bash – Page 4 – Ryan Schulze

Bash snippet, verify ctrl+c

July 10, 2013August 27, 2013Ryanbash, ctrl+c, trap

Lately I’ve been working on a pair of more elaborate scripts using ncat and openssl to transfer data between hosts. I’ll get around to posting it eventually, but until then a few small snippets that people may find useful.

Today we will catch ctrl+c and ask the user if he really want’s to terminate the script.

#!/bin/bash

initialize() { #{{{

# Treat unset variables as an error

set -o nounset

trap verify_quit INT # verify ending script

trap cleanup TERM EXIT # clean up if script exits

} #}}}

verify_quit() { #{{{

local timeout=10

echo "Press ctrl+c again within ${timeout} seconds to end script"

sleep ${timeout}

[[ $? -gt 0 ]] && cleanup

} #}}}

cleanup() { #{{{

exit 0

} #}}}

initialize

while [ true ]

# do stuff

sleep 10

done

The initialize() and cleanup() are my usual function names I have in every script, making sure general settings and variables are defined and that on exit any tempfiles get deleted.
What has been added was a trap for the INT signal (ctrl+c) which calls the verify_quit() function, giving the user 10 seconds to press ctrl+c again to exit (via cleanup()) or return back to wherever we were in the code. There is one unavoidable caveat, the first ctrl+c will kill whatever the script was doing before it jumps into the verify_quit() function.

Simple “try” function for bash

May 13, 2013August 27, 2013Ryanbash

Made a nice little try() function today for simplifying checking/dealing with return codes from commands. It uses the function text() I posted earlier to colorfy output: How to easily add colored text output in bash scripts. The function accepts 2 parameters, how it should behave if a problem occurs and the command to be executed: try <silent|warn|fatal> command

silent: save the return status in the global variable command_status
warn: if the command has a return code > 0, print a warning and save the return status in the global variable command_status
fatal: if the command has a return code > 0, print an error and exit

Obviously not as versatile as a python try/except, bu streamlines verifying the command return codes.
Example Usage:

1 2	try warn false try fatal ls -al doesnotexist

Output
Warning: ‘false‘ failed with return code –1–
ls: cannot access doesnotexist: No such file or directory
Error: ‘ls -al doesnotexist‘ failed with return code –2–

File: error_handling.sh

command_status=

function try() { #{{{

if [ "$#" = "0" ]

then # not enough parameters were provided

echo "ERROR: sytnax is 'try <silent|warn|fatal> command'"

exit 1

local returncode=0

local severity=${1}

shift

local cmd="${@}"

$cmd

returncode=$?

if [[ ${returncode} -gt 0 ]]

then

case ${severity} in

silent )

command_status=${returncode}

;;

warn )

printf "%s: '%s' failed with return code -%s-\n" $(text yellow "Warning") "$(text blue "${cmd}")" $(text yellow "${returncode}")

command_status=${returncode}

;;

fatal )

printf "%s: '%s' failed with return code -%s-\n" $(text red "Error") "$(text blue "${cmd}")" $(text yellow "${returncode}")

exit ${returncode}

;;

* )

printf "%s: Wrong usage of the try() function\n" $(text red "Error")

exit 1

;;

esac

} #}}}

Script to start minion in tmux

February 15, 2013Ryanbash, minion, scripting, security, tmux

Minion is a security project from Mozilla (link). It provides a user-friendly web interface to various security scanner tools. There is a webcast demonstrating the software (link).

The software requires a few services to run, and since I like having one script take care of starting everything with the right parameters, I threw together a simple shell script that sets up a tmux session with the services started in windows with the names of the services.

#!/bin/bash

session="minion"
http="0.0.0.0:8000"

cd /opt/minion

#-------------------------------------------------------------------------------

if [[ "$(tmux list-sessions|cut -d: -f1|grep "^${session}$")" == "${session}" ]]
then
  tmux -2 attach-session -t "${session}"
  exit
fi
tmux new-session -s ${session} -d

window="${session}:1"
tmux send-keys -t "${window}" 'top' Enter

window="${session}:2"
tmux new-window -t "${window}" -n "task-engine"
tmux send-keys -t "${window}" 'source env/bin/activate' Enter
tmux send-keys -t "${window}" 'minion-task-engine --debug' Enter

window="${session}:3"
tmux new-window -t "${window}" -n "plugin-service"
tmux send-keys -t "${window}" 'source env/bin/activate' Enter
tmux send-keys -t "${window}" 'minion-plugin-service --debug' Enter

window="${session}:4"
tmux new-window -t "${window}" -n "frontend"
tmux send-keys -t "${window}" 'source env/bin/activate' Enter
tmux send-keys -t "${window}" 'cd frontend' Enter
tmux send-keys -t "${window}" 'python manage.py syncdb' Enter
tmux send-keys -t "${window}" "python manage.py runserver ${http}" Enter

tmux -2 attach-session -t "${session}"

