Setting up PAM with Shiny Server Pro


PAM is a built-in part of Linux: it's the main system typically used to configure and connect to authentication of any kind, including standard Linux authentication (for instance, users created and updated with useradd and passwd). While it doesn't connect with Shiny Server's built-in flat-file system, you can use a standard Linux authentication model with PAM to control authentication.

With a default Linux and PAM configuration, the following steps may be illustrative. Keep in mind that if your configuration is complex, or requires interaction with LDAP or Active Directory, you'll need additional configuration in your PAM profile.

1. Assuming standard PAM authentication, your system will use either the /etc/pam.d/shiny-server or /etc/pam.d/other profile to log in. If you don't have any special requirements for your login on your server, you shouldn't need to adjust these at all. See here for more: http://rstudio.github.io/shiny-server/latest/#pam-authentication 
2. Create a user using the useradd command and assign them a password using the passwd command, e.g. 

sudo useradd test 
sudo passwd test

will create a user named test and allow you to set their password. If you're using group authentication, you can also create a group with the groupadd command and add the user to it.

3. Ensure that this user can log in to the server (via SSH, or by logging in interactively at the GUI if that's available).

4. Once that's set up, you'll need to set Shiny Server Pro to look at PAM for authentication options. You can do that by adding the auth_pam flag to the top of your /etc/shiny-server/shiny-server.conf file.

auth_pam;

5. Then, still in your /etc/shiny-server/shiny-server.conf file, go to the location you want to add authentication to, and add required_user test to the location, e.g. 

location /app1 {
  required_user test;
}

6. Restart Shiny Server Pro, then try to log in with the test user and see if it works.

With this configuration, only that particular location requires authentication, and only the specified users or groups are allowed in.

If it doesn't work, we'd suggest checking the following:

  • Make sure the user can log in to other services on the server. If they're able to log in elsewhere but not to Shiny Server, you may want to copy over the working PAM profile, e.g. sudo cp /etc/pam.d/login /etc/pam.d/shiny-server
  • Make sure you've set the correct location in the shiny-server.conf file and that you've correctly restarted the Shiny Server process.
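
The first things to rule out can be checked statically. The script below is an added example, not code from RStudio or from the original article: it reports which PAM profile applies (step 1), whether auth_pam is enabled (step 4), and which locations require a given user (step 5). The function names, the sample config and the /public location are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RStudio's code): static checks for the PAM steps above.

# Which PAM profile applies: the service-specific one if present, else "other".
pam_profile() {   # $1 = PAM directory, normally /etc/pam.d
    if [ -f "$1/shiny-server" ]; then echo "$1/shiny-server"; else echo "$1/other"; fi
}

# "ok" if an uncommented auth_pam; directive exists in the config, else "missing".
has_auth_pam() {  # $1 = path to shiny-server.conf
    if grep -Eq '^[[:space:]]*auth_pam[[:space:]]*;' "$1"; then echo ok; else echo missing; fi
}

# Print each location path whose required_user line names the user.
# Simplification: tracks only the most recent "location" line (no nesting).
locations_for_user() {  # $1 = config path, $2 = user name
    awk -v user="$2" '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == "location" { loc = $2; sub(/[{]$/, "", loc) }
        $1 == "required_user" {
            for (i = 2; i <= NF; i++) {
                name = $i; sub(/;$/, "", name)
                if (name == user) print loc
            }
        }' "$1"
}

# Constructed sample config mirroring steps 4 and 5; prints the temp file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth_pam;
server {
  listen 3838;
  location /app1 {
    required_user test;
  }
  location /public {
  }
}
EOF
    echo "$f"
}

conf=$(make_sample_conf)
echo "auth_pam: $(has_auth_pam "$conf")"
echo "locations requiring 'test': $(locations_for_user "$conf" test)"
echo "PAM profile in use: $(pam_profile /etc/pam.d)"
rm -f "$conf"
```

To check a real server, pass /etc/shiny-server/shiny-server.conf to has_auth_pam and locations_for_user instead of the sample file.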

One more note: this will allow users to change their password, but they won't be able to do it via Shiny Server Pro's login, since we don't provide a mechanism for that. In order to change their password, they'll need to log in to another service (SSH, etc.) and do it there.

This is a brief overview of the many options available in Shiny Server Pro and PAM authentication. Additional examples can be found in this article, and we also suggest reviewing the resources here:

  • Overview
  • Linux authentication
  • Man pages

 
