Closed nhoffman closed 6 years ago
Unfortunately, I have not used the host PAM authentication module before.
Basically, I generate a random password for the user and store it in an environment variable. I then launch RStudio Server with (simplified the code a bit):
```bash
RSTUDIO_PASSWORD="password" singularity run singularity-rstudio.simg \
  --auth-none 0 \
  --auth-pam-helper-path "/path/to/pam_override.sh"
```
where I override the PAM authentication with a script that looks like this:
```bash
#!/usr/bin/env bash

# Confirm username is supplied
if [[ $# -ne 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi

USERNAME="${1}"

# Confirm password environment variable exists
if [[ -z ${RSTUDIO_PASSWORD} ]]; then
  echo "The environment variable RSTUDIO_PASSWORD is not set"
  exit 1
fi

# Read in the password from user
# (IFS= and -r keep surrounding whitespace and backslashes intact)
IFS= read -r -s -p "Password: " PASSWORD
echo ""

# The right-hand sides are quoted so they are compared literally;
# unquoted, [[ == ]] would treat them as glob patterns
if [[ ${USERNAME} == "${USER}" && ${PASSWORD} == "${RSTUDIO_PASSWORD}" ]]; then
  echo "Successful authentication"
  exit 0
else
  echo "Invalid authentication"
  exit 1
fi
```
In other words, RStudio will launch the PAM helper script with the username as the first argument, and feed in the password through STDIN. I just compare the first argument to the current user, and read in STDIN for the password and compare it to the `RSTUDIO_PASSWORD` that was passed in when launching the Singularity image.
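An added example, not code from this thread or from the singularity-rstudio project: it drives a helper-style check the way the comment describes (username as the first argument, password on stdin) and shows why the comparison has to be literal, since inside `[[ ]]` an unquoted right-hand side of `==` is a glob pattern. The function names, the user `alice` and the sample passwords are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: function names, "alice" and sample secrets are constructed.

# Launcher side: 32 hex characters taken from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Pitfall: inside [[ ]], an unquoted right-hand side of == is a glob pattern,
# so an expected secret of "*" would accept any supplied password.
check_unquoted() {   # $1 = supplied password, $2 = expected password
    [[ $1 == $2 ]]
}

# Literal comparison: quoting the right-hand side disables pattern matching.
check_quoted() {     # $1 = supplied password, $2 = expected password
    [[ $1 == "$2" ]]
}

# Hypothetical helper body. Reads one line from stdin; IFS= and -r keep
# surrounding blanks and backslashes, and a last line without a trailing
# newline is still accepted as input.
helper_check() {     # $1 = username, $2 = allowed user, $3 = expected password
    local supplied
    IFS= read -r supplied || [[ -n $supplied ]] || return 1
    [[ -n $3 ]] || return 1            # refuse to run with an empty secret
    [[ $1 == "$2" ]] && check_quoted "$supplied" "$3"
}

# Server side: pass the username as an argument and the password on stdin,
# then report the helper's exit status as a word.
try_login() {        # $1 = username, $2 = password typed by the client
    if printf '%s\n' "$2" | helper_check "$1" "$ALLOWED_USER" "$EXPECTED"; then
        echo accept
    else
        echo reject
    fi
}

ALLOWED_USER=alice                 # constructed account name
EXPECTED=$(gen_password)           # per-session secret, as in the launch step

echo "correct password: $(try_login alice "$EXPECTED")"
echo "wrong password:   $(try_login alice 'not-the-secret')"
echo "wrong user:       $(try_login bob "$EXPECTED")"
```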
Thanks a lot for the response - this will do the trick for now. I realized that PAM probably isn't going to work on my system anyway, as it uses federated authentication (pbis), but I did find a useful comment in the context of docker and jupyter notebooks that suggested binding /etc/passwd and /etc/shadow (https://github.com/jupyterhub/jupyterhub/issues/535). I couldn't test this, but perhaps it will be useful to someone.
You might consider adding the script above to the image (if it works that way) - I'm sure others would find this approach useful in the absence of another way to require authentication.
Thanks again - feel free to close this.
Yes, theoretically binding `/etc/passwd` and `/etc/shadow` would work for a simple Linux system that uses these flat files. I am not sure it would work though for something more complicated like NSS without probably installing the same version of it within the container.
Also, adding the above script to the Singularity image with a quick how-to in the `README.md` is a great idea. I'll try to throw that in there soon and close this issue when done.
Actually, since the Singularity container runs as the user, I am not entirely sure PAM would work even if you did bind `/etc/passwd` and `/etc/shadow`, since it probably wouldn't allow the necessary privilege escalation in order to read `/etc/shadow` due to security concerns.
See http://singularity.lbl.gov/faq#are-there-any-special-security-concerns-that-singularity-introduces, in particular:
Additionally, there are precautions within the container context to mitigate any escalation of privileges. This limits a user’s ability to gain root control once inside the container.
I believe Docker doesn't have these precautions, so not being able to use PAM would only be an issue for Singularity.
Hi - thanks a lot for putting this out there!
I'm wondering if you have attempted to implement PAM authentication - at least, I think that's the mechanism that allows authentication with the user's system credentials. I tried starting the server using
But visiting localhost:8787 didn't require a password prompt.
After reading https://support.rstudio.com/hc/en-us/articles/226868627-PAM-authentication-in-RStudio-Connect I also tried defining a config file:
But now I get an error
Before I forge ahead, I thought I'd ask if you had already attempted this.
Thanks!