Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Can PAM authenticate with Crowd

hallta
hallta December 4, 2014

I have a directory-based installation of Crowd which manages every component of my company, with the exception of ssh/remote login to our unix environments. It seems like an easy question, but I haven't found anyone with the answer - is there a way to have pam authenticate with crowd for remote user login.

 

A very similiar question (https://answers.atlassian.com/questions/3088), but most resources are for an LDAP install, which I don't have and don't want to install/configure.

Answer
Watch
Like # people like this
2822 views

4 answers

1 accepted

2 votes
Answer accepted
rrudnicki
rrudnicki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 4, 2014

Hi Trevor, 

There isn’t a native way to authenticate SSH against Crowd. 

However, you can create a custom connector to do it. In this link you can get more details. After you create it, I believe you will also need to create a Module to Pam. In this link and this you can find about it. 

 

Regards,

Renato Rudnicki

View More Comments
hallta
hallta December 4, 2014

That's what I thought. Thank you!

Like
Caspar Krieger
Caspar Krieger
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 4, 2014

I'm not super familiar with PAM, but you shouldn't have to create a Crowd custom directory. Crowd's REST API should be enough to let you check whether a user's username & password are correct, if you can make your PAM module make a call to it.

Like
Caspar Krieger
Caspar Krieger
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 4, 2014

(You only need to write a custom Crowd directory if you want to change something like making users be fetched from some in-house database, etc)

Like
hallta
hallta December 4, 2014

Thanks, Caspar, that's a good point - I appreciate it.

Like
rrudnicki
rrudnicki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 5, 2014

Another easier way to authenticate your users against crowd would be you setup a LDAP. So, you can use the LDAP connector bundled on Crowd. I know maybe you won't use a LDAP, but also you will have a lot of work writing modules (lot of works = fun :) ). Good Luck Renato Rudnicki Atlassian Support

Like
Reply
3 votes
no_longer_in_sudoers_file
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 16, 2015

There is a solution: https://bitbucket.org/atlassian/crowd_pam/wiki/Home

Three of us (Sam Caldwell, @Brendan Shaklovitz, and Zach Boody) recently used this problem for Atlassian ShipIt 31.  What we built is a working PIP package (which we need to get up to PyPI soon) that will allow users to extend PAM to authenticate against Atlassian Crowd.

Right now this only supports user/pass authentication against Crowd, but we plan on adding SSH key support and additional meta data parameters for user accounts.

Reply
1 vote
no_longer_in_sudoers_file
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 18, 2015

Trevor, I asked this question once back in 2008-2009 and there was no solution.  But this morning I found that Tom OConnor has done what seems a promising job of starting down that path:

https://github.com/tomoconnor/pam_python_crowd

I'm debating on spending a weekend or so testing this solution to see if it can be made production-ready.

View More Comments
no_longer_in_sudoers_file
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 18, 2015

I have forked Tom O'Connor's git repo and made a couple enhancements to get this closer to production ready. There's still a bit to go, but here is my fork: https://github.com/x684867/pam_python_crowd/blob/master/lib/security/pam_crowd.py When I have a final solution, I'll send Tom a pull request. (Thanks, Tom for the start of a great solution)

Like
hallta
hallta March 18, 2015

That's fantastic, thanks for the hard work. Keep me/us posted, this work will surely come in very handy for myself and hopefully many others.

Like
Reply
0 votes
Brenden_Tuck
Brenden_Tuck
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 26, 2020

If you want to avoid having the python dependency, there is a new project available that does this with a native C shared object:  https://github.com/mbidewell/pam-crowd-auth

Reply

Suggest an answer

Log in or Sign up to answer
Crowd
Crowd
TAGS
AUG Leaders

Atlassian Community Events

    See all events