ScriptsCollections/ServerUserCreate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c801ef40b432cd38bd3a275ae8d2cc8a45ea78d8
ServerUserCreate/Readme.md
Clemens Schwaighofer c801ef40b4 Switch from lastlogin to lsogins 
Debian 13 dropped lastlogin, replaced with lastlogin2 which is an extra install.
Switch to lslogins, which also makes parsing much easier
2025-09-12 10:16:05 +09:00

364 lines
12 KiB
Markdown
Raw Blame History

# User creation on AWS Servers
Two files to create new user entries with an SSH key and zip all the data for download
## Setup
The application **pwgen** and **zip** must be installed.
Checkout the scripts from git into the `/root/` folder or any other folder.
The folder holding the script must be owned by *root* and have *600* permissions
```sh
cd /root/
git clone <UrlToGitRepository> users
chown root. users
chgrp 600 users
```
## Folders
Inside the base folder there are
- auth-log/: access logs from users for the last login check
- bin/: scripts folder
- backup/: for removed users home directories
- config/: config settings (eg alternative home base folder
- log/: user creation and other action logs
- ssh-keygen/: PEM keys are stored here during creation and then zip-ed into the zip folder
- ssh-keygen-created-pub/: Public keys are stored here and stay here (used for checking)
- user_list.txt: users that should exist on this server with various settings
- [user_password.YYYYMMDD-HHmmss.txt] temporary file with username and password, zip-ed into the zip folder
- zip/: after user creation the password and PEM files are stored in here
## Config
### create_user.sh: create_user.cfg
A `create_user.cfg` can be created to set a differen HOME_LOCATION and PASSWORD_LENGTH values
eg:
```ini
HOME_LOCATION="/storage"
PASSWORD_LENGTH=14
```
### authorized_key_location_change.sh: authorized_key_location_change.ignore
For this script a `authorized_key_location_change.ignore` with a list of user names to ignore for the
move
eg:
```ini
foo_user
bar_user
```
## Options
### -g (go)
If not set, the script will not run.
### -t (test)
Run in test mode. This will *NOT* create any groups or users. Nor will it create any ssh key files.
`user_password` output file will be written with `.TEST` extension
### -i (info)
Do not created anything at all, just print out info strings
## User list creation
In the `/root/users/` folder there needs to be a file called '*user_list.txt*'
This is a CSV type file with the following layout
ID | Username | Group and Sub Group | SSH Access Type and No Login flag | Optional Password | Override host name | Override ssh key type
-|-|-|-|-|-|-
1: The ID, Username and Group column must be filled.
2: For sub groups add them with a MASTER_GROUP,SUB_GROUP_A,SUB_GROUP_B,... The first group is the master group
3: SSH Access type as: allow/forward. allow is default, additional separated by | can be a "no_login" to set a no login shell, else bash shell will be set
4: If the password column is filled, the string from here will be used as the PEM Key password.
5: If a override hostname is set it will be used instead of `hostname`
6: If the ssh key type is set, it will override the default *ed25519* type. Only *rsa* is allowed. This is for setting up backwards compatible lists. Change is not recommended
The ID can be any string in any form.
It can also be left empty. It is not used at the moment
The file can hold comments. The first character in the line must be a *#*
Example file
```csv
#user_id;user_name;group,subgroup;ssh access type|no login flag;override password;override hostname;override ssh type
user1;some.name;group-a;allow;;hostname;
user2;othername;group-a;allow;;;
# I am a comment
;username;groupC;allow;setpassword;;
;username_c;groupC;allow|no_login;;;
...
```
### User with existing PEM key
If we want to create a user that already has a PEM key or we want to have the user use the same PEM key for login we can copy the existing pub key into the ssh key folder `ssh-keygen-created-pub`
The public PEM key file format is as followed
**hostname**#**main group name**#**user name**#**ssh key type**.pem.pub
In the example above for *user1* the file name would be for **some.name** and **group-a**
`hostname#group-a#some.name#ssh-keytype.pem.pub`
Copy this file into the ssh-keygen folder and add the user to the '*user_list.txt*' file.
