From 3eedcb355e3dfdc4b8006083cfbcf2610b9d895d Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Mon, 6 Jul 2015 08:28:36 -0400 Subject: [PATCH] Add arvados_pam.py and shellinabox pam configuration file. Refs #2256 --- sdk/pam/arvados_pam.py | 94 +++++++++++++++++++++++++ sdk/pam/debian/shellinabox | 136 +++++++++++++++++++++++++++++++++++++ 2 files changed, 230 insertions(+) create mode 100644 sdk/pam/arvados_pam.py create mode 100644 sdk/pam/debian/shellinabox diff --git a/sdk/pam/arvados_pam.py b/sdk/pam/arvados_pam.py new file mode 100644 index 0000000000..84eef244cb --- /dev/null +++ b/sdk/pam/arvados_pam.py @@ -0,0 +1,94 @@ +import syslog +import sys +sys.argv=[''] +import arvados +import os + +def auth_log(msg): + """Send errors to default auth log""" + syslog.openlog(facility=syslog.LOG_AUTH) + #syslog.openlog() + syslog.syslog("libpam python Logged: " + msg) + syslog.closelog() + + +def check_arvados_token(requested_username, token): + auth_log("%s %s" % (requested_username, token)) + ARVADOS_API_HOST='4xphq.arvadosapi.com' ## FIXME replace with puppet + # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"! + my_hostname='shell' ## FIXME replace with puppet + + try: + arv = arvados.api('v1',host=ARVADOS_API_HOST, token=token, cache=None) + except Exception as e: + auth_log(str(e)) + return False + + try: + matches = arv.virtual_machines().list(filters=[['hostname','=',my_hostname]]).execute()['items'] + except Exception as e: + auth_log(str(e)) + return False + + + if len(matches) != 1: + auth_log("libpam_arvados could not dertermine vm uuid for '%s'" % my_hostname) + return False + + this_vm_uuid = matches[0]['uuid'] + auth_log("this_vm_uuid: %s" % this_vm_uuid) + client_user_uuid = arv.users().current().execute()['uuid'] + + filters = [ + ['link_class','=','permission'], + ['name','=','can_login'], + ['head_uuid','=',this_vm_uuid], + ['tail_uuid','=',client_user_uuid]] + + for l in arv.links().list(filters=filters).execute()['items']: + if requested_username == l['properties']['username']: + return True + return False + + +def pam_sm_authenticate(pamh, flags, argv): + try: + user = pamh.get_user() + except pamh.exception, e: + return e.pam_result + + if not user: + return pamh.PAM_USER_UNKNOWN + + try: + resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, '')) + except pamh.exception, e: + return e.pam_result + + try: + check = check_arvados_token(user, resp.resp) + except Exception as e: + auth_log(str(e)) + return False + + if not check: + auth_log("Auth failed Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp)) + return pamh.PAM_AUTH_ERR + + auth_log("Success! Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp)) + return pamh.PAM_SUCCESS + +def pam_sm_setcred(pamh, flags, argv): + return pamh.PAM_SUCCESS + +def pam_sm_acct_mgmt(pamh, flags, argv): + return pamh.PAM_SUCCESS + +def pam_sm_open_session(pamh, flags, argv): + return pamh.PAM_SUCCESS + +def pam_sm_close_session(pamh, flags, argv): + return pamh.PAM_SUCCESS + +def pam_sm_chauthtok(pamh, flags, argv): + return pamh.PAM_SUCCESS diff --git a/sdk/pam/debian/shellinabox b/sdk/pam/debian/shellinabox new file mode 100644 index 0000000000..65091b6a2d --- /dev/null +++ b/sdk/pam/debian/shellinabox @@ -0,0 +1,136 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +#auth optional pam_faildelay.so delay=3000000 +auth optional pam_faildelay.so delay=0 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + + +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_python.so /usr/local/bin/arvados_pam.py +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +auth optional pam_ecryptfs.so unwrap +# end of pam-auth-update config + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the message of the day upon succesful login. +# (Replaces the `MOTD_FILE' option in login.defs) +# This includes a dynamically generated part from /run/motd.dynamic +# and a static (admin-editable) part from /etc/motd. +session optional pam_motd.so motd=/run/motd.dynamic +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) -- 2.30.2