
I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.

My rstudio file in /etc/pam.d/ looks like:

    #%PAM-1.0
    auth    required        pam_krb5.so retain_after_close debug
    session requisite       pam_krb5.so retain_after_close debug
    account required        pam_krb5.so debug

I know that RStudio is communicating fine with the PAM stack because if I delete the first line, RStudio will not log in. I can also do other manipulations that let me know the two are in sync.

Per the RStudio documentation, if I run the command:

    pamtester --verbose rstudio <user> authenticate setcred open_session

After entering my password, a ticket is created in /tmp called krb5cc_(uid), which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag, which tells me that this is the key component.

A look in the Kerberos PAM documentation says that session performs the same as auth but runs with the pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening, and I'm not even sure it's actually pulling the ticket.

Any help is appreciated; I have tried nearly every combination of flags and parameters in the PAM file possible, but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful, unfortunately, as they do not log an error, because PAM "silently fails" if a line is not understood.

Chris C

3 Answers

0

The pam_krb5 from CentOS doesn't support retain_after_close.

0

I had almost word for word the same exact issue. The result was that the rstudio-server user who is running the web server did not have write access to /etc.

When the ticket is created the user is trying to write to that directory and cannot.

The tester works fine since it's being run with elevated permissions.

Bart
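
Two of the failure modes in the answers above (an option the installed pam_krb5 silently ignores, and a service account that cannot create files in the credential-cache directory) can be checked before touching the server. The script below is an added example, not code from the question, from RStudio or from pam_krb5; the UNSUPPORTED table is constructed from the first answer's statement and the sample stack is a copy of the question's file.

```python
import re
import stat

# Options the first answer says the CentOS pam_krb5 build does not implement
# (constructed table; extend it for the pam_krb5 build you actually run).
UNSUPPORTED = {"pam_krb5.so": {"retain_after_close"}}

# type  control  module-path  [options...]; control may be the bracketed form.
_RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Parse pam.d lines into (type, control, module, [options]) tuples,
    skipping comments and blank lines. A leading '-' on the type (which
    only silences missing-module logging) is stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError("unparseable PAM rule: %r" % raw)
        typ, control, module, args = m.groups()
        rules.append((typ.lstrip("-"), control, module, args.split()))
    return rules

def unsupported_options(text):
    """Return (type, module, option) for every option a module would ignore."""
    found = []
    for typ, _ctl, module, args in parse_pam_stack(text):
        for opt in args:
            if opt.split("=")[0] in UNSUPPORTED.get(module, ()):
                found.append((typ, module, opt))
    return found

def can_create_ccache(dir_mode, dir_uid, dir_gid, uid, gids):
    """Could a process running as uid (member of gids) create a file in a
    directory with this owner, group and mode? File creation needs both the
    write and the search (execute) bit on the directory; root bypasses it."""
    if uid == 0:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return dir_mode & need == need

SAMPLE = """#%PAM-1.0
auth    required        pam_krb5.so retain_after_close debug
session requisite       pam_krb5.so retain_after_close debug
account required        pam_krb5.so debug
"""
```

Feed can_create_ccache the values from os.stat() of the cache directory and the uid/gids of the rstudio-server account to reproduce the second answer's diagnosis without a root-run pamtester session masking the problem.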
0

Folks, I just realized that I had figured this out but never posted an answer. In a nutshell, what I had to do is download the MIT Kerberos code (which is written in C++, otherwise known as Black Magic), find the portion of the code which wrote out the Kerberos ticket to the /tmp directory, change the code so that it did not add the 6 random characters to the end of the Kerberos ticket, and comment out any section dealing with deleting or destroying the ticket.

I had to compile into a shared library (the pam_krb5.so file) and put my modified code into my docker container. It then worked. Unfortunately, I don't work on that project anymore and don't have access to the code. Really wish I had put that in my git.

On a side note, the paid version of RStudio supports this fine. This is a hack you have to do if you want to use the free version. If you need help finding the area in the code to modify, hit me up.

Chris C