Transcript Unix Linux Administration II

Unix Linux
Administration II
Class 7: Scripting conditionals.
Setting up your Certificate Authority
(CA). Scripting loops.
Agenda
 discuss
Homework.
 Unit 1: Scripting conditionals.
 Unit 2: Certificate Authority.
 Unit 3: Scripting loops.
Homework review
DNS configs.
Scripting – ping script.
Review:
basic math syntax $((expression))
most common functions available including
bitwise and logcal
White space is optional.
non-zero final expression return true.
Quoting ', ", ` and \
command subsitution user=$(grep -i $name
/etc/passwd)
Review: cont.
Positional parameters are provided by the shell
environment and automatically assign variables
to values passed into the script.
who
who | grep root
on.sh root
who | grep $1
$# = number of arguments passed to the script.
$* = reference all arguments passed to the script
$? = Stores the exit value of the script
Review:
Slave servers provide redundancy and high
availability when designed appropriately
form your domain.
The changes between slave and master are
fairly simple.
Slave poll masters by default but master can
be configured to notify slaves when
updates occur.
Slaves can be configured to store zone data
locally for backup.
Class 7, Unit 1
What we are going to cover:
 Scripting and conditionals
What you should leave this session with:
 How to add decision points to your scripts.
 How to enable debug in your scripts.
Indenting

Tabs or Spaces
 Be
consistent! (possible vimrc setting?).
Helps with legibility
 Most languages ignore white space

 Good
or Bad?
”…code is read much more often than it is written”
Python - http://www.python.org/dev/peps/pep-0008/#indentation
Exit status
Every time you run a script it produces an exit
status. Zero is successful anything else
indicates failure.
Failures can be caused for lots of reasons.
The exit value is stored in $?
echo $?
What are some ways to create a failed exit
status?
The "if" construct
"if" is one of the first conditional statements you will
probably encounter.
You can think of this as "if X then do Y and finish".
The if statement must start with "if" and end with "fi".
We will see similar constructs in other conditionals
later.
for example:
if [ -f /etc/hosts ]; then
echo "a host file exists"
fi
How to test string values.
You can test an expression for a true or false
value using the expression "test".
user=$1
if test “$user” == angus; then
echo “$user found on system”
fi
Many test operators are available such as
==, !=, -z string (string is null) –n string (string
is NOT null), string (is defined)
Test cont.
You can also test for integer values with
Returns true (0) if:
int1 -eq int2
int1 -ge int2 “great than or equal to”
int1 -gt int2 “greater than”
int1 -le int2 “less than or equal to”
int1 -lt int2 “less than”
int1 -ne int2 “not equal to”
[ “$value” -eq 0 ]
File tests
The file tests expect a single argument, the filename.
-d file
file is a directory
-e file
file exists
-f file
file is an ordinary file
-r file
file is read only
-s file
file has nonzero length
-w file
file is writable by process
-x file
file is executable
-L file
file is a symbolic link
[ -f /etc/passwd ] is this an ordinary file
[ -r /etc/passwd ] Is file readable by process.
Logical operators available.
! Used to negate the value
[ ! –r /etc/shadow ] is the file not readable
-a performs logical AND of two expressions.
[ -f /etc/passwd –a –r /etc/passwd ]
BOTH must be true.
-o performs logical OR of two expressions.
[ -f /etc/passwd –o –r /etc/shadow ]
true if EITHER are successful
Parentheses
You can use parentheses in a test to alter
the order of evaluations however the
parentheses must be escaped
[ \( “$value” –ge 0 \) –a \( $value –lt 10 \) ]
The else conditional
The else statement can expand the if
statement. If the first condition is true the
second one is skipped.
if cmd; then
command1
command2
else
command1
command2
fi
else example
# value passed in from cmd line.
user=$1
if who | grep "^$user " > /dev/null; then
echo "$user is logged on"
else
echo "$user is NOT logged on"
fi
Exit command
Exit allows you to immediately terminate a script.
You can pass exit a numeric value also if you
want, this become the status code stored by $?
if ...
else
echo "$user is NOT logged on“
exit 2
fi
Syntax for else/if = elif
If you find a need for nested if statements this can
resolved with elif statements.
If cmd ; then
cmd
elif cmd ; then
cmd
else
cmd
fi
The case statement
Case statements let you compare a value against
multiple values and execute one when a match is
found. Case statements can be very efficient.
case value in
pattern) cmd
cmd;;
pattern) cmd
cmd
cmd;;
pattern) cmd
cmd;;
esac
Sample case statement
# script expects a single variable.
case "$1” in
0) echo zero;;
1) echo one;;
2) echo two;;
3) echo three;;
*) echo "out of expected range";;
esac
Result, user enters 1 script echoes “one”
Talk about nothing, no operator
The shell representation for no operator is :
This can be used in a script when you what to check
for a value but do nothing if it is defined but return a
message if it does not exist.
If grep “userid /etc/passwd” > /dev/null; then
:
else
echo “user is not defined to system”
fi
Debug your scripts
One way to debug your scripts is to start them with
the –x option like this:
/bin/sh –x number.sh
 /bin/sh -x number.sh 2
 + case "$1" in
 + echo two
 Two
The set –x option will display command and their
arguments as they are executed.
Debug cont.
You can extend the output using –v
Enabling –v will display the shell input lines
as they are read.
Both can be enabled at the same time.
#!/bin/sh –vx
Or within the script using something like
 set –v on
 set –x on
Disable using +v or +x
Shell logical OR and logical AND
Logical OR = ||
cmd1 || cmd2
cmd2 is ONLY executed if cmd1 fails.
Logical AND = &&
cmd1 && cmd2
ONLY if cmd1 succeeds will cmd2 run.
Review: conditionals
Exit status, 0 = success, !0 = fail.
if test "$user" == “<value>”
you can also just use []
[ "$user" == “<value>” ]
File tests, such as does the file exist.
[ -e /etc/nsswitch.conf ]
logical operators
-a -o || &&
You can use parentheses to alter the order of evaluations.
if cmd; then do; else do; fi
if [ "$HOME" ]; then echo "Found home!"; else echo "shucks we are homeless!"; fi
In class lab 7a

