jupyterhub / jupyterhub

Multi-user server for Jupyter notebooks
https://jupyterhub.readthedocs.io

PAM Authentication failed #4203

Open scruel opened 1 year ago

scruel commented 1 year ago

Bug description

Tried to run jupyterhub without a root user by following the wiki instructions: https://github.com/jupyterhub/jupyterhub/wiki/Using-sudo-to-run-JupyterHub-without-root-privileges

The different part is that we used conda to install jupyterhub rather than root, following this article: https://medium.com/swlh/how-to-install-jupyterhub-using-conda-without-runing-as-root-and-make-it-a-service-59b843fead12

But for other users, we always get an "Invalid username or password" error while logging in. We also tried to execute the command in the "selinux" section, but it was still not helpful. Also, IMO, modifying semodule is not a good idea -- it's dirty work: https://github.com/jupyterhub/jupyterhub/issues/323#issuecomment-1309801303

Expected behaviour

Other users can log in the hub.

Actual behaviour

Only the user who is running the hub can log in.

How to reproduce

Your personal set up

sudoers File

```
Runas_Alias JUPYTER_USERS = rhea, jupyter
Cmnd_Alias JUPYTER_CMD = /home/rhea/miniconda/envs/jupyter_only/bin/sudospawner
rhea ALL=(JUPYTER_USERS) NOPASSWD:JUPYTER_CMD
```

Configuration

```
c = get_config()  # noqa
c.LocalProcessSpawner.shell_cmd = ["bash", "-l", "-c"]
c.JupyterHub.ip = "0.0.0.0"
c.Spawner.args = ["--KernelSpecManager.ensure_native_kernel=False"]
c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
c.Authenticator.admin_users = {'rhea'}
```

Logs

```
[I 2022-11-10 14:10:30.387 JupyterHub app:2775] Running JupyterHub version 3.0.0
[I 2022-11-10 14:10:30.387 JupyterHub app:2805] Using Authenticator: jupyterhub.auth.PAMAuthenticator-3.0.0
[I 2022-11-10 14:10:30.387 JupyterHub app:2805] Using Spawner: sudospawner.spawner.SudoSpawner
[I 2022-11-10 14:10:30.387 JupyterHub app:2805] Using Proxy: jupyterhub.proxy.ConfigurableHTTPProxy-3.0.0
[I 2022-11-10 14:10:30.390 JupyterHub app:1614] Loading cookie_secret from /home/rhea/jupyterhub_cookie_secret
[I 2022-11-10 14:10:30.423 JupyterHub proxy:559] Generating new CONFIGPROXY_AUTH_TOKEN
[I 2022-11-10 14:10:30.432 JupyterHub app:1934] Not using allowed_users. Any authenticated user will be allowed.
[I 2022-11-10 14:10:30.445 JupyterHub app:2844] Initialized 0 spawners in 0.002 seconds
[W 2022-11-10 14:10:30.447 JupyterHub proxy:750] Running JupyterHub without SSL. I hope there is SSL termination happening somewhere else...
[I 2022-11-10 14:10:30.447 JupyterHub proxy:754] Starting proxy @ http://0.0.0.0:8000/
14:10:30.645 [ConfigProxy] info: Proxying http://0.0.0.0:8000 to (no default)
14:10:30.647 [ConfigProxy] info: Proxy API at http://127.0.0.1:8001/api/routes
14:10:30.804 [ConfigProxy] info: 200 GET /api/routes
[I 2022-11-10 14:10:30.804 JupyterHub app:3093] Hub API listening on http://127.0.0.1:8081/hub/
14:10:30.805 [ConfigProxy] info: 200 GET /api/routes
[I 2022-11-10 14:10:30.806 JupyterHub proxy:480] Adding route for Hub: / => http://127.0.0.1:8081
14:10:30.807 [ConfigProxy] info: Adding route / -> http://127.0.0.1:8081
14:10:30.808 [ConfigProxy] info: Route added / -> http://127.0.0.1:8081
14:10:30.808 [ConfigProxy] info: 201 POST /api/routes/
[I 2022-11-10 14:10:30.808 JupyterHub app:3160] JupyterHub is now running at http://0.0.0.0:8000/
[I 2022-11-10 14:10:39.065 JupyterHub log:186] 200 GET /hub/login?next= (@172.20.160.1) 25.69ms
[W 2022-11-10 14:10:47.767 JupyterHub auth:1113] PAM Authentication failed (jupyter@172.20.160.1): [PAM Error 7] Authentication failure
[W 2022-11-10 14:10:47.768 JupyterHub base:816] Failed login for jupyter
[I 2022-11-10 14:10:47.770 JupyterHub log:186] 200 POST /hub/login?next= (@172.20.160.1) 3050.85ms
14:15:30.815 [ConfigProxy] info: 200 GET /api/routes
14:20:30.816 [ConfigProxy] info: 200 GET /api/routes
jupyte^C[C 2022-11-10 14:22:49.979 JupyterHub app:3251] Received signal SIGINT, initiating shutdown...
[I 2022-11-10 14:22:49.980 JupyterHub app:2896] Cleaning up single-user servers...
[I 2022-11-10 14:22:49.980 JupyterHub proxy:824] Cleaning up proxy[2332]...
[I 2022-11-10 14:22:49.981 JupyterHub app:2928] ...done
14:22:49.982 [ConfigProxy] warn: Terminated
```

A little advice: we recommend updating the wiki to indicate which user is running those commands, for example:

root$ groupadd jupyterhub

rather than just:

$ groupadd jupyterhub

For user rhea, we get an error when we try to run the PAM check:

```
rhea$ sudo -u rhea python3 -c "import pamela, getpass; print(pamela.authenticate('$USER', getpass.getpass()))"
Sorry, user rhea is not allowed to execute '/usr/bin/python3 -c import pamela, getpass; print(pamela.authenticate('rhea', getpass.getpass()))' as rhea on ubuntu.localmachine.
```

minrk commented 1 year ago

This suggests rhea doesn't in fact have permission to check other users' passwords. It's possible selinux is interfering, I'm not sure.

For the password check, you can try `sudo -u rhea -s` first.
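
Added example (not part of the thread and not JupyterHub code): a diagnostic for the permission question raised above, meant to be run as the account that runs the hub. It assumes PAM uses pam_unix with local passwords in `/etc/shadow`; the function names are illustrative.

```python
import os
import pwd
import stat
import sys

SHADOW = "/etc/shadow"  # assumption: pam_unix backed by local shadow passwords


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic POSIX read check; ignores ACLs, capabilities and SELinux."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def pam_scope(hub_user, login_user, shadow_readable):
    """Can pam_unix, called by hub_user, verify login_user's password?

    Without read access to the shadow file, pam_unix falls back to the
    setuid unix_chkpwd helper, which only checks the caller's own password.
    """
    if shadow_readable or login_user == hub_user:
        return "verifiable"
    return "not verifiable"


def check_host(hub_user, login_user):
    """Evaluate this process's live credentials against the real file."""
    st = os.stat(SHADOW)
    # Live process groups: a group added with usermod only shows up here
    # after the hub account starts a new login session.
    gids = set(os.getgroups()) | {os.getegid()}
    readable = can_read(st.st_mode, st.st_uid, st.st_gid, os.geteuid(), gids)
    return readable, pam_scope(hub_user, login_user, readable)


if __name__ == "__main__":
    # Run as the hub account; the login name defaults to the one in the report.
    hub = pwd.getpwuid(os.geteuid()).pw_name
    login = sys.argv[1] if len(sys.argv) > 1 else "jupyter"
    readable, verdict = check_host(hub, login)
    print(f"{hub} can read {SHADOW}: {readable}; password of {login}: {verdict}")
```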