From 40368b8f555f04ffdd662ffe99d32392a088b1d2 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Wed, 23 Mar 2016 23:24:54 +0100
Subject: [PATCH] Allow disabling PAM sessions it's often buggy and rarely necessary, so allow it to be disabled when it's causing problems. It's still on by default for backward-compatibility, though maybe it shouldn't be.
---
 jupyterhub/auth.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/jupyterhub/auth.py b/jupyterhub/auth.py
index afd8407510..e8b0bcd19a 100644
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -357,6 +357,18 @@ class PAMAuthenticator(LocalAuthenticator):
 service = Unicode('login', config=True,
 help="""The PAM service to use for authentication."""
 )
+ open_sessions = Bool(True, config=True,
+ help="""Whether to open PAM sessions when spawners are started.
+
+ This may trigger things like mounting shared filsystems,
+ loading credentials, etc. depending on system configuration,
+ but it does not always work.
+
+ It can be disabled with::
+
+ c.PAMAuthenticator.open_sessions = False
+ """
+ )
 @gen.coroutine
 def authenticate(self, handler, data):
@@ -369,7 +381,7 @@ def authenticate(self, handler, data):
 pamela.authenticate(username, data['password'], service=self.service)
 except pamela.PAMError as e:
 if handler is not None:
- self.log.warn("PAM Authentication failed (@%s): %s", handler.request.remote_ip, e)
+ self.log.warn("PAM Authentication failed (%s@%s): %s", username, handler.request.remote_ip, e)
 else:
 self.log.warn("PAM Authentication failed: %s", e)
 else:
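Review bot: The `open_sessions` help text does not say that the authenticator also turns the option off by itself after the first PAM session error (see the `pre_spawn_start`/`post_spawn_stop` hunk), nor what is skipped while it is off. An operator who relies on session-phase PAM modules for mounts, credentials or similar setup should be able to read that here; I would add a sentence such as `If opening or closing a session fails, sessions are disabled for the rest of the process.` and state that session modules are not run for spawned servers when this is False. `filsystems` in the same help string should read `filesystems`.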
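Review bot: The new format string writes `username` into the log with a plain `%s`, and that value comes from the login request, so line breaks or control characters in it would reach the Hub log unescaped. Formatting it with `%r` keeps each failure on one unambiguous log line: `self.log.warn("PAM Authentication failed (%r@%s): %s", username, handler.request.remote_ip, e)`. Failed-login usernames sometimes contain a password typed into the wrong field, so access to this log deserves the same care as other credential-adjacent data. The `else` branch for `handler is None` still omits the username, which leaves the two messages inconsistent. `authenticate` starts and ends outside this hunk, so any earlier normalisation of `username` is not visible here.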
@@ -377,15 +389,23 @@ def authenticate(self, handler, data):
 def pre_spawn_start(self, user, spawner):
 """Open PAM session for user"""
+ if not self.open_sessions:
+ return
 try:
 pamela.open_session(user.name, service=self.service)
 except pamela.PAMError as e:
 self.log.warn("Failed to open PAM session for %s: %s", user.name, e)
+ self.log.warn("Disabling PAM sessions from now on.")
+ self.open_sessions = False
 def post_spawn_stop(self, user, spawner):
 """Close PAM session for user"""
+ if not self.open_sessions:
+ return
 try:
 pamela.close_session(user.name, service=self.service)
 except pamela.PAMError as e:
 self.log.warn("Failed to close PAM session for %s: %s", user.name, e)
+ self.log.warn("Disabling PAM sessions from now on.")
+ self.open_sessions = False
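Review bot: A single `PAMError` in `pre_spawn_start` or `post_spawn_stop` sets `self.open_sessions = False` on the authenticator itself, so a failure for one user appears to switch off session handling for every later spawn until the Hub is restarted. Sessions that were opened before that point are then never closed, because `post_spawn_stop` returns early on the same flag. Where session modules apply limits, mounts or audit settings, this is a silent fail-open that one account's error can cause, reported only at warning level. I would drop both `self.open_sessions = False` assignments and their `"Disabling PAM sessions from now on."` lines, leaving `c.PAMAuthenticator.open_sessions = False` as the only switch. If the automatic fallback is kept, the runtime state belongs in a separate attribute that `post_spawn_stop` does not consult.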