RStudio Server authentication with libpam-pwdfile
I'm developing a Vagrant box with a full analytic stack, and this includes, of course, an RStudio Server instance.
I decided to use this PAM module https://github.com/tiwe-de/libpam-pwdfile as it allows authenticating against a pwd file. This lets me give users access to RStudio without the need to make them server users.
But I'm not able to authenticate at all!
I've added these two files to my setup:
/etc/rstudio/passwd
jdoe:s/NKv5DK33kxQ
(the password was made using mkpasswd using crypt)
/etc/pam.d/rstudio
auth required pam_pwdfile.so pwdfile=/etc/rstudio/passwd
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
When I perform a pamtester --verbose rstudio jdoe authenticate as the user rstudio-server I get authentication successful.
But I'm still not able to log in to RStudio.
Looking into /var/log/auth.log I can see these lines:
PAM unable to dlopen(pam_permit.so#015): /lib/security/pam_permit.so#015: cannot open shared object file: No such file or directory
PAM adding faulty module: pam_permit.so#015
PAM unable to dlopen(pam_deny.so#015): /lib/security/pam_deny.so#015: cannot open shared object file: No such file or directory
PAM adding faulty module: pam_deny.so#015
This happens when I insert a valid user (with either the right or a wrong password).
Only if I insert a fake user at the login screen do I get an additional line: pam_pwdfile(rstudio:auth): user not found in password database.
I'm totally puzzled why these files are not found: they are actually not in /lib/security but in /lib/x86_64-linux-gnu/security/.
Is it because of these missing files I cannot login?
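The #015 suffix on the module names in the log lines above is syslog's octal escape for a carriage return, meaning the rule lines in the PAM service file end in CRLF. The following is an added example, not part of the original post, that flags such lines; the function names and the temporary sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): detect carriage returns in a
# PAM service file. syslog escapes a raw CR byte as "#015", so a module logged
# as "pam_permit.so#015" was read from a line ending in CRLF.

# Print "file:line: module" for each PAM rule line ending in CR.
# Exit status 0 if any were found, 1 if the file is clean.
pam_find_cr() {
    awk -v f="$1" '
        /^[[:space:]]*(#|$)/ { next }      # comments and blank lines
        /\r$/ {
            mod = $3                       # "type control module [args]"
            sub(/\r$/, "", mod)
            printf "%s:%d: %s\n", f, NR, mod
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Write an LF-only copy to stdout; the caller decides whether to install it.
pam_strip_cr() {
    tr -d '\r' < "$1"
}

# Constructed sample: the rules from the question, saved with CRLF endings.
pam_cr_demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '%s\r\n' \
        'auth required pam_pwdfile.so pwdfile=/etc/rstudio/passwd' \
        'account required pam_permit.so' \
        'session required pam_permit.so' \
        'password required pam_deny.so' > "$dir/rstudio"
    pam_find_cr "$dir/rstudio"             # reports all four rule lines
    pam_strip_cr "$dir/rstudio" > "$dir/rstudio.lf"
    pam_find_cr "$dir/rstudio.lf" || echo "rstudio.lf: clean"
    rm -rf "$dir"
}

pam_cr_demo
```

Running pam_find_cr against the real /etc/pam.d/rstudio and reviewing the pam_strip_cr output before installing it keeps the check non-destructive.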
Related
I've recently had a requirement to change the /etc/passwd file on my systems (RHEL 7).
I've changed my root from interactive login, root:x:0:0:root:/root:/bin/bash , to non interactive login root:x:0:0:root:/root:/sbin/nologin to prevent users from using sudo su to switch to root.
However, I noticed that when this happens, I am unable to start services on my server. i.e. Nginx, Squid, Postfix.
A sample error is:
getpwnam failed to find userid for effective user 'squid'
I'm trying to implement an unattended script accessing files within OneDrive using Microsoft365R.
I've set up everything like in the docs using the default app registration.
The interactive flow with auth_type="device_code" works without issues:
odb <- Microsoft365R::get_business_onedrive(auth_type="device_code")
But when trying auth_type="resource_owner" like shown in the docs here, I get the following error:
odb <- Microsoft365R::get_business_onedrive(tenant=tenant, app=app, username=user, password=getPass(), auth_type="resource_owner")
Error in process_aad_response(res) :
Bad Request (HTTP 400). Failed to obtain Azure Active Directory token. Message:
AADSTS50126: Error validating credentials due to invalid username or password.
My guess is that the default app is missing some privileges to use the "resource_owner" flow.
Can someone point me in the right direction on how to get the resource_owner flow working?
(Using Service Principals is not a solution for my setup, but I did also try it with a dedicated service account and it was not working either)
I am trying to connect to SharePoint to load Excel files within an unattended R script using the package Microsoft365R.
I have created the app within Azure, and assigned it permissions. I have been able to successfully connect to a user's OneDrive and list the files within it.
Code that works
library(AzureGraph)
library(Microsoft365R)
tenant <- "your-tenant-here"
# the application/client ID of the app registration you created in AAD
# - not to be confused with the 'object ID' or 'service principal ID'
app <- "your-app-id-here"
# retrieve the client secret (password) from an environment variable
pwd <- Sys.getenv("EXAMPLE_MS365R_CLIENT_SECRET")
# retrieve the user whose OneDrive we want to access
# - this should be their 'userPrincipalName', which is of the form 'name@tenant.com'
# - note this may be different to their regular email address
user <- Sys.getenv("EXAMPLE_MS365R_TARGET_USER")
# create a Microsoft Graph login
gr <- create_graph_login(tenant, app, password=pwd, auth_type="client_credentials")
drv <- gr$get_user(user)$get_drive()
drv$list_files()
When running the below code, I get the error
# the application/client ID of the app registration to use
app <- "your-app-id-here"
# get the service account username and password
user <- Sys.getenv("EXAMPLE_MS365R_SERVICE_USER")
pwd <- Sys.getenv("EXAMPLE_MS365R_SERVICE_PASSWORD")
# SharePoint site and path to folder
sitename <- Sys.getenv("EXAMPLE_MS365R_SPO_SITENAME")
folderpath <- Sys.getenv("EXAMPLE_MS365R_SPO_FOLDERPATH")
# use the 'resource_owner' auth type for a non-interactive login
site <- get_sharepoint_site(sitename, tenant=tenant, app=app, username=user, password=pwd,
auth_type="resource_owner")
Output:
Error in process_aad_response(res) :
Unauthorized (HTTP 401). Failed to obtain Azure Active Directory token. Message:
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
The function doesn't appear to have an argument for client secret.
I have followed the vignettes within the package, but I must be missing something. Is anyone able to provide assistance?
Resource
https://cran.r-project.org/web/packages/Microsoft365R/vignettes/scripted.html
You will get the AADSTS7000218 error when you try to get an authentication token for an application with the "Web" platform configuration without the client_secret parameter.
How about changing the platform configuration of the application to Mobile and desktop applications?
To change the platform configuration:
Open the application from App registrations page on Azure AD, and open Manage - Authentication page.
Delete the existing Web platform configuration.
Open Add a platform and select Mobile and desktop applications.
Can't get to the root on Juniper SSG5
After I enter my login username and password I'm stuck on this prompt
'my-fw->'
my-fw-> copy
^------unknown keyword copy
my-fw-> show
^------unknown keyword show
my-fw-> configure
^-----------unknown keyword configure
Why can't I get to the root@my-fw-> or root@my-fw-# prompt? What can I do to get to root? I'm using PuTTY to console to the Juniper SSG5.
[Note: I'm trying to back up the config to a TFTP server, for which I need to get root access]
You don't need root access. root is a special account, and all / most of the commands work without the root account. Any account which has privileges to perform configuration changes can apply the command to archive the configuration on a given site.
See junos-os-login-classes-overview for user privileges.
The prompt we get is in this format: user@hostname> Ref
If there is no hostname defined, then it is just: user>
Once you make sure that you have logged in with the correct user, i.e. it has the required permissions, you should be able to execute those commands and apply the archival configuration.
I have a working solution, let me know if above doesn't help.
I am using Drupal version 7.27, in which I need to connect to a Moodle site and its database. So I used the Drupal module moodle_connection to connect it with the Moodle site. As it does not offer any end feature functionality, I installed another module called moodle_views, but unfortunately there is no data received from Moodle. When I debugged, I found that the connection is not established between the two sites.
I am calling the moodle_connector_connect() function in a custom module to connect to Moodle, but with no success. In the Moodle connector settings I put the following information:
Database Type : mysql
Database Server : localhost
Database TCP Port : 3306
Database Name : drupal_moodle ('Name of the moodle database')
Database Prefix : mdl_
Database User : root
Database Password : (I don't have password for my database user so I kept blank)
Moodle URL : drupal_moodle (Moodle site url)
Please help me to get out of this.
Regards
Neha
Reading over the bug reports in the Drupal module moodle_connector, I noticed some issues related to setting values for the moodle database connection variables, and some issues with handling error conditions.
Combined with your mention of a blank password, this suggests the following line might be a problem.
Reading moodle_connector.module, around line 51 I notice some lazy checking for unset parameters.
// Return false if settings are incomplete.
if (!$type || !$server || !$port || !$username || !$password || !$database) {
  return FALSE;
}
It looks like the check for !$password will cause the function moodle_connector_connect() to exit and not connect to the moodle database if any of the values are unset or empty.
As a workaround, and a step in the right direction security-wise, could you create a new MySQL user, specifically grant it the necessary privileges to allow Drupal to read the Moodle DB, and set a password?
I would also strongly advise that you read over the MySQL 'post installation' section of the manual which advises setting a password on the root user accounts. Having no root password is convenient during initial installation, but is a security problem. Any ordinary user on the machine, or a nearby machine which can connect to port 3306, could gain full access to the database.
http://dev.mysql.com/doc/refman/5.1/en/postinstallation.html