Thursday, May 18, 2017

Create Linux User with ssh key



If you are not using configuration management tools such as Puppet or Chef in a simple Linux environment, the script below will simplify user creation, especially when you have more than ten new users to create in a row.

It also installs the user's SSH public key. The most common problem I run into when creating a user with an SSH key is getting the permissions and ownership of authorized_keys wrong, because part of the work runs as root and part as the new user: a root-owned or group/world-writable authorized_keys (or ~/.ssh) is rejected by sshd under StrictModes, and the key login simply fails with "bad ownership or modes" in the auth log.

I hope the script below helps make your daily sysadmin work simpler and more fun.



#!/bin/bash
# Usage: ./adduser.sh -u <username> -c '<ssh public key line>' [-s y]
set -euo pipefail

NEW_USER=""; KEY=""; SUDO="n"     # NEW_USER: do not clobber the shell's own $USER
while getopts u:c:s: option
do
        case "${option}"
        in
                u) NEW_USER=${OPTARG};;
                c) KEY=${OPTARG};;
                s) SUDO=${OPTARG};;
                *) echo "usage: $0 -u user -c 'ssh-rsa AAAA... comment' [-s y]" >&2; exit 1;;
        esac
done

if [ -z "$NEW_USER" ] || [ -z "$KEY" ]; then
        echo "usage: $0 -u user -c 'ssh-rsa AAAA... comment' [-s y]" >&2
        exit 1
fi

# On Red Hat/CentOS/Amazon Linux adduser is a symlink to useradd; -m creates the home directory
useradd -m "$NEW_USER"
HOME_DIR=$(getent passwd "$NEW_USER" | cut -d: -f6)
GROUP=$(id -gn "$NEW_USER")

if [ "$SUDO" = "y" ]
then
        # sudo ignores sudoers.d files whose names contain "." or end in "~", and expects mode 0440
        printf '%s ALL=(ALL:ALL) ALL\n' "$NEW_USER" > "/etc/sudoers.d/$NEW_USER"
        chmod 0440 "/etc/sudoers.d/$NEW_USER"
        # Syntax-check the fragment: a broken file in sudoers.d can lock everyone out of sudo
        visudo -cf "/etc/sudoers.d/$NEW_USER" || { rm -f "/etc/sudoers.d/$NEW_USER"; exit 1; }
        echo "$NEW_USER added to sudoers"
fi

# Write the key as root, then hand ownership to the user: no account switching needed.
# sshd (StrictModes) requires ~/.ssh and authorized_keys to be owned by the user (or root)
# with no group/world write bits; 0700/0600 satisfies that.
install -d -m 0700 -o "$NEW_USER" -g "$GROUP" "$HOME_DIR/.ssh"
printf '%s\n' "$KEY" > "$HOME_DIR/.ssh/authorized_keys"
chown "$NEW_USER:$GROUP" "$HOME_DIR/.ssh/authorized_keys"
chmod 0600 "$HOME_DIR/.ssh/authorized_keys"

passwd "$NEW_USER"



Sample command
./adduser.sh -u myuser -s y  -c 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpjky6uTgUa9eRdG/hOxjQvWDbHzw/AVVsvJmMYxwwaLBgUtESRNXEMiF56qIxxxxxxxxxxxxlzbuOLmCrM29mlyujKdqkbr8z75aWYzhT+UIma5BuEX6kLyo9LYMm4RXGsbbnfHYrvTJo1FAnzRL/LYH8ewtmvzVTauHP/k1jYbp0Q3jQgf7p1ZDssAf5vDe1sMLwaXMGUNqNKCwjjePxOxIWzQksOCjHv/ myuser@gmail.com'


Note:
- Do not use a dot "." in the user name: sudo silently ignores files in /etc/sudoers.d whose names contain a "." (or end in "~"), so the sudoers entry would never apply.
- The script was only tested on Red Hat, Amazon Linux and CentOS, where adduser is a symlink to useradd. On Debian and Ubuntu adduser is a separate interactive wrapper, so use useradd -m there.
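To confirm that a freshly created account will actually be accepted by sshd, the following checker (an added example, not the post's script) verifies the invariants StrictModes enforces on the home directory, ~/.ssh and authorized_keys: owned by the user, and not group- or world-writable. The usual 0700/0600 is stricter than sshd requires; what it rejects is a wrong owner or a write bit for group/other. It assumes GNU coreutils stat (-c '%U' and '%A').

```shell
#!/bin/sh
# Added example, not from the original post: check that a user's home,
# ~/.ssh and ~/.ssh/authorized_keys have the ownership and permission bits
# sshd enforces with StrictModes (the default). Assumes GNU coreutils `stat`.
# Usage: check_ssh_perms /home/myuser myuser

check_ssh_perms() {
    home="$1"; user="$2"; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$path")
        perm=$(stat -c '%A' "$path")     # e.g. drwx------ or -rw-r--r--
        # sshd also tolerates root as owner, but a root-owned authorized_keys
        # (the classic result of writing it as root) leaves the user unable to
        # manage their own keys, so insist on the user here.
        [ "$owner" = "$user" ] || { echo "bad owner $owner (want $user): $path"; rc=1; }
        # 6th character is the group write bit, 9th the world write bit
        case "$perm" in ?????w*)    echo "group-writable: $path"; rc=1 ;; esac
        case "$perm" in ????????w*) echo "world-writable: $path"; rc=1 ;; esac
    done
    [ "$rc" -eq 0 ] && echo "ok: $home"
    return "$rc"
}

# Run as a CLI when given <home> <user>; does nothing when sourced without arguments.
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it once per new account right after the creation script; a non-zero exit means the key login would have failed with "bad ownership or modes" in the auth log.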



Wednesday, March 22, 2017


Problem: you get the error message "chcon: can't apply partial context to unlabelled file '<file_name>'" when running "chcon -Rt svirt_sandbox_file_t <file_name>".


An obvious but often overlooked cause: check whether SELinux is enabled. chcon -t replaces only the type field of a file's existing label, so if the file carries no label at all there is nothing to merge into and chcon reports this error. That is the case when SELinux is disabled, and also for files on filesystems that do not carry SELinux labels. Run getenforce (or sestatus) to check; if you have just switched SELinux from disabled to permissive or enforcing, relabel the filesystem (touch /.autorelabel and reboot) so that files created while it was disabled receive labels.

Hope it will save you some time.

Friday, January 13, 2017

Linux on PCI DSS Requirement mapping



Linux and Malware

PCI DSS requirement 5.1 describes the need for an anti-virus solution. This subject is controversial among Linux administrators ("AV on Linux, you've got to be kidding me"), as viruses on Linux-based systems are rare. Still, the platform is not fully resistant to other forms of malware and related threats (rootkits, web shells, cryptominers, trojaned packages), so depending on the particular role of a system, one or more tools can be a good fit.

Open Source Tools



Shell

The shell is the main working environment of a Linux administrator, and personal preferences mean several shells may be installed on one system. The first step is to ensure that all shells are accounted for: determine which ones are installed (e.g. rpm -q bash zsh tcsh ksh) and, via /etc/shells, which ones are allowed as login shells.

Session Timeout in Linux shells

Depending on the shells available on the system, a timeout should be configured with the appropriate value for each of them. PCI DSS requirement 8.1.8 (session idle timeout) mandates that an idle session is terminated after 15 minutes, i.e. 900 seconds.
One of the files to arrange this is /etc/profile, which login shells read. bash, ksh and zsh all honour the TMOUT variable: the shell exits if no input arrives within TMOUT seconds of showing its prompt. Declaring it read-only with typeset -r stops users from unsetting it. (tcsh does not use TMOUT; it has its own autologout variable, set in /etc/csh.login.)
typeset -r TMOUT=900
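As an added example (not from the post), the same setting as a drop-in for /etc/profile.d that applies only to interactive shells; the file name is hypothetical. Restricting it to interactive shells matters because /etc/profile is also sourced by non-interactive login contexts, and an exported TMOUT additionally becomes the default timeout of bash's read builtin in every child script.

```shell
# /etc/profile.d/tmout.sh (hypothetical file name; added example, not from the post)
# Apply the idle timeout only to interactive shells: scripts that source
# /etc/profile must not be killed after 900 s without terminal input.
case "$-" in
    *i*)
        TMOUT=900          # PCI DSS 8.1.8: 15 minutes of inactivity
        readonly TMOUT     # POSIX spelling of `typeset -r`: users cannot unset or lower it
        # Deliberately not exported: an exported TMOUT also acts as the default
        # timeout for bash's `read` builtin in child scripts.
        ;;
esac
```

On Red Hat-family systems /etc/bashrc also sources /etc/profile.d/*.sh for interactive non-login shells, so the drop-in still covers a user who starts a second bash; on other distributions the same snippet may be needed in the global bashrc as well.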

Inactive accounts

Unused or inactive accounts on the system are an unneeded security risk. Such accounts usually exist because there was a one-time need to log in, or because they were simply forgotten after an employee left the company. PCI DSS requirement 8.1.4 requires that user accounts inactive for 90 days are removed or disabled.
To determine the last time a user logged in, the last command can be used; its information comes from /var/log/wtmp or rotated copies such as /var/log/wtmp.1, so old logins disappear once logrotate discards them. lastlog reads /var/log/lastlog instead, which keeps one record per account and is not rotated, and lastlog -b 90 lists only accounts whose last login is older than 90 days.
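To turn that check into something that runs against a captured lastlog output (for example one collected from many hosts), here is an added example, not from the post: a POSIX sh/awk filter that reports accounts idle longer than a threshold, and separately those that have never logged in (which need to be judged by account creation date rather than login). The date arithmetic is done in awk itself so it does not depend on gawk's mktime(); the sample lastlog output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report accounts whose last
# login, as printed by `lastlog`, is older than a given number of days.
# Usage on a live system:  lastlog | stale_logins 90 "$(date +%F)"

# stale_logins <max_idle_days> <today YYYY-MM-DD>   (lastlog output on stdin)
# Prints "<user> <days since login>" or "<user> never" for each stale account.
stale_logins() {
    awk -v maxdays="$1" -v today="$2" '
    # Days since 1970-01-01 for a civil date (pure arithmetic, portable across awks)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        split(today, t, "-")
        now = days_from_civil(t[1] + 0, t[2] + 0, t[3] + 0)
    }
    NR == 1 { next }                                  # column header line
    /Never logged in/ { print $1, "never"; next }     # lastlog prints **Never logged in**
    {
        # The "From" column is empty for local logins, so index from the end:
        # ... <Weekday> <Mon> <DD> <HH:MM:SS> <+ZZZZ> <YYYY>
        age = now - days_from_civil($NF + 0, mon[$(NF - 4)], $(NF - 3) + 0)
        if (age > maxdays) print $1, age
    }'
}

# Constructed sample of lastlog output, for running the filter offline.
SAMPLE_LASTLOG='Username         Port     From             Latest
root             pts/0    10.0.0.5         Tue Apr 11 08:15:02 +0000 2017
alice            pts/1    10.0.0.7         Mon Jan  9 10:12:34 +0000 2017
bob                                        **Never logged in**
deploy           tty1                      Wed Apr 12 22:40:11 +0000 2017'

if [ "$#" -eq 2 ]; then
    stale_logins "$1" "$2"          # real use: lastlog | ./stale_logins.sh 90 2017-04-13
else
    printf '%s\n' "$SAMPLE_LASTLOG" | stale_logins 90 2017-04-13
fi
```

Against the sample with a reference date of 2017-04-13 the filter reports alice (94 days idle) and bob (never logged in); root and deploy logged in within the last two days and are not listed. Accounts reported as "never" should be compared against their creation date (the last password change field in /etc/shadow, or the package or provisioning record that created them) before being disabled.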