Operating Systems and Systems Integration
Tutorial on Shell, and the Secure Shell — Solutions
Nick Urbanik, ver. 1.2

1 Shell Programming

1. What will this shell script do? Discuss the purpose of this script.

    #! /bin/sh
    # create a local account for nickl if no line of /etc/passwd mentions nickl
    if ! grep nickl /etc/passwd > /dev/null 2>&1
    then
        useradd -c 'Nick (local)' nickl
    fi
    # give nickl full sudo rights if no line of /etc/sudoers mentions nickl
    if ! grep nickl /etc/sudoers > /dev/null 2>&1
    then
        echo 'nickl ALL=(ALL) ALL' >> /etc/sudoers
    fi

Solution: This does the following:
• if a local account for the user nickl does not exist, create it;
• if the user nickl does not exist in the sudoers file, then add that user so that the user has full administrative access to the machine.
Note that this script does not enable the account; no password has been created.

2. What will the output of this shell script be?

    #! /bin/sh
    i=2
    for j in 2 4 6
    do
        j=`expr $i \* $j`    # the * is escaped so the shell does not expand it as a glob
        i=`expr $i + 1`
    done
    echo "i=$i j=$j"

Solution:

    $ ./for-loop-question
    i=5 j=24

3. Rewrite the script from question 2 above using a while loop.

Solution: This kind of problem is much easier to solve using a for loop rather than with a while loop. Here is one solution:

    #! /bin/sh
    i=2
    j=0
    k=0
    while [ $k -lt 6 ]
    do
        k=`expr $k + 2`      # k takes the values 2, 4, 6 that the for loop gave to j
        j=`expr $i \* $k`
        i=`expr $i + 1`
    done
    echo "i=$i j=$j"

4. Write a shell script to print all its parameters, each one on a line by itself.

Solution: This is one solution:

    #! /bin/sh
    # "for parameter" with no "in" list loops over the positional parameters
    for parameter
    do
        echo "$parameter"
    done

5. Write a shell script to read a text file in a format like this:

    nicku:Nick Urbanik
    fred:Freddy Wong
    albert:Albert Ho

and create user accounts for each user. Here is a strong hint towards getting a solution:

    $ cat reading-line-by-line-and-splitting
    #! /bin/sh
    while read line
    do
        echo "This is a line: $line"
        IFS=:
        for part in $line
        do
            echo This is part of the line: $part
        done
    done
    $ reading-line-by-line-and-splitting < ~/account-info.txt
    This is a line: nicku:Nick Urbanik
    This is part of the line: nicku
    This is part of the line: Nick Urbanik
    This is a line: fred:Freddy Wong
    This is part of the line: fred
    This is part of the line: Freddy Wong
    This is a line: albert:Albert Ho
    This is part of the line: albert
    This is part of the line: Albert Ho

Solution: There are many ways of doing this. What I have done is to use echo to test my programs. If they print the right command, then to use it, I just remove the echo. This is good practice when a system administrator writes shell scripts. Here is one solution:

    #! /bin/sh
    IFS=:
    while read line
    do
        i=1
        for part in $line
        do
            [ "$i" -eq 1 ] && uid=$part
            [ "$i" -eq 2 ] && name=$part
            i=`expr $i + 1`
        done
        # remove the echo once the printed command looks right
        echo useradd -c "$name" $uid
    done

Here is another solution that uses set:

    #! /bin/sh
    IFS=:
    while read line
    do
        set -- $line      # split the line on IFS into $1, $2, ...
        uid=$1
        name="$2"
        echo useradd -c "$name" $uid
    done

Here is another that uses the awk programming language:

    #! /bin/sh
    # awk reads every line of standard input itself, so no while loop is needed;
    # -F: splits each line at the colon into $1 (login name) and $2 (full name)
    awk -F: '{ print "useradd -c \"" $2 "\" " $1 }'

2 Secure Shell

1. The user keys are stored in ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub and ~/.ssh/authorized_keys2.

(a) Are these user keys required for ssh to enable remote log in? If not all, and if some are required, list the ones that are required.

Solution: None of these keys are required for ssh to enable remote log in. The user keys support authentication but are not involved in establishing the encrypted connection. The system administrator can still authenticate using user name and password even if none of the above three keys exist.

(b) What is the purpose of each one of these key files?
Solution:
~/.ssh/id_rsa is the user's private key, which works together with its matching public key in ~/.ssh/authorized_keys2 to allow the administrator to connect to their account on the server.
~/.ssh/id_rsa.pub takes no direct part in the authentication process, but the administrator must append a copy of this public key to the file ~/.ssh/authorized_keys2 in their account on the server.
~/.ssh/authorized_keys2 contains the public keys of all users who are authorised to log into this account on the server. Be very careful what keys you put here, as it means that that user has full access to this account on the server.

(c) How do you create them, and if we have one client and one server computer, which keys are required where?

Solution:
~/.ssh/id_rsa is the user's private key, which is created together with ~/.ssh/id_rsa.pub on the system administrator's client workstation, using the command

    $ ssh-keygen -t dsa

The administrator must enter a passphrase when generating their keys, or otherwise another user can impersonate the administrator if they get a copy of their private key.
~/.ssh/id_rsa.pub is the user's public key; it is created together with ~/.ssh/id_rsa, as described above, in the home directory on the client workstation, from where the administrator will administer the computer. It is not used directly by the software, but the administrator copies (appends) it to ~/.ssh/authorized_keys2 in the administrator's user account on the server.
~/.ssh/authorized_keys2 contains the public keys of the administrator. The administrator manually appends their public key, ~/.ssh/id_rsa.pub, from their account on their client workstation, to ~/.ssh/authorized_keys2 in their account on the server. The administrator could transfer these over the network without exposing themselves to a man-in-the-middle attack.

2.
The host keys are stored in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_rsa_key.pub, ~/.ssh/known_hosts2 and /etc/ssh/ssh_known_hosts2.

(a) Are all these host keys required for ssh to enable remote log in? If not all, and if some are required, list the ones that are required.

Solution: The server's host public key is required in either ~/.ssh/known_hosts2 or /etc/ssh/ssh_known_hosts2 on the client workstation. The host private key /etc/ssh/ssh_host_rsa_key must be present for RSA based encryption.

(b) List two purposes of all of these key files.

Solution:
/etc/ssh/ssh_host_rsa_key Together with the public host key in the file /etc/ssh/ssh_known_hosts2 on the client, it:
• authenticates the server to the client, to prevent any man in the middle attack;
• is used to initiate encryption. A secret session key is generated at each end using an algorithm called the Diffie-Hellman key exchange.
/etc/ssh/ssh_host_rsa_key.pub This public key on the server does not take any active part in the ssh protocol unless the client has no copy of the public key in its known hosts files. In this case, the key is transferred in clear text over the network. If you agree to this automatic transfer, you are exposing yourself to a man in the middle attack. Simple, easy to use tools are freely available for unskilled people to perform this attack. If the server holds data of any value, it is better to transfer this key /etc/ssh/ssh_host_rsa_key.pub manually (say on a floppy), and append it to the /etc/ssh/ssh_known_hosts2 file.
~/.ssh/known_hosts2 This holds copies of the host public keys on the client machine. Usually these have been transferred automatically by the user requesting the transfer. Letting the transfer occur automatically exposes the connection to the man in the middle attack described elsewhere here.
Together with the private host key on the server, it:
• authenticates the server to the client, to prevent any man in the middle attack;
• is used to initiate encryption. A secret session key is generated at each end using an algorithm called the Diffie-Hellman key exchange.
/etc/ssh/ssh_known_hosts2 Holds the public key from the server on the client workstation. Together with the private host key on the server, it:
• authenticates the server to the client, to prevent any man in the middle attack;
• is used to initiate encryption. A secret session key is generated at each end using an algorithm called the Diffie-Hellman key exchange.

(c) How do you create them, and if we have one client and one server computer, which keys are required where?

Solution:
/etc/ssh/ssh_host_rsa_key This key is created at the same time as the public part of the key, /etc/ssh/ssh_host_rsa_key.pub, on the server by the command

    $ ssh-keygen -t rsa

and then interactively fill in the blanks, but do not specify a passphrase. The file /etc/init.d/sshd used to start the secure shell server uses this command to create the host public and private keys if they do not already exist:

    $ ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''

/etc/ssh/ssh_host_rsa_key.pub This key is created at the same time as the private part of the key, /etc/ssh/ssh_host_rsa_key, as shown above, on the server. This key is required when there is no copy of it in either of the known hosts files on the client workstation, so that the file is automatically transferred from the server to one of the two known hosts files on the client. However, depending on this automatic transfer of the host public key from the server to the ~/.ssh/known_hosts2 file exposes the connection to the man in the middle attack, which allows a malicious third party to read the whole session.
~/.ssh/known_hosts2 This file contains copies of public host keys, usually automatically transferred over the network. It is possible to put the copy of the public key there manually, which avoids the problem of the man in the middle attack described above.
/etc/ssh/ssh_known_hosts2 This file contains copies of public host keys, and is created manually by the system administrator, often by transferring the public host key from the server to the workstation on a floppy disk. This is important when managing critical servers, since the simple tools to automate the man in the middle attack on the ssh session will not work.
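Added example, not from the tutorial, that hardens the account-creation scripts of Section 1 (the existence check of question 1 and the file loop of question 5): it validates each login name before anything reaches useradd, checks for an existing account by exact name with getent instead of a substring grep, and keeps the author's echo-first habit as a dry-run mode. It assumes POSIX sh with getent(1) and grep -E; the function names and the sample input are my own.

```shell
#!/bin/sh
# Added example, not from the tutorial: a safer version of the question 5
# account-creation loop, with the question 1 "does the account exist?" check.
# Assumptions: POSIX sh, getent(1), grep -E, and an input file of
# "login:Full Name" lines such as the tutorial's account-info.txt.

# Accept only login names of the form useradd enforces: a lower-case letter or
# underscore, then letters, digits, _ or -, at most 32 characters.  A name with
# a space, a leading dash or a shell metacharacter is rejected here instead of
# being handed to useradd.
valid_login() {
    [ ${#1} -le 32 ] && printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# Question 1 used "grep nickl /etc/passwd", which also matches nickl2 or a
# full-name field containing the text; getent looks the login name up exactly.
account_exists() {
    getent passwd "$1" > /dev/null 2>&1
}

# create_accounts FILE [dry]: create one account per line; with "dry" as the
# second argument the useradd command is printed instead of run (the tutorial's
# echo-first habit).  Returns the number of lines that were rejected.
create_accounts() {
    file=$1 mode=${2:-run} rejected=0
    # IFS=: is scoped to read, and "name" receives everything after the first
    # colon, so a full name containing spaces or colons is kept intact.
    while IFS=: read -r login name; do
        [ -n "$login" ] || continue
        if ! valid_login "$login"; then
            echo "rejecting invalid login name: $login" >&2
            rejected=$((rejected + 1))
            continue
        fi
        if account_exists "$login"; then
            echo "$login already exists, leaving it alone" >&2
            continue
        fi
        if [ "$mode" = dry ]; then
            printf 'useradd -c "%s" %s\n' "$name" "$login"
        else
            useradd -c "$name" "$login"
        fi
    done < "$file"
    return "$rejected"
}
```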
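Added example, not from the tutorial, for the manual host-key transfer that Section 2 recommends over the automatic one: a script that appends a server's public host key to the client's system-wide known hosts file (ssh_known_hosts, or the ssh_known_hosts2 file the tutorial names; the line format is the same) only after the key's SHA-256 fingerprint matches the value obtained out of band, and that refuses a second, different key for a host that already has one. It assumes POSIX sh with awk, base64 and sha256sum from coreutils; the function names, hostnames and key bytes in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial.  Append a server's host public key to
# the client's system-wide known hosts file only when its fingerprint matches
# the value the administrator obtained out of band (read from the server's
# console, or carried over on removable media as the tutorial suggests).
# Assumptions: POSIX sh with awk, head, base64 and sha256sum from coreutils.

# Hex SHA-256 of the decoded key blob, i.e. field 2 of an OpenSSH public key
# line.  "ssh-keygen -l -f FILE" prints the same digest base64-encoded after
# "SHA256:", so either form can be compared with the out-of-band value.
host_key_fingerprint() {
    awk 'NF >= 2 { print $2; exit }' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# add_known_host HOSTNAME PUBKEY_FILE KNOWN_HOSTS_FILE EXPECTED_HEX_FINGERPRINT
# Exit status: 0 appended, 1 malformed key file, 2 fingerprint mismatch,
# 3 the host already has an entry (a changed host key is exactly the
# man-in-the-middle symptom, so an existing entry is never replaced silently).
add_known_host() {
    host=$1 pub=$2 kh=$3 expected=$4
    keytype=$(awk 'NR == 1 { print $1 }' "$pub" 2> /dev/null)
    keydata=$(awk 'NR == 1 { print $2 }' "$pub" 2> /dev/null)
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "$pub: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    [ -n "$keydata" ] || { echo "$pub: missing key data" >&2; return 1; }
    actual=$(host_key_fingerprint "$pub")
    if [ "$actual" != "$expected" ]; then
        echo "$host: fingerprint $actual does not match expected $expected" >&2
        return 2
    fi
    # Exact hostname match only; hashed or comma-separated entries are out of scope.
    if [ -f "$kh" ] && awk -v h="$host" '$1 == h { found = 1 } END { exit !found }' "$kh"; then
        echo "$host already has an entry in $kh; remove it by hand if the key really changed" >&2
        return 3
    fi
    # A known hosts line is simply the hostname followed by the public key line.
    printf '%s %s\n' "$host" "$(head -n 1 "$pub")" >> "$kh"
}
```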