#!/usr/bin/env bash # check if we need to move the users authorized keys to the central location TEST=0; SKIP_USERS=(); while getopts ":tis:" opt; do case "${opt}" in t|test) TEST=1; ;; s|skip) SKIP_USERS+=("${OPTARG}"); ;; \?) echo -e "\n Option does not exist: ${OPTARG}\n"; echo "Use -t for test and -s for users to skip"; exit 1; ;; esac; done; # check if authorized keys is actually enabled # detect ssh authorized_keys setting SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''; SSH_AUTHORIZED_FILE=''; for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do if [ ! -z $(echo "${cf}" | grep "%u") ]; then SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//'); if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; exit; fi; fi; done; if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then echo "No central authorized_keys file detected, no change check needed"; exit; fi; echo "SSH Authorized Files folder: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}"; PRINTF_INFO="%-8s [%3s]: %-25s: %s\n"; # list of user accounts we will never touch NO_ACTION=(root admin ec2-user ubuntu); # loop over passwd file # if not in no action then check if .ssh/authorized_keys file exists cat /etc/passwd | cut -d ":" -f 1,6 | while read user_home; do username=$(echo "${user_home}" | cut -d ":" -f 1); # skip admin usernames if [[ " ${NO_ACTION[*]} " =~ " ${username} " ]]; then printf "${PRINTF_INFO}" "NO ACT" "!" "${username}" "user in NO ACTION list"; continue; fi; if [[ " ${SKIP_USERS[*]} " =~ " ${username} " ]]; then printf "${PRINTF_INFO}" "SKIP" "*" "${username}" "skip forced via command line"; continue; fi; home_folder=$(echo "${user_home}" | cut -d ":" -f 2); # skip no .ssh/authorized_ekys if [ ! -f "${home_folder}/.ssh/authorized_keys" ]; then # but do we have an auth folder, if yes -> exist skip if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then printf "${PRINTF_INFO}" "DONE" "." "${username}" "already moved"; else printf "${PRINTF_INFO}" "IGNORE" "?" "${username}" "no authorized_keys file"; fi; continue; fi; # check if this user public key(s) exist in AuthorizedKeysFile target if [ -f "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}" ]; then ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); if [ -z "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "REMOVE" "-" "${username}" ".ssh/authorized_keys"; if [ ${TEST} -eq 0 ]; then rm "${home_folder}/.ssh/authorized_keys"; else echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; fi; continue; fi; # No update, alert printf "${PRINTF_INFO}" "DIFF" "???" "${username}" "Different authorized keys in home dir, SKIPPED"; continue; fi; printf "${PRINTF_INFO}" "MOVE" ">" "${username}" "Move SSH Key to central location"; # move public keys over if [ ${TEST} -eq 0 ]; then cat "${home_folder}/.ssh/authorized_keys" > "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; # secure new folder: chown/chmod/chattr chown ${username} "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; chmod 400 "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; chattr +i "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"; # confirm ssh_key_diff=$(diff -u "${home_folder}/.ssh/authorized_keys" "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}"); if [ ! -z "${ssh_key_diff}" ]; then printf "${PRINTF_INFO}" "ERROR" "!!!" "${username}" "Move problem ${ssh_key_diff}"; break; fi; # remove home .ssh/authorized_keys (do not remove folder) rm "${home_folder}/.ssh/authorized_keys"; else echo "[START] ====>"; echo "$> cat \"${home_folder}/.ssh/authorized_keys\" > \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chown ${username} \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chmod 400 \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> chattr +i \"${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}/${username}\""; echo "$> rm \"${home_folder}/.ssh/authorized_keys\""; echo "[END ] ====>"; fi; done; # __END__