PAM Kerberos and RStudio
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.
My rstudio file in /etc/pam.d/ looks like:
#%PAM-1.0
auth required pam_krb5.so retain_after_close debug
session requisite pam_krb5.so retain_after_close debug
account required pam_krb5.so debug
I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.
Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session
After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.
A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.
Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.
centos pam kerberos rstudio
asked Dec 13 '17 at 23:34
Chris C
112
add a comment |Â
up vote
2
down vote
favorite
I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.
My rstudio file in /etc/pam.d/ looks like:
#%PAM-1.0
auth required pam_krb5.so retain_after_close debug
session requisite pam_krb5.so retain_after_close debug
account required pam_krb5.so debug
I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.
Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session
After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.
A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.
Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.
centos pam kerberos rstudio
asked Dec 13 '17 at 23:34
Chris C
112
add a comment |Â
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.
My rstudio file in /etc/pam.d/ looks like:
#%PAM-1.0
auth required pam_krb5.so retain_after_close debug
session requisite pam_krb5.so retain_after_close debug
account required pam_krb5.so debug
I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.
Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session
After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.
A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.
Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.
centos pam kerberos rstudio
asked Dec 13 '17 at 23:34
Chris C
112
I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.
My rstudio file in /etc/pam.d/ looks like:
#%PAM-1.0
auth required pam_krb5.so retain_after_close debug
session requisite pam_krb5.so retain_after_close debug
account required pam_krb5.so debug
I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.
Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session
After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.
A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.
Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.
centos pam kerberos rstudio
asked Dec 13 '17 at 23:34
Chris C
112
asked Dec 13 '17 at 23:34
Chris C
112
asked Dec 13 '17 at 23:34
Chris C
112
asked Dec 13 '17 at 23:34
Chris C
112
112
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
0
down vote
The pam_krb5 from CentOS doesn't support retain_after_close.
answered Mar 9 at 18:18
fafaton
1
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
The pam_krb5 from CentOS doesn't support retain_after_close.
answered Mar 9 at 18:18
fafaton
1
add a comment |Â
up vote
0
down vote
The pam_krb5 from CentOS doesn't support retain_after_close.
answered Mar 9 at 18:18
fafaton
1
add a comment |Â
up vote
0
down vote
up vote
0
down vote
The pam_krb5 from CentOS doesn't support retain_after_close.
answered Mar 9 at 18:18
fafaton
1
The pam_krb5 from CentOS doesn't support retain_after_close.
answered Mar 9 at 18:18
fafaton
1
answered Mar 9 at 18:18
fafaton
1
answered Mar 9 at 18:18
fafaton
1
answered Mar 9 at 18:18
fafaton
1
1
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f410768%2fpam-kerberos-and-rstudio%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
