Augeas type to edit/append to /etc/pam.d/sshd


luke.bigum

Oct 4, 2010, 12:00:52 PM
to Puppet Users
Hi all,

I'm trying to do something that should be pretty simple but can't
figure it out.

I want to append a line to /etc/pam.d/sshd if a line with a certain
module doesn't exist.

What I would like to work is this:

augeas { sshd_pam_mkhomedir:
  context => "/files/etc/pam.d/sshd",
  changes => [
    "set *[module = 'pam_mkhomedir.so']/type session",
    "set *[module = 'pam_mkhomedir.so']/control required",
    "set *[module = 'pam_mkhomedir.so']/module pam_mkhomedir.so",
    "set *[module = 'pam_mkhomedir.so']/argument[1] umask=0022",
  ],
}

That "*[module = foo]" fails to match and create a new line, even in
augtool. This doesn't work either:

augtool> set /files/etc/pam.d/sshd/*[last()+1]/type session
Failed

Nor can I get an insert to work, as to do that I'd need to know the
number of entries that already exist in the file in order to create
the next one.

If no one's already got a solution to this I'll have to ask on augeas-devel.

Thanks,

-Luke

Patrick

Oct 4, 2010, 12:26:06 PM
to puppet...@googlegroups.com
For people trying to help, here's an example:

augtool> ls /files/etc/pam.d/sshd/
#comment[1] = PAM configuration for the Secure Shell service
#comment[2] = Read environment variables from /etc/environment and
#comment[3] = /etc/security/pam_env.conf.
1/ = (none)
#comment[4] = In Debian 4.0 (etch), locale-related environment variables were moved to
#comment[5] = /etc/default/locale, so read that as well.
2/ = (none)
#comment[6] = Standard Un*x authentication.
include[1] = common-auth
#comment[7] = Disallow non-root logins when /etc/nologin exists.
3/ = (none)

augtool> ls /files/etc/pam.d/sshd/3
type = session
control = required
module = pam_limits.so

Rob McBroom

Oct 4, 2010, 2:31:29 PM
to puppet...@googlegroups.com
On Oct 4, 2010, at 12:00 PM, luke.bigum wrote:

> changes => [
> "set *[module = 'pam_mkhomedir.so']/type session",
> "set *[module = 'pam_mkhomedir.so']/control required",
> "set *[module = 'pam_mkhomedir.so']/module pam_mkhomedir.so",
> "set *[module = 'pam_mkhomedir.so']/argument[1] umask=0022",
> ],

Have you tried re-arranging these so the value for module is the first one set? I think you have to do it that way so the other three 'set' statements can find the path.

--
Rob McBroom
<http://www.skurfer.com/>

luke.bigum

Oct 5, 2010, 6:27:08 AM
to Puppet Users
Hi Rob,

Thanks for the suggestion but it seems to make no difference. Even
that set command in augtool doesn't work; you get a very helpful
"failed" message and no recorded error I can find. I hoped someone had
come across this before and had an Augeas solution (it would be so easy
to use an exec type to do it). I'll try to ask the Augeas community and
come back with what they say.

Tim Sharpe

Oct 5, 2010, 6:43:39 AM
to puppet...@googlegroups.com
Hi Luke,

I do something similar for a different module; give the following a try:

augeas { "mod_mkhomedir_for_pam_sshd":
  context => "/files/etc/pam.d/sshd",
  changes => [
    "ins 1000000 before *",
    "set 1000000/type session",
    "set 1000000/control required",
    "set 1000000/module pam_mkhomedir.so",
    "set 1000000/argument umask=0022",
  ],
  onlyif  => "match *[type='session'][module='pam_mkhomedir.so'][argument='umask=0022'] size == 0",
}

Cheers,
Tim


luke.bigum

Oct 5, 2010, 7:21:01 AM
to Puppet Users
Tim,

Thanks a lot, I never would have thought of trying to kludge Augeas
like that. Your specific insert line didn't work for my environment;
what did work was a slight variation:

"ins 1000000 after *[last()]"

I'll still try to chase up the Augeas people to see if there is a more
elegant solution, but for now that works great and should translate to
all Augeas lenses that present nodes as array indexes.

Thanks,

-Luke


luke.bigum

Oct 19, 2010, 4:29:08 AM
to Puppet Users
Just for the info, I've gotten the answer as to why lines like these
error:

set *[module = 'pam_mkhomedir.so']/type session

or a similar example for /etc/hosts:

set /files/etc/hosts/*/ipaddr[.='10.1.1.1'] 10.1.1.1

To quote from the augeas-devel list: "The issue is where there is no
node matching /files/etc/hosts/*/ipaddr[.='10.1.1.1'], Augeas tries to
create one, but it doesn't know what to use for '*'."

To handle the cases where you don't know if a line containing an IP
address exists or not, you need to use two Augeas types; one to fix an
existing entry and one to add an entry if it doesn't exist.

There's a feature request to support conditionals in the Augeas type
here: http://projects.puppetlabs.com/issues/2696
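As an added example (not code from anyone in the thread), here is the two-resource pattern Luke describes for /etc/hosts applied to the sshd case from the first post: one resource appends the pam_mkhomedir line only when no such line exists, using the insert Luke reported working, and a second corrects the control field and umask argument only when the line is already present. Resource titles, the `require` ordering and the assumption that at most one pam_mkhomedir.so line exists are my own.

```puppet
# Added example: idempotent handling of the pam_mkhomedir.so line in
# /etc/pam.d/sshd with Puppet's augeas type and the Pam lens.
# Assumes at most one existing line loads pam_mkhomedir.so.

# 1. Add the line when it is absent. "ins 1000000 after *[last()]" is the
#    variant Luke reported working; the node label is arbitrary because the
#    Pam lens renumbers entries on save.
augeas { 'sshd_pam_mkhomedir_add':
  context => '/files/etc/pam.d/sshd',
  changes => [
    'ins 1000000 after *[last()]',
    'set 1000000/type session',
    'set 1000000/control required',
    'set 1000000/module pam_mkhomedir.so',
    'set 1000000/argument[1] umask=0022',
  ],
  # Run only if no line references the module at all.
  onlyif  => "match *[module='pam_mkhomedir.so'] size == 0",
}

# 2. Fix an existing line. These "set" paths are the ones that fail when no
#    node matches (Augeas cannot create the '*'), so they are guarded by an
#    onlyif that requires at least one match.
augeas { 'sshd_pam_mkhomedir_fix':
  context => '/files/etc/pam.d/sshd',
  changes => [
    "set *[module='pam_mkhomedir.so']/type session",
    "set *[module='pam_mkhomedir.so']/control required",
    "set *[module='pam_mkhomedir.so']/argument[1] umask=0022",
  ],
  onlyif  => "match *[module='pam_mkhomedir.so'] size > 0",
  require => Augeas['sshd_pam_mkhomedir_add'],
}
```

On a second run neither resource changes anything: the first is skipped by its onlyif, and the second's set commands leave the tree unchanged, so Puppet reports no event.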