[ARVADOS] created: 2.1.0-449-g51fd12cc1
Git user
git at public.arvados.org
Mon Feb 15 20:46:01 UTC 2021
at 51fd12cc175a8128802756c954e4f07a8e315f19 (commit)
commit 51fd12cc175a8128802756c954e4f07a8e315f19
Author: Nico Cesar <nico at nicocesar.com>
Date: Mon Feb 15 15:44:50 2021 -0500
Added note about /bin/false as UNIX login
Arvados-DCO-1.1-Signed-off-by: Nico Cesar <nico at curii.com>
diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index aec82cfe2..0e5ad37ab 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -98,7 +98,7 @@ Enable PAM authentication in @config.yml@:
Check the "default config file":{{site.baseurl}}/admin/config.html for more PAM configuration options.
-The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a shell account and password on the controller host itself. This can be convenient for a single-user or test cluster.
+The default PAM configuration on most Linux systems uses the local password database in @/etc/shadow@ for all logins. In this case, in order to log in to Arvados, users must have a UNIX account and password on the controller host itself. This can be convenient for a single-user or test cluster. Note that the user can have a @/bin/false@ as shell to avoid a security risk.
PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list