Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.

Agenda discuss Homework. Unit 1: Scripting conditionals. Unit 2: Certificate Authority. Unit 3: Scripting loops.

Homework review DNS configs. Scripting – ping script.

Review: basic math syntax $((expression)) most common functions available including bitwise and logcal White space is optional. non-zero final expression return true. Quoting ', ", ` and \ command subsitution user=$(grep -i $name /etc/passwd)

Review: cont. Positional parameters are provided by the shell environment and automatically assign variables to values passed into the script. who who | grep root on.sh root who | grep $1 $# = number of arguments passed to the script. $* = reference all arguments passed to the script $? = Stores the exit value of the script

Review: Slave servers provide redundancy and high availability when designed appropriately form your domain. The changes between slave and master are fairly simple. Slave poll masters by default but master can be configured to notify slaves when updates occur. Slaves can be configured to store zone data locally for backup.

Class 7, Unit 1 What we are going to cover: Scripting and conditionals What you should leave this session with: How to add decision points to your scripts. How to enable debug in your scripts.

Indenting Tabs or Spaces  Be consistent! (possible vimrc setting?). Helps with legibility Most languages ignore white space  Good or Bad? ” …code is read much more often than it is written ” Python - http://www.python.org/dev/peps/pep-0008/#indentation

Exit status Every time you run a script it produces an exit status. Zero is successful anything else indicates failure. Failures can be caused for lots of reasons. The exit value is stored in $? echo $? What are some ways to create a failed exit status?

The "if" construct "if" is one of the first conditional statements you will probably encounter. You can think of this as "if X then do Y and finish". The if statement must start with "if" and end with "fi". We will see similar constructs in other conditionals later. for example: if [ -f /etc/hosts ]; then echo "a host file exists" fi

How to test string values. You can test an expression for a true or false value using the expression "test". user=$1 if test “$user” == angus; then echo “$user found on system” fi Many test operators are available such as ==, !=, -z string (string is null) –n string (string is NOT null), string (is defined)

Test cont. You can also test for integer values with Returns true (0) if: int1 -eq int2 int1 -ge int2 “great than or equal to” int1 -gt int2 “greater than” int1 -le int2 “less than or equal to” int1 -lt int2 “less than” int1 -ne int2 “not equal to” [ “$value” -eq 0 ]

File tests The file tests expect a single argument, the filename. -d filefile is a directory -e filefile exists -f file file is an ordinary file -r filefile is read only -s filefile has nonzero length -w filefile is writable by process -x file file is executable -L filefile is a symbolic link [ -f /etc/passwd ] is this an ordinary file [ -r /etc/passwd ] Is file readable by process.

Logical operators available. ! Used to negate the value [ ! –r /etc/shadow ] is the file not readable -a performs logical AND of two expressions. [ -f /etc/passwd –a –r /etc/passwd ] BOTH must be true. -o performs logical OR of two expressions. [ -f /etc/passwd –o –r /etc/shadow ] true if EITHER are successful

Parentheses You can use parentheses in a test to alter the order of evaluations however the parentheses must be escaped [ $ “$value” –ge 0 $ –a $ $value –lt 10 $ ]

The else conditional The else statement can expand the if statement. If the first condition is true the second one is skipped. if cmd; then command1 command2 else command1 command2 fi

else example # value passed in from cmd line. user=$1 if who | grep "^$user " > /dev/null; then echo "$user is logged on" else echo "$user is NOT logged on" fi

Exit command Exit allows you to immediately terminate a script. You can pass exit a numeric value also if you want, this become the status code stored by $? if... else echo "$user is NOT logged on“ exit 2 fi

Syntax for else/if = elif If you find a need for nested if statements this can resolved with elif statements. If cmd ; then cmd elif cmd ; then cmd else cmd fi

The case statement Case statements let you compare a value against multiple values and execute one when a match is found. Case statements can be very efficient. case value in pattern) cmd cmd;; pattern)cmd cmd cmd;; pattern)cmd cmd;; esac

Sample case statement # script expects a single variable. case "$1” in 0) echo zero;; 1) echo one;; 2) echo two;; 3) echo three;; *) echo "out of expected range";; esac Result, user enters 1 script echoes “one”

Talk about nothing, no operator The shell representation for no operator is : This can be used in a script when you what to check for a value but do nothing if it is defined but return a message if it does not exist. If grep “userid /etc/passwd” > /dev/null; then : else echo “user is not defined to system” fi

Debug your scripts One way to debug your scripts is to start them with the –x option like this: /bin/sh –x number.sh /bin/sh -x number.sh 2 + case "$1" in + echo two Two The set –x option will display command and their arguments as they are executed.

