This article is adapted from the Shiny Server Administrator's Guide for version 1.4.2.
Introduction
Shiny Server Pro offers flat-file authentication as a simple and easy-to-configure authentication mechanism. This method is self-contained and is integrated into neither the system's user/password database nor any enterprise authentication mechanism. Thus, usernames and passwords must be created explicitly for each user that should exist in Shiny Server.
Configuration
The storage of usernames and passwords is handled by a single file, which can be specified using the auth_passwd_file setting as follows in the /etc/shiny-server/shiny-server.conf file:
run_as shiny;
auth_passwd_file /etc/shiny-server/passwd;
server {
  location / {
    ...
This will instruct Shiny Server to look up all usernames and passwords in the file stored at /etc/shiny-server/passwd. This file should have zero or more lines in the format
username:{scrypt-hashed-password}
The scrypt algorithm is used to protect users' passwords from theft; the resulting password hashes are expected in this file in base64 format. We provide the sspasswd utility with Shiny Server Professional, which vastly simplifies the process of managing these password files.
You'll want to think carefully before adjusting the permissions on this file. For instance, if you were to enable the shiny user to write to your password database, any Shiny application running as shiny (the default) would now be able to modify your password database. Because the passwords are securely hashed, granting shiny read access to this file is not problematic and, in fact, is enabled by default.
The sspasswd utility
The sspasswd utility comes with Shiny Server Professional and can be used to manage the username/password file. By default, it is not made available on the PATH, but you can find it in /opt/shiny-server/bin/. The general pattern for the utility is to provide the file to use for storage followed by a username, as in:
$ sudo /opt/shiny-server/bin/sspasswd /etc/shiny-server/passwd tina
The default behavior will be to add the username specified (tina, in the example above) to the file after prompting the user for a password (or reading it from stdin).
This script has several options:
  -c    Create (or overwrite) the password file
  -D    Delete a user from the file
  -v    Verify user/password combinations
  -C    Set the maximum amount of time (in seconds) for encryption. The larger this value is, the more secure the password hash will be.
Currently, the ':', '$' and newline ('\r' or '\n') characters are prohibited in usernames.
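As an added example (not part of the Shiny Server guide or the sspasswd tool), the following Python script audits a passwd file against the rules above: it parses the username:{base64 hash} lines, flags usernames containing the prohibited characters or duplicated entries, checks that each hash field is base64, and reports permission bits that would let a process other than the owner (such as an app running as shiny) write the file. It assumes the file format is exactly as described and does not verify the scrypt hashes themselves; the sample content is constructed.

```python
import base64
import binascii
import stat

# Characters the guide says are prohibited in usernames.
FORBIDDEN_IN_USERNAME = {":", "$", "\r", "\n"}


def audit_passwd_lines(lines):
    """Return (line_number, problem) tuples for a passwd file's lines.
    Assumes one 'username:{base64 scrypt hash}' entry per line; only the
    base64 encoding is checked, not the scrypt hash itself."""
    findings, seen = [], set()
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue  # blank lines carry no entry
        if ":" not in line:
            findings.append((number, "missing ':' separator"))
            continue
        username, hashed = line.split(":", 1)  # first ':' separates the fields
        bad = sorted(c for c in username if c in FORBIDDEN_IN_USERNAME)
        if bad:
            findings.append((number, f"prohibited character(s) in username: {bad!r}"))
        if username in seen:
            findings.append((number, f"duplicate username {username!r}"))
        seen.add(username)
        try:
            decoded = base64.b64decode(hashed, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if not decoded:
            findings.append((number, "hash field is empty or not valid base64"))
    return findings


def mode_problems(mode):
    """Flag permission bits (e.g. stat.S_IMODE(os.stat(path).st_mode)) that
    let anyone but the owner write the file."""
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["writable by group or other: an app running as shiny "
                "could modify the password database"]
    return []


# Constructed sample content (not a real passwd file); hashes are placeholders.
SAMPLE_PASSWD = [
    "tina:" + base64.b64encode(b"placeholder-scrypt-output").decode(),
    "ti$na:" + base64.b64encode(b"x").decode(),  # '$' is prohibited
    "carol:not*base64*",                          # hash field is not base64
    "tina:" + base64.b64encode(b"dup").decode(),  # duplicate username
]
```

Run audit_passwd_lines over the lines of /etc/shiny-server/passwd and mode_problems over its mode bits to get a list of findings; an empty list for both means the file matches the format and permission expectations described above.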