Shiny Server Pro: Flat-File Authentication Examples


This article is adapted from the Shiny Server Administrator's Guide for version 1.4.2.


Introduction

Shiny Server Pro offers flat-file authentication as a simple and easy-to-configure authentication mechanism. This method is self-contained and is integrated into neither the system's user/password database nor any Enterprise authentication mechanism. Thus, usernames and passwords must be created explicitly for each user that should exist in Shiny Server.

Configuration

Usernames and passwords are stored in a single file, which is specified with the auth_passwd_file setting in the /etc/shiny-server/shiny-server.conf file as follows:

run_as shiny;

auth_passwd_file /etc/shiny-server/passwd;

server {
  location / {
    ...

This will instruct Shiny Server to look up all usernames and passwords in the file stored at /etc/shiny-server/passwd. This file should have zero or more lines in the format:

username:{scrypt-hashed-password}

The scrypt algorithm is used to hash users' passwords and protect them from theft; the hashed passwords are expected in this file in base64 format. We provide the sspasswd utility with Shiny Server Professional, which vastly simplifies the process of managing these sspasswd files.

You'll want to think carefully before adjusting the permissions on this file. For instance, if you were to enable the shiny user to write to your password database, any Shiny application running as shiny (the default) would now be able to modify your password database. Because the passwords are securely hashed, granting shiny read access to this file is not problematic and, in fact, is enabled by default.

The sspasswd utility

The sspasswd utility comes with Shiny Server Professional, and can be used to manage the username/password file. By default, it is not made available on the PATH, but you can find it in /opt/shiny-server/bin/. The general pattern for the utility is to provide the file to use for storage followed by a username, as in:

$ sudo /opt/shiny-server/bin/sspasswd /etc/shiny-server/passwd tina

The default behavior will be to add the username specified (tina, in the example above) to the file after prompting the user for a password (or reading it from stdin).

This script has several options:

-c  Create (or overwrite) password file

-D  Delete a user from the file

-v  Verify user/password combinations

-C  Set the maximum amount of time (in seconds) for encryption. The larger this value is, the more secure the password hash will be.

Currently, the ':', '$' and newline ('\r' or '\n') characters are prohibited in usernames.
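The following audit script is an added example, not part of the Administrator's Guide or of Shiny Server. It checks the two properties described above: that the password file is not writable by the run_as account, and that every line is a username:hash pair with no prohibited characters in the username. The function names are hypothetical, the write check looks at mode bits only, and the script entry point assumes the default shiny account exists on the host.

```python
import os
import stat

def can_write(st, uid, gids):
    """Mode-bit check only (ACLs and capabilities are not considered)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_passwd(path, uid, gids):
    """Return findings for the flat-file password database at `path`.

    uid/gids identify the account applications run as (run_as shiny;).
    """
    findings = []
    if can_write(os.stat(path), uid, gids):
        findings.append("file is writable by the run_as account")
    seen = set()
    # newline="\n" splits on '\n' only, so a stray '\r' stays visible
    with open(path, newline="\n") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line:
                continue
            # ':' is prohibited in usernames, so the first ':' is the separator
            user, sep, hashed = line.partition(":")
            if not sep or not user or not hashed.strip():
                findings.append(f"line {lineno}: not username:hash")
                continue
            if "$" in user or "\r" in user:
                findings.append(f"line {lineno}: prohibited character in username")
            if user in seen:
                findings.append(f"line {lineno}: duplicate username")
            seen.add(user)
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    account = pwd.getpwnam("shiny")  # assumption: default run_as account exists
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/shiny-server/passwd"
    for finding in audit_passwd(target, account.pw_uid, groups):
        print(finding)
```

Run it with enough privilege to read the password file; an empty result means no findings.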

 
