bash – Page 5 – Ryan Schulze

How to find the fingerprints of public keys in authorized_keys

August 15, 2012September 27, 2014Ryanauth, authorized_keys, bash, fingerprint, ssh, ssh keys

If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:

/etc/ssh/sshd_config

LogLevel VERBOSE

1	LogLevel VERBOSE

That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648
Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]
Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c
Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2
Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648

Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth]

Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c

Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2

Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0)

Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):

#!/bin/bash 
initialize() { #{{{
	# Treat unset variables as an error
	set -o nounset
	tempfile=$(mktemp)
	authorized_keys="${HOME}/.ssh/authorized_keys"
	trap cleanup TERM EXIT # clean up if script exits
} #}}}

cleanup() { #{{{
	rm -f ${tempfile}
	exit 0
} #}}}

#===============================================================================
# Main
#===============================================================================
initialize

if [ ! -e ${authorized_keys} ]
then
	echo -e "\nERROR: ${authorized_keys} file not found\n"
	exit 
fi

while read line
do 
	echo "${line}" &gt;  ${tempfile}
	ssh-keygen -l -f ${tempfile}
done &lt; ${authorized_keys}

#!/bin/bash

initialize() { #{{{

# Treat unset variables as an error

set -o nounset

tempfile=$(mktemp)

authorized_keys="${HOME}/.ssh/authorized_keys"

trap cleanup TERM EXIT # clean up if script exits

} #}}}

cleanup() { #{{{

rm -f ${tempfile}

exit 0

} #}}}

#===============================================================================

# Main

#===============================================================================

initialize

if [ ! -e ${authorized_keys} ]

then

echo -e "\nERROR: ${authorized_keys} file not found\n"

exit

while read line

echo "${line}" > ${tempfile}

ssh-keygen -l -f ${tempfile}

done < ${authorized_keys}

How to check if a IP (ipv4) address is valid in pure Bash

July 25, 2012August 26, 2013Ryanbash, ipv4

Here is a small bash function to check if a IP is valid (4 octets, each octet < 256). I find it somewhat elegant since instead of using a lot of case/if/then constructs or a crazy long regex it splits the IP into each octet (and stores them in an array, and then uses a combination of regex and bit shifting to check each octet.

is_valid_ipv4() {
  local -a octets=( ${1//\./ } )
  local RETURNVALUE=0

  # return an error if the IP doesn't have exactly 4 octets
  [[ ${#octets[@]} -ne 4 ]] &amp;&amp; return 1

  for octet in ${octets[@]}
  do
    if [[ ${octet} =~ ^[0-9]{1,3}$ ]]
    then # shift number by 8 bits, anything larger than 255 will be > 0
      ((RETURNVALUE += octet>>8 ))
    else # octet wasn't numeric, return error
      return 1
    fi
  done
  return ${RETURNVALUE}
}

is_valid_ipv4() {

local -a octets=( ${1//\./ } )

local RETURNVALUE=0

# return an error if the IP doesn't have exactly 4 octets

[[ ${#octets[@]} -ne 4 ]] && return 1

for octet in ${octets[@]}

if [[ ${octet} =~ ^[0-9]{1,3}$ ]]

then # shift number by 8 bits, anything larger than 255 will be > 0

((RETURNVALUE += octet>>8 ))

else # octet wasn't numeric, return error

return 1

done

return ${RETURNVALUE}

}

The function will return 0 if the IP is valid, and 1 or higher if it encountered an error (you can check with the $? variable directly after calling the function)
Example:

is_valid_ipv4 ${ip}
if [[ $? -gt 0 ]]
then 
	echo "invalid IP"
else
	echo "valid IP"
fi

is_valid_ipv4 ${ip}

if [[ $? -gt 0 ]]

then

echo "invalid IP"

else

echo "valid IP"

How to use Cluster SSH (cssh) and Mosh together

May 7, 2012May 7, 2012Ryanbash, cssh, mosh

A colleague told me about mosh today, just saying “it’s an alternative to SSH that addresses many of the problems” doesn’t do it credit. Go look at the page and have a look, don’t worry it’s a nice page and I’ll still be here waiting when you come back. I do a lot of work on servers across the globe, and believe me, although subtle, the difference between a 10ms connection and a 100+ ms connection is definitely noticeable 😉 That lag all but disappears with mosh. Mosh doesn’t support X11/SSH-Agent forwarding yet, but it’s on their roadmap.

