Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.
Unix Linux Administration II
Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.
Agenda discuss Homework. Unit 1: Scripting conditionals. Unit 2: Certificate Authority. Unit 3: Scripting loops.
Review:basic math syntax $((expression))
most common functions available including bitwise and logcal
White space is optional.
non-zero final expression return true.
Quoting ', ", ` and \
command subsitution user=$(grep -i $name /etc/passwd)
Review: cont.Positional parameters are provided by the shell
environment and automatically assign variables to values passed into the script. who
who | grep root
on.sh root
who | grep $1
$# = number of arguments passed to the script.
$* = reference all arguments passed to the script
$? = Stores the exit value of the script
Review:
Slave servers provide redundancy and high availability when designed appropriately form your domain.
The changes between slave and master are fairly simple.
Slave poll masters by default but master can be configured to notify slaves when updates occur.
Slaves can be configured to store zone data locally for backup.
Class 7, Unit 1
What we are going to cover: Scripting and conditionals
What you should leave this session with: How to add decision points to your scripts. How to enable debug in your scripts.
Indenting
Tabs or SpacesBe consistent! (possible vimrc setting?).
Helps with legibility Most languages ignore white space
Good or Bad?
”…code is read much more often than it is written”Python - http://www.python.org/dev/peps/pep-0008/#indentation
Exit statusEvery time you run a script it produces an exit
status. Zero is successful anything else indicates failure.
Failures can be caused for lots of reasons. The exit value is stored in $?
echo $?
What are some ways to create a failed exit status?
The "if" construct"if" is one of the first conditional statements you will
probably encounter.
You can think of this as "if X then do Y and finish". The if statement must start with "if" and end with "fi". We will see similar constructs in other conditionals later.
for example:if [ -f /etc/hosts ]; then echo "a host file exists"fi
How to test string values.
You can test an expression for a true or false value using the expression "test".user=$1if test “$user” == angus; then echo “$user found on system”fi
Many test operators are available such as==, !=, -z string (string is null) –n string (string is NOT null), string (is defined)
Test cont.You can also test for integer values withReturns true (0) if:
int1 -eq int2int1 -ge int2 “great than or equal to”int1 -gt int2 “greater than”int1 -le int2 “less than or equal to”int1 -lt int2 “less than”int1 -ne int2 “not equal to”
[ “$value” -eq 0 ]
File testsThe file tests expect a single argument, the filename.
-d file file is a directory
-e file file exists
-f file file is an ordinary file
-r file file is read only
-s file file has nonzero length
-w file file is writable by process
-x file file is executable
-L file file is a symbolic link
[ -f /etc/passwd ] is this an ordinary file
[ -r /etc/passwd ] Is file readable by process.
Logical operators available.! Used to negate the value
[ ! –r /etc/shadow ] is the file not readable
-a performs logical AND of two expressions.
[ -f /etc/passwd –a –r /etc/passwd ] BOTH must be true.
-o performs logical OR of two expressions.
[ -f /etc/passwd –o –r /etc/shadow ] true if EITHER are successful
Parentheses
You can use parentheses in a test to alter the order of evaluations however the parentheses must be escaped
[ \( “$value” –ge 0 \) –a \( $value –lt 10 \) ]
The else conditional
The else statement can expand the if statement. If the first condition is true the second one is skipped.
if cmd; then command1 command2else command1 command2fi
else example# value passed in from cmd line.
user=$1
if who | grep "^$user " > /dev/null; then
echo "$user is logged on"
else
echo "$user is NOT logged on"
fi
Exit command
Exit allows you to immediately terminate a script. You can pass exit a numeric value also if you want, this become the status code stored by $?
if ...else echo "$user is NOT logged on“
exit 2fi
Syntax for else/if = elifIf you find a need for nested if statements this can
resolved with elif statements.
If cmd ; then
cmd
elif cmd ; then
cmd
else
cmd
fi
The case statementCase statements let you compare a value against
multiple values and execute one when a match is found. Case statements can be very efficient.case value in pattern) cmd
cmd;;pattern) cmd
cmdcmd;;
pattern) cmdcmd;;
esac
Sample case statement# script expects a single variable.case "$1” in 0) echo zero;; 1) echo one;; 2) echo two;; 3) echo three;; *) echo "out of expected range";;esacResult, user enters 1 script echoes “one”
Talk about nothing, no operator
The shell representation for no operator is :This can be used in a script when you what to check
for a value but do nothing if it is defined but return a message if it does not exist.
If grep “userid /etc/passwd” > /dev/null; then :else echo “user is not defined to system”fi
Debug your scripts
One way to debug your scripts is to start them with the –x option like this:
/bin/sh –x number.sh /bin/sh -x number.sh 2 + case "$1" in + echo two Two
The set –x option will display command and their arguments as they are executed.
