Transcript

Unix Linux Administration II

Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.

Agenda discuss Homework. Unit 1: Scripting conditionals. Unit 2: Certificate Authority. Unit 3: Scripting loops.

Homework review

DNS configs.

Scripting – ping script.

Review: basic math syntax $((expression))

Most common operators are available, including bitwise and logical ones.

White space inside $(( )) is optional.

$(( )) expands to the value; in bash, (( expression )) used as a command returns true (exit status 0) when the final expression is non-zero.

Quoting: ', ", ` and \

Command substitution: user=$(grep -i "$name" /etc/passwd)

Review, cont.: Positional parameters are provided by the shell environment and are automatically assigned the values passed into the script.

At the command line:

    who | grep root

In a script (on.sh) called as "on.sh root":

    who | grep "$1"

$# = number of arguments passed to the script.

$* = all arguments passed to the script.

$? = exit status of the most recently run command (and so, when the script finishes, the exit status of the script itself).

Review:

Slave servers provide redundancy and high availability for your domain when designed appropriately.

The configuration changes between slave and master are fairly simple.

Slaves poll masters by default (on the SOA refresh interval), but a master can be configured to NOTIFY its slaves when updates occur.

Slaves can be configured to store a local copy of the zone data, so they keep serving answers if the master is unreachable.

Class 7, Unit 1

What we are going to cover: Scripting and conditionals

What you should leave this session with: How to add decision points to your scripts. How to enable debug in your scripts.

Indenting

Tabs or spaces: be consistent! (possible vimrc setting?)

Helps with legibility. Most languages ignore white space. Good or bad?

"...code is read much more often than it is written" (Python PEP 8, http://www.python.org/dev/peps/pep-0008/#indentation)

Exit status

Every time you run a command or script it produces an exit status. Zero means success; anything else indicates failure.

Failures can have many causes. The exit status of the last command is stored in $?:

    echo $?

What are some ways to create a failed exit status?

The "if" construct

"if" is one of the first conditional statements you will probably encounter.

You can think of this as "if X then do Y and finish". The if statement must start with "if" and end with "fi". We will see similar constructs in other conditionals later.

For example:

    if [ -f /etc/hosts ]; then
        echo "a host file exists"
    fi

How to test string values

You can test an expression for a true or false value using the "test" command:

    user=$1
    if test "$user" = angus; then
        echo "$user found on system"
    fi

Keep the double quotes around "$user": without them an empty argument makes test see only "= angus" and fail with a syntax error instead of returning false.

Many test operators are available, such as = (equal), != (not equal), -z string (true if the string is empty), -n string (true if the string is NOT empty) and a bare string (true if it is non-empty). bash's test also accepts == as a synonym for =, but /bin/sh on many systems does not, so = is the portable choice.

Test, cont.

You can also test integer values. Returns true (0) if:

    int1 -eq int2    equal to
    int1 -ge int2    greater than or equal to
    int1 -gt int2    greater than
    int1 -le int2    less than or equal to
    int1 -lt int2    less than
    int1 -ne int2    not equal to

    [ "$value" -eq 0 ]

File tests

The file tests expect a single argument, the filename.

    -d file    file is a directory
    -e file    file exists
    -f file    file is an ordinary (regular) file
    -r file    file is readable by the process
    -s file    file has nonzero length
    -w file    file is writable by the process
    -x file    file is executable
    -L file    file is a symbolic link

    [ -f /etc/passwd ]    is this an ordinary file?
    [ -r /etc/passwd ]    is the file readable by the process?

-r, -w and -x are answered for the user the script runs as, so a test that passes under sudo can fail for an unprivileged user.

Logical operators available

! negates the value:

    [ ! -r /etc/shadow ]    is the file NOT readable?

-a performs a logical AND of two expressions:

    [ -f /etc/passwd -a -r /etc/passwd ]    BOTH must be true

-o performs a logical OR of two expressions:

    [ -f /etc/passwd -o -r /etc/shadow ]    true if EITHER is successful

-a and -o are marked obsolescent in POSIX because they become ambiguous when an operand looks like an operator; the portable form is two separate tests joined by the shell's own && and ||, for example [ -f /etc/passwd ] && [ -r /etc/passwd ].

Parentheses

You can use parentheses in a test to alter the order of evaluation; however, the parentheses must be escaped so the shell does not treat them as a subshell:

    [ \( "$value" -ge 0 \) -a \( "$value" -lt 10 \) ]

The else conditional

The else statement extends the if statement. If the first condition is true the else branch is skipped; otherwise only the else branch runs.

    if cmd; then
        command1
        command2
    else
        command1
        command2
    fi

else example:

    # value passed in from the command line.
    user=$1

    if who | grep "^$user " > /dev/null; then
        echo "$user is logged on"
    else
        echo "$user is NOT logged on"
    fi

Exit command

exit immediately terminates the script. You can also pass exit a numeric value; this becomes the exit status the caller sees in $?.

    if ...
    else
        echo "$user is NOT logged on"
        exit 2
    fi

Syntax for else/if = elif

If you find you need nested if statements, this can often be resolved with elif:

    if cmd; then
        cmd
    elif cmd; then
        cmd
    else
        cmd
    fi

The case statement

Case statements let you compare a value against multiple patterns and execute the commands for the first pattern that matches. They are usually clearer and cheaper than a chain of elif tests.

    case value in
        pattern) cmd
                 cmd;;
        pattern) cmd
                 cmd
                 cmd;;
        pattern) cmd
                 cmd;;
    esac

Sample case statement:

    # script expects a single argument.
    case "$1" in
        0) echo zero;;
        1) echo one;;
        2) echo two;;
        3) echo three;;
        *) echo "out of expected range";;
    esac

Result: the user enters 1 and the script echoes "one".

The null command (no operation)

The shell's "do nothing" command is : (colon). It can be used when you want to check for a value but do nothing if it is defined, and print a message if it is not:

    if grep "^$user:" /etc/passwd > /dev/null; then
        :
    else
        echo "user is not defined to system"
    fi

The same check reads better inverted, which removes the empty branch: if ! grep -q "^$user:" /etc/passwd; then echo "user is not defined to system"; fi

Debug your scripts

One way to debug your scripts is to start them with the -x option:

    /bin/sh -x number.sh 2
    + case "$1" in
    + echo two
    two

The -x option displays each command and its arguments as it is executed, prefixed with "+" (the value of PS4), on standard error.

Debug, cont.

You can extend the output with -v, which displays the shell input lines as they are read. Both can be enabled at the same time, either on the shebang line:

    #!/bin/sh -vx

or within the script, around just the section you are interested in:

    set -v
    set -x
    ...
    set +x
    set +v

Be careful with -x in scripts that handle secrets: the trace prints fully expanded arguments, so a password passed on a command line ends up on the terminal or in whatever log captures stderr.

Shell logical OR and logical AND

Logical OR = ||

    cmd1 || cmd2

cmd2 is ONLY executed if cmd1 fails (returns a non-zero exit status).

Logical AND = &&

    cmd1 && cmd2

cmd2 is ONLY executed if cmd1 succeeds (returns zero).

Review: conditionals

Exit status: 0 = success, non-zero = failure.

    if test "$user" = "<value>"

You can also just use [ ]:

    [ "$user" = "<value>" ]

File tests, such as "does the file exist":

    [ -e /etc/nsswitch.conf ]

Logical operators: -a -o || &&. You can use parentheses to alter the order of evaluation.

    if cmd; then do; else do; fi
    if [ "$HOME" ]; then echo "Found home!"; else echo "shucks we are homeless!"; fi
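The following script pulls the unit together in one runnable place. It is an added example, not code from the class slides or labs: it exercises exit status, test/[ ] on strings, integers and files, and && / || as short-circuit conditionals. The passwd-style data it writes is constructed for the example, and the user names, paths and function names are assumptions rather than anything taken from a real system.

```sh
#!/bin/sh
# Added example for Unit 1; not part of the class slides or labs.
# Exercises exit status, test/[ ] on strings, integers and files, and
# && / || as short-circuit conditionals. The passwd-style data below is
# constructed; user names, paths and function names are assumptions.

# Write a small, constructed passwd-style file so the example runs anywhere
# without touching the real /etc/passwd.
make_sample_passwd() {             # $1 = path to create
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
angus:x:1001:1001:Angus:/home/angus:/bin/bash
svc-backup:x:1002:1002::/var/lib/backup:/sbin/nologin
EOF
}

# Exit 0 if user $1 is defined in passwd file $2, 1 if not. Anchoring the
# pattern with "^" and ":" avoids substring matches: "ang" must not match
# "angus", and "root" must not match "nonroot".
user_defined() {
    grep -q "^$1:" "$2"
}

# Classify an account by its login shell and report it as an exit status
# the caller reads from $?: 0 = interactive shell, 2 = locked
# (nologin/false), 3 = user not found.
login_shell_status() {             # $1 = user, $2 = passwd file
    entry=$(grep "^$1:" "$2") || return 3
    shell=${entry##*:}             # text after the last ":" is the shell
    case $shell in
        */nologin|*/false) return 2 ;;
        *)                 return 0 ;;
    esac
}

# File tests: print one word describing $1. -L is checked first because
# -d and -f follow symlinks and would describe the target instead.
describe_path() {
    if   [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ] && [ -s "$1" ]; then echo file
    elif [ -f "$1" ]; then echo empty-file
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Integer test with a guard: [ "$1" -ge 0 ] does not return false for
# non-numeric input, it errors out (exit 2, "integer expression expected"),
# so validate the shape with a case pattern before comparing.
in_range() {                       # 0 if 0 <= $1 < 10, 1 otherwise
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 0 ] && [ "$1" -lt 10 ]
}

# Run as: sh conditionals.sh demo
if [ "${1:-}" = "demo" ]; then
    pw=$(mktemp)
    make_sample_passwd "$pw"
    for u in angus svc-backup nobody; do
        if user_defined "$u" "$pw"; then
            echo "$u is defined"
        else
            echo "$u is NOT defined"
        fi
        login_shell_status "$u" "$pw"
        echo "  login_shell_status exit code: $?"
    done
    describe_path "$pw"; describe_path /; describe_path /no/such/path
    in_range 7  && echo "7 is in range"
    in_range 12 || echo "12 is out of range"
    rm -f "$pw"
fi
```

Two design points worth noticing: every check is a function whose result is its exit status, so callers compose them with if, && and || exactly like the built-in tests, and the integer guard in in_range matters because an unguarded [ "$x" -ge 0 ] on garbage input is an error (exit 2), not a false answer.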

In class lab 7a

Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

Class 7, Unit 2

What we are going to cover: Certificate Authorities (CA)

What you should leave this session with: How public CAs work. PKI structure.

Public Certificate Authorities (CA)

So, if we want others to trust our certificate, the creation process is very similar to a self-signed certificate.

The difference is that we have a 3rd party sign the certificate signing request (CSR); the signed result becomes the public certificate.

At this point anyone that trusts that 3rd party (VeriSign, Thawte, Entrust) now implicitly trusts your certificate, and therefore you.

What is a Certificate Authority (CA)

A certificate authority can be described as an entity with policies for verifying the identity of other entities.

This verification is then manifested in the signing of a public key provided by the requestor, producing a certificate that others can recognize as legitimate.

Similar to how a government issues passports that other governments and individuals can then use to confirm the identity of the passport holder.

Where to find public CA certificates

Browser installs, OS installs and Java installs all come with a trust store (Java calls it a keystore). It contains the public certificates of the CAs that the related organizations have chosen to include by default.

Applications that use those stores will trust any certificate whose signature chains back to one of those CA certificates, that is, one made with the private key matching a CA certificate in the store.

Chain of trust.

The Chain of trust is based on the idea that trust is implied by association.

With certificates we trust them because we typically already trust the certificate that signed them.

If we visit for example: https://www.paypal.com/

We trust this site because it was signed by: VeriSign Class 3 Extended Validation SSL CA

Certificate chain

Starts with a public root CA certificate such as: VeriSign Class 3 Public Primary Certification Authority - G5

Which in turn signed a certificate for the intermediate CA: VeriSign Class 3 Extended Validation SSL SGC CA

Which signed the certificate for: www.verisign.com

Check this site to see the full chain.

Setting up a PKI instance

We will need to create a private key and public certificate pair for our Certificate Authority (CA).

With this key pair we can sign certificates, which will then show their relationship to our root.

To extend the chain we can submit a CSR for our CA's own key to the class CA and have it signed. Our CA then becomes an intermediate under the class CA, and the chain has been extended by one link.

openssl: certificate signing request (CSR)

If you are NOT going to sign the request yourself but rather have a 3rd party CA sign it, then you only need to create the request and the private key:

    openssl req -new -newkey rsa:2048 -nodes -keyout cert.key -out myreq.csr

This results in one CSR and one private key. Use rsa:2048 or larger; 1024-bit RSA is no longer accepted by public CAs or modern browsers. -nodes leaves the private key unencrypted on disk, which a server that must start unattended needs, but it means file permissions are the only thing protecting the key.

Signing the CSR

    sudo openssl ca -policy policy_anything -out server.crt -infiles myreq.csr

Here we are selecting the CA policy, which for us (policy_anything) is wide open but can be limited to require, match or ignore each DN field.

We define the CSR as input and the public cert as output. Everything else (CA key, CA certificate, database, serial file, validity, extensions) comes from the [ca] section of openssl.cnf.

Does the private key for this request need to be local also? No. The CSR carries the requester's public key and is signed with the requester's private key, which is all the CA needs to verify and sign it. The private key should never leave the requester's system.

openssl certificate & key verification

Comparing your private key and public cert (the two modulus hashes must be identical, otherwise the key does not belong to the certificate):

    openssl rsa -noout -modulus -in ca-private-key.pem | openssl md5
    openssl x509 -noout -modulus -in ca-pub-cert.pem | openssl md5

Check your private key:

    openssl rsa -in private.key -check

Check your public certificate:

    openssl x509 -in server.crt -text -noout

Check your CSR:

    openssl req -text -noout -verify -in server.csr
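The steps above (CA key and certificate, CSR, signing with openssl ca, modulus check) as one runnable script. This is an added example and not the class's lab script: the directory layout, the contents of the generated openssl.cnf and the names (Lab Root CA, www.example.test) are assumptions, and the keys are created with -nodes because they are throw-away lab keys.

```sh
#!/bin/sh
# Added example; not the class's lab script. Builds a throw-away CA with
# "openssl ca" (the command on the slides), issues one server cert from a
# CSR and runs the key/cert modulus check. Layout, config and names
# (Lab Root CA, www.example.test) are assumptions; -nodes is for the lab only.

# Minimal openssl.cnf for "openssl ca": where its database, serial counter,
# key and certificate live, the DN policy, and the extensions it stamps on
# issued certificates. The CA sets basicConstraints/keyUsage itself so a
# requester cannot smuggle CA:TRUE in through copy_extensions; only
# extensions absent from server_ext (the SAN) are copied from the CSR.
write_cnf() {                      # $1 = CA directory (absolute path)
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = lab_ca
[ lab_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_ext
copy_extensions = copy
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
EOF
}

# Create the CA: the bookkeeping files openssl ca insists on, then a
# self-signed root key + certificate in one step.
setup_ca() {                       # $1 = CA directory to create
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"             # database of issued certificates
    echo 1000 > "$1/serial"        # next serial (even number of hex digits)
    write_cnf "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -subj "/CN=Lab Root CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# Requester side: private key + CSR (the key stays with the requester).
# CA side: sign the CSR; only the .csr is needed, never the requester's key.
issue_cert() {                     # $1 = CA dir, $2 = output basename, $3 = hostname
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$2.key" -out "$2.csr" &&
    openssl ca -batch -config "$1/openssl.cnf" -policy policy_anything \
        -notext -out "$2.crt" -infiles "$2.csr"
}

# The slides pipe both moduli through "openssl md5" only to shorten them
# for a visual comparison; comparing the full values is the same check.
key_matches_cert() {               # $1 = private key, $2 = certificate
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: sh lab_ca.sh demo /tmp/labca
if [ "${1:-}" = "demo" ]; then
    base=${2:-/tmp/labca}
    setup_ca "$base/ca"
    issue_cert "$base/ca" "$base/www" www.example.test
    openssl verify -CAfile "$base/ca/ca.crt" "$base/www.crt"
    key_matches_cert "$base/www.key" "$base/www.crt" && echo "key and cert match"
    openssl x509 -in "$base/www.crt" -noout -subject -issuer
fi
```

openssl verify -CAfile is the programmatic form of "does this cert chain to our root": it exits 0 and prints "OK" only if the signature checks out against ca.crt and the CA certificate is actually marked CA:TRUE. Note that copy_extensions = copy is what lets the requester's subjectAltName through; it is safe only because server_ext already pins basicConstraints, keyUsage and extendedKeyUsage, so a CSR that asks for CA:TRUE is ignored.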

Web server configuration

Just as before we need to define a valid path to our web server certificate and key.

Now we also need to define our new CA certificate.

If we have a root and an intermediate CA, as with Verisign, we would need to create a chain certificate. This is basically a file with multiple certificates concatenated in order: the server certificate first, then each intermediate up towards the root (the root itself is normally left out, since clients already have it in their trust store).

review: /etc/pki/tls/certs/ca-bundle.crt

Review: PKI

Private keys, public certificates and CSRs. Public CAs. Chain of trust. Chain certificates.

PKI setup: private key, CSR, signed cert. Sign other requests (CSRs).

In class lab 7b

Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

Class 7, Unit 3

What we are going to cover: Scripting and loops

What you should leave this session with: Basics of creating loops within your scripts. How to enable debug in your scripts.

Loops

Loops are blocks of code that run until complete (they can be infinite loops).

The first example is the for loop:

    for f in value1 value2 value3
    do
        cmd
    done

For loops - body

    for letter in a b c
    do
        echo "found: $letter"
    done

The "body" is the content between "do" and "done".

When the script is executed, "letter" is assigned the first value after "in" and the body of the loop is executed. When complete, the second value is assigned to $letter and the process is repeated.

? What happens if you enclose a b c in quotes?

for loops, cont.

You can leverage the shell's filename substitution (globbing) in loops. The shell expands the pattern in the list before the loop starts:

    for f in [1-3].txt
    do
        echo "$f"
    done

Just as in the other examples, echo is executed 3 times here, assuming 1.txt, 2.txt and 3.txt exist. If nothing matches, the pattern is passed through unexpanded and the loop runs once with f set to the literal string "[1-3].txt".

for loops, cont.

You can also read values from a file and feed them to the for loop:

    cat filelist.txt
    1.txt
    2.txt
    3.txt

    for files in $(cat filelist.txt); do echo "$files"; done

or

    for files in $(cat filelist.txt); do cat "$files"; done

* example of command substitution. The substituted output is word-split on whitespace, so a file name containing a space becomes two loop values; a "while read" loop is the safer choice for such lists.

Using $* in loops

$* = all arguments

    echo "Number of arguments passed in: $#"
    for variables in $*
    do
        echo "$variables"
    done

Replacing $* with $@

You know that $* returns all the values provided at the command line. "$@" also expands to all of them, but each argument stays one word even if it contains spaces, so an argument like "red apple" is one loop value rather than two.

    for f in "$@"
    do
        echo "$f"
    done

* Best practice: always place double quotes around $@.

while loops

Another looping construct is "while":

    while cmd
    do
        cmd
    done

"cmd" is executed and its exit status is tested. If the exit status is zero, the commands between do and done are run and cmd is tested again; when cmd finally returns non-zero, the loop ends and the script continues after "done".

while script

The condition can be any command; "while true; do ...; done" is the infinite form. Sample "while" script counting to 10:

    num=1
    while [ "$num" -le 10 ]
    do
        echo $num
        num=$(( num+1 ))
    done

until

until is the inverse of while, meaning it runs the body so long as the command's exit status is not 0 (not successful).

As with while, the commands between do and done may never be executed if the initial command returns a successful response (zero).

Useful when waiting for a status change.

until, cont.

    # if NOT successful, enter the body
    until ps -ef | grep -i "named" | grep -v grep > /dev/null
    do
        echo "bind is not running"
        sleep 5
    done
    echo "bind is running"

The second grep removes the grep process itself from the match (pgrep named does the same in one command). As written the loop waits forever; in a real script add a retry limit so a service that never starts does not hang the script.

Break out!

Sometimes in a loop you want to break out based on user input, such as the user asking to quit. Enter "break":

    while true
    do
        read cmd
        if [ "$cmd" = "quit" ]
        then
            break
        else
            echo "$cmd"
        fi
    done

Continue on...

The counterpart of break is continue. Sometimes you want to skip the rest of the current iteration and move on to the next one. This is where you might use continue:

    for file                      # no "in" list: iterates over "$@"
    do
        if [ ! -e "$file" ]
        then
            echo "file not found: $file"
            continue
        fi
        # process rest of file/data
    done

Sending the process to background

You can background the whole loop by putting & after the done statement, just as we have done at the command line:

    for file in data[1-4]
    do
        run "$file"
    done &

Redirection

I/O redirection on a loop can be done with < or > after "done", based on your need. This redirects the whole loop once rather than opening the file on every iteration.

Write to file:

    for i in 1 2 3 4
    do
        echo $i
    done > data.out

Sleep and background

sleep n, where n is a numeric value, pauses the script (not the system) for the specified number of seconds.

You can run programs in the background using the ampersand "&":

    script &

The shell prints the job number and the process ID (PID) of the background job.

Use fg to bring a background job back to the foreground.

Options

You can define options in your scripts using syntax similar to this:

    if [ "$1" = "-a" ]
    then
        option=TRUE
        shift
    else
        option=FALSE
    fi
    echo "value for option is: $option"

getopts

The previous example is fine for simple options, but if you want more flexibility it becomes tedious to script. getopts is available for this purpose.

getopts works within a loop and examines each argument in turn to determine whether it is an option, based on the presence or absence of a "-" before the value.

getopts

The syntax of the getopts command is: getopts optstring name

optstring is the list of option letters expected from the command line. name is the variable that receives the option letter on each iteration of the loop.

getopts, cont.

You can stack your options or pass them individually, meaning -abc or -a -b -c.

If an option needs an argument, add ":" after it:

    getopts a:bc name

Now a valid command line looks like:

    script.sh -a braeburn -b -c
    script.sh -a braeburn
    script.sh -b -c

getopts, cont.

OPTARG holds the argument when an option requires one, e.g. -a braeburn.

OPTIND is a special variable used by getopts; it starts at 1 and is advanced each time getopts consumes an argument. After the loop, shift $((OPTIND - 1)) removes the options and leaves only the remaining (non-option) arguments.

If you reset OPTIND to 1 after the loop, it is possible to use getopts again in the same script, for example inside a second function.

Impact of ":"

When an option character not contained in optstring is found, or an option found does not have its required argument:

If optstring does NOT begin with a : (colon):

1. name will be set to ?
2. OPTARG will be unset
3. A diagnostic message WILL be written to standard error.

Alternatively, if optstring DOES begin with a : (colon):

1. name will be set to ? for an unknown option, or to : (colon) for an option missing its required argument.
2. OPTARG will be set to the option character found.
3. No output will be written to standard error; the script prints its own message.

getopts sample

    while getopts ":ab:c" option; do
        case $option in
            a) echo received -a ;;
            b) echo received -b with "$OPTARG" ;;
            c) echo received -c ;;
            :) echo "option -$OPTARG needs an ARG" ;;
            *) echo "invalid option -$OPTARG" ;;
        esac
    done
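The following added example (not code from the class materials) puts three of this unit's points into functions whose results can be checked: the difference between unquoted $* and "$@" when an argument contains a space, a bounded until-loop in place of the wait-forever form, and getopts with a leading ":" so the script reports missing arguments and unknown options itself. The function names, option letters and sample arguments (braeburn, fuji, gala) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example for Unit 3; not from the class materials. Shows $* vs "$@",
# a bounded until-loop, and getopts with a leading ":" in optstring.
# Function names and the sample arguments are assumptions.

# Count the words a loop sees when given unquoted $* (word-split on IFS) ...
count_star() {
    n=0
    for w in $*; do n=$((n + 1)); done
    echo "$n"
}

# ... versus "$@", which keeps each argument as one word even with spaces.
count_at() {
    n=0
    for w in "$@"; do n=$((n + 1)); done
    echo "$n"
}

# Run $1 (a shell command string) until it succeeds, at most $2 times,
# sleeping $3 seconds between tries. Exit 0 = condition met, 1 = gave up.
# Unlike the bare "until ps ... | grep" loop, this cannot hang forever.
wait_until() {
    cmd=$1; tries=$2; delay=$3; i=0
    until eval "$cmd" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -ge "$tries" ] && return 1
        sleep "$delay"
    done
    return 0
}

# Option parsing with getopts. The leading ":" makes getopts silent and
# reports problems through the name variable: "?" = unknown option,
# ":" = option missing its argument; OPTARG then holds the offending letter.
parse_opts() {
    OPTIND=1                       # reset so the function can be called repeatedly
    a=0; b=; c=0; err=
    while getopts ":ab:c" opt; do
        case $opt in
            a)  a=1 ;;
            b)  b=$OPTARG ;;
            c)  c=1 ;;
            :)  err="missing:$OPTARG" ;;
            \?) err="invalid:$OPTARG" ;;   # escaped: a bare ? matches any char
        esac
    done
    shift $((OPTIND - 1))          # drop the options; "$@" is now the operands
    echo "a=$a b=$b c=$c err=$err rest=$#"
}

# Run as: sh loops.sh demo
if [ "${1:-}" = "demo" ]; then
    count_star "red apple" braeburn          # 3: the space in "red apple" splits
    count_at   "red apple" braeburn          # 2
    parse_opts -a -b braeburn -c fuji gala   # a=1 b=braeburn c=1 err= rest=2
    parse_opts -acb braeburn                 # stacked options work the same way
    parse_opts -b                            # err=missing:b
    parse_opts -z                            # err=invalid:z
    wait_until "[ -e /no/such/file ]" 2 0 || echo "gave up waiting"
fi
```

wait_until takes the condition as a string and runs it with eval, which is convenient for a lab but means the caller must control that string; never build it from untrusted input.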

Review: loops and breaks

For loops:

    for f in a b c; do echo "found: $f"; done
    for f in $(cat filelist.txt); do echo "$f"; done
    for f in $(cat filelist.txt); do cat "$f"; done

$* vs $@: "$@" keeps each argument as a separate word; unquoted $* is split on white space.

Until and while: with while, the loop body is entered if the exit status is zero; with until, it is entered if the exit status is NOT zero. break and continue are used to manipulate the loop behavior.

Review: Options and getopts

Passing options to your script manually:

    if [ "$1" = "-a" ]
    then
        option=TRUE
        shift

getopts is a built-in shell command. It loops through the arguments looking for a "-" before each one and determines whether it is a valid option.

If an option requires an argument, simply add a ":" after that option letter in optstring and getopts will require one.

In class lab 7c

Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

Homework

homework for this week posted later tonight.

