PAM Kerberos and RStudio

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.



My rstudio file in /etc/pam.d/ looks like:



 #%PAM-1.0
auth required pam_krb5.so retain_after_close debug
session requisite pam_krb5.so retain_after_close debug
account required pam_krb5.so debug


I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.



Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session



After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.



A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.



Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.







share|improve this question
























    up vote
    2
    down vote

    favorite












    I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.



    My rstudio file in /etc/pam.d/ looks like:



     #%PAM-1.0
    auth required pam_krb5.so retain_after_close debug
    session requisite pam_krb5.so retain_after_close debug
    account required pam_krb5.so debug


    I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.



    Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session



    After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.



    A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.



    Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.







    share|improve this question






















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.



      My rstudio file in /etc/pam.d/ looks like:



       #%PAM-1.0
      auth required pam_krb5.so retain_after_close debug
      session requisite pam_krb5.so retain_after_close debug
      account required pam_krb5.so debug


      I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.



      Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session



      After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.



      A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.



      Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.







      share|improve this question












      I am trying to get Kerberos PAM to pull a ticket and not destroy it after an RStudio login on CentOS 7.



      My rstudio file in /etc/pam.d/ looks like:



       #%PAM-1.0
      auth required pam_krb5.so retain_after_close debug
      session requisite pam_krb5.so retain_after_close debug
      account required pam_krb5.so debug


      I know that RStudio is communicating fine with the PAM Stack because if I delete the first line, RStudio will not login. I an also do other manipulations that let me know the two are in sync.



      Per the RStudio documentation, if I run the command: pamtester --verbose rstudio <user> authenticate setcred open_session



      After entering my password, a ticket is created in /tmp called krb5cc_(uid) which is what I would expect. I can make the above pamtester line fail to pull a ticket by removing the setcred flag which tells me that this the key component.



      A look in the Keberos PAM documentation says that session performs the same as auth but it runs with the command pam_setcred(PAM_ESTABLISH_CRED) flag, which is what I want. The same documentation says that if I add retain_after_close then the ticket should be retained. However, this is not happening and I'm not even sure it's actually pulling the ticket.



      Any help is appreciated, I have tried nearly every combination of flags and parameters in the PAM file as possible but to no avail. Kerberos is a nightmare. LMK what else I can add to help. The log files are not useful unfortunately as they do not log an error due to the fact that PAM "silently fails" if a line is not understood.









      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 13 '17 at 23:34









      Chris C

      112




      112




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          The pam_krb5 from CentOS doesn't support retain_after_close.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f410768%2fpam-kerberos-and-rstudio%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            The pam_krb5 from CentOS doesn't support retain_after_close.






            share|improve this answer
























              up vote
              0
              down vote













              The pam_krb5 from CentOS doesn't support retain_after_close.






              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                The pam_krb5 from CentOS doesn't support retain_after_close.






                share|improve this answer












                The pam_krb5 from CentOS doesn't support retain_after_close.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 9 at 18:18









                fafaton

                1




                1






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f410768%2fpam-kerberos-and-rstudio%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?