Pam Authentication Failure

Hi all,
May I ask how to enable PAM authentication in Kops Kubernetes zero to Jupyterhub on AWS ubuntu instance?
I tried dummyAuthenticator and Github login, both could work, but pam cannot.
Currently my configuration file is

hub:
  config:
    LocalAuthenticator:
      create_system_users: True
      delete_invalid_users: True
    Authenticator:
      admin_users:
        - user1
      allowed_users:
        - user3
      #says deprecated, use allowed_users instead of whitelist
      #whitelist:
      #  - gycc7253
    #  blocked_users:
    #    - user5
    #    - user6
    #PAMAuthenticator:
      open_sessions: False
    JupyterHub:
      authenticator_class: pam

and the logs says

.
When loggin in via my ubuntu’s users password and id
it says

PAM Authentication failed (user1@::ffff:100.96.1.1): [PAM Error 7] Authentication failure

Seems like the jupyterhub does not have permission to create user, probably unable to read the password from shadow file.
But then I am not sure how to do it.
Anyone can help?
Thank you very much in advance!

PAM authentication is only useful for local users. Since you’re running on Kubernetes the singleuser servers run in separate pods to JupyterHub.

If you explain a bit more about what you want to achieve there may be another solution.

Yes thanks!
So we want to employ our organization’s cluster resource for jupyterhub, and on our server, we have one-to-one mapping from our organizational account to the server’s linux user, and we wish to set up jupyterhub in the way that the credentials are using PAM on our server’s linux machine so that the users could log in to jupyterhub with our organizational credentials.

I know that each single user will spawn a new pod, but the authentication should be done via the centre hub right?
Also, may i ask if the PAM authentication is inheriting the master node(the hub node) 's users credentials?

Everything on Kubernetes is independent of the host server’s authentication. This means the JupyterHub pod knows nothing about the users on the host, which is why PAM authentication doesn’t make sense for Z2JH.

If you’ve using multiple institutional servers with common authentication this may be managed with LDAP or Active Directory, in which case you can configure JupyterHub to use the same authnetication server.

Thx!
However the doc says that

JupyterHub by default ships with only one source of authentication: PAM, the underlying unix authentication of the host system.

But you said

This means the JupyterHub pod knows nothing about the users on the host

The doc says jupyterhub the hub pod is managing all the auth stuff right?
Sorry, but it would be great if you could explain the difference between these two interpretations!
Thx again!

JupyterHub is designed to be very flexible, and has the ability to plug in different authenticators, spawners, and many other services.,

If you manually install JupyterHub on it’s own it will only support PAM and has no support for Kubernetes. The zero-to-jupyterhub Helm chart packages JupyterHub, KubeSpawner, several other dependencies, and manages a lot of configuration.

In Z2JH the JupyterHub pod manages authentication using either a hared-coded list of users, or an external authenticator, as described in https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/authentication.html