Debug cont. You can extend the output using –v Enabling –v will display the shell input lines as they are read. Both can be enabled at the same time. #!/bin/sh –vx Or within the script using something like set –v on set –x on Disable using +v or +x

Shell logical OR and logical AND Logical OR = || cmd1 || cmd2 cmd2 is ONLY executed if cmd1 fails. Logical AND = && cmd1 && cmd2 ONLY if cmd1 succeeds will cmd2 run.

Review: conditionals Exit status, 0 = success, !0 = fail. if test "$user" == “ ” you can also just use [] [ "$user" == “ ” ] File tests, such as does the file exist. [ -e /etc/nsswitch.conf ] logical operators -a -o || && You can use parentheses to alter the order of evaluations. if cmd; then do; else do; fi if [ "$HOME" ]; then echo "Found home!"; else echo "shucks we are homeless!"; fi

In class lab 7a Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu

Class 7, Unit 2 What we are going to cover: Certificate Authorities (CA) What you should leave this session with: How public CA server work PKI structure

Public Certificate Authorities (CA) So, if we want others to trust our certificate the creation process is very similar to a self signed certificate. The difference is that we have a 3 rd party sign the certificate signing request (CSR) which then becomes the public certificate. At this point anyone that trusts that 3 rd party (Verisign, Thwart, Entrust) now implicitly trust you.

What is a Certificate Authority (CA) A certificate authority can be described as an entity with policies for verifying the identity of entities. This verification is then manifest in the signing of a public key provided by the requestor that others can recognize as legitimate. Similar in how a government issues passports that then other governments and individuals can use to confirm the identity of the passport owner.

Where to find public CA certificates Browser installs, OS installs, Java installs all come with a keystore. The keystore contains a selection of public key certificates that the related organizations have chosen to include by default. Applications that interact with those technologies will trust certificates signed by the private keys for which the public certificate is available.

Chain of trust. The Chain of trust is based on the idea that trust is implied by association. With certificates we trust them because we typically already trust the certificate that signed them. If we visit for example: https://www.paypal.com/https://www.paypal.com/ We trust this site because it was signed by: VeriSign Class 3 Extended Validation SSL CA

Certificate chain. Starts with a public CA certificates such as: VeriSign Class 3 Public Primary Certificate Authority – G5 Which in turn signed a certificate for:  VeriSign class 3 Extended Validation SSL SGC CA Which signed the certificate for: www.versign.com Check this site to see the full chain.

Setting up a PKI instance We will need to create a private key and public certificate pair for our Certificate Authority (CA). From this key pair we can sign certificate which will now show the relationship to the root. To extend this chain we can submit a CSR from the root to the class CA and have it signed. Now the chain has been extended.

openssl: cert signing request (csr). If you are NOT going to sign the request but rather have a 3 rd party CA sign it then you only need to create the request and private key. openssl req –new –newkey rsa:1024 –nodes -keyout cert.key –out myreq.csr This results in one csr and one private key.

Signing the “csr” sudo openssl ca -policy policy_anything -out server.crt -infiles myreq.csr Here we are defining the CA policy which for us is wide open but can be limited. We define the csr input and the public cert output. Does the private key for this request need to be local also?

openssl certificate & key verification Comparing your private key and public certs. openssl rsa –noouot –modules –in ca-private-key.pem | openssl md5 openssl x509 –noout –modules –in ca-pub-cert.perm | openssl md5 Check your private key openssl rsa –in private.key –check Check your pubic certificate openssl x509 –in server.crt –text –noout Check your csr openssl req –text –noout –verify –in server.csr

Web server configuration Just as before we need to define a valid path to our webserver certificates and keys. Now we also need to define our new CA certificate. If we have a root and intermediate CA like Verisign we would need to create a chain certificate. This is basically a file with multiple certificates. review: /etc/pki/tls/certs/ca-bundle.crt

Review: PKI Private keys, Public certificates and CSR public CA Chain of Trust Chain certificates PKI setup private key, csr signed cert. sign other requests (CSR).

In class lab 7b Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu

Class 7, Unit 3 What we are going to cover: Scripting and loops What you should leave this session with: Basics to creating loops within your scripts. How to enable debug in your scripts.

Loops. Loops are blocks of code that run until complete (they can be infinite loops) The first example is the for loop. for f in value1 value2 value3 do cmd done

For loops - body. for letter in a b c do echo “found: $letter” done. The “Body” is the content between “do” and “done”. When the script is executed the value for “letter” is assigned to the first value provided after “in” and then the body of the loop is executed. When complete the second value is assigned to the variable $letter and the process is repeated. ? What happens if you enclose a b c in quotes?

for loops cont. You can leverage the shells ability for filename substitution in loops. The shell provides for filename substitution in the list provided to the body of the loop. for f in [1-3].txt do echo $f done. Just as in the other examples, echo is executed 3 times in this example

for loops cont. you can also read in file values and feed those to the for loop. cat filelist.txt 1.txt 2.txt 3.Txt for files in $(cat filelist.txt) ; do echo $files; done or for files in $(cat filelist.txt) ; do cat $files; done *example of command substitutions.

