This article is based on this section of the administrator's guide.
RStudio Connect can use PAM for user authentication. PAM authentication is used if the Authentication.Provider setting has a value of pam:

    [Authentication]
    Provider = pam

You can change the PAM service name used for authentication by customizing the PAM.Service setting. The default PAM service name used by RStudio Connect is rstudio-connect:

    [PAM]
    Service = rstudio-connect

We assume that RStudio Connect is configured to use the rstudio-connect PAM service name in the examples that follow.
RStudio Connect does not create a PAM service on Ubuntu systems. When RStudio Connect attempts to use the rstudio-connect service name for authentication, PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other.

The default Ubuntu other service is configured to inherit from a set of common PAM services:

    # Ubuntu default "other" PAM service.
    @include common-auth
    @include common-account
    @include common-password
    @include common-session

If the other service is appropriate for your organization, no further configuration is needed.
You need a custom rstudio-connect PAM service for RStudio Connect only if the other service is not suitable for your users. Create and configure /etc/pam.d/rstudio-connect to prevent PAM from falling back to the other service. PAM will use this service for subsequent authentication attempts using the rstudio-connect service name.
RedHat/CentOS systems deny access to unknown PAM service names by default. This is because the other configuration in /etc/pam.d/other contains only “deny” rules.

    #%PAM-1.0
    # RedHat/CentOS default "other" PAM service.
    auth     required       pam_deny.so
    account  required       pam_deny.so
    password required       pam_deny.so
    session  required       pam_deny.so
The RStudio Connect RPM installs an rstudio-connect PAM service at /etc/pam.d/rstudio-connect. This service is configured to require a user ID of at least 500 (uid >= 500) and authenticates against local system accounts.

    #%PAM-1.0
    # RStudio Connect default PAM service.
    auth      requisite      pam_succeed_if.so uid >= 500 quiet
    auth      required       pam_unix.so nodelay
    account   required       pam_unix.so
This default PAM service may not reflect the authentication behavior that you want for RStudio Connect. Feel free to customize this service for your organization.
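The fallback behavior described above can be checked on a host before users attempt to log in. The script below is an added example, not part of the original article or of RStudio's tooling; the function names are hypothetical, /etc/pam.d is assumed as the PAM directory, and the classification is a simple text check that does not follow @include directives.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; /etc/pam.d is the assumed
# PAM configuration directory and can be overridden with a second argument.

# Print the service PAM will actually consult: the named service if its file
# exists, otherwise the "other" fallback.
effective_pam_service() {
    name=$1; dir=${2:-/etc/pam.d}
    if [ -f "$dir/$name" ]; then printf '%s\n' "$name"; else printf 'other\n'; fi
}

# Classify a service file by its non-comment lines (does not follow @include):
#   deny    - every rule uses pam_deny.so (RedHat/CentOS default "other")
#   include - pulls in other services with @include (Ubuntu default "other")
#   custom  - anything else, e.g. pam_unix.so rules
classify_pam_service() {
    file=$1
    [ -f "$file" ] || { printf 'missing\n'; return 0; }
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")
    if [ -z "$rules" ]; then
        printf 'empty\n'
    elif ! printf '%s\n' "$rules" | grep -qv 'pam_deny\.so'; then
        printf 'deny\n'
    elif printf '%s\n' "$rules" | grep -q '^[[:space:]]*@include'; then
        printf 'include\n'
    else
        printf 'custom\n'
    fi
}

# One-line summary: configured name -> effective service (classification).
pam_fallback_report() {
    name=$1; dir=${2:-/etc/pam.d}
    svc=$(effective_pam_service "$name" "$dir")
    printf '%s -> %s (%s)\n' "$name" "$svc" "$(classify_pam_service "$dir/$svc")"
}

# Report for the default service name on this host.
pam_fallback_report "${1:-rstudio-connect}"
```

A result of `other (deny)` means logins are rejected until /etc/pam.d/rstudio-connect exists, while `other (include)` means authentication is governed by the system-wide common services.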
Configuring a PAM service
This section may be helpful if your organization has different requirements from the default behavior of the rstudio-connect PAM service name. Please consult with your PAM/systems administrator to be sure that the RStudio Connect PAM service configuration fits your needs.
If your system already has a PAM service (e.g. /etc/pam.d/login) with the desired behavior, it may be enough to simply include that service from within the RStudio Connect service. For example:

    # RStudio Connect PAM service that defers to the existing login service.
    @include login
You could also copy that existing service into the RStudio Connect service, so that the copy can be changed and can evolve independently of the source service.

    $ sudo cp /etc/pam.d/login /etc/pam.d/rstudio-connect
Lastly, you could configure the PAM.Service setting to reference that PAM service. This would be appropriate if you have a common rstudio service that you use across all the RStudio products, for example.

    [PAM]
    Service = rstudio
If you change the PAM.Service setting from its default rstudio-connect value, the /etc/pam.d/rstudio-connect PAM service will not be used.
Groups are supported when using PAM authentication in RStudio Connect version 1.7.2 and later. They can be managed manually in the Dashboard or via the Connect Server API.
Note: These groups are local to RStudio Connect and have no relation to the Unix/Linux groups present on the host machine where PAM is configured.