Debug cont.You can extend the output using –vEnabling –v will display the shell input lines
as they are read.Both can be enabled at the same time.#!/bin/sh –vxOr within the script using something like set –v on set –x onDisable using +v or +x
Shell logical OR and logical AND
Logical OR = ||
cmd1 || cmd2
cmd2 is ONLY executed if cmd1 fails.
Logical AND = &&
cmd1 && cmd2
ONLY if cmd1 succeeds will cmd2 run.
Review: conditionalsExit status, 0 = success, !0 = fail.if test "$user" == “<value>”
you can also just use [][ "$user" == “<value>” ]File tests, such as does the file exist.[ -e /etc/nsswitch.conf ]logical operators-a -o || &&You can use parentheses to alter the order of evaluations.if cmd; then do; else do; fiif [ "$HOME" ]; then echo "Found home!"; else echo "shucks we are homeless!"; fi
In class lab 7a
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Class 7, Unit 2
What we are going to cover: Certificate Authorities (CA)
What you should leave this session with: How public CA server work PKI structure
Public Certificate Authorities (CA)So, if we want others to trust our certificate
the creation process is very similar to a self signed certificate.
The difference is that we have a 3rd party sign the certificate signing request (CSR) which then becomes the public certificate.
At this point anyone that trusts that 3rd party (Verisign, Thwart, Entrust) now implicitly trust you.
What is a Certificate Authority (CA)
A certificate authority can be described as an entity with policies for verifying the identity of entities.
This verification is then manifest in the signing of a public key provided by the requestor that others can recognize as legitimate.
Similar in how a government issues passports that then other governments and individuals can use to confirm the identity of the passport owner.
Where to find public CA certificates
Browser installs, OS installs, Java installs all come with a keystore. The keystore contains a selection of public key certificates that the related organizations have chosen to include by default.
Applications that interact with those technologies will trust certificates signed by the private keys for which the public certificate is available.
Chain of trust.
The Chain of trust is based on the idea that trust is implied by association.
With certificates we trust them because we typically already trust the certificate that signed them.
If we visit for example: https://www.paypal.com/
We trust this site because it was signed by: VeriSign Class 3 Extended Validation SSL CA
Certificate chain.
Starts with a public CA certificates such as: VeriSign Class 3 Public Primary Certificate Authority – G5
Which in turn signed a certificate for: VeriSign class 3 Extended Validation SSL SGC CA
Which signed the certificate for: www.versign.com
Check this site to see the full chain.
Setting up a PKI instance
We will need to create a private key and public certificate pair for our Certificate Authority (CA).
From this key pair we can sign certificate which will now show the relationship to the root.
To extend this chain we can submit a CSR from the root to the class CA and have it signed. Now the chain has been extended.
openssl: cert signing request (csr).
If you are NOT going to sign the request but rather have a 3rd party CA sign it then you only need to create the request and private key.
openssl req –new –newkey rsa:1024 –nodes -keyout cert.key –out myreq.csr
This results in one csr and one private key.
Signing the “csr”sudo openssl ca -policy policy_anything -out
server.crt -infiles myreq.csr
Here we are defining the CA policy which for us is wide open but can be limited.
We define the csr input and the public cert output.
Does the private key for this request need to be local also?
openssl certificate & key verification
Comparing your private key and public certs. openssl rsa –noouot –modules –in ca-private-key.pem | openssl md5 openssl x509 –noout –modules –in ca-pub-cert.perm | openssl md5
Check your private key openssl rsa –in private.key –check
Check your pubic certificate openssl x509 –in server.crt –text –noout
Check your csr openssl req –text –noout –verify –in server.csr
Web server configurationJust as before we need to define a valid path
to our webserver certificates and keys.
Now we also need to define our new CA certificate.
If we have a root and intermediate CA like Verisign we would need to create a chain certificate. This is basically a file with multiple certificates.
review: /etc/pki/tls/certs/ca-bundle.crt
Review: PKI
Private keys, Public certificates and CSRpublic CAChain of Trust
Chain certificatesPKI setup
private key, csrsigned cert.
sign other requests (CSR).
In class lab 7b
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Class 7, Unit 3
What we are going to cover: Scripting and loops
What you should leave this session with: Basics to creating loops within your scripts. How to enable debug in your scripts.
Loops.Loops are blocks of code that run until
complete (they can be infinite loops)
The first example is the for loop.
for f in value1 value2 value3
do
cmd
done
For loops - body.for letter in a b c
do
echo “found: $letter”
done.
The “Body” is the content between “do” and “done”.
When the script is executed the value for “letter” is assigned to the first value provided after “in” and then the body of the loop is executed. When complete the second value is assigned to the variable $letter and the process is repeated.
? What happens if you enclose a b c in quotes?
for loops cont.
You can leverage the shells ability for filename substitution in loops. The shell provides for filename substitution in the list provided to the body of the loop.for f in [1-3].txt
do
echo $f
done.
