From 7e1250a82b76f1d26d14ab8262b3ac8df04cb6aa Mon Sep 17 00:00:00 2001
From: Matt Graham
Date: Thu, 27 Oct 2016 21:35:55 +0100
Subject: [PATCH] Adding bash script to secure Jupyter notebook server on DICE.
---
 secure-notebook-server.sh | 73 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 secure-notebook-server.sh
diff --git a/secure-notebook-server.sh b/secure-notebook-server.sh
new file mode 100644
index 0000000..95f0547
--- /dev/null
+++ b/secure-notebook-server.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+# Configure Jupyter notebook server to use password authentication
+# Make sure Conda environment is active as will assume it is later
+[ -z "$CONDA_PREFIX" ] && echo "Need to have Conda environment activated." && exit 1
+if [ "$#" -gt 2 ]; then
+ echo "Usage: bash secure-notebook-server.sh [jupyter-path] [open-ssl-config-path]"
+ exit 1
+fi
+# If specified read Jupyter directory from passed argument
+JUPYTER_DIR=${1:-"$HOME/.jupyter"}
+# If specified read OpenSSL config file path from passed argument
+# This is needed due to bug in how Conda handles config path
+export OPENSSL_CONF=${2:-"$CONDA_PREFIX/ssl/openssl.cnf"}
+SEPARATOR="=================================================================\n"
+# Create default config file if one does not already exist
+if [ ! -f "$JUPYTER_DIR/jupyter_notebook_config.py" ]; then
+ echo "No existing notebook configuration file found, creating new one ..."
+ printf $SEPARATOR
+ jupyter notebook --generate-config
+ printf $SEPARATOR
+ echo "... notebook configuration file created."
+fi
+# Get user to enter notebook server password
+echo "Getting notebook server password hash. Enter password when prompted ..."
+printf $SEPARATOR
+HASH=$(python -c "from notebook.auth import passwd; print(passwd());")
+printf $SEPARATOR
+echo "... got password hash."
+# Generate self-signed OpenSSL certificate and key file
+echo "Creating certificate file ..."
+printf $SEPARATOR
+CERT_INFO="/C=UK/ST=Scotland/L=Edinburgh/O=University of Edinburgh/OU=School of Informatics/CN=$USER/emailAddress=$USER@sms.ed.ac.uk"
+openssl req \
+ -x509 -nodes -days 365 \
+ -subj "/C=UK/ST=Scotland/L=Edinburgh/O=University of Edinburgh/OU=School of Informatics/CN=$USER/emailAddress=$USER@sms.ed.ac.uk" \
+ -newkey rsa:1024 -keyout "$JUPYTER_DIR/key.key" \
+ -out "$JUPYTER_DIR/cert.pem"
+printf $SEPARATOR
+echo "... certificate created."
+# Setting permissions on key file
+chmod 600 "$JUPYTER_DIR/key.key"
+# Add password hash and certificate + key file paths to config file
+echo "Setting up configuration file..."
+printf $SEPARATOR
+echo " adding password hash"
+SRC_PSW="^#\?c\.NotebookApp\.password[ ]*=[ ]*u['"'"'"]\(sha1:[a-fA-F0-9]\+\)\?['"'"'"]"
+DST_PSW="c.NotebookApp.password = u'$HASH'"
+grep -q "c.NotebookApp.password" $JUPYTER_DIR/jupyter_notebook_config.py
+if [ ! $? -eq 0 ]; then
+ echo DST_PSW >> $JUPYTER_DIR/jupyter_notebook_config.py
+else
+ sed -i "s/$SRC_PSW/$DST_PSW/" $JUPYTER_DIR/jupyter_notebook_config.py
+fi
+echo " adding certificate file path"
+SRC_CRT="^#\?c\.NotebookApp\.certfile[ ]*=[ ]*u['"'"'"]\([^'"'"'"]+\)\?['"'"'"]"
+DST_CRT="c.NotebookApp.certfile = u'$JUPYTER_DIR/cert.pem'"
+grep -q "c.NotebookApp.certfile" $JUPYTER_DIR/jupyter_notebook_config.py
+if [ ! $? -eq 0 ]; then
+ echo DST_CRT >> $JUPYTER_DIR/jupyter_notebook_config.py
+else
+ sed -i "s|$SRC_CRT|$DST_CRT|" $JUPYTER_DIR/jupyter_notebook_config.py
+fi
+echo " adding key file path"
+SRC_KEY="^#\?c\.NotebookApp\.keyfile[ ]*=[ ]*u['"'"'"]\([^'"'"'"]+\)\?['"'"'"]"
+DST_KEY="c.NotebookApp.keyfile = u'$JUPYTER_DIR/key.key'"
+grep -q "c.NotebookApp.keyfile" $JUPYTER_DIR/jupyter_notebook_config.py
+if [ ! $? -eq 0 ]; then
+ echo DST_KEY >> $JUPYTER_DIR/jupyter_notebook_config.py
+else
+ sed -i "s|$SRC_KEY|$DST_KEY|" $JUPYTER_DIR/jupyter_notebook_config.py
+fi
+printf $SEPARATOR
+echo "... finished setting up configuration file."
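Review bot: The `openssl req` call creates the TLS key with `-newkey rsa:1024`, which is below the 2048-bit minimum current guidance expects, and the key file is written before `chmod 600 "$JUPYTER_DIR/key.key"` runs, so depending on the OpenSSL version and umask it may briefly be readable by other users on a shared host; use `-newkey rsa:2048` and put `umask 077` ahead of the `openssl req` line. The three append branches write the literal variable name (`echo DST_PSW >> ...`, likewise `DST_CRT` and `DST_KEY`) instead of its value, so on a config file that lacks those keys the password and certificate settings are never written; they should read `echo "$DST_PSW" >> "$JUPYTER_DIR/jupyter_notebook_config.py"` and so on, with `$JUPYTER_DIR` quoted in the `grep` and `sed` calls as well. The `sed -i` substitutions are not verified, and the `SRC_PSW` pattern (`sha1:[a-fA-F0-9]\+`) does not appear to match an already-set hash that contains a second colon, so a re-run can print "finished setting up configuration file" without changing the password. A closing check such as `grep -qF -- "$DST_PSW" "$JUPYTER_DIR/jupyter_notebook_config.py" || exit 1` before the final message would stop the script from reporting a secured server when the setting was not applied.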