Kerberos Authentication

A Kerberos system can be used to log in to Posit Connect by configuring Posit Connect to use Linux PAM and configuring PAM on your server to use Kerberos.

Note

Posit Connect does not support Kerberos SSO (Windows Integrated Authentication/SPNEGO). Kerberos-backed authentication can instead be provided by a SAML or OIDC/OAuth2 Identity Provider, which Posit Connect supports through its SAML and OpenID Connect integrations.

Using this integration, user authentication is handled by Kerberos via PAM. Group functionality, however, is provided by Posit Connect, and these groups have no relation to any Linux groups that PAM may provide.

Tip

Kerberos integration often means different things to different people, depending on what they are trying to accomplish. The information below will help you configure PAM integration for user authentication within Posit Connect. Further details regarding the use of Kerberos tickets from within published content can be found here.

Configuration Example

Note

The PAM configuration appendix contains information about each PAM configuration option.

; /etc/rstudio-connect/rstudio-connect.gcfg

[Authentication]
Provider = "pam"

[PAM]
; These default values should be adjusted
; according to the level of PAM support desired:
;Service = "rstudio-connect"
;UseSession = false
;ForwardPassword = false
; When troubleshooting a PAM authentication problem, more verbose
; logging is produced by uncommenting the following line:
;Logging = true

Tip

See the PAM sessions section for information about using PAM sessions when launching processes associated with content.

PAM Service

You can change the PAM service used for authentication by customizing the PAM.Service setting. The default PAM service name used for authentication is rstudio-connect.

; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = "rstudio-connect"

Note that there are three types of PAM services that can be configured in the PAM configuration section. The PAM sessions section contains additional information.

  • PAM.Service: The PAM service used for authenticating users when logging in.

    Tip

    If the user accounts on Linux are provisioned externally, you may need to use the pam_mkhomedir module in your PAM configuration to automatically create the users’ home directories on first login.

  • PAM.SessionService: When PAM.UseSession is enabled, this PAM service is used for running processes either as the default user or as an arbitrary user. This service should not require a password.

    Tip

    You may need to use the pam_rootok module in your PAM configuration to accomplish this.

  • PAM.AuthenticatedSessionService: The PAM service used for running processes as the currently logged-in user with the user’s password. Requires PAM.UseSession, PAM.ForwardPassword, and Applications.RunAsCurrentUser to be enabled. This is useful in Kerberos configurations to allow the running content to access authenticated resources as the visiting user.

The examples below assume Posit Connect is configured to use the rstudio-connect PAM service name for authentication.

Ubuntu

Posit Connect does not create a PAM service on Ubuntu systems. When Posit Connect attempts to use the rstudio-connect service name for authentication, PAM will recognize that there is no service with that name and fall back to the default other service located at /etc/pam.d/other.

The default Ubuntu other service is configured to inherit from a set of common PAM services:

# Ubuntu default "other" PAM service.
@include common-auth
@include common-account
@include common-password
@include common-session

If the other service is appropriate for your organization, no further configuration is needed.

Otherwise, create and configure /etc/pam.d/rstudio-connect to prevent PAM from falling back to the other service. PAM will use this service for subsequent authentication attempts using the rstudio-connect service name.

Red Hat/CentOS/SUSE

Red Hat/CentOS/SUSE systems may deny access to unknown PAM service names by default. This is because the other configuration in /etc/pam.d/other contains only “deny” rules.

#%PAM-1.0
# The Red Hat/CentOS default "other" PAM service.
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so

The Posit Connect RPM installs an rstudio-connect PAM service located at /etc/pam.d/rstudio-connect. This service is configured to require a user ID of at least 500 (the uid >= 500 rule below) and authenticates against local system accounts.

#%PAM-1.0
# The Posit Connect default PAM service.
auth      requisite      pam_succeed_if.so uid >= 500 quiet
auth      required       pam_unix.so nodelay
account   required       pam_unix.so

This default PAM service may not reflect the authentication behavior that you want for Posit Connect. Feel free to customize this service for your organization.

Configuring a PAM service

This section may be helpful if your organization has different requirements from the default behavior of the rstudio-connect PAM service name. Please consult with your PAM/systems administrator to ensure that the Posit Connect PAM service configuration fits your needs.

If your system already has a PAM service (e.g. /etc/pam.d/login) with the desired behavior, it may be enough to simply include that service from within the Posit Connect service. For example:

# Posit Connect PAM service that defers to the existing login service.
@include login

Alternatively, you may copy the existing service into the Posit Connect service.

sudo cp /etc/pam.d/login /etc/pam.d/rstudio-connect

Lastly, you could configure the PAM.Service setting to reference that PAM service. This would be appropriate if you have a common posit service that you use across all Posit products, for example.

; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
Service = "posit"

If you change the PAM.Service setting from its default rstudio-connect value, the PAM service defined in /etc/pam.d/rstudio-connect will not be used.
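The fallback behavior described above (a missing /etc/pam.d/<service> file sends PAM to the other service, which on Ubuntu includes the common-* services and on Red Hat/CentOS/SUSE is deny-only) is easy to check before the first login attempt. The script below is an added example, not part of the Posit Connect documentation or product; the function names and the four status strings are my own. It takes the PAM directory and the service name (the value of PAM.Service, rstudio-connect by default) as arguments and reports which file PAM will consult and whether that file denies everything. It inspects only the named file; @include directives are not followed, so a dedicated file that itself includes a deny-only service will still be reported as dedicated.

```shell
#!/bin/sh
# Added example (not from the Posit Connect documentation): report which PAM
# service file will actually be consulted for a given service name, and flag
# the case where the fallback "other" service is deny-only.

# pam_service_file PAMDIR SERVICE
# Prints the file PAM will consult: PAMDIR/SERVICE if it exists, otherwise
# PAMDIR/other (the fallback described in the text).
pam_service_file() {
  if [ -f "$1/$2" ]; then
    printf '%s\n' "$1/$2"
  else
    printf '%s\n' "$1/other"
  fi
}

# pam_file_is_deny_only FILE
# Returns 0 when FILE has at least one active rule and every active
# (non-comment, non-blank) rule uses pam_deny.so, i.e. the file denies all
# access, as the Red Hat/CentOS default "other" service does.
pam_file_is_deny_only() {
  active=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Strip leading whitespace, then skip blank lines and comments
    # (the "#%PAM-1.0" header line is a comment as well).
    line=${line#"${line%%[![:space:]]*}"}
    case "$line" in
      ''|\#*) continue ;;
    esac
    active=$((active + 1))
    case "$line" in
      *pam_deny.so*) ;;
      *) return 1 ;;
    esac
  done < "$1"
  [ "$active" -gt 0 ]
}

# pam_service_status PAMDIR SERVICE
# Prints one of:
#   dedicated      PAMDIR/SERVICE exists and will be used
#   fallback-other PAMDIR/SERVICE is missing; PAMDIR/other will be used
#   fallback-deny  as above, but PAMDIR/other denies all access
#   missing        neither file exists
pam_service_status() {
  file=$(pam_service_file "$1" "$2")
  if [ "$file" = "$1/$2" ]; then
    echo dedicated
  elif [ ! -f "$file" ]; then
    echo missing
  elif pam_file_is_deny_only "$file"; then
    echo fallback-deny
  else
    echo fallback-other
  fi
}

# When run directly: report the service Posit Connect will use. The first
# argument overrides the service name (PAM.Service defaults to rstudio-connect).
pam_service_status /etc/pam.d "${1:-rstudio-connect}"
```

A result of fallback-deny means every login through the configured service name will fail until /etc/pam.d/<service> is created or PAM.Service is pointed at an existing service; fallback-other means authentication is governed by whatever the distribution's other service includes, which may or may not be what your organization intends.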

User Provisioning

PAM Authentication requires that users in Posit Connect have corresponding local system accounts. These accounts should be provisioned ahead of the first login in Posit Connect. Linux Name Service Switch (NSS) or System Security Services Daemon (SSSD) can be configured on the machine hosting Posit Connect to automate the provisioning of these local accounts.

Users may also be created in Posit Connect ahead of their first login by adding them as users via the Posit Connect Server API.

Register on First Login

By default, PAM users can be created in Posit Connect upon their first successful login attempt. Accounts will be created with the role specified in the Authorization.DefaultUserRole setting (see User Roles).

Disabling Register on First Login

If you wish to disable this feature, set the configuration setting PAM.RegisterOnFirstLogin to false.

; /etc/rstudio-connect/rstudio-connect.gcfg
[PAM]
RegisterOnFirstLogin = false

Important

Using this option requires users to be exclusively created via the Posit Connect Server API.

Usernames

Usernames must be unique and are case-sensitive, following the Linux requirement for usernames. Additionally, they must adhere to the following:

  • Be 3-64 characters in length
  • Start with a letter
  • Contain only alphanumeric characters, underscores, and periods
  • The following values are prohibited: connect, apps, users, groups, setpassword, user-completion, confirm, recent, reports, plots, unpublished, settings, metrics, tokens, help, login, welcome, register, resetpassword, content
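When accounts are provisioned ahead of time (via NSS/SSSD or the Server API, as described under User Provisioning) it helps to check candidate names against these rules before creating them, since a name that violates them will not map to a usable Posit Connect user. The function below is an added example, not code from the Posit Connect documentation or product; its name and its "ok"/"length"/"charset"/"reserved" result strings are mine. It applies the four rules above exactly as listed; one assumption is that the prohibited values are compared as written (case-sensitively), consistent with the case-sensitivity rule, since the documentation does not say otherwise.

```shell
#!/bin/sh
# Added example (not from the Posit Connect documentation): check a candidate
# username against the rules listed above before creating the account.

# The prohibited values, exactly as listed in the documentation.
CONNECT_RESERVED_USERNAMES="connect apps users groups setpassword user-completion confirm recent reports plots unpublished settings metrics tokens help login welcome register resetpassword content"

# check_connect_username NAME
# Prints "ok" when NAME satisfies every rule, otherwise the first rule it
# violates ("length", "charset" or "reserved"). Returns 0 only for "ok".
check_connect_username() {
  name=$1

  # Rule 1: 3-64 characters in length.
  len=${#name}
  if [ "$len" -lt 3 ] || [ "$len" -gt 64 ]; then
    echo length
    return 1
  fi

  # Rules 2 and 3: start with a letter; only letters, digits,
  # underscores and periods thereafter.
  if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9_.]*$'; then
    echo charset
    return 1
  fi

  # Rule 4: not one of the prohibited values. Assumption: compared exactly
  # as written (case-sensitive), in line with the Linux username rule.
  for reserved in $CONNECT_RESERVED_USERNAMES; do
    if [ "$name" = "$reserved" ]; then
      echo reserved
      return 1
    fi
  done

  echo ok
}

# When run directly: check the name given as the first argument.
[ -n "${1:-}" ] && check_connect_username "$1"
```

The charset rule is the one most often tripped by externally provisioned accounts: names that are perfectly valid Linux usernames but contain a hyphen, or start with a digit, are rejected here, and the check reports that before the account is created rather than at the user's first login.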

Editing User Attributes

Posit Connect is always supplied with a username corresponding to the Linux account username and is therefore not editable.

Warning

Changing the username of the Linux account will result in a new user being created in Posit Connect the next time the user logs in.

A user’s first name, last name, and email address are not provided by the hosting system and are considered editable. The setting Authorization.UserInfoEditableBy has a default value of AdminAndSelf, permitting users and administrators to manage these user profile attributes. Configure Authorization.UserInfoEditableBy with Admin if profile editing should be restricted to administrators.

Tip

If you disable PAM.RegisterOnFirstLogin, it is recommended that you also configure Authorization.UserInfoEditableBy to Admin.

Automatic User Role Mapping

Posit Connect does not provide the ability to map user roles when using the PAM Authentication provider. Roles must be managed within the Posit Connect dashboard or via the Posit Connect Server API.

Group Membership Management

Posit Connect allows the organization of users into groups. Administrators can manage local groups within the “People” tab in the Posit Connect dashboard or via the Posit Connect Server API.

Note

These groups are local to Posit Connect and have no relation with Linux groups present on the host machine where PAM is configured.

Tip

If you do not want groups at all in Posit Connect, set the Authorization.UserGroups configuration option to false.