keymaker-create-account-for-iam-user path incompatible with pam.d/sshd config

[thisdougb]

I am using the AWS AMI ami-0fbac225f3afdf632 (eu-central-1, Amazon Linux 2, ECS optimised, etc). The file keymaker-create-account-for-iam-user is installed in /usr/bin by pip. However the pam.d/sshd configuration created by Keymaker (pam_config_line) looks for it in /usr/local/bin.

Workaround is a symlink, created after installing Keymaker:

# yum install -y python2-pip 
# pip install keymaker
# keymaker install
# type keymaker-create-account-for-iam-user 
keymaker-create-account-for-iam-user is /usr/bin/keymaker-create-account-for-iam-user
# ln -s /usr/bin/keymaker-create-account-for-iam-user /usr/local/bin/keymaker-create-account-for-iam-user

but out of the box it's not working.

[kislyuk]

Thanks for reporting! Yes, this is definitely a bug. /usr/local/bin should not be hardcoded but instead inferred at install time.

[thisdougb]

@kislyuk want me to do a PR, a function along these lines? There's two places the '/usr/local/bin' is hardcoded.

import os

def get_absolute_path(target_file):
    if 'PATH' in os.environ:
      for p in os.environ['PATH'].split(':'):
        test_path = "{0}/{1}".format(p, target_file)
        if os.path.isfile(test_path):
          absolute_path = os.path.abspath(test_path)
          return absolute_path

    return None

keymaker_create_account_path = get_absolute_path("keymaker-create-account-for-iam-user")
if keymaker_create_account_path:
    pam_config_line = "auth optional pam_exec.so stdout {0}".format(keymaker_create_account_path)
else:
    print("error: keymaker-create-account-for-iam-user missing")
    # err_exit()