Lab notes for this session can be found
here: http://www.ulcert.uw.edu -> Class
Content -> InClass labs ->
Class 7, Unit 2
What we are going to cover:
 Certificate Authorities (CA)
What you should leave this session with:
 How public CA server work
 PKI structure
Public Certificate Authorities (CA)
So, if we want others to trust our certificate
the creation process is very similar to a self
signed certificate.
The difference is that we have a 3rd party
sign the certificate signing request (CSR)
which then becomes the public certificate.
At this point anyone that trusts that 3rd party
(Verisign, Thwart, Entrust) now implicitly
trust you.
What is a Certificate Authority (CA)
A certificate authority can be described as an
entity with policies for verifying the identity of
entities.
This verification is then manifest in the signing
of a public key provided by the requestor that
others can recognize as legitimate.
Similar in how a government issues passports
that then other governments and individuals
can use to confirm the identity of the
passport owner.
Where to find public CA certificates
Browser installs, OS installs, Java installs all
come with a keystore. The keystore
contains a selection of public key
certificates that the related organizations
have chosen to include by default.
Applications that interact with those
technologies will trust certificates signed
by the private keys for which the public
certificate is available.
Chain of trust.
The Chain of trust is based on the idea that trust is
implied by association.
With certificates we trust them because we
typically already trust the certificate that signed
them.
If we visit for example: https://www.paypal.com/
We trust this site because it was signed by:
 VeriSign Class 3 Extended Validation SSL CA
Certificate chain.
Starts with a public CA certificates such as:

