cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0

Updated rootfs/etc/pam.d/duo #40

Closed paulcalabro closed 5 years ago

paulcalabro commented 5 years ago

Fixes #38

osterman commented 5 years ago

@paulcalabro - we did some necessary refactoring a number of months ago to facilitate long-term maintenance of this Dockerfile. In the process, it looks like we dropped something: ln -s /lib /lib64

What I like about the ln "fix" is that it addresses this class of problems, without needing to hardcode paths in the configs.

https://github.com/cloudposse/bastion/commit/8411230e466decf3a069fa3a5185c94bd5028d75#diff-3254677a7917c6c01f55212f86c57fbfR10

Would you mind giving this a shot and seeing if that fixes it?

osterman commented 5 years ago

We removed it in this commit by accident https://github.com/cloudposse/bastion/commit/e85859e513b67efc02fde9a67b20505c9f9b6177#diff-3254677a7917c6c01f55212f86c57fbfL10

paulcalabro commented 5 years ago

@osterman I actually came across the ln fix when I was reviewing the git blame history. The reason why I hard coded it was because it's already set explicitly to lib64 here:

https://github.com/cloudposse/bastion/blob/6f980527ebe77c9ac892a22e710909b0d9691713/Dockerfile#L19-L24

It looks like in a later stage, it's copied to lib64 as well.

I reviewed the change log, but I'm a little unsure as to why the symlink is preferred if the module will always be located in this folder. Could you please clarify?

I'll test out the symlink fix later today.

osterman commented 5 years ago

> I reviewed the change log, but I'm a little unsure as to why the symlink is preferred if the module will always be located in this folder. Could you please clarify?

I don't have a strong opinion on this.

My experience has been that I spend more time fixing these kinds of problems than I need to, so the general fix of symlinking /lib64 to /lib eliminates this whole class of problems. On the other hand, editing the file itself with the explicit path fixes it only for this one occurrence. I find when installing precompiled binaries built on other distros, that I need to add this symlink anyways, which is why my bias exists towards the symlink.
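A check for the failure both fixes address, as an added example that is not part of this thread or the cloudposse/bastion repository: it lists absolute module paths referenced in /etc/pam.d files that do not exist on disk. The function name check_pam_modules and the sample path in its comments are assumptions; run it inside the image with no argument, or pass a root directory.

```shell
#!/bin/sh
# Added example, not project code.
# Prints "<pam.d file>: <module path>" for every absolute module path
# referenced under ROOT/etc/pam.d that does not exist under ROOT.
# Usage: check_pam_modules [ROOT]    (no argument means /)
check_pam_modules() {
    root="${1:-}"
    root="${root%/}"
    for conf in "$root"/etc/pam.d/*; do
        [ -f "$conf" ] || continue
        # pam.d line format: type control module-path [arguments]
        # Drop comments, and collapse a bracketed control such as
        # [success=1 default=ignore] so it counts as a single field.
        sed -e 's/#.*//' -e 's/\[[^]]*]/[]/' "$conf" |
        while read -r type control module _; do
            # "include"/"substack" name another config file, not a module;
            # blank and @include lines have no control field at all.
            case "$control" in include|substack|'') continue ;; esac
            case "$module" in
                # Absolute path, e.g. /lib64/security/pam_duo.so (constructed
                # sample): it must exist as written or through a symlink.
                /*) [ -e "$root$module" ] || echo "${conf#"$root"}: $module" ;;
                # Bare names (pam_duo.so) are resolved by libpam against its
                # own module directory and are not checked here.
            esac
        done
    done
}
```

Empty output means every hardcoded module path resolves, whether through an explicit path or a /lib64 symlink.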

paulcalabro commented 5 years ago

Thanks for the explanation as well as merging the PR! Cheers!

osterman commented 5 years ago

@paulcalabro thanks for taking the time to contribute the PR! =)

paulcalabro commented 5 years ago

Thanks for sharing this image. It's pretty awesome!