Merge branch 'develop' into wip/nfs-510

enrico-usai · Nov 16, 2023 · 85cbe0c · 85cbe0c
2 parents a6b1fb3 + 41e1b48
commit 85cbe0c
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -39,6 +39,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 
 **BUG FIXES**
 - Fix inconsistent scaling configuration after cluster update rollback when modifying the list of instance types declared in the Compute Resources.
+- Fix users SSH keys generation when switching users without root privilege in clusters integrated with an external LDAP server through cluster configuration files.
 
 3.7.2
 ------

diff --git a/cookbooks/aws-parallelcluster-environment/recipes/config/configure_pam_ssh_keygen.rb b/cookbooks/aws-parallelcluster-environment/recipes/config/configure_pam_ssh_keygen.rb
@@ -18,7 +18,7 @@
 pam_services = %w(sudo su sshd)
 pam_config_dir = "/etc/pam.d"
 generate_ssh_key_path = "#{node['cluster']['scripts_dir']}/generate_ssh_key.sh"
-ssh_key_generator_pam_config_line = "session    optional     pam_exec.so log=/var/log/parallelcluster/pam_ssh_key_generator.log #{generate_ssh_key_path}"
+ssh_key_generator_pam_config_line = "session    optional     pam_exec.so seteuid log=/var/log/parallelcluster/pam_ssh_key_generator.log #{generate_ssh_key_path}"
 if node['cluster']["directory_service"]["generate_ssh_keys_for_users"] == 'true'
   template generate_ssh_key_path do
     source 'directory_service/generate_ssh_key.sh.erb'
@@ -44,7 +44,7 @@
     pam_config_file = "#{pam_config_dir}/#{pam_service}"
     delete_lines "Ensure PAM service #{pam_service} is not configured to call SSH key generation script" do
       path pam_config_file
-      pattern %r{session\s+optional\s+pam_exec\.so\s+log=/var/log/parallelcluster/pam_ssh_key_generator\.log}
+      pattern %r{session\s+optional\s+pam_exec\.so\s+seteuid\s+log=/var/log/parallelcluster/pam_ssh_key_generator\.log}
       ignore_missing true
     end
   end

diff --git a/cookbooks/aws-parallelcluster-environment/test/controls/directory_service_spec.rb b/cookbooks/aws-parallelcluster-environment/test/controls/directory_service_spec.rb
@@ -78,7 +78,7 @@
   pam_services.each do |pam_service|
     describe file("/etc/pam.d/#{pam_service}") do
       it { should exist }
-      its('content') { should match %r{session\s+optional\s+pam_exec\.so\s+log=/var/log/parallelcluster/pam_ssh_key_generator\.log} }
+      its('content') { should match %r{session\s+optional\s+pam_exec\.so\s+seteuid\s+log=/var/log/parallelcluster/pam_ssh_key_generator\.log} }
     end
   end
-Original file line number
+Diff line change
@@ Expand Up @@
     **BUG FIXES**
     - Fix inconsistent scaling configuration after cluster update rollback when modifying the list of instance types declared in the Compute Resources.
+    - Fix users SSH keys generation when switching users without root privilege in clusters integrated with an external LDAP server through cluster configuration files.
 .7.2
     ------
@@ Expand Down @@