JupyterHub

JupyterHubの設定

アカウントロック

セキュリティの観点で一定回数パスワードを間違えた際にアカウントをロックしたい場合があります。

JupyterHubのデフォルトの認証はPAMです。
https://jupyterhub.readthedocs.io/en/stable/getting-started/authenticators-users-basics.html
PAMを使うことで、OSのシステム上のアカウントを認証に用いることができます。

そのため、アカウントロックの設定はJupyterHubではなくLinux側で行うことになります。

筆者の環境はJupyterHubの公式のDockerコンテナを利用しており、ディストリビューションはUbuntu18.04でしたのでその前提で進めます。

以下のファイルを編集します。

1
/etc/pam.d/common-auth

以下のような設定が確認できるはずです。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

ここに、例えば5回失敗したらロック、ただし30秒で解除の場合以下のような行を挿入します。

1
auth    required        pam_tally2.so deny=5 unlock_time=30
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    required        pam_tally2.so deny=5 unlock_time=30
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

失敗の数は下記のコマンドで確認できます。

1
pam_tally2 -u [USERNAME]

実際にログインを失敗させて、回数が増えるかを確認してみましょう。

アカウントのロック解除は下記のコマンドです。

1
pam_tally2 -r -u [USERNAME]

HTTPヘッダの設定

HTTPヘッダもjupyterhub_config.pyを編集すれば良い。

試しに脆弱性対策として、いくつか設定を行ってみます。

vi jupyterhub_config.py

1
2
3
4
5
c.JupyterHub.tornado_settings = {'headers':{
        'Content-Security-Policy': "default-src 'self';frame-ancestors 'self'",
        'X-Content-Type-Options':"nosniff",
        'X-XSS-Protection':"1; mode=block",
  }}

記事情報

  • 投稿日:2020年6月25日
  • 最終更新日:2020年6月28日