Using $* in loops $* = all arguments echo “Number of arguments passed in $#“ for variables in $* do echo "$variables" done

Replacing $* with $@ You know that $* returns all the values provided at the command line. However if you use $@ this is actually a comma separated list of values for f in “$@” do echo $f done *Best practice to place double quotes around $@

while loops Another looping function is "while". while cmd do cmd done “cmd” is executed and its exit status is tested. if the exit status is zero the commands between do and done are competed otherwise the script exits with a non zero status code

while script Similar to saying “while true do” sample “while” script counting to 10 num=1 while [ "$num" -le 10 ] do echo $num num=$(( num+1 )) done

until until - the inverse of while, meaning it will run so long as the return code is not 0, or not successful. Similar to the while blocks, commands between the do and done functions may never be executed if the initial command returns a successful response (zero). Useful when checking for a status change

until cont. # if NOT successful enter the body until ps -ef | grep -i "named“ | grep –v grep > /dev/null do echo "bind is not running" sleep 5 done echo "bind is running“

Break out! Sometimes in a logic loop you want to break out based on user input such as the user asking to quit. Enter “break” while true do read cmd if [ "$cmd" = "quit" ] then break else echo "$cmd" fi done

Continue on… The opposite of break is to continue. Sometimes you want the loop to simply leave the current loop and continue working through the script. This is where you might use continue for file do if [ ! –e “$file” ] then echo “file not found” continue fi process rest of file/data done

Sending the process to background You can background a process using the & after the done statement. Just as we have done at the command line. for file in data[1-4] do run $file done &

redirection I/O redirection on a loop can be obtained using the based on your need. Write to file: for i in 1 2 3 4 do echo $i done > data.out

Sleep and background sleep n - where n is a numeric value. Sleep will pause the system for the time specified on the command line. You can run programs in the background using ampersand "&" script & output from this command will tell you the process associated with your process. Use fg to foreground a background process.

options You can define options in your scripts using syntax similar to this: if [ "$1" = "-a" ] then option=TRUE shift else option=FALSE fi echo "value for option is: $option"

getopts The previous example is fine for simple options but if you want more flexibility it can become tedious to script. However getopts is available for this purpose. getopts works within a loop and examines each argument to determine if it is an option based on the existence or absence – before the value.

getopts The syntax of the getopts command is: getopts optstring option opstring – is the list of options expected from the command line. option - value used to iterate over the command line options provided.

getopts cont. You can stack your options or pass them individually. Meaning –abc or –a –b -c If your option needs an argument add “:” getopts a:bc name Now a valid command line looks like: script.sh –a braeburn –b –c script.sh –a braeburn script.sh –b –c

getopts cont. OPTARG used when an option requires an argument, e.g. –a braeburn OPTIND is a special variable used by getops which is set to 1 by default and is updated each time getopts complete a loop. If you reset $OPTIND to 1 at the end of the loop it is possible to use getops again in the same script.

Impact of “:” When an option character not contained in optstring is found, or an option found does not have the required option-argument: If optstring does NOT begin with a : (colon) 1. Option will be set to a ? 2. OPTARG. will be unset 3. A diagnostic message WILL be written to standard error.

Impact of “:” Alternatively if optstring DOES begin with a : (colon) 1. option will be set to a ? character for an unknown option or to a : (colon) character for a missing required option. 2. OPTARG. will be set to the option character found. 3. no output will be written to standard error.

getopts sample while getopts ":ab:c" option; do case $option in a) echo received -a ;; b) echo received -b with $OPTARG ;; c) echo received -c ;; :) echo "option -$OPTARG needs and an ARG" ;; *) echo "invalid option -$OPTARG" ;; esac done

Review: loops and breaks For loops: for f in a b c; do echo "found: $f"; done for f in $(cat filelist.txt); do echo $f; done for f in $(cat filelist.txt); do cat $f; done $* vs $@, $@ provides a comma separated list Until and While: while loops, if the exit status is zero the loop is entered. until, if the exit status is NOT zero the loop is entered. Break and continue are used to manipulate the loop behavior.

Review: Options and GETOPTS Passing options to your script manually. if [ "$1" = "-a" ] then option=TRUE shift GETOPTS is a built-in shell function. GETOPTS loops through arguments looking for a “-” before any arguments and determines if it is a valid option. If arguments are required with the options then you simple add a “:” after the option in your script the GETOPTS will require one.

In class lab 7c Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->http://www.ulcert.uw.edu

Homework homework for this week posted later tonight.

Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.

Similar presentations

Presentation on theme: "Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops.

Similar presentations

Presentation on theme: "Unix Linux Administration II Class 7: Scripting conditionals. Setting up your Certificate Authority (CA). Scripting loops."— Presentation transcript:

Similar presentations

About project

Feedback