[ARVADOS] updated: 3eedcb355e3dfdc4b8006083cfbcf2610b9d895d

git at public.curoverse.com git at public.curoverse.com
Tue Jul 7 15:42:58 EDT 2015 

Summary of changes:
 sdk/pam/arvados_pam.py     |  8 ++++----
 sdk/pam/debian/shellinabox | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

  discards  397a21ef82d7d7a7f61b1b88250cc21702d3847b (commit)
       via  3eedcb355e3dfdc4b8006083cfbcf2610b9d895d (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (397a21ef82d7d7a7f61b1b88250cc21702d3847b)
            \
             N -- N -- N (3eedcb355e3dfdc4b8006083cfbcf2610b9d895d)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 3eedcb355e3dfdc4b8006083cfbcf2610b9d895d
Author: Ward Vandewege <ward at curoverse.com>
Date:   Mon Jul 6 08:28:36 2015 -0400

    Add arvados_pam.py and shellinabox pam configuration file.
    
    Refs #2256

diff --git a/sdk/pam/arvados_pam.py b/sdk/pam/arvados_pam.py
new file mode 100644
index 0000000..84eef24
--- /dev/null
+++ b/sdk/pam/arvados_pam.py
@@ -0,0 +1,94 @@
+import syslog
+import sys
+sys.argv=['']
+import arvados
+import os
+
+def auth_log(msg):
+ """Send errors to default auth log"""
+ syslog.openlog(facility=syslog.LOG_AUTH)
+ #syslog.openlog()
+ syslog.syslog("libpam python Logged: " + msg)
+ syslog.closelog()
+
+
+def check_arvados_token(requested_username, token):
+    auth_log("%s %s" % (requested_username, token))
+    ARVADOS_API_HOST='4xphq.arvadosapi.com' ## FIXME replace with puppet
+    # BUG: hostname stored on the API is just "foo.shell", not "foo.shell.zzzzz.arvadosapi.com"!
+    my_hostname='shell' ## FIXME replace with puppet
+
+    try:
+	arv = arvados.api('v1',host=ARVADOS_API_HOST, token=token, cache=None)
+    except Exception as e:
+	auth_log(str(e))
+	return False
+
+    try:
+	matches = arv.virtual_machines().list(filters=[['hostname','=',my_hostname]]).execute()['items']
+    except Exception as e:
+	auth_log(str(e))
+	return False
+
+
+    if len(matches) != 1:
+        auth_log("libpam_arvados could not dertermine vm uuid for '%s'" % my_hostname)
+        return False
+
+    this_vm_uuid = matches[0]['uuid']
+    auth_log("this_vm_uuid: %s" % this_vm_uuid)
+    client_user_uuid = arv.users().current().execute()['uuid']
+
+    filters = [
+            ['link_class','=','permission'],
+            ['name','=','can_login'],
+            ['head_uuid','=',this_vm_uuid],
+            ['tail_uuid','=',client_user_uuid]]
+
+    for l in arv.links().list(filters=filters).execute()['items']:
+         if requested_username == l['properties']['username']:
+             return  True
+    return False
+
+
+def pam_sm_authenticate(pamh, flags, argv):
+ try:
+  user = pamh.get_user()
+ except pamh.exception, e:
+  return e.pam_result
+
+ if not user:
+  return pamh.PAM_USER_UNKNOWN
+
+ try:
+  resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, ''))
+ except pamh.exception, e:
+  return e.pam_result
+
+ try:
+  check = check_arvados_token(user, resp.resp)
+ except Exception as e:
+  auth_log(str(e))
+  return False
+
+ if not check:
+  auth_log("Auth failed Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
+  return pamh.PAM_AUTH_ERR
+
+ auth_log("Success! Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
+ return pamh.PAM_SUCCESS
+
+def pam_sm_setcred(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_acct_mgmt(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_open_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_close_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_chauthtok(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
diff --git a/sdk/pam/debian/shellinabox b/sdk/pam/debian/shellinabox
new file mode 100644
index 0000000..65091b6
--- /dev/null
+++ b/sdk/pam/debian/shellinabox
@@ -0,0 +1,136 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+#auth       optional   pam_faildelay.so  delay=3000000
+auth       optional   pam_faildelay.so  delay=0
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth  [success=1 default=ignore] pam_python.so /usr/local/bin/arvados_pam.py
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth	optional	pam_ecryptfs.so unwrap
+# end of pam-auth-update config
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+
+# Prints the message of the day upon succesful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so  motd=/run/motd.dynamic
+session    optional   pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+
+# Standard Un*x account and session
+ at include common-account
+ at include common-session
+ at include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list