after updating to 1.0.8 pam.d not updated #58

Closed
thisdougb opened this issue Jul 10, 2019 · 7 comments

thisdougb commented Jul 10, 2019

I've just updated to the latest keymaker, to get the file path fix, and pam.d/sshd isn't being updated. sshd file timestamp is untouched.

```
[root@ip-10-30-29-7 ~]# ls -l /etc/ssh/sshd_config
-rw------- 1 root root 4066 Jul 10 11:04 /etc/ssh/sshd_config
[root@ip-10-30-29-7 ~]# ls -l /etc/pam.d/sshd
-rw-r--r-- 1 root root 904 May 22 20:22 /etc/pam.d/sshd
[root@ip-10-30-29-7 ~]# keymaker --version
1.0.8
[root@ip-10-30-29-7 ~]#
[root@ip-10-30-29-7 ~]# head /etc/pam.d/sshd
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
```

I checked the new find_executable function, and it's working fine on the host (this just prints the result of the function):

```
[root@ip-10-30-29-7 ~]# python test.py
/usr/bin/keymaker-create-account-for-iam-user
/usr/bin/keymaker
```

Owner

kislyuk commented Jul 10, 2019

Are you expecting the package update to automatically update the config files? You have to re-run keymaker install for that to happen. Python package updates are expected not to touch system global state.

Owner

kislyuk commented Jul 10, 2019

Also, I have not published 5b795c1 in a release on PyPI yet. 1.0.8 does not have it.

Author

thisdougb commented Jul 10, 2019

yeah, I do an install:

```
# Keymaker install
yum install -y python2-pip
pip install keymaker
keymaker install
```

I just re-ran it manually, and it does update. odd that sshd_config was updated first time round. I'll do another few tests and then just close this issue if it all works out.

Owner

kislyuk commented Jul 10, 2019

Released v1.0.9 on PyPI with this change, please test.

@thisdougb
Author

yes, strange. consistently a partial installation, sshd_config is updated but not pam.d, when installing via the ec2 launch configuration. but when I manually execute keymaker install after logging in, the installation is fully complete.

```
# keymaker --version
1.0.9

# tail /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/sbin/keymaker-get-public-keys
AuthorizedKeysCommandUser keymaker
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam,publickey

# head /etc/pam.d/sshd
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin

# keymaker install

# head /etc/pam.d/sshd
auth optional pam_exec.so stdout /usr/bin/keymaker-create-account-for-iam-user
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin

# keymaker install
# head /etc/pam.d/sshd
auth optional pam_exec.so stdout /usr/bin/keymaker-create-account-for-iam-user
auth	   required	pam_sepermit.so
auth       substack     password-auth
```

OK, just tested on a different AMI and it's working fine out of the box:

```
# keymaker --version
1.0.9
# more /etc/pam.d/sshd
#%PAM-1.0
auth       optional     pam_exec.so stdout /usr/bin/keymaker-create-account-for-iam-user
auth	   required	pam_sepermit.so
```

very weird. the keymaker install (around pam.d) is fairly straightforward, but I'm trying to work out if anything may cause it to install but skip that file update.

@thisdougb
Author

this is also not written:

```
# more /etc/cron.d/keymaker-group-sync
more: stat of /etc/cron.d/keymaker-group-sync failed: No such file or directory
```

so perhaps the sshd section fails, as the pam.d and the cron file are the next things in the install process.

@thisdougb
Author

weird, it's now working ok. maybe AWS weirdness... thanks for the executable path update, that's working great.
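
A check for the partial-install state reported in this thread (sshd_config written, but the pam_exec line in /etc/pam.d/sshd and /etc/cron.d/keymaker-group-sync absent). This is an added example, not part of the original thread or keymaker's own code; the function names and the root-prefix argument are hypothetical, and the patterns come only from the file contents quoted above.

```shell
#!/bin/sh
# Added example (not keymaker code). ROOT is a hypothetical path prefix,
# empty for the live system, so the check can also run on a scratch tree.

keymaker_missing() {
    root="${1:-}"
    missing=""

    # sshd_config: AuthorizedKeysCommand set to keymaker-get-public-keys
    # (the required whitespace after the keyword skips AuthorizedKeysCommandUser).
    grep -Eqs '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+[^#]*keymaker-get-public-keys' \
        "$root/etc/ssh/sshd_config" || missing="$missing sshd_config"

    # pam.d/sshd: an uncommented auth line running the account-creation hook.
    grep -Eqs '^[[:space:]]*auth[[:space:]]+.*pam_exec\.so.*keymaker-create-account-for-iam-user' \
        "$root/etc/pam.d/sshd" || missing="$missing pam.d/sshd"

    # cron.d: the group-sync job file must exist and be non-empty
    # (its contents are not shown in the thread, so they are not checked).
    [ -s "$root/etc/cron.d/keymaker-group-sync" ] ||
        missing="$missing cron.d/keymaker-group-sync"

    # Space-separated list of missing pieces; empty when all three are present.
    printf '%s' "${missing# }"
}

keymaker_install_ok() {
    m=$(keymaker_missing "${1:-}")
    [ -z "$m" ] && return 0
    echo "keymaker install incomplete, missing: $m" >&2
    return 1
}

# Constructed sample reproducing the partial state reported in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh" "$demo/etc/pam.d" "$demo/etc/cron.d"
printf '%s\n' 'AuthorizedKeysCommand /usr/sbin/keymaker-get-public-keys' \
    'AuthorizedKeysCommandUser keymaker' > "$demo/etc/ssh/sshd_config"
printf '%s\n' 'auth required pam_sepermit.so' \
    'auth substack password-auth' > "$demo/etc/pam.d/sshd"
echo "sample tree is missing: $(keymaker_missing "$demo")"
rm -rf "$demo"
```

Calling `keymaker_install_ok || exit 1` at the end of a launch script puts the partial state in the boot log rather than leaving it to be found at first login.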
