Motivation
When you use LDAP or SAML for authentication, restricting access is straightforward: groups are managed in the authentication provider, and RStudio Connect can be configured to permit or refuse particular groups.
When you use PAM for authentication, there is no obvious way to include or exclude groups of users; RStudio Connect accepts anyone the PAM stack authenticates.
Solution
PAM ships with a module, pam_listfile, that allows or denies access based on group membership (it can also key on the username, tty, remote host and other items).
Setting up PAM to take advantage of it is quick:
1. Create a text file listing the allowed groups, one per line. The file must be owned by root and must not be world-writable; pam_listfile refuses to read a list file that fails either check and treats it as an error:
# cat /etc/connect.login.groups.allowed
root
admins
rstudio-connect
datascience
chemistry
2. Then, depending on your OS, open /etc/pam.d/system-auth (RHEL style) or /etc/pam.d/common-auth (Debian style) and add a line like this at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/connect.login.groups.allowed
Be aware that system-auth and common-auth are included by every PAM service on the host (ssh, sudo, console login and so on), so a rule placed there restricts all of them, not just RStudio Connect. If you only want to restrict Connect, add the same line to the PAM service file that Connect is configured to use instead.
We put it at or near the top because we want this to be the first rule a user hits when authenticating. PAM stacks are evaluated in order, and a `sufficient` module listed above it (pam_unix is `sufficient` in a stock RHEL system-auth) could succeed and return before the group check is ever reached, silently letting the user in. With `required`, the remaining modules still run but the overall result is a failure; use `requisite` instead if you want the stack to return the failure immediately.
Note that the hard work is done by the sense option:
sense=[allow|deny] Action to take if the item is found in the file; if the item is NOT found in the file, the opposite action is taken.
With sense=allow, a user is let through only if at least one of their groups (primary or supplementary) is listed; with sense=deny, a user is refused if any of their groups is listed. onerr=fail makes any error (a missing or unreadable list file, or a file with unsafe ownership or permissions) count as a denial rather than letting everyone through.
Individual users can be included or excluded the same way by changing item=group to item=user and listing usernames, one per line, in the file.
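Because onerr=fail combined with a rule at the top of a shared PAM file can lock people out of the whole host, it is worth checking who the new rule would admit before editing the stack. The following POSIX shell script is an added example, not code from the original article or from RStudio: it emulates pam_listfile's item=group decision for both senses, applies the module's own sanity checks to the list file (root-owned, not world-writable, readable), and lets you dry-run a real account with `id -Gn`. The file path is the one used above; the function names and the `preflight_user` wrapper are this example's own.

```shell
#!/bin/sh
# Preflight helpers for a pam_listfile group allow-list (added example, not
# part of the original article or of RStudio Connect). They emulate the
# module's decision so you can see who would be denied BEFORE adding a rule
# with onerr=fail to the PAM stack, and check that the list file is safe.

# Does FILE contain a line exactly equal to one of GROUPS...? (0 = yes)
# pam_listfile compares whole lines, so "admins " with a trailing space
# would not match the group "admins".
listfile_contains_any() {
    file=$1; shift
    for g in "$@"; do
        if grep -Fxq -- "$g" "$file"; then
            return 0
        fi
    done
    return 1
}

# Emulate "pam_listfile.so onerr=fail item=group sense=SENSE file=FILE"
# for a user whose groups are GROUPS... (as printed by `id -Gn USER`).
# Returns 0 when the user would be let through, 1 when denied.
listfile_decision() {
    file=$1; sense=$2; shift 2
    # onerr=fail: a missing or unreadable list file is a denial, not a bypass
    if [ ! -r "$file" ]; then
        echo "list file $file is missing or unreadable: denying (onerr=fail)" >&2
        return 1
    fi
    if listfile_contains_any "$file" "$@"; then found=0; else found=1; fi
    case $sense in
        allow) return $found ;;                       # found -> allow
        deny)  if [ $found -eq 0 ]; then return 1; else return 0; fi ;;
        *)     echo "unknown sense: $sense" >&2; return 2 ;;
    esac
}

# Is FILE world-writable? (0 = yes). The "other" write bit is the 9th
# character of `ls -l` output, e.g. -rw-rw-rw-. pam_listfile rejects such files.
listfile_world_writable() {
    case $(ls -ld "$1") in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Is FILE owned by uid 0? `ls -n` prints the numeric uid in field 3.
listfile_owned_by_root() {
    set -- $(ls -ldn "$1")
    [ "$3" = 0 ]
}

# Both checks pam_listfile applies before trusting the list file.
listfile_secure() {
    listfile_owned_by_root "$1" && ! listfile_world_writable "$1"
}

# Dry-run a real account: preflight_user USER [FILE]
preflight_user() {
    user=$1; file=${2:-/etc/connect.login.groups.allowed}
    listfile_secure "$file" ||
        echo "WARNING: $file must be owned by root and not world-writable" >&2
    # `id -Gn` lists primary and supplementary groups; word-splitting is intended
    if listfile_decision "$file" allow $(id -Gn "$user"); then
        echo "$user: ALLOWED"
    else
        echo "$user: DENIED"
        return 1
    fi
}

if [ $# -gt 0 ]; then
    preflight_user "$@"
fi
```

Run it as `sh preflight.sh alice` (optionally with the list file as a second argument) for each account that must keep working, including the account you administer the box from, before the pam_listfile line goes live.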