VeriSign Class 3 Public Primary Certificate Authority – G5
Which in turn signed a certificate for:
 VeriSign
class 3 Extended Validation SSL SGC CA
Which signed the certificate for:

www.versign.com
Check this site to see the full chain.
Setting up a PKI instance
We will need to create a private key and
public certificate pair for our Certificate
Authority (CA).
From this key pair we can sign certificate
which will now show the relationship to the
root.
To extend this chain we can submit a CSR
from the root to the class CA and have it
signed. Now the chain has been extended.
openssl: cert signing request (csr).
If you are NOT going to sign the request but rather
have a 3rd party CA sign it then you only need to
create the request and private key.
openssl req –new –newkey rsa:1024 –nodes -keyout
cert.key –out myreq.csr
This results in one csr and one private key.
Signing the “csr”
sudo openssl ca -policy policy_anything -out
server.crt -infiles myreq.csr
Here we are defining the CA policy which for
us is wide open but can be limited.
We define the csr input and the public cert
output.
Does the private key for this request need to
be local also?
openssl certificate & key verification
Comparing your private key and public certs.


openssl rsa –noouot –modules –in ca-private-key.pem | openssl md5
openssl x509 –noout –modules –in ca-pub-cert.perm | openssl md5
Check your private key

openssl rsa –in private.key –check
Check your pubic certificate

openssl x509 –in server.crt –text –noout
Check your csr

openssl req –text –noout –verify –in server.csr
Web server configuration
Just as before we need to define a valid path
to our webserver certificates and keys.
Now we also need to define our new CA
certificate.
If we have a root and intermediate CA like
Verisign we would need to create a chain
certificate. This is basically a file with
multiple certificates.
review: /etc/pki/tls/certs/ca-bundle.crt
Review: PKI
Private keys, Public certificates and CSR
public CA
Chain of Trust
Chain certificates
PKI setup
private key, csr
signed cert.
sign other requests (CSR).
In class lab 7b

Lab notes for this session can be found
here: http://www.ulcert.uw.edu -> Class
Content -> InClass labs ->
Class 7, Unit 3
What we are going to cover:
 Scripting and loops
What you should leave this session with:
 Basics to creating loops within your scripts.
 How to enable debug in your scripts.
Loops.
Loops are blocks of code that run until
complete (they can be infinite loops)
The first example is the for loop.
for f in value1 value2 value3
do
cmd
done
For loops - body.
for letter in a b c
do
echo “found: $letter”
done.
The “Body” is the content between “do” and “done”.
When the script is executed the value for “letter” is
assigned to the first value provided after “in” and
then the body of the loop is executed. When
complete the second value is assigned to the
variable $letter and the process is repeated.
? What happens if you enclose a b c in quotes?
for loops cont.
You can leverage the shells ability for filename
substitution in loops. The shell provides for
filename substitution in the list provided to the
body of the loop.
for f in [1-3].txt
do
echo $f
done.
Just as in the other examples, echo is executed
3 times in this example
for loops cont.
you can also read in file values and feed those to
the for loop.
cat filelist.txt
1.txt
2.txt
3.Txt
for files in $(cat filelist.txt) ; do echo $files; done
or
for files in $(cat filelist.txt) ; do cat $files; done
*example of command substitutions.
Using $* in loops
$* = all arguments
echo “Number of arguments passed in $#“
for variables in $*
do
echo "$variables"
done
Replacing $* with $@
You know that $* returns all the values provided at
the command line.
However if you use $@ this is actually a comma
separated list of values
for f in “$@”
do
echo $f
done
*Best practice to place double quotes around $@
while loops
Another looping function is "while".
while cmd
do
cmd
done
“cmd” is executed and its exit status is tested. if
the exit status is zero the commands between
do and done are competed otherwise the script
exits with a non zero status code
while script
Similar to saying “while true do”
sample “while” script counting to 10
num=1
while [ "$num" -le 10 ]
do
echo $num
num=$(( num+1 ))
done
until
until - the inverse of while, meaning it will
run so long as the return code is not 0, or
not successful.
Similar to the while blocks, commands
between the do and done functions may
never be executed if the initial command
returns a successful response (zero).
Useful when checking for a status change
until cont.
# if NOT successful enter the body
until ps -ef | grep -i "named“ | grep –v grep >
/dev/null
do
echo "bind is not running"
sleep 5
done
echo "bind is running“
Break out!
Sometimes in a logic loop you want to break
out based on user input such as the user
asking to quit. Enter “break”
while true
do
read cmd
if [ "$cmd" = "quit" ]
then
break
else
echo "$cmd"
fi
done
Continue on…
The opposite of break is to continue. Sometimes you
want the loop to simply leave the current loop and
continue working through the script. This is where
you might use continue
for file
do
if [ ! –e “$file” ]
then
echo “file not found”
continue
fi
process rest of file/data
done
Sending the process to background
You can background a process using the &
after the done statement. Just as we have
done at the command line.
for file in data[1-4]
do
run $file
done &
redirection
I/O redirection on a loop can be obtained
using the < or > based on your need.
Write to file:
for i in 1 2 3 4
do
echo $i
done > data.out
Sleep and background
sleep n - where n is a numeric value. Sleep
will pause the system for the time specified
on the command line.
You can run programs in the background
using ampersand "&"
script &
output from this command will tell you the
process associated with your process.
Use fg to foreground a background process.
options
You can define options in your scripts using syntax
similar to this:
if [ "$1" = "-a" ]
then
option=TRUE
shift
else
option=FALSE
fi
echo "value for option is: $option"
getopts
The previous example is fine for simple
options but if you want more flexibility it
can become tedious to script. However
getopts is available for this purpose.
getopts works within a loop and examines
each argument to determine if it is an
option based on the existence or absence
– before the value.
getopts
The syntax of the getopts command is:
getopts optstring option
opstring – is the list of options expected
from the command line.
 option - value used to iterate over the
command line options provided.

