
Re: Need detailed help on creating a Debian package (post-install configuration)



T o n g <mlist4suntong@yahoo.com> writes:

> I've successfully built a package; the building and installation were
> fine. The problem is that when people use Debian packages, they tend to
> assume that the package will work out of the box, whereas this
> pam-ssh-agent-auth PAM module needs a bit of post-install configuration
> before it can be used, which I found at
> http://www.evans.io/posts/ssh-agent-for-sudo-authentication/

> I.e., it needs to configure 3 system files, /etc/sudoers,
> /etc/pam.d/sudo, and /etc/ssh/sudo_authorized_keys.

> I've been trying to automate the configuration as much as possible and
> have created patch files for /etc/sudoers, and /etc/pam.d/sudo:

> /etc/sudoers: http://paste.debian.net/12646/
> /etc/pam.d/sudo: http://paste.debian.net/12647/

For /etc/sudoers, the Debian sudo package supports loading configuration
fragments dropped into /etc/sudoers.d.  So you can just install the
configuration fragment there.

For the PAM configuration, do you have to install this module *only* for
sudo and not for any other program?  Normally, in Debian, you would use
the pam-auth-update mechanism to customize common-auth, which handles
things like skipping other modules if an overriding module succeeds.  But
that will of course affect common-auth for all PAM-enabled applications.

If you need to customize *only* /etc/pam.d/sudo, I'm afraid that Debian
Policy says you're not allowed to do that.  Basically, configuration files
are owned by a single package, and only that package may modify them.  That
package *can* provide an interface for modifications that other packages
can use, but for this sort of thing, that's probably overkill.  The
typical thing to do in this sort of situation is to document the required
modification in README.Debian; it's not entirely satisfactory, but
sometimes there isn't another good option.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
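
Added example, not part of the original message and not code from the Debian sudo package: a pre-install check for a fragment destined for /etc/sudoers.d, covering the cases where sudo would silently skip the file or where it would not parse. The fragment name, the sample `Defaults` line, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a sudoers.d fragment before shipping it.
# Function names and the sample fragment content are hypothetical.

# sudo's includedir skips files whose name ends in '~' or contains a '.',
# so a fragment named like "foo.conf" is never loaded.
fragment_name_ok() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# Full check: loadable name, mode 0440 (the mode Debian's
# /etc/sudoers.d/README asks for), and, when visudo is installed,
# a syntax check. Prints the reason on failure.
check_fragment() {
    file=$1
    name=$(basename "$file")
    if ! fragment_name_ok "$name"; then
        echo "skipped by includedir: $name"; return 1
    fi
    mode=$(stat -c %a "$file") || return 1
    if [ "$mode" != "440" ]; then
        echo "mode is $mode, expected 440"; return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null 2>&1 || { echo "syntax error"; return 1; }
    fi
    return 0
}

# Constructed sample fragment (assumed content, not taken from the thread):
# keeps the agent socket variable in sudo's environment.
write_sample_fragment() {
    printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n' > "$1"
    chmod 0440 "$1"
}
```

Running `check_fragment` from the package build against the file that will be installed catches a misnamed or malformed fragment before it reaches a user's system.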

