PAM is a built-in part of Linux - it's the main system that's typically used for configuring and connecting to authentication of any kind, including the standard Linux authentication (for instance, creating and updating users using useradd and passwd). While it doesn't connect with the Shiny Server built-in flat-file system, you can use a standard Linux authentication model with PAM to control authentication.
With a default Linux and PAM configuration, the following steps may be illustrative. Keep in mind that if your configuration is complex, or requires interaction with LDAP or Active Directory, you'll need to add additional configuration to your PAM profile.
1. Assuming standard PAM authentication, your system will use either the /etc/pam.d/shiny-server or /etc/pam.d/other profile to log in. If you don't have any special requirements for your login on your server, you shouldn't need to adjust these at all. See here for more: http://rstudio.github.io/shiny-server/latest/#pam-authentication
2. Create a user using the useradd command and assign them a password using the passwd command, e.g.
sudo useradd test
sudo passwd test
will create a user named test and allow you to set their password. You can also add the user to a particular group if you're using group authentication using the groupadd command.
3. You should ensure that this user can log in to the server (via SSH, or by logging in interactively to the GUI if that's available).
4. Once that's set up, you'll need to set Shiny Server Pro to look at PAM for authentication options. You can do that by adding the auth_pam flag to the top of your /etc/shiny-server/shiny-server.conf file.
auth_pam;
5. Then, still in your /etc/shiny-server/shiny-server.conf file, go to the location you want to add authentication to, and add required_user test to the location, e.g.
location /app1 {
required_user test;
}
6. Restart Shiny Server Pro, then try to log in with the test user and see if it works.
This should make it so that only that particular location requires authentication, and only for the specified users or groups.
If it doesn't work, we'd suggest checking the following:
- Make sure the user can log into other services on the server. If they're able to log in elsewhere but not into Shiny Server, you may want to copy over the working PAM profile, e.g.
sudo cp /etc/pam.d/login /etc/pam.d/shiny-server
- Make sure you've set the correct location in the shiny-server.conf file and you've correctly restarted the Shiny Server process
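The script below is an added example, not part of Shiny Server Pro or the original article: read-only checks covering steps 1, 2, 4 and 5 and the troubleshooting list above. The function names, the constructed demo files, and the handling of several names on one required_user line are assumptions.

```shell
#!/bin/sh
# Added example: read-only checks for the PAM setup described in steps 1-6.
# Every path is an argument so the checks can run against copies of the files.

# Step 4: succeeds if the config contains an uncommented auth_pam directive.
has_auth_pam() {
    grep -Eq '^[[:space:]]*auth_pam[[:space:]]*;' "$1"
}

# Step 1: print the PAM profile that applies, given the pam.d directory ($1).
pam_profile() {
    if [ -f "$1/shiny-server" ]; then echo "$1/shiny-server"; else echo "$1/other"; fi
}

# Step 5: print every user named in a required_user directive, one per line.
# Assumption: several space-separated names on one directive are handled too.
required_users() {
    sed -n 's/^[[:space:]]*required_user[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' "$1" |
        tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Step 2: print required users that have no entry in the passwd file ($2).
# Accounts served by LDAP or Active Directory will not be in /etc/passwd.
missing_users() {
    required_users "$1" | while read -r u; do
        awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$2" || echo "$u"
    done
}

# Constructed sample files (not from a real server) to show the checks.
demo() {
    d=$(mktemp -d)
    mkdir "$d/pam.d" && : > "$d/pam.d/other"
    printf 'auth_pam;\nserver {\n  location /app1 {\n    required_user test alice;\n  }\n}\n' > "$d/conf"
    printf 'root:x:0:0::/root:/bin/sh\ntest:x:1001:1001::/home/test:/bin/sh\n' > "$d/passwd"
    has_auth_pam "$d/conf" && echo "auth_pam: enabled"
    echo "PAM profile: $(pam_profile "$d/pam.d")"
    echo "accounts missing from passwd: $(missing_users "$d/conf" "$d/passwd")"
    rm -rf "$d"
}
demo
```

On a real server, pass /etc/shiny-server/shiny-server.conf, /etc/pam.d and /etc/passwd to the functions in place of the demo files.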
One more note - this will allow users to change their password, but they won't be able to do it via Shiny Server Pro's login since we don't provide a mechanism for that. In order to change their password, they'll need to log in to another service (SSH, etc.) to do it there.
This is a brief overview of the many options available in Shiny Server Pro and PAM authentication. Additional examples can be found in this article, and we also suggest reviewing the resources here:
Overview
- http://docs.rstudio.com/shiny-server/#pam-authentication
- http://en.wikipedia.org/wiki/Pluggable_authentication_module
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-pam.html
Linux authentication
Man pages
- http://linux.die.net/man/8/pam
- http://linux.die.net/man/8/useradd
- http://linux.die.net/man/1/passwd
- http://linux.die.net/man/8/groupadd