search

jupyterhub / systemdspawner

Spawn JupyterHub single-user notebook servers with systemd
BSD 3-Clause "New" or "Revised" License
92 stars 45 forks source link

PAM authentication fails in pam_loginuid.so #104

Open lukas-koschmieder opened 1 year ago

lukas-koschmieder commented 1 year ago

On my SystemdSpawner-based JupyterHub, PAM authentication fails with the following warning:

Mär 27 13:46:07 vm3 python[8780]: pam_loginuid(login:session): Error writing /proc/self/loginuid: Operation not permitted
Mär 27 13:46:07 vm3 python[8780]: pam_loginuid(login:session): set_loginuid failed

/var/log/auth.log:

Mar 27 13:46:07 vm3 python: pam_loginuid(login:session): Error writing /proc/self/loginuid: Operation not permitted
Mar 27 13:46:07 vm3 python: pam_loginuid(login:session): set_loginuid failed
Mar 27 13:46:07 vm3 python: pam_unix(login:session): session opened for user lukas by (uid=0)
Mar 27 13:46:07 vm3 systemd: pam_unix(systemd-user:session): session opened for user lukas by (uid=0)

JupyterHub runs as root on Ubuntu 20.04 LTS, and it has been installed via Miniconda3-py39_4.9.2-Linux-x86_64:

conda install -y jupyterhub=1.4.1 jupyter_core=4.9.1 jupyter_server=1.4.1 jupyter_client=7.0.1 ipykernel=6.4.1 notebook=6.4.0 oauthlib-3.1.1 ipython=7.29.0
conda install -c conda-forge -y jupyterhub-systemdspawner=0.15.0

It's worth adding that I have a similar setup (same operating system, same Miniconda version, same Conda packages), on which PAM authentication does work.

Both machines use the same PAM/Audit shared libraries (libpam0g 1.3.1, libaudit1 2.8.5) and the same Python wrapper (pamela 1.0.0). Also the PAM config in /etc/pam.d is identical on both machines.

I have temporarily disabled AppArmor to make sure that it does not interfer with the login procedure. SELinux is not installed.

As far as I can tell, the only difference between the two setups is the Linux Kernel: 5.4 (working setup) vs. 5.15 (brokensetup). However, I cannot find anything in the Linux kernel's changelog that would indicate any significant PAM-related changes.

Are you aware of issues related to PAM authentication?

welcome[bot] commented 1 year ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively. welcome You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada: