LinuxQuestions.org
Old 01-09-2010, 06:02 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
automate script for VPN keys


I'm trying to automate a script so that VPN keys can be sent out automatically.
The problem is that when I invoke the script, I have to keep pressing return for each of the OpenVPN key creation arguments.
When the nail command is fired, I also have to press Ctrl D to send the email.
Is there a way to program round this in bash?

Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd

Last edited by qwertyjjj; 01-10-2010 at 04:49 AM.
 
Old 01-10-2010, 04:49 AM   #2
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Is there a way to respond to prompts from within a bash script?
 
Old 01-10-2010, 04:54 AM   #3
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hello,

Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:
Code:
yourscript < answerfile
Or look into expect and autoexpect.

Kind regards,

Eric
 
Old 01-10-2010, 05:15 AM   #4
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by EricTRA View Post
Hello,

Yes there is. You can use an auto answer file, which is basically nothing more than a file that contains the answers you want to give. Then redirect it into the script when executing, like this:
Code:
yourscript < answerfile
Or look into expect and autoexpect.

Kind regards,

Eric
Sounds good. I created an auto script with autoexpect but was just thinking, the bash script above has 2 separate parts.
This: ./build-key $usern requires input
and this: nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd requires input.

Do I add a script after each separate command?
So,
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < myRESPONSES1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < myRESPONSES2.exp
Auto expect records the responses all as one file, yet maybe I should split it into 2?
 
Old 01-10-2010, 05:18 AM   #5
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

Logically I would say that yes, you'll have to have two answer files. So split the generated file in two and see how it goes.

Kind regards,

Eric

Last edited by EricTRA; 01-10-2010 at 05:20 AM.
 
Old 01-10-2010, 05:30 AM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Ok, my script now looks like this:
Quote:
#!/bin/bash
emailadd="aaa@gmail.com"
usern="aaa"
#echo $mydate
cd /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
./build-key $usern < /usr/local/sbin/myscripts/vpn_responses1.exp
cd keys/
zip $usern.zip ca.crt ca.key $usern.crt $usern.csr $usern.key client.ovpn
nail -r aaa@aaa.co.uk -s "VPN Keys" -a $usern.zip $emailadd < /usr/local/sbin/myscripts/vpn_responses2.exp
Almost there but it seems autoexpect doesn't record the entries correctly:
Quote:
[root@server88-xxx-xxx-198 myscripts]# /usr/local/sbin/myscripts/send_vpn_keys.sh
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Generating a 1024 bit RSA private key
.............................................++++++
...............++++++
writing new private key to 'aaa.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [GB]:State or Province Name (full name) [LND]:Locality Name (eg, city) [LONDON]:Organization Name (eg, company) [aaa]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [aaa]:Email Address [aaa@aaa.co.uk]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:string is too long, it needs to be less than 20 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:string is too short, it needs to be at least 4 bytes long
A challenge password []:An optional company name []:Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'GB'
stateOrProvinceName :T61STRING:'set force_conservative 0 ;# set to 1 to force conservative mode even if'
localityName :T61STRING:'^I^I^I ;# script wasn't run conservatively originally'
organizationName :T61STRING:'if {$force_conservative} {'
organizationalUnitName:T61STRING:'^Iset send_slow {1 .1}'
commonName :T61STRING:'^Iproc send {ignore arg} {'
emailAddress :IA5STRING:'^I^Isleep .1'
Certificate is to be certified until Jan 8 10:29:03 2020 GMT (3650 days)
Sign the certificate? [y/n]:CERTIFICATE WILL NOT BE CERTIFIED
updating: ca.crt (deflated 38%)
updating: ca.key (deflated 22%)
updating: aaa.crt (stored 0%)
updating: aaa.csr (deflated 26%)
updating: aaa.key (deflated 22%)
updating: client.ovpn (deflated 54%)
[root@server88-xxx-xxx-198 myscripts]#
This is the expect file:
Quote:
#!/usr/bin/expect -f
set force_conservative 0 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .1}
proc send {ignore arg} {
sleep .1
exp_send -s -- $arg
}
}

set timeout -1

#spawn ./build-key aaa
match_max 100000
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) \[GB\]:"
send -- "\r"
expect -exact "\r
State or Province Name (full name) \[LND\]:"
send -- "\r"
expect -exact "\r
Locality Name (eg, city) \[LONDON\]:"
send -- "\r"
expect -exact "\r
Organization Name (eg, company) \[aaa\]:"
send -- "\r"
expect -exact "\r
Organizational Unit Name (eg, section) \[\]:"
send -- "\r"
expect -exact "\r
Common Name (eg, your name or your server's hostname) \[aaa\]:"
send -- "\r"
expect -exact "\r
Email Address \[aaa@aaa.co.uk\]:"
send -- "\r"
expect -exact "\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password \[\]:"
send -- "\r"
expect -exact "\r
An optional company name \[\]:"
send -- "\r"
expect -exact "\r
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf\r
Check that the request matches the signature\r
Signature ok\r
The Subject's Distinguished Name is as follows\r
countryName :PRINTABLE:'GB'\r
stateOrProvinceName :PRINTABLE:'LND'\r
localityName :PRINTABLE:'LONDON'\r
organizationName :PRINTABLE:'aaa'\r
commonName :PRINTABLE:'aaa'\r
emailAddress :IA5STRING:'aaa@aaa.co.uk'\r
Certificate is to be certified until Jan 8 10:21:56 2020 GMT (3650 days)\r
Sign the certificate? \[y/n\]:"
send -- "y\r"
expect -exact "y\r
\r
\r
1 out of 1 certificate requests certified, commit? \[y/n\]"
send -- "y\r"
expect eof


Last edited by qwertyjjj; 01-10-2010 at 05:55 AM.
 
Old 01-10-2010, 05:41 AM   #7
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run
Code:
ssh-keygen -q
to avoid all those questions being asked and thus simplifying the process.

Kind regards,

Eric
 
Old 01-10-2010, 05:45 AM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by EricTRA View Post
Hi,

Seems like most of the problems you're having are concerning the creation of your ssh key. How do you generate your keys? Is that part of the OpenVPN suite or a script you wrote that uses the ssh-keygen command? If it's the ssh-keygen command then you can set your defaults in the openssl.cnf and run
Code:
ssh-keygen -q
to avoid all those questions being asked and thus simplifying the process.

Kind regards,

Eric
No, the keys are generated fine when run manually but something in the auto responses file isn't sending the input correctly and am not sure what.
The key creation is part of the OpenVPN suite.
Responses file added as above.
 
Old 01-10-2010, 06:05 AM   #9
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.

Kind regards,

Eric
 
Old 01-10-2010, 06:51 AM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by EricTRA View Post
Hi,

Just had a look at it but cannot find anything out of the ordinary, so don't know why it doesn't do what it's supposed to do.

Kind regards,

Eric
Could it be something to do with this:
Quote:
expect -exact "Generating a 1024 bit RSA private key\r
........++++++\r
....................................................++++++\r
writing new private key to 'aaa.key'\r
-----\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
Can I skip these parts and just go straight to the expect parts with actual prompts?
 
Old 01-10-2010, 06:55 AM   #11
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that many questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.

Kind regards,

Eric
 
Old 01-10-2010, 12:07 PM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by EricTRA View Post
Hi,

You could try but I think it'll generate other errors. I'd first look into a possibility of running the key generation script 'silent' so it doesn't ask that many questions, since you don't seem to put anything in. What I mean is, check if you can run the script in a silent mode like the '-q' option for ssh-keygen.

Kind regards,

Eric
I'm looking into using openssl to create the certificates rather than ./build-ca as it requires too much input and autoexpect isn't working for this method.

On a separate note is there a way to manually write files on the fly?
I need to create a new client.ovpn for each customer/certificate.
Each .ovpn file has a section for:
certname.crt
certname.key

I need to rewrite these each time a new certificate is generated and then save the file, then email it.
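
Post #12's switch to calling openssl directly, as an added example (not code from the thread or from easy-rsa): `-batch` and `-subj` mean nothing is read from stdin, so no answer file or expect script is involved. Assumptions: the helper name `issue_client_cert`, the subject defaults copied from the transcript in post #6, a 2048-bit key instead of the 1024-bit key shown there, and `openssl x509 -req` standing in for the `openssl ca` signing step seen in the transcript, so the certificate is not recorded in the CA's index.txt.

```shell
#!/bin/bash
# Added example: issue a client key and certificate without any prompts.
# issue_client_cert is a hypothetical helper name, not part of easy-rsa.

# issue_client_cert CA_DIR USER OUT_DIR
#   CA_DIR  directory holding ca.crt and ca.key
#   USER    certificate common name, also used for the file names
#   OUT_DIR receives USER.key, USER.csr and USER.crt
issue_client_cert() {
    local ca_dir=$1 user=$2 out=$3

    # The name ends up in file paths and in the subject string, so accept
    # only letters, digits, "_" and "-".
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    [ -r "$ca_dir/ca.crt" ] && [ -r "$ca_dir/ca.key" ] ||
        { echo "CA files not found in $ca_dir" >&2; return 1; }

    (
        umask 077                      # private key readable by owner only
        mkdir -p "$out" || exit 1

        # Key and CSR in one step. -subj supplies the whole DN and -batch
        # turns prompting off; key generation progress on stderr is dropped.
        openssl req -new -newkey rsa:2048 -nodes -batch \
            -subj "/C=GB/ST=LND/L=LONDON/O=aaa/CN=$user" \
            -keyout "$out/$user.key" -out "$out/$user.csr" \
            2>/dev/null || exit 1

        # Sign the request with the CA key. x509 -req has no
        # "Sign the certificate? [y/n]" question to answer.
        openssl x509 -req -in "$out/$user.csr" -days 3650 -sha256 \
            -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
            -CAserial "$ca_dir/ca.srl" -CAcreateserial \
            -out "$out/$user.crt" 2>/dev/null || exit 1

        # Fail closed: the result must chain to the CA certificate.
        openssl verify -CAfile "$ca_dir/ca.crt" "$out/$user.crt" >/dev/null
    )
}
```
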
 
Old 01-10-2010, 12:14 PM   #13
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?

Kind regards,

Eric
 
Old 01-10-2010, 12:53 PM   #14
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by EricTRA View Post
Hi,

If you know exactly what to rewrite then yes, you can rewrite a file on the fly using a script file that holds all the commands. Can you post an example of what you have in one of those ovpn files and what parts need to be rewritten?

Kind regards,

Eric
The file looks like this

Quote:
client
dev tun
proto tcp
remote 88.xxx.xxx.xx9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert adminuser.crt
key adminuser.key
ns-cert-type server
comp-lzo
verb 4
Each time I create a new certificate in my script using $usern, I also need to change the parts in bold above. Instead of adminuser it would be whatever the username is in $usern
 
Old 01-10-2010, 01:05 PM   #15
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1295
Hi,

You could use sed to substitute those references by whatever you want.
Code:
sed -i 's/regex/replacement/' yourfile.ovpn
Kind regards,

Eric
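
Eric's sed suggestion applied to the client.ovpn from post #14, as an added example (not code from the thread): the patterns are anchored so only the `cert` and `key` directives change, and the user name is validated before it reaches sed or a file name. `valid_user`, `render_client_conf` and `stage_bundle` are hypothetical names; the staged directory holds ca.crt but not ca.key, since a client needs only the CA certificate and the CA private key can sign a certificate for any name.

```shell
#!/bin/bash
# Added example: per-user client.ovpn plus a bundle directory without ca.key.
# valid_user, render_client_conf and stage_bundle are hypothetical names.

# Accept only names that are safe as a file name and as sed replacement text.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_client_conf TEMPLATE USER   (writes the new config to stdout)
# Only lines that start with "cert" or "key" are rewritten; "ca ca.crt",
# "persist-key" and "ns-cert-type server" do not match the anchored patterns.
render_client_conf() {
    local template=$1 user=$2
    valid_user "$user" || { echo "invalid user name: $user" >&2; return 1; }
    sed -E \
        -e "s/^cert[[:space:]]+.*\$/cert ${user}.crt/" \
        -e "s/^key[[:space:]]+.*\$/key ${user}.key/" \
        "$template"
}

# stage_bundle KEYDIR TEMPLATE USER OUTDIR
# Copies what one client needs: ca.crt, its own certificate and key, and
# its rendered config. ca.key is never copied.
stage_bundle() {
    local keys=$1 template=$2 user=$3 out=$4 f
    valid_user "$user" || { echo "invalid user name: $user" >&2; return 1; }
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -s "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    (
        umask 077                      # staged key readable by owner only
        mkdir -p "$out" &&
        cp "$keys/ca.crt" "$keys/$user.crt" "$keys/$user.key" "$out/" &&
        render_client_conf "$template" "$user" > "$out/$user.ovpn"
    )
}

# Usage: stage_bundle /etc/openvpn/easy-rsa/2.0/keys client.ovpn "$usern" "/tmp/$usern"
```
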
 
  


All times are GMT -5. The time now is 12:37 AM.
