CVE-2022-31027 CILogonOAuthenticator is an OAuth token library for the JupyterHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package.

is validated. Thus, a user with a fake email from, say, `@bunny.org` might succeed in accessing the JupyterHub. To protect your JupyterHub from such fake users, you will have to whitelist the domains that are allowed to access it. You can do this by adding the whitelisted domain to `allowed_idps`. For example, to allow only users from `bunny.org` to access the JupyterHub, you might add the following line to your `JupyterHubConfig.py` file:

allowed_idps = ['bunny.org']

Be careful not to add too many domains to the `allowed_idps` list, because it will negatively affect performance. If you have to allow too many domains, you can instead allow all domains.
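The domain allowlist described above is only as strong as the email address it inspects, and the page's own scenario (a fake `@bunny.org` address) is exactly the case a domain-only check lets through when a provider lets users type any email they like. The following is an added example, not code from OAuthenticator or JupyterHub: it implements an exact, case-insensitive domain allowlist in the spirit of the page's `allowed_idps` entry, and pairs it with a check on which identity provider actually authenticated the user. The userinfo records, EntityID strings and domain names are constructed for the example, and the claim names `email` and `idp` are assumptions about the provider's userinfo response.

```python
"""Added example, not code from OAuthenticator or JupyterHub: a defensive
authorization gate for a CILogon-style login. It applies a domain allowlist
like the page's ``allowed_idps`` entry and additionally checks which identity
provider authenticated the user. The userinfo records below are constructed;
the claim names ``email`` and ``idp`` are assumed."""

from typing import Iterable, Mapping, Optional


def email_domain(email: object) -> Optional[str]:
    """Return the lower-cased domain of ``email``, or None if it is not a
    plain ``local@domain`` address.

    Exactly one '@' is required, so an address such as
    'mallory@evil.example@bunny.org' is rejected instead of being read as a
    bunny.org address by a naive split on the first '@'.
    """
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = domain.strip().lower()
    if not local or not domain or "." not in domain:
        return None
    return domain


def domain_allowed(email: object, allowed_domains: Optional[Iterable[str]]) -> bool:
    """True if the address's domain is exactly on the allowlist.

    ``None`` means 'allow all domains', the fallback the page mentions for
    very long lists. Matching is exact, so 'bunny.org.evil.example' does not
    pass for 'bunny.org'.
    """
    domain = email_domain(email)
    if domain is None:
        return False
    if allowed_domains is None:
        return True
    allowed = {d.strip().lower().lstrip("@") for d in allowed_domains}
    return domain in allowed


def idp_allowed(userinfo: Mapping[str, object], allowed_idp_ids: Iterable[str]) -> bool:
    """True if the ``idp`` claim (assumed: the EntityID of the provider that
    authenticated the user) is on the allowlist.

    This is the stronger gate: the provider asserts ``idp``, whereas some
    providers let the user type any email address, which is how a fake
    '@bunny.org' address gets past a domain-only check.
    """
    idp = userinfo.get("idp")
    return isinstance(idp, str) and idp in set(allowed_idp_ids)


def authorize(
    userinfo: Mapping[str, object],
    allowed_domains: Optional[Iterable[str]],
    allowed_idp_ids: Iterable[str],
) -> bool:
    """Require both: an allowed provider performed the authentication, and
    the email the username is derived from belongs to an allowed domain."""
    return idp_allowed(userinfo, allowed_idp_ids) and domain_allowed(
        userinfo.get("email"), allowed_domains
    )


# Constructed sample policy and userinfo records (placeholders, not real IdPs).
ALLOWED_DOMAINS = ["bunny.org"]
ALLOWED_IDP_IDS = ["https://idp.bunny.org/idp/shibboleth"]

CAMPUS_USER = {"email": "alice@bunny.org", "idp": "https://idp.bunny.org/idp/shibboleth"}
SELF_ASSERTED_USER = {"email": "mallory@bunny.org", "idp": "https://social-login.example/oauth"}
WRONG_DOMAIN_USER = {"email": "bob@notbunny.org", "idp": "https://idp.bunny.org/idp/shibboleth"}

if __name__ == "__main__":
    for name, info in [
        ("campus user", CAMPUS_USER),
        ("self-asserted email", SELF_ASSERTED_USER),
        ("wrong domain", WRONG_DOMAIN_USER),
    ]:
        print(f"{name}: allowed={authorize(info, ALLOWED_DOMAINS, ALLOWED_IDP_IDS)}")
```

The domain check alone accepts `SELF_ASSERTED_USER`, since the address really does end in `@bunny.org`; only the `idp` check rejects it. Passing `None` as the domain list reproduces the page's "allow all domains" fallback while still leaving the provider gate in place.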

Disable SSH by Default

It is also recommended that you disable SSH by default in order to reduce the attack surface of your JupyterHub. With this configuration, the only way to connect to JupyterHub is via the HTTP server.

Various factors that can affect JupyterHub performance

There are a number of factors that can affect the performance of JupyterHub. These include the number of users, the length of time your JupyterHub has been up and running, and how many processes are running.

Configure JupyterHub firewall to block unauthorized access

You will also have to configure your JupyterHub firewall. To do this, add the following lines to `JupyterHubConfig.py`:
# Allow an IP address or a CIDR range that you trust to access the JupyterHub.
# Set allow_any_connections to True if you want to allow any incoming connections as well as
# all outgoing connections except for those from localhost
# using the `lowsrc` port (usually 9000):
allow_any_connections = False  # flag added here: the original tested the non-empty string 'allow_any_connections', which is always true
allowed_ip = '0.0.0.0/0' if allow_any_connections else 'localhost'
allowed_port = '8889'

Timeline

Published on: 06/09/2022 13:15:00 UTC
Last modified on: 06/16/2022 01:27:00 UTC
