This repository has been archived by the owner on Nov 8, 2021. It is now read-only.
Fixed typo, described import every 10 mins #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks! |
michaelwittig
pushed a commit
that referenced
this pull request
Dec 7, 2017
* Support Multiple init daemons and service programs (#1) * Add test to determine init system for sshd restart In the install file, I've added a simple test to determine what init system is currently on the system, and to select the correct restart command for sshd that is required. This is tested on the following OSes in EC2: * Amazon Linux 2017.09 (using upstart) * Ubuntu 16.04.3 LTS (using systemd) * SUSE Enterprise Server 12 SP3 (using systemd) * RHEL 7.3 (using systemd) * Hush the stderr message when systemd doesn't exist This is to ensure that the output for a user is the same as it is when using the standard codebase. Message is successfully suppressed on Amazon Linux 2017.09 * Add useradd(1) arg to force user group creation By default on most distros, `USERGROUPS_ENAB` is set to `yes` which causes `useradd(1)` to create a group for a user that is added. There is an implicit dependency on line 179 of the `import_users.sh` script. I've altered the `useradd(1)` argument set to include `-U/--user-group` to force this on systems where `USERGROUPS_ENAB` is set to `no` This is needed to support SUSE Linux Enterprise Server on EC2. * Add check to not spam the sshd_config file The `install.sh` script currently checks if there is a line that reads `AuthorizedKeysCommand none` and then changes it. Old behaviour was to simply append the line on the end of the file is this line didn't exist. There is now a check to see if the correct line that we want already exists, so we don't spam the end of the configuration file. * Add SELinux support to install script If we have the `getenforce` command available to us, and we find that it returns the value `Enforcing` (meaning SELinux will block our access to AWS when called by `sshd`), we enable the `nis_enabled` boolean persistently in SELinux to inform SELinux that it should expect outbound access from sshd and other login programs (like PAM) to remote servers to get user account information. This allows `sshd` to call the script to get the user's public key from IAM. I also cleaned up the `systemd` conditional in the script to use the simpler way to check if commands exist. * Revert the supposedly clever way of command checks Chaining the command check with the return value failed miserably. Reverting this to be normal again. * Allow which(1) to exit and the script to continue We use `which(1)` to determine if a command is available to us. According to the man page, `which(1)` will return a return code `1` if the command is not found. Since the script is run with `-e` as an option in the shebang, this causes the script to exit prematurely. I've wrapped the `which(1)` calls in `set +e/set -e` wrappers so that the script continues gracefully. * Adjust which(1) pipelines to return valid exit codes On systems where `which(1)` doesn't find a given command, it will return exit code `1`. This will cause the script to abort under the `-e` option in the shebang. I've changed the pipeline to capture the return value of which on the other side of a logical OR, which does work correctly, and thus the pipeline gets a 0 return code (making `-e` happy), and I get the return value which tells me whether or not the command exists. Which makes me happy. * Adjust which(1) blocks to account for shortcircuit eval I forgot about shortcircuit evaluation. So I've added the success code in the variable before calling `which(1)`. This means that if the command is found, the 0 retval will get used in the test. The only time that it would change that to a non-zero status would be if something wasn't found. Like before, the whole command pipeline will return success, so `-e` stays happy as a clam.
ebmeierj
pushed a commit
to ebmeierj/aws-ec2-ssh
that referenced
this pull request
Dec 20, 2017
* Support Multiple init daemons and service programs (widdix#1) * Add test to determine init system for sshd restart In the install file, I've added a simple test to determine what init system is currently on the system, and to select the correct restart command for sshd that is required. This is tested on the following OSes in EC2: * Amazon Linux 2017.09 (using upstart) * Ubuntu 16.04.3 LTS (using systemd) * SUSE Enterprise Server 12 SP3 (using systemd) * RHEL 7.3 (using systemd) * Hush the stderr message when systemd doesn't exist This is to ensure that the output for a user is the same as it is when using the standard codebase. Message is successfully suppressed on Amazon Linux 2017.09 * Add useradd(1) arg to force user group creation By default on most distros, `USERGROUPS_ENAB` is set to `yes` which causes `useradd(1)` to create a group for a user that is added. There is an implicit dependency on line 179 of the `import_users.sh` script. I've altered the `useradd(1)` argument set to include `-U/--user-group` to force this on systems where `USERGROUPS_ENAB` is set to `no` This is needed to support SUSE Linux Enterprise Server on EC2. * Add check to not spam the sshd_config file The `install.sh` script currently checks if there is a line that reads `AuthorizedKeysCommand none` and then changes it. Old behaviour was to simply append the line on the end of the file is this line didn't exist. There is now a check to see if the correct line that we want already exists, so we don't spam the end of the configuration file. * Add SELinux support to install script If we have the `getenforce` command available to us, and we find that it returns the value `Enforcing` (meaning SELinux will block our access to AWS when called by `sshd`), we enable the `nis_enabled` boolean persistently in SELinux to inform SELinux that it should expect outbound access from sshd and other login programs (like PAM) to remote servers to get user account information. This allows `sshd` to call the script to get the user's public key from IAM. I also cleaned up the `systemd` conditional in the script to use the simpler way to check if commands exist. * Revert the supposedly clever way of command checks Chaining the command check with the return value failed miserably. Reverting this to be normal again. * Allow which(1) to exit and the script to continue We use `which(1)` to determine if a command is available to us. According to the man page, `which(1)` will return a return code `1` if the command is not found. Since the script is run with `-e` as an option in the shebang, this causes the script to exit prematurely. I've wrapped the `which(1)` calls in `set +e/set -e` wrappers so that the script continues gracefully. * Adjust which(1) pipelines to return valid exit codes On systems where `which(1)` doesn't find a given command, it will return exit code `1`. This will cause the script to abort under the `-e` option in the shebang. I've changed the pipeline to capture the return value of which on the other side of a logical OR, which does work correctly, and thus the pipeline gets a 0 return code (making `-e` happy), and I get the return value which tells me whether or not the command exists. Which makes me happy. * Adjust which(1) blocks to account for shortcircuit eval I forgot about shortcircuit evaluation. So I've added the success code in the variable before calling `which(1)`. This means that if the command is found, the 0 retval will get used in the test. The only time that it would change that to a non-zero status would be if something wasn't found. Like before, the whole command pipeline will return success, so `-e` stays happy as a clam.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Nothing major, just a typo fix and some details around the import every 10 mins "feature".