getopts cont.
You can stack your options or pass them
individually. Meaning –abc or –a –b -c
If your option needs an argument add “:”
getopts a:bc name
Now a valid command line looks like:
script.sh –a braeburn –b –c
script.sh –a braeburn
script.sh –b –c
getopts cont.
OPTARG used when an option requires an
argument, e.g. –a braeburn
OPTIND is a special variable used by
getops which is set to 1 by default and is
updated each time getopts complete a
loop.
If you reset $OPTIND to 1 at the end of the
loop it is possible to use getops again in
the same script.
Impact of “:”
When an option character not contained in
optstring is found, or an option found does
not have the required option-argument:
If optstring does NOT begin with a : (colon)
1. Option will be set to a ?
2. OPTARG. will be unset
3. A diagnostic message WILL be written to
standard error.
Impact of “:”
Alternatively if optstring DOES begin with a :
(colon)
1. option will be set to a ? character for an
unknown option or to a : (colon) character
for a missing required option.
2. OPTARG. will be set to the option
character found.
3. no output will be written to standard error.
getopts sample
while getopts ":ab:c" option;
do
case $option in
a) echo received -a ;;
b) echo received -b with $OPTARG ;;
c) echo received -c ;;
:) echo "option -$OPTARG needs and an ARG" ;;
*) echo "invalid option -$OPTARG" ;;
esac
done
Review: loops and breaks
For loops:
 for f in a b c; do echo "found: $f"; done
 for f in $(cat filelist.txt); do echo $f; done
 for f in $(cat filelist.txt); do cat $f; done
$* vs $@, $@ provides a comma separated list
Until and While:
 while loops, if the exit status is zero the loop is
entered.
 until, if the exit status is NOT zero the loop is
entered.
Break and continue are used to manipulate the loop
behavior.
Review: Options and GETOPTS
Passing options to your script manually.
if [ "$1" = "-a" ]
then
option=TRUE
shift
GETOPTS is a built-in shell function. GETOPTS
loops through arguments looking for a “-” before any
arguments and determines if it is a valid option.
If arguments are required with the options then you
simple add a “:” after the option in your script the
GETOPTS will require one.
In class lab 7c

Lab notes for this session can be found
here: http://www.ulcert.uw.edu -> Class
Content -> InClass labs ->
Homework
homework for this week posted later tonight.