "$> useradd -s /bin/bash -g ${group}${sub_group_opt} -m ${user}";
 		fi;
@@ -255,3 +264,5 @@ else
 	echo "$> rm ${root_folder}${output_file}";
 	echo "$> rm ${root_folder}${ssh_keygen_folder}*";
 fi;
+
+# __END__

log/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore