New request
#2590: Support PAM-backed system-user WebUI login with per-user profiles
We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.
Problem
Hermes WebUI currently supports a shared WebUI password flow. That works for single-user deployments, but shared hosts and LAN-facing workstations often need browser access to map back to real system accounts without handing every user the same WebUI credential.
The current profile-selection model is also client controlled, so adding username-based login safely needs server-side profile authority. Otherwise one authenticated browser session could choose another profile by changing the profile cookie or using profile-management routes.
Proposed Direction
Add an optional PAM-backed auth mode that keeps the existing password behavior unchanged by default:
HERMES_WEBUI_AUTH_MODE=pamenables PAM login.- A fixed PAM user can authenticate with the existing password field.
HERMES_WEBUI_PAM_ALLOW_ANY_USER=1enables an explicit username field for multi-user hosts.- Multi-user PAM sessions bind server-side session metadata to a clean per-user Hermes profile.
- Auth-bound sessions override client profile cookies and block cross-profile switch/create/delete operations.
- Login-created profiles are created cleanly and do not clone default profile config or API keys.
- PAM can run in-process when available, or through an administrator-configured helper command for deployments that need privileged PAM access.
Security / Compatibility Notes
This is security-sensitive behavior because it affects authentication and profile isolation. The intended compatibility shape is:
- Default
passwordauth remains the default and keeps existing profile behavior. - Legacy session records remain readable.
- PAM multi-user login filters service accounts by shell and minimum UID.
- No sudo or privileged helper behavior is assumed unless an operator explicitly configures
HERMES_WEBUI_PAM_HELPER.
Validation Plan
A patch is available with focused auth/profile tests plus the full test suite passing locally:
- Targeted auth/profile/login suites:
126 passed. - Full suite with Node available on
PATH:6001 passed, 6 skipped, 3 xpassed, 8 subtests passed.
Security-sensitive authentication mode integrating PAM, server-side profile binding, and session authority.
- api/auth.py
- api/sessions.py
- api/profile.py
- server.py
- static/login.js