nickjer / singularity-rstudio

RStudio Server in a Singularity container
https://singularity-hub.org/collections/463
MIT License

PAM authentication #1

Closed nhoffman closed 6 years ago

nhoffman commented 6 years ago

Hi - thanks a lot for putting this out there!

I'm wondering if you have attempted to implement PAM authentication - at least, I think that's the mechanism that allows authentication with the user's system credentials. I tried starting the server using

singularity run singularity-rstudio.simg --auth-validate-users 1 --auth-encrypt-password 1

But visiting localhost:8787 didn't require a password prompt.

After reading https://support.rstudio.com/hc/en-us/articles/226868627-PAM-authentication-in-RStudio-Connect I also tried defining a config file:

% cat ~/rstudio.conf
[Authentication]
Provider = pam

[PAM]
Service = rstudio-connect

But now I get an error

% singularity run singularity-rstudio.simg --auth-validate-users 1 --auth-encrypt-password 1 --config-file ~/rstudio.conf
Error reading /home/local/AMC/ngh2/rstudio.conf: unrecognised option 'Authentication.Provider'

Before I forge ahead, I thought I'd ask if you had already attempted this.

Thanks!

nickjer commented 6 years ago

Unfortunately, I have not used the host PAM authentication module before.

Basically, I generate a random password for the user and store it in an environment variable. I then launch RStudio Server with (simplified the code a bit):

RSTUDIO_PASSWORD="password" singularity run singularity-rstudio.simg \
  --auth-none 0 \
  --auth-pam-helper-path "/path/to/pam_override.sh"

where I override the PAM authentication with a script that looks like this:

#!/usr/bin/env bash

# Confirm username is supplied (RStudio passes it as the only argument)
if [[ $# -ne 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi
USERNAME="${1}"

# Confirm password environment variable exists
if [[ -z "${RSTUDIO_PASSWORD}" ]]; then
  echo "The environment variable RSTUDIO_PASSWORD is not set"
  exit 1
fi

# Read in the password from user (RStudio feeds it on STDIN);
# -r keeps backslashes in the password literal
IFS= read -r -s -p "Password: " PASSWORD
echo ""

# Quote both sides of ==: an unquoted right-hand operand inside [[ ]] is
# treated as a glob pattern, so a submitted password of "*" would otherwise
# match any RSTUDIO_PASSWORD
if [[ "${USERNAME}" == "${USER}" && "${PASSWORD}" == "${RSTUDIO_PASSWORD}" ]]; then
  echo "Successful authentication"
  exit 0
else
  echo "Invalid authentication"
  exit 1
fi

In other words, RStudio will launch the PAM helper script with the username as the first argument and feed in the password through STDIN. I just compare the first argument to the current user, and read in STDIN for the password and compare it to the RSTUDIO_PASSWORD that was passed in when launching the Singularity image.
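A small harness for exercising a helper under the contract described above (username as the first argument, password on STDIN, exit 0 to accept), as an added example that is not code from this thread or from the singularity-rstudio project. The helper it writes is a constructed variant of the script above with the == operands quoted, and the `alice`/`bob`/`s3cret` values are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or the singularity-rstudio project.
# Drives a PAM helper the way the comment above describes rserver calling it:
# username as the first argument, password on STDIN, exit 0 means accepted.
set -u

# Write a constructed helper to a temp file. It follows the thread's script with
# the operands of == quoted, so the password is compared literally rather than
# as a glob pattern (unquoted, a submitted "*" would match any password).
# read -s is omitted because STDIN here is a pipe, not a terminal.
make_helper() {
  local path
  path="$(mktemp)"
  cat > "$path" <<'EOF'
[[ $# -eq 1 ]] || { echo "Usage: auth USERNAME" >&2; exit 1; }
[[ -n "${RSTUDIO_PASSWORD:-}" ]] || { echo "RSTUDIO_PASSWORD is not set" >&2; exit 1; }
IFS= read -r PASSWORD
if [[ "$1" == "${USER:-}" && "${PASSWORD}" == "${RSTUDIO_PASSWORD}" ]]; then
  exit 0
fi
exit 1
EOF
  printf '%s\n' "$path"
}

# Invoke the helper as rserver would and print 0 (accepted) or 1 (rejected).
# USER and RSTUDIO_PASSWORD are set explicitly so the outcome does not depend
# on the caller's own environment.
try_login() {
  local helper="$1" expected_user="$2" user="$3" password="$4" secret="$5"
  if printf '%s\n' "$password" \
       | USER="$expected_user" RSTUDIO_PASSWORD="$secret" bash "$helper" "$user" \
         >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

# Constructed demonstration: only the exact secret for the expected user passes.
demo() {
  local helper
  helper="$(make_helper)"
  try_login "$helper" alice alice 's3cret' 's3cret'   # prints 0
  try_login "$helper" alice alice '*'      's3cret'   # prints 1 (no glob match)
  try_login "$helper" alice alice 'wrong'  's3cret'   # prints 1
  try_login "$helper" alice bob   's3cret' 's3cret'   # prints 1 (wrong user)
  rm -f "$helper"
}

demo
```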

nhoffman commented 6 years ago

Thanks a lot for the response - this will do the trick for now. I realized that PAM probably isn't going to work on my system anyway, as it uses federated authentication (pbis), but I did find a useful comment in the context of docker and jupyter notebooks that suggested binding /etc/passwd and /etc/shadow (https://github.com/jupyterhub/jupyterhub/issues/535). I couldn't test this, but perhaps it will be useful to someone.

You might consider adding the script above to the image (if it works that way) - I'm sure others would find this approach useful in the absence of another way to require authentication.

Thanks again - feel free to close this.

nickjer commented 6 years ago

Yes, theoretically binding /etc/passwd and /etc/shadow would work for a simple Linux system that uses these flat files. I am not sure it would work though for something more complicated like NSS without probably installing the same version of it within the container.

Also, adding the above script to the Singularity image with a quick how-to in the README.md is a great idea. I'll try to throw that in there soon and close this issue when done.

nickjer commented 6 years ago

Actually since the Singularity container runs as the user, I am not entirely sure PAM would work even if you did bind /etc/passwd and /etc/shadow since it probably wouldn't allow the necessary privilege escalation in order to read /etc/shadow due to security concerns.

See http://singularity.lbl.gov/faq#are-there-any-special-security-concerns-that-singularity-introduces, in particular:

Additionally, there are precautions within the container context to mitigate any escalation of privileges. This limits a user’s ability to gain root control once inside the container.

I believe Docker doesn't have these precautions, so not being able to use PAM would only be an issue for Singularity.