github →

New request

#2590: Support PAM-backed system-user WebUI login with per-user profiles

We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.

Issue
enhancementauth

Problem

Hermes WebUI currently supports a shared WebUI password flow. That works for single-user deployments, but shared hosts and LAN-facing workstations often need browser access to map back to real system accounts without handing every user the same WebUI credential.

The current profile-selection model is also client controlled, so adding username-based login safely needs server-side profile authority. Otherwise one authenticated browser session could choose another profile by changing the profile cookie or using profile-management routes.

Proposed Direction

Add an optional PAM-backed auth mode that keeps the existing password behavior unchanged by default:

  • HERMES_WEBUI_AUTH_MODE=pam enables PAM login.
  • A fixed PAM user can authenticate with the existing password field.
  • HERMES_WEBUI_PAM_ALLOW_ANY_USER=1 enables an explicit username field for multi-user hosts.
  • Multi-user PAM sessions bind server-side session metadata to a clean per-user Hermes profile.
  • Auth-bound sessions override client profile cookies and block cross-profile switch/create/delete operations.
  • Login-created profiles are created cleanly and do not clone default profile config or API keys.
  • PAM can run in-process when available, or through an administrator-configured helper command for deployments that need privileged PAM access.

Security / Compatibility Notes

This is security-sensitive behavior because it affects authentication and profile isolation. The intended compatibility shape is:

  • Default password auth remains the default and keeps existing profile behavior.
  • Legacy session records remain readable.
  • PAM multi-user login filters service accounts by shell and minimum UID.
  • No sudo or privileged helper behavior is assumed unless an operator explicitly configures HERMES_WEBUI_PAM_HELPER.

Validation Plan

A patch is available with focused auth/profile tests plus the full test suite passing locally:

  • Targeted auth/profile/login suites: 126 passed.
  • Full suite with Node available on PATH: 6001 passed, 6 skipped, 3 xpassed, 8 subtests passed.
Assessmentadvisory
feature●●● hard85% confidence

Security-sensitive authentication mode integrating PAM, server-side profile binding, and session authority.

Likely files
  • api/auth.py
  • api/sessions.py
  • api/profile.py
  • server.py
  • static/login.js
Create the request

This opens a fresh agent run and a draft PR for issue #2590.

Cancel