rstudio workbench PRO docker - PAM sessions docs wrong

RSW_VERSION=2022.07.0-548.pro5

Hey Team!
thanks as usual for a great product.

ok so i've been working on setting up the rstudio PAM Sessions per here:
https://docs.rstudio.com/ide/server-pro/r_sessions/pam_sessions.html

It's taken me nearly 3 days of minute testing to work out that it looks like the documentation is wrong. Sadly there's no access to the rserver-PAM code where i probably could have found my answer after a few hours.

Basically, the problem is that the docs say that the following settings need to be set for rserver-PAM to trigger the PAM Session section within the configured /etc/pam.d/rstudio PAM profile

    # /etc/rstudio/rserver.conf
    launcher-sessions-enabled=1
    auth-pam-sessions-enabled=1
    auth-pam-sessions-profile=rstudio

but in fact in my setup the ONLY time rstudio workbench reaches the PAM session configuration is when the setting auth-pam-sessions-enabled=1 is REMOVED ENTIRELY, NOT just set to zero, or 1 as it is in the documentation.

Again i've tested this extensively.

Can someone take a look at the code to see if this is the case?

my rserver.conf is like this

    auth-timeout-minutes=180
    #server-health-check-enabled=1
    admin-enabled=1
    #auth-pam-sessions-enabled=1
    auth-pam-sessions-profile=rstudio-session
    auth-pam-sessions-use-password=1

my rstudio-session profile looks like this:

    # copy of /etc/pam.d/su file from inside ubuntu container
    auth      required       pam_sss.so nodelay debug
    auth      optional       pam_mount.so debug ### this should ask rstudio for the password.
    account   required       pam_sss.so debug
    session   required       pam_mkhomedir.so
    session   optional       pam_mount.so debug ### new

    # The standard Unix authentication modules, used with
    # NIS (man nsswitch) as well as normal /etc/passwd and
    # /etc/shadow entries.
    @include common-auth
    @include common-account
    @include common-session

How do you tell that PAM sessions are not used when setting auth-pam-sessions-enabled=1 explicitly?

Please note that auth-pam-sessions-enabled is actually a boolean where the default depends on the usage of Launcher, cf. RStudio Workbench Administration Guide - Appendix H — rserver.conf. According to your rserver.conf you are not using Launcher, so the default value would be 1.

Hey Rstub thanks for the reply!

ok i'll start with the "launcher" bit. as just someone reading the docs it's hard to work out what is meant when i see "Launcher".

I assume it means Job Launcher. But there is also the unfortunately-named rserver-launcher executable that runs as well. Additionally it's the rserver-launcher process that i see doing most of the work around the same time as the PAM process as well.

So it's quite hard to know which is meant when it says just "launcher" in the docs. so as you can see i tried everything.

so when i set auth-pam-sessions-enabled=1 then i get the following in my auth.log.
so you can see that it hits the auth and account PAM directives but never reaches the session PAM directive, and NEVER reaches the session PAM profile declared in rserver.conf as auth-pam-sessions-profile=rstudio-session.

    Aug  5 09:34:02 d16a37a99165 rserver-pam[229]: pam_sss(rstudio:auth): unknown option: nodelay
    Aug  5 09:34:02 d16a37a99165 rserver-pam[229]: pam_sss(rstudio:auth): unknown option: debug
    Aug  5 09:34:02 d16a37a99165 rserver-pam[229]: pam_sss(rstudio:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:34:02 d16a37a99165 rserver-pam[229]: pam_sss(rstudio:account): unknown option: debug
    Aug  5 09:34:02 d16a37a99165 rserver-pam[232]: pam_sss(rstudio:auth): unknown option: nodelay
    Aug  5 09:34:02 d16a37a99165 rserver-pam[232]: pam_sss(rstudio:auth): unknown option: debug
    Aug  5 09:34:02 d16a37a99165 rserver-pam[232]: pam_sss(rstudio:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:34:02 d16a37a99165 rserver-pam[232]: pam_sss(rstudio:account): unknown option: debug
    Aug  5 09:34:05 d16a37a99165 rserver-pam[238]: pam_sss(rstudio:auth): unknown option: nodelay
    Aug  5 09:34:05 d16a37a99165 rserver-pam[238]: pam_sss(rstudio:auth): unknown option: debug
    Aug  5 09:34:05 d16a37a99165 rserver-pam[238]: pam_sss(rstudio:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:34:05 d16a37a99165 rserver-pam[238]: pam_sss(rstudio:account): unknown option: debug

then if i remove the auth-pam-sessions-enabled=1 line completely then you see the logs as below, where you can see it progresses through the PAM directives as expected from auth to account to session, and most importantly picks up the session PAM directive from my rstudio-session PAM profile which is defined in rserver.conf as auth-pam-sessions-profile=rstudio-session

    Aug  5 09:54:14 b5108592b724 rserver-pam[229]: pam_sss(rstudio:auth): unknown option: nodelay
    Aug  5 09:54:14 b5108592b724 rserver-pam[229]: pam_sss(rstudio:auth): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-pam[229]: pam_sss(rstudio:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:54:14 b5108592b724 rserver-pam[229]: pam_sss(rstudio:account): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-pam[232]: pam_sss(rstudio:auth): unknown option: nodelay
    Aug  5 09:54:14 b5108592b724 rserver-pam[232]: pam_sss(rstudio:auth): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-pam[232]: pam_sss(rstudio:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:54:14 b5108592b724 rserver-pam[232]: pam_sss(rstudio:account): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:auth): unknown option: nodelay
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:auth): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_unix(rstudio-session:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=xxxx
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=xxxx
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:account): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:setcred): unknown option: nodelay
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: pam_sss(rstudio-session:setcred): unknown option: debug
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (pam_mount.c:568): pam_mount 2.16: entering session stage
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:780): Could not get realpath of /home/xxxx/n: No such file or directory
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:250): Mount info: globalconf, user=xxxx <volume fstype="cifs" server="pos1-fhi-svm01" path="styrt" mountpoint="/home/xxxx/n" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="" /> fstab=0 ssh=0
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:304): mkmountpoint: checking /home
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:304): mkmountpoint: checking /home/xxxx
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:304): mkmountpoint: checking /home/xxxx/n
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:328): mkdir[1804307560] /home/xxxx/n
    Aug  5 09:54:14 b5108592b724 rserver-launcher[209]: (mount.c:659): Password will be sent to helper as-is.

So anyway it's interesting to hear that auth-pam-sessions-enabled=1 is actually the default if it's not set in the rserver.conf...

I'm happy to troubleshoot this further myself by the way if i could get more info/logs e.g.

  • for the rserver-launcher process to see what options are being passed to the executable
  • for the rserver-pam process to see the detailed stepping of the program
  • code for rserver-pam? i can't find it so i assume it's not open sourced

my current logging.conf looks like this so i think i'm getting debug level logs for everything.
though the @rserver and @rserver-pam entries seem not to direct logs properly.

    # This file contains sample logging configuration. Simply uncomment the lines below and modify it to suit your logging needs.
    # For more documentation, see the RStudio Server Pro Admin Guide.
    #
    # define the root logging level, inherited by all loggers
    [*]
    log-level=debug
    logger-type=syslog
    #
    # define logging specifically for the rserver binary
    [@rserver]
    log-level=debug
    logger-type=file
    log-dir=/var/log/rstudio-server
    max-size-mb=4
    #
    # enable debug logging for file locking
    #[file-locking]
    #log-level=debug

    [@rserver-pam]
    log-level=debug
    logger-type=file
    log-dir=/var/log/rstudio-server-pam
    max-size-mb=20
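
The comparison of the two auth.log excerpts above can be made mechanical. The following is an added example, not part of the original thread and not RStudio code: it parses auth.log lines in the format shown and reports which PAM stages each service (profile) logged. The sample lines are constructed, and the function names and the attribution of pam_mount stage messages to a process's last-seen service are assumptions of this example.

```python
import re
from collections import defaultdict

# PAM module message: "<proc>[<pid>]: pam_sss(<service>:<stage>): ..."
PAM_RE = re.compile(r"(\S+)\[(\d+)\]: pam_\w+\(([\w.-]+):(\w+)\):")
# pam_mount names only the stage: "(pam_mount.c:568): pam_mount 2.16: entering session stage"
MOUNT_RE = re.compile(
    r"(\S+)\[(\d+)\]: \(pam_mount\.c:\d+\): pam_mount \S+ entering (\w+) stage")

def pam_stages(lines):
    """Map each PAM service (profile) name to the set of stages logged for it."""
    stages = defaultdict(set)
    last_service = {}  # (proc, pid) -> service that process logged most recently
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            proc, pid, service, stage = m.groups()
            stages[service].add(stage)
            last_service[(proc, pid)] = service
            continue
        m = MOUNT_RE.search(line)
        if m:
            proc, pid, stage = m.groups()
            # Assumption: credit the stage to the service this process used last.
            service = last_service.get((proc, pid))
            if service:
                stages[service].add(stage)
    return dict(stages)

def session_profile_reached(lines, profile):
    """True if the log shows the session stage of the given PAM profile."""
    return "session" in pam_stages(lines).get(profile, set())

# Constructed sample lines in the thread's auth.log format ("host", "alice" are placeholders).
RUN_A = [  # only the login profile appears
    "Aug  5 09:34:02 host rserver-pam[229]: pam_sss(rstudio:auth): authentication success; user=alice",
    "Aug  5 09:34:02 host rserver-pam[229]: pam_sss(rstudio:account): unknown option: debug",
]
RUN_B = RUN_A + [  # the session profile appears as well
    "Aug  5 09:54:14 host rserver-launcher[209]: pam_sss(rstudio-session:auth): authentication success; user=alice",
    "Aug  5 09:54:14 host rserver-launcher[209]: pam_sss(rstudio-session:setcred): unknown option: debug",
    "Aug  5 09:54:14 host rserver-launcher[209]: (pam_mount.c:568): pam_mount 2.16: entering session stage",
]

if __name__ == "__main__":
    for name, run in (("A", RUN_A), ("B", RUN_B)):
        print(name, pam_stages(run), session_profile_reached(run, "rstudio-session"))
```

A missing `session` entry only shows that no module logged during that stage; a session module that runs without logging leaves no trace in auth.log, so the check depends on a logging module such as pam_mount with `debug` being in the stack.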

This is interesting. So far I have not managed to observe this different logging behavior. But I will keep trying. At some point it might make sense to open an internal support ticket, since this would allow us to exchange diagnostics data from your server.