Back to topic, I also use cssh for working on multiple servers simultaneously. I’d recommend making a copy of your .cshrc file (cp -a ~/.csshrc ~/.csshrc_mosh) and working on the copy. Edit the ~/.csshrc_mosh and change the lines ssh= and ssh_args= (diff of my files):

$ diff .csshrc .csshrc_mosh 
27,28c27,28
&lt; ssh=/usr/bin/ssh
&lt; ssh_args= -x -o ConnectTimeout=5
---
&gt; ssh=/usr/bin/mosh
&gt; ssh_args=

$ diff .csshrc .csshrc_mosh

27,28c27,28

< ssh=/usr/bin/ssh

< ssh_args= -x -o ConnectTimeout=5

---

> ssh=/usr/bin/mosh

> ssh_args=

You will have to remove any parameters in ssh_args= and move them to your ~/.ssh/config due to the difference in command line parameters between mosh and ssh. Now all you have to do is call cssh with the new config file, e.g. with an alias to make things easier alias mcssh=”cssh -C ${HOME}/.csshrc_mosh” And your done.

New Virtualbox version, script for easy update of extension pack

March 14, 2012March 14, 2012Ryan2 Commentsbash, extpack, virtualbox

VirtualBox 4.1.10 was released yesterday with a few nice things in the changelog. Updating virtualbox itself is easy, just download the package and update it. Since I seem to stumble over the update of the extension pack every time (on my headless system) I thought I’d write a small script this time so I don’t have to rethink it next time (automatically downloads and installs the current extpack):

#!/bin/bash
URL="$(wget -qO - https://www.virtualbox.org/wiki/Downloads|grep "Oracle VM VirtualBox Extension Pack"|sed "s/.\+\(http:\/\/download.virtualbox.org.\+.vbox-extpack\).\+/\1/")"
File=${URL##*/}

if [[ "${URL}" != "" &amp;&amp; "${File}" != "" ]]
then
  echo "Downloading and installing ${File}" &amp;&amp; \
  wget -qO ${File} ${URL} &amp;&amp; \
  VBoxManage extpack install --replace ${File}
fi

#!/bin/bash

URL="$(wget -qO - https://www.virtualbox.org/wiki/Downloads|grep "Oracle VM VirtualBox Extension Pack"|sed "s/.\+$http:\/\/download.virtualbox.org.\+.vbox-extpack$.\+/\1/")"

File=${URL##*/}

if [[ "${URL}" != "" && "${File}" != "" ]]

then

echo "Downloading and installing ${File}" && \

wget -qO ${File} ${URL} && \

VBoxManage extpack install --replace ${File}

How to add locking to a shell script (the easy way)

February 14, 2012February 18, 2012Ryanbash, flock

I haven’t posted anything with bash here for a while, so today I’ll throw in a little snippet to use flock to make sure a script is only running once. This is very handy in cron jobs that you want to run often, but there shouldn’t be multiple instances of the script running at the same time.
Since it is small and easy I’d recommend adding it to any code you don’t want running multiple times since “that script” you just wrote, that runs 10 minutes now, might turn into a monster in 6 months and run 45 minutes when things change (data grows, more stuff to do). Better safe than sorry.

Basically we rely on flock to do the heavy lifting and we just add some logic around it:

trap cleanup INT TERM EXIT # call cleanup() if script exits

cleanup() {
	  flock -u 200
}

exec 200&gt;/var/lock/my_script.lock

flock -xn 200 || exit 1 # exit if a lock exists

trap cleanup INT TERM EXIT # call cleanup() if script exits

cleanup() {

flock -u 200

}

exec 200>/var/lock/my_script.lock

flock -xn 200 || exit 1 # exit if a lock exists

man flock will show you more details to the parameters used and even some examples. Basically it will use trap to make sure the lock is released if the script ends in any way. 200 is a random file descriptor I chose for this example, it can be anything numeric. flock -xn means it will attempt to acquire an exclusive lock, and if that fails it will exit with an error.

Putting this somewhere at the top of your script will simply end the script if it finds an existing lock. flock has a few other options like -wait or nor using -n that allow you to not exit but wait for the lock to end (with wait a variable amount of seconds). And thus with a bit of creativity enabling you to only lock specific parts of the code (e.g. database calls, file changes, …) and handling failed lock attempts more gracefully than an exit.