#!/bin/bash

session="minion"

http="0.0.0.0:8000"

cd /opt/minion

#-------------------------------------------------------------------------------

if [[ "$(tmux list-sessions|cut -d: -f1|grep "^${session}$")" == "${session}" ]]

then

tmux -2 attach-session -t "${session}"

exit

tmux new-session -s ${session} -d

window="${session}:1"

tmux send-keys -t "${window}" 'top' Enter

window="${session}:2"

tmux new-window -t "${window}" -n "task-engine"

tmux send-keys -t "${window}" 'source env/bin/activate' Enter

tmux send-keys -t "${window}" 'minion-task-engine --debug' Enter

window="${session}:3"

tmux new-window -t "${window}" -n "plugin-service"

tmux send-keys -t "${window}" 'source env/bin/activate' Enter

tmux send-keys -t "${window}" 'minion-plugin-service --debug' Enter

window="${session}:4"

tmux new-window -t "${window}" -n "frontend"

tmux send-keys -t "${window}" 'source env/bin/activate' Enter

tmux send-keys -t "${window}" 'cd frontend' Enter

tmux send-keys -t "${window}" 'python manage.py syncdb' Enter

tmux send-keys -t "${window}" "python manage.py runserver ${http}" Enter

tmux -2 attach-session -t "${session}"

How to break down CIDR subnets in Bash

December 11, 2012September 27, 2014Ryanbash, cidr, ip, math, subnet

I was playing around with subnets in bash recently and needed an elegant/easy way to split up a subnet into smaller subnets. First I used 2 functions I found on stackoverflow.com to convert an IP addresse to and from an integer. After that it was just a bit of math in bash to split up any networks too big.
Any network larger than $maxSubnet gets split up.
Here the useful code:

#!/bin/bash

. functions_ip2long.sh

input='10.1.4.0/22 10.2.2.0/24 10.3.3.128/25'

output=

maxSubnet=24

for pair in ${input}

# split up the network and netmask

network=${pair%/*}

netmask=${pair#*/}

if [[ ${netmask} -ge ${maxSubnet} ]]

then # network is smaller than max. size. add it to the array

output="${output} ${network}/${netmask}"

else # network is too big. split it up into smaller chunks and add them to the array

for i in $(seq 0 $(( $(( 2 ** (${maxSubnet} - ${netmask}) )) - 1 )) )

do # convert network to long integer, add n * ${maxSubnet} and then convert back to string

output="${output} $( INET_NTOA $(( $( INET_ATON ${network} ) + $(( 2 ** ( 32 - ${maxSubnet} ) * ${i} )) )) )/${maxSubnet}"

done

echo ${output}|tr ' ' '\n'

Output of script:

10.1.4.0/24

10.1.5.0/24

10.1.6.0/24

10.1.7.0/24

10.2.2.0/24

10.3.3.128/25

How to find the fingerprints of public keys in authorized_keys

August 15, 2012September 27, 2014Ryanauth, authorized_keys, bash, fingerprint, ssh, ssh keys

If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:

/etc/ssh/sshd_config

1	LogLevel VERBOSE

That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648

Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]

Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2

Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):

#!/bin/bash

initialize() { #{{{

# Treat unset variables as an error

set -o nounset

tempfile=$(mktemp)

authorized_keys="${HOME}/.ssh/authorized_keys"

trap cleanup TERM EXIT # clean up if script exits

} #}}}

cleanup() { #{{{

rm -f ${tempfile}

exit 0

} #}}}

#===============================================================================

# Main

#===============================================================================

initialize

if [ ! -e ${authorized_keys} ]

then

echo -e "\nERROR: ${authorized_keys} file not found\n"

exit

while read line

echo "${line}" > ${tempfile}

ssh-keygen -l -f ${tempfile}

done < ${authorized_keys}