Port arvados-pam to Python 3
source:sdk/pam provides a PAM module that allows users to authenticate (e.g., to an SSH service on a shell node) using an Arvados token. It checks the same login permissions as source:services/login-sync. It makes it possible to provide a login service like shellinabox that doesn't have SSH private keys or tunnel options.
Currently it requires Python 2.7.
#5 Updated by Tom Clegg about 2 months ago
arvados-pam is one such "PAM module written in Python." We have made the arvados_pam module python3-compatible enough to pass its unit tests, but it can't be shown to work in real life (and can't eliminate the python2.7 dependency) until pam-python itself is updated to work with python3. The author hasn't done this yet, but plans to.
- https://bugzilla.redhat.com/show_bug.cgi?id=1641386 "Unfortunately, it seems that at the moment it can't work without python2. Migration to python3 is "in progress", but it's not done right now."
- https://sourceforge.net/p/pam-python/tickets/5/#f4bb "Debian is coming up for a release next year, so things will happen by then. The major thing is the port to Python 3." (2018-10-25)
If we can't wait for an upstream fix (or fork pam-python and do it ourselves), another approach would be to start fresh and implement a PAM module in Go, using someone else's example like https://github.com/uber/pam-ussh. This might be a better long-term solution anyway -- it looks like we never even found a way to test the libpam-python solution without hitting segfaults.
#8 Updated by Tom Clegg about 1 month ago
(from discussion offline) having a PAM module is worthwhile (still the best way to enable shell-over-https for CLI/browser use) but the Python solution is looking like a dead end -- it's never been stable and the connector shim isn't even aimed at production use. Porting to Go seems like the least-effort long term solution.