Just as in the other examples, echo is executed 3 times in this example
for loops cont.you can also read in file values and feed those to
the for loop.cat filelist.txt
1.txt
2.txt
3.Txt
for files in $(cat filelist.txt) ; do echo $files; done
or
for files in $(cat filelist.txt) ; do cat $files; done
*example of command substitutions.
Using $* in loops
$* = all arguments
echo “Number of arguments passed in $#“
for variables in $*
do
echo "$variables"
done
Replacing $* with $@You know that $* returns all the values provided at
the command line. However if you use $@ this is actually a comma
separated list of values
for f in “$@”do
echo $fdone
*Best practice to place double quotes around $@
while loopsAnother looping function is "while".
while cmd
do
cmd
done
“cmd” is executed and its exit status is tested. if the exit status is zero the commands between do and done are competed otherwise the script exits with a non zero status code
while script
Similar to saying “while true do”sample “while” script counting to 10
num=1
while [ "$num" -le 10 ]
do
echo $num
num=$(( num+1 ))
done
until
until - the inverse of while, meaning it will run so long as the return code is not 0, or not successful.
Similar to the while blocks, commands between the do and done functions may never be executed if the initial command returns a successful response (zero).
Useful when checking for a status change
until cont.# if NOT successful enter the body
until ps -ef | grep -i "named“ | grep –v grep > /dev/null
do
echo "bind is not running"
sleep 5
done
echo "bind is running“
Break out!Sometimes in a logic loop you want to break
out based on user input such as the user asking to quit. Enter “break”
while truedoread cmdif [ "$cmd" = "quit" ] then break else echo "$cmd"fidone
Continue on…The opposite of break is to continue. Sometimes you
want the loop to simply leave the current loop and continue working through the script. This is where you might use continuefor filedo
if [ ! –e “$file” ]then echo “file not found”continuefi
process rest of file/datadone
Sending the process to background
You can background a process using the & after the done statement. Just as we have done at the command line.
for file in data[1-4]
do
run $file
done &
redirection
I/O redirection on a loop can be obtained using the < or > based on your need.
Write to file:
for i in 1 2 3 4
do
echo $i
done > data.out
Sleep and background
sleep n - where n is a numeric value. Sleep will pause the system for the time specified on the command line.
You can run programs in the background using ampersand "&"
script &
output from this command will tell you the process associated with your process.
Use fg to foreground a background process.
optionsYou can define options in your scripts using syntax
similar to this:if [ "$1" = "-a" ]then option=TRUE
shiftelse option=FALSEfiecho "value for option is: $option"
getoptsThe previous example is fine for simple
options but if you want more flexibility it can become tedious to script. However getopts is available for this purpose.
getopts works within a loop and examines each argument to determine if it is an option based on the existence or absence – before the value.
getopts
The syntax of the getopts command is: getopts optstring option
opstring – is the list of options expected from the command line. option - value used to iterate over the command line options provided.
getopts cont.You can stack your options or pass them
individually. Meaning –abc or –a –b -c
If your option needs an argument add “:”
getopts a:bc name
Now a valid command line looks like:
script.sh –a braeburn –b –c
script.sh –a braeburn
script.sh –b –c
getopts cont.OPTARG used when an option requires an
argument, e.g. –a braeburn
OPTIND is a special variable used by getops which is set to 1 by default and is updated each time getopts complete a loop.
If you reset $OPTIND to 1 at the end of the loop it is possible to use getops again in the same script.
Impact of “:”When an option character not contained in optstring is found, or an option found does not have the required option-argument:
If optstring does NOT begin with a : (colon)
1.Option will be set to a ?
2.OPTARG. will be unset
3.A diagnostic message WILL be written to standard error.
Impact of “:”Alternatively if optstring DOES begin with a : (colon)
1.option will be set to a ? character for an unknown option or to a : (colon) character for a missing required option.
2.OPTARG. will be set to the option character found.
3.no output will be written to standard error.
getopts samplewhile getopts ":ab:c" option; do case $option in a) echo received -a ;; b) echo received -b with $OPTARG ;; c) echo received -c ;; :) echo "option -$OPTARG needs and an ARG" ;; *) echo "invalid option -$OPTARG" ;; esac done
Review: loops and breaksFor loops:for f in a b c; do echo "found: $f"; donefor f in $(cat filelist.txt); do echo $f; donefor f in $(cat filelist.txt); do cat $f; done
$* vs $@, $@ provides a comma separated listUntil and While:while loops, if the exit status is zero the loop is entered.until, if the exit status is NOT zero the loop is entered.Break and continue are used to manipulate the loop behavior.
Review: Options and GETOPTS
Passing options to your script manually.if [ "$1" = "-a" ]then option=TRUE
shift
GETOPTS is a built-in shell function. GETOPTS loops through arguments looking for a “-” before any arguments and determines if it is a valid option.
If arguments are required with the options then you simple add a “:” after the option in your script the GETOPTS will require one.
In class lab 7c
Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->