PAM
RStudio Connect can use PAM for user authentication. PAM authentication is used if the Authentication.Provider setting has a value of pam.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
Provider = pam
Info
See the PAM sessions section for information about using PAM sessions when launching processes associated with deployed content.
You can change the PAM service name used for authentication by customizing the PAM.Service setting. The default PAM service name used for authentication is rstudio-connect.
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio-connect
Note that there are three types of PAM service that can be configured in the PAM configuration section. The PAM sessions section contains additional information.
- PAM.Service - The PAM service used for authenticating users when logging in.
- PAM.SessionService - When PAM.UseSession is enabled, the PAM service used for running processes either as the default user or as an arbitrary user. Should not require a password.
- PAM.AuthenticatedSessionService - The PAM service used for running processes as the currently logged-in user with the user's password. Requires PAM.UseSession, PAM.ForwardPassword, and Applications.RunAsCurrentUser to be enabled. Useful for Kerberos configurations.
We assume that RStudio Connect is configured to use the rstudio-connect PAM service name for authentication in the examples that follow.
When attempting to troubleshoot a problem relating to PAM, you can enable more verbose logging with PAM.Logging:
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Logging = true
Ubuntu
RStudio Connect does not create a PAM service on Ubuntu systems. When RStudio Connect attempts to use the rstudio-connect service name for authentication, PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other.
The default Ubuntu other service is configured to inherit from a set of common PAM services:
# Ubuntu default "other" PAM service.
@include common-auth
@include common-account
@include common-password
@include common-session
If the other service is appropriate for your organization, no further configuration is needed.
You need a custom rstudio-connect PAM service for RStudio Connect only if the other service is not suitable for your users. Create and configure /etc/pam.d/rstudio-connect to prevent PAM from falling back to the other service. PAM will use this service for subsequent authentication attempts using the rstudio-connect service name.
Red Hat/CentOS/SUSE
Red Hat/CentOS/SUSE systems may deny access to unknown PAM service names by default. This is because the other configuration in /etc/pam.d/other contains only "deny" rules.
#%PAM-1.0
# The Red Hat/CentOS default "other" PAM service.
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
The RStudio Connect RPM installs an rstudio-connect PAM service at /etc/pam.d/rstudio-connect. This service is configured to require a user-id greater than 500 and authenticates against local system accounts.
#%PAM-1.0
# The RStudio Connect default PAM service.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_unix.so nodelay
account required pam_unix.so
This default PAM service may not reflect the authentication behavior that you want for RStudio Connect. Feel free to customize this service for your organization.
Configuring a PAM service
This section may be helpful if your organization has different requirements from the default behavior of the rstudio-connect PAM service name. Please consult with your PAM/systems administrator to be sure that the RStudio Connect PAM service configuration fits your needs.
If your system already has a PAM service (e.g. /etc/pam.d/login) with the desired behavior, it may be enough to simply include that service from within the RStudio Connect service. For example:
# RStudio Connect PAM service that defers to the existing login service.
@include login
You could also copy that existing service into the RStudio Connect service, meaning the copy can be changed and evolve independently from the source service.
sudo cp /etc/pam.d/login /etc/pam.d/rstudio-connect
Lastly, you could configure the PAM.Service setting to reference that PAM service. This would be appropriate if you have a common rstudio service that you use across all the RStudio products, for example.
; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = rstudio
If you change the PAM.Service setting from its default rstudio-connect value, the PAM service defined in /etc/pam.d/rstudio-connect will not be used.
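The fallback to the other service described for Ubuntu and Red Hat/CentOS/SUSE, and the effect of changing PAM.Service, can be checked with a short script. This is an added example, not part of the RStudio Connect documentation: the function names are hypothetical, and the gcfg parsing assumes plain "Service = name" lines without quoting or inline comments.

```shell
#!/bin/sh
# Added example (not from the RStudio Connect docs): show which PAM service
# file will be consulted for authentication and what its auth stack looks like.

# Print PAM.Service from a gcfg file; defaults to rstudio-connect when unset.
# Simplification: plain "Service = name" lines, no quoting or inline comments.
connect_pam_service() {
    [ -r "$1" ] || { echo rstudio-connect; return 0; }
    awk '
        /^[ \t]*\[/ { in_pam = (tolower($0) ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && tolower($0) ~ /^[ \t]*service[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { print (v == "" ? "rstudio-connect" : v) }' "$1"
}

# Classify the auth rules of one PAM service file.
pam_auth_kind() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "@include" { inc++; next }
        $1 == "auth" {
            n++
            for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) {
                if ($i ~ /pam_deny\.so$/) deny++
                break
            }
        }
        END {
            if (n > 0 && n == deny && inc == 0) print "deny-only"
            else if (n == 0 && inc > 0) print "includes-only"
            else if (n == 0) print "no-auth-rules"
            else print "custom"
        }' "$1"
}

# Summarise: configured service, whether PAM reads its own file or falls back
# to "other", and the kind of auth stack in the file that is read.
connect_pam_report() {
    svc=$(connect_pam_service "$1")
    if [ -f "$2/$svc" ]; then file=$2/$svc; src=own
    else file=$2/other; src=fallback; fi
    echo "service=$svc source=$src auth=$(pam_auth_kind "$file")"
}

# Usage: sh this-script /etc/rstudio-connect/rstudio-connect.gcfg /etc/pam.d
if [ $# -eq 2 ]; then connect_pam_report "$1" "$2"; fi
```

A result of source=fallback with auth=deny-only means every login will be refused until a service file for the configured name exists; source=fallback with auth=includes-only means logins follow the system-wide common stack.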
Users
PAM authentication requires that each user in RStudio Connect has a corresponding local system account. These accounts should be provisioned ahead of the first login to RStudio Connect. Linux Name Service Switch (NSS) or System Security Services Daemon (SSSD) can be configured on the machine hosting Connect to automate the provisioning of these local accounts.
Note
PAM authentication is case-sensitive for usernames.
Groups
Groups are supported when using PAM authentication. They can be managed manually in the Dashboard or via the Connect Server API.
Note
These groups are local to RStudio Connect and have no relation to Unix/Linux groups present on the host machine where PAM is configured.