Support

PAM authentication in RStudio Connect

Follow

This article is based on this section of the administrator's guide.


RStudio Connect can use PAM for user authentication. PAM authentication is used if theAuthentication.Provider setting has a value of pam.

[Authentication]
Provider = pam

You can change the PAM service name used for authentication by customizing the PAM.Servicesetting. The default PAM service name used by RStudio Connect is rstudio-connect.

[PAM]
Service = rstudio-connect

We assume that RStudio Connect is configured to use the rstudio-connect PAM service name in the examples that follow.

Ubuntu

RStudio Connect does not create a PAM service on Ubuntu systems. When RStudio Connect attempts to use the rstudio-connect service name for authentication, PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other.

The default Ubuntu other service is configured to inherit from a set of common PAM services:

# Ubuntu default "other" PAM service.
@include common-auth
@include common-account
@include common-password
@include common-session

If the other service is appropriate for your organization, no further configuration is needed.

You need a custom rstudio-connect PAM service for RStudio Connect only if the other service is not fitting for your users. Create and configure /etc/pam.d/rstudio-connect to prevent PAM from falling back to the other service. PAM will use this service for subsequent authentication attempts using the rstudio-connect service name.

RedHat/CentOS

RedHat/CentOS systems deny access to unknown PAM service names by default. This is because theother configuration in /etc/pam.d/other contains only “deny” rules.

#%PAM-1.0
# RedHat/CentOS default "other" PAM service.
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so

The RStudio Connect RPM installs an rstudio-connect PAM service at /etc/pam.d/rstudio-connect. This service is configured to require a user-id greater than 500 and authenticates against local system accounts.

#%PAM-1.0
# RStudio Connect default PAM service.
auth      requisite      pam_succeed_if.so uid >= 500 quiet
auth      required       pam_unix.so nodelay
account   required       pam_unix.so

This default PAM service may not reflect the authentication behavior that you want for RStudio Connect. Feel free to customize this service for your organization.

Configuring a PAM service

This section may be helpful if your organization has different requirements from the default behavior of the rstudio-connect PAM service name. Please consult with your PAM/systems administrator to be sure that the RStudio Connect PAM service configuration fits your needs.

If your system already has a PAM service (e.g. /etc/pam.d/login) with the desired behavior, it may be enough to simply include that service from within the RStudio Connect service. For example:

# RStudio Connect PAM service that defers to the existing login service.
@include login

You could also copy that existing service into the RStudio Connect service, meaning the copy can be changed and evolve independently from the source service.

$ sudo cp /etc/pam.d/login /etc/pam.d/rstudio-connect

Lastly, you could configure the PAM.Service setting to reference that PAM service. This would be appropriate if you have a common rstudio service that you use across all the RStudio products, for example.

[PAM]
Service = rstudio

If you change the PAM.Service setting from its default rstudio-connect value, the/etc/pam.d/rstudio-connect PAM service will not be used.

Groups

Groups are not supported when using PAM authentication.

Comments