This must be with the same name and group as set in the PEM public key.
Example:
PEM public key file is `hostname#Bgroup#foobar#ed25519.pem.pub`
Then the line for the '*user_list.txt*' must be
`[some user id];foobar;Bgroup;;`
Note that *[some user id]* can be any string or left empty
## Script run
The current directory **MUST** be the directory where '*user_list.txt*' is stored.
`$> cd /root/users`
Then run the script without any options
`$> /root/bin/create_user.sh`
Sample output for above example file
```txt
++ Create 'some.name:group-a'
> Create ssh key-pair '/root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem'
Generating public/private rsa key pair.
Your identification has been saved in /root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.
Your public key has been saved in /root/users/ssh-keygen/hostname#group-a#some.name#ed25519.pem.pub.
The key fingerprint is:
SHA256:Ufalh41IRLJTHZlsaEJVK5N7cOYhxRdqf3fCDxhHdCA egrp10070.globalad.org: some.name@group-a
The key's randomart image is:
+---[RSA 3072]----+
| .o+O*E=*o.|
| .Bo=B@.. |
| +oB.&.+ |
| o @ O |
| S . + = +|
| . =o|
| .|
| |
| |
+----[SHA256]-----+
> Create .ssh folder
> Add public into authorized_keys
> Secure folder .ssh and authorized_keys file
```
If the public pem file is already provided the output will be a bit different
```txt
++ Create 'some.name:group-a'
< Use existing public ssh key '/root/users/ssh-keygen-created-pub/hostname#group-a#some.name#ed25519.pem.pub'
> Create .ssh folder
> Add public into authorized_keys
> Secure folder .ssh and authorized_keys file
```
There is no SSH key generate output but *Use existing public ssh key* information line
If the user has been created, the creating will be skipped
```txt
-- Skip 'some.name:group-a'
```
## Script output
The generated users and the passwords are stored in the '*user_password.YYYYMMDD-hhmmss.txt*' file
For above the output will be
```csv
2020-11-27 13:51:01;sever.hostname.org;hostname;some.name;Aeh9uph8Oo
2020-11-27 13:51:02;sever.hostname.org;;othername;AePejoo9ch
2020-11-27 13:51:02;sever.hostname.org;;username;setpassword
```
Note that the *sever.hostname.org* is set from the hostname of the server where the script is run
The name *hostname* is set if the hostname field in hser `user_list.txt` file is set
If a existing pem public key is used, the entry for a new user will be
```csv
2020-11-27 13:53:18;sever.hostname.org;;some.name;[ALREADY SET]
```
Not that the password field has now *[ALREADY SET]*
## Get the user data
In the `zip/` folder there is a file named `users.YYYYMMDD-hhmmss.zip`;
This file should be copied localy and then removed from the server
**NOTE** Do not remove the public key data in `ssh-keygen-created-pub/` or the script will create new keys for users in the `user_list.txt` file
## SSH helper
change password or extract public key from pem file
### PEM key password reset
The SSH PEM key password can be reset or changed with
`$> ssh-keygen -p -f [PEM].pem -P old_passphrase -N new_passphrase`
To remove the password use this `-N ""`
> [!notice]
> If the command is used like this it will be stored in the history file.
> For scurity reason it is recommended to not give the -P and -N options when changing the password
### Missing PUB key
The public key part can be extracted from the SSH PEM key with
`$> ssh-keygen -y -f [PEM].pem > [PEM].pem.pub`
`[PEM]` is the placeholder for the filename
## Lock and unlock uses
If a user should be stopped from logging in via ssh the user needs to be removed from the sshallow or sshforward groups. Note that the sshforward group only exists on jump hosts and can normally be ignored.
