1

How can I either comment out or remove the "@include common-auth" line in /etc/pam.d/sshd? The default content is:

...

# Standard Un*x authentication.
@include common-auth

...

The lens documentation isn't all that helpful. I'm new to Augeas and don't quite know how path expressions work yet.

I'm trying to do this with augtool, as part of a Dockerfile, to be specific. I have naively tried the following command, but it didn't work:

augtool --autosave 'rm /files/etc/pam.d/sshd/@include common-auth'

I resorted to doing this with sed, and the following did the job for me:

sed -i 's/@include common-auth/#@include common-auth/' /etc/pam.d/sshd

But I'm still trying to find out if there's a way to do it with augtool, because I'm doing all the other configuration changes in my Dockerfile using augtool, and uniformity would be nice.

Ates Goral
  • What have you tried thus far? What worked? What didn't work as expected? Look, we want to help you, but this isn't a script-writing service. We expect that, before getting help here, you show us what you've tried and give evidence that you've tried to solve the problem on your own. – EEAA Feb 18 '17 at 14:39
  • @EEAA Couldn't even get to trying much because I don't exactly know what I should be trying. I've tried Googling for documentation. Looked at existing Augeas-related Q&A on Server Fault. I'm asking for pointers to documentation/methods which I couldn't immediately find myself. I'm trying to avoid spending 1 hour reading the entire Augeas documentation to learn about its internals. Not looking for script/code per se. – Ates Goral Feb 18 '17 at 14:46
  • 1
    Also, you may consider that augtool isn't the right tool for the job. Sometimes standard unix tools like `awk` and `sed` are the right tool. – EEAA Feb 18 '17 at 14:46
  • I naively tried this, but didn't work: `augtool --autosave 'rm /files/etc/pam.d/sshd/@include common-auth'` – Ates Goral Feb 18 '17 at 14:47
  • @EEAA, I totally agree! I can probably just do this with `sed`, but the curious monkey in me is trying to see if there's a way to do this with `augtool`. – Ates Goral Feb 18 '17 at 14:48
  • 1
    I added the attempted command to the question, and as an Augeas developer I feel there's enough information for me to answer it. Could it be re-opened please? – Dominic Cleal Feb 19 '17 at 18:22
  • @DominicCleal It has been reopened. – Ates Goral Feb 20 '17 at 17:34

1 Answer

1

The most important thing to do when trying to work out which node to edit/delete is to look at the current tree using augtool's print command:

$ augtool
augtool> print /files/etc/pam.d/sshd
/files/etc/pam.d/sshd
/files/etc/pam.d/sshd/#comment[1] = "PAM configuration for the Secure Shell service"
/files/etc/pam.d/sshd/#comment[2] = "Standard Un*x authentication."
/files/etc/pam.d/sshd/include[1] = "common-auth"
/files/etc/pam.d/sshd/#comment[3] = "Disallow non-root logins when /etc/nologin exists."
/files/etc/pam.d/sshd/1
/files/etc/pam.d/sshd/1/type = "account"
[..]

This shows that the @include common-auth line has the path /files/etc/pam.d/sshd/include[1], so this would delete it:

augtool -s 'rm /files/etc/pam.d/sshd/include[1]'

Instead of hardcoding the index (1), you can use a path expression to match the value "common-auth", ensuring you delete the correct @include entry if it exists.

augtool -s 'rm /files/etc/pam.d/sshd/include[. = "common-auth"]'

The . means the value of the node (the right-hand side of the print output). Anything within the [] is a path expression. The Augeas wiki has lots more info about path expressions.

Dominic Cleal
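The path expression from the answer above, wrapped as an idempotent build step (an added example, not code from the original post or from the Augeas project). The helper names `aug_count`, `drop_pam_include` and `make_sample_root` are hypothetical and the PAM file is a constructed sample; `-r` points augtool at a scratch root so the edit can be checked before it is run against the real /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: idempotent removal of "@include VALUE" from a PAM service file.
# usage: drop_pam_include ROOT SERVICE VALUE   (ROOT is / on the real system)
# Prints the number of lines removed; returns 2 if Augeas did not load the file.
# Helper names are hypothetical, not part of Augeas.

aug_count() {   # aug_count ROOT PATH -> number of tree nodes matching PATH
    augtool -r "$1" "match $2" | grep -c '^/' || true
}

drop_pam_include() {
    root=$1 service=$2 value=$3
    file="/files/etc/pam.d/$service"
    expr="$file/include[. = \"$value\"]"

    # A file that is missing or fails to parse has no node under /files, so
    # "no matches" on its own must not be read as "already removed": the
    # @include line could still be active in the shipped image.
    if [ "$(aug_count "$root" "$file")" -ne 1 ]; then
        echo "augeas did not load etc/pam.d/$service under $root" >&2
        return 2
    fi

    before=$(aug_count "$root" "$expr")
    if [ "$before" -gt 0 ]; then
        augtool -r "$root" -s "rm $expr" >/dev/null || return 1
    fi

    # Re-read from disk to confirm the saved file no longer has the entry.
    [ "$(aug_count "$root" "$expr")" -eq 0 ] || return 1
    echo "$before"
}

# Constructed sample, modelled on the excerpt quoted in the question.
make_sample_root() {
    mkdir -p "$1/etc/pam.d"
    cat > "$1/etc/pam.d/sshd" <<'EOF'
# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
@include common-account
EOF
}
```

In a Dockerfile the function would be called as `drop_pam_include / sshd common-auth`; a second run prints 0 and leaves the file untouched.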