Default 100% ignored users are 'root', 'ec2-user', 'admin', 'ubuntu'
### Lock users
`bin/lock_users.sh -t <user 1> <user 2> ...`
The `-t` flag is for test run.
If the user is not in the sshallow or sshreject group the change will be skipped.
Locked users will be moved to the sshreject group
### Unlock users
If a user exists in the sshreject group the user can be unlocked
`bin/unlock_uses.sh -t -s <allow|forward> <user 1> <user 2> ...`
Like the lock user script it will only work on users in the sshreject group. But here the target allow / forward group must be selected.
If not set it defaults to allow, if a user_list.txt file with this user exist it will try to extract this data if the `-s` option is not set
## Last login check scripts
There are two scripts that can be user to check if and when the user has logged in the last time.
Because of users who do not open shells (for example sftp users) we cannot rely on lslogins, so a script called `collect_login_data.sh` exists that parses the systemd logind info or /var/log/secure for user authentication data.
Data is stored in `auth-log/user_auth.log` folder as `user;last login date`
This script should be run every day via crontab as root:
```crontab
0 1 * * * root /root/users/bin/collect_login_data.sh
```
The script `check_last_login.sh` will go through the ssh allow groups (sshallow/sshforward) users and flag out those that have not logged in, in the last 60 days and recommend to lock them. The script will also check for user accounts that never logged in and where created in the last 30 days and recomment to lock them too.
This script will first check the `auth-log/user_auth.log` file, then lslogins output and finally check for creation time in passwd file or home director for when the user was created.
Currently only information is printed out and no action is done itself.
The script can be put into the crontab and run once a month, it prints to STDOUT so a mail pipe with a proper subject is recommended
```crontab
0 2 1 * * root /root/users/bin/check_last_login.sh | mail -s "User Account check: $(hostname)"
```
For processable output there is a "csv" and "json" option to output the data in CSV or JSON format
Example csv
```csv
Hostname,Username,Main Group,SSH Group,Account Created Date,Account Age,Last Login Date,Last Login Age,Login Source,Never Logged In,Status
some.host,name_a,staff,sshallow,2021-11-18,764,,,,true,[!] Never logged in: account created 764 days ago
some.host,name_b,staff,sshallow,2021-11-15,767,2023-12-20 22:18:36,1,ssh,false,OK [ssh]
...
```
```json
{
"Info": {
"Hostname": "host.name",
"Date": "2023-12-21 13:11:45",
"MaxAgeLogin": 90,
"MaxAgeCreate": 30
},
"Users": [
{
"Username": "name_a",
"SshGroup": "sshallow",
"MainGroup": "staff",
"SubGroups": [],
"AccountCreatedDate": "2021-11-18",
"AccountAge": "764",
"LastLoginDate": "",
"LastLoginAge": "",
"LoginSource": "",
"NeverLoggedIn": true,
"Status": "[!] Never logged in: account created 764 days ago"
},
{
"Username": "name_b",
"SshGroup": "sshallow",
"MainGroup": "staff",
"SubGroups": [
"sudo",
"users",
"group_a",
"group_b",
],
"AccountCreatedDate": "2021-11-15",
"AccountAge": "767",
"LastLoginDate": "2023-12-20 22:18:36",
"LastLoginAge": "1",
"LoginSource": "ssh",
"NeverLoggedIn": false,
"Status": "OK [ssh]"
},
]
}
```
## Delete users
`bin/delete_user.sh -t -b <user 1> <user 2> ...`
Deletes one or more users
- `-t` test, no action done
- `-b` do not create a backup
Unless `-b` is set the home folder and public key in /etc/ssh will be backed up.
Flags user with #DELETED-YYYYMMDD_HHmmss:id;... in the user_list.txt file
## Rename user
`bin/rename_user.sh -t -o <current user name> -n <new user name>`
Renames a user including the home directory, public key files and any other connected data.
Also updates the user_list.txt
Reference in New Issue View Git Blame Copy Permalink