File: authentication.xml

package info (click to toggle)
cockpit 188-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 119,768 kB
  • sloc: ansic: 66,833; xml: 5,776; python: 3,122; sh: 2,322; makefile: 1,289; sed: 7
file content (94 lines) | stat: -rw-r--r-- 4,584 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
 
<?xml version="1.0"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<chapter id="authentication">
  <title>Cockpit Authentication</title>

  <section id="initial-auth">
    <title>Primary server authentication</title>

    <para>While cockpit allows you to monitor and administer several servers at the
      same time, there is always a primary server your browser connects to
      that runs the Cockpit web service (cockpit-ws) through which connections to
      additional servers are established.
      See <ulink url="https://raw.githubusercontent.com/cockpit-project/cockpit/master/doc/cockpit-transport.png">this diagram</ulink> for how it works.</para>

    <para>By default the cockpit web service is installed on the base system and
      <link linkend="listen">socket activated by systemd</link>. In this setup
      access is controlled by a cockpit specific pam stack, generally located
      at <filename>/etc/pam.d/cockpit</filename>. By default this is configured
      to allow you to login with the username and password of any local account on the
      system or you can setup a <link linkend="sso">Kerberos based SSO
      solution</link>.</para>

    <para>The web server can also be run from the <filename>cockpit/ws</filename> docker
      container. If you are running cockpit on an <ulink url="https://www.projectatomic.io/">
      Atomic Host</ulink> this will be the default. In this setup, cockpit establishes an
      SSH connection from the container to the underlying host, meaning that it is up to
      your SSH server to grant access. To login with a local account, <filename>sshd
      </filename> will need to be configured to allow password based authentication.
      Alternatively you can setup a <link linkend="sso">Kerberos based SSO
      solution</link>.</para>

    <para>Like <filename>sshd</filename>, cockpit can be configured to limit the number
      of concurrent login attempts allowed. This is done by adding a <code>MaxStartups</code>
      option to the <code>WebService</code> section of your <code>cockpit.conf</code>.
      Additional connections will be dropped until authentication succeeds or
      the connections are closed.</para>

  </section>

  <section id="secondary-auth">
    <title>Secondary server authentication</title>

    <para>Once you are able to login to the primary server you will be able to connect to
      additional servers. These servers will need to be running an SSH server on port 22
      and be configured to support one of the following authentication methods.</para>

    <section id="password">
      <title>Password</title>
      <para>The target server will need to have password based authentication
        enabled in <filename>sshd</filename>. When this is setup for the first time,
        Cockpit will ensure that the user connected to primary server has the
        same password on the secondary server.</para>
    </section>

    <section id="kerberos">
      <title>Kerberos</title>
      <para>The target server will need to be a member of the same domain as the
        primary server and your domain must be whitelisted in your browser.
        See the <link linkend="sso">SSO documentation</link> for how to set
        this up.</para>
    </section>

    <section id="public-key">
      <title>Public key</title>

    <para>When you successfully log into the primary server, an <filename>ssh-agent
      </filename> is started. The following keys are then preloaded into the
      <filename>ssh-agent</filename> provided they are supported by your SSH
      version, present, with the correct permissions, and either unencrypted
      or encrypted with the same password that was used to login.</para>

<programlisting>
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ed25519
~/.ssh/id_ecdsa
</programlisting>

    <para>Cockpit provides an interface for loading other keys into the agent
      that could not be automatically loaded.</para>

    <para>The target server will need to have public key authentication enabled in
      <filename>sshd</filename>, and the public key you wish to use must be present in
      <filename>~/.ssh/authorized_keys</filename>.</para>

    <para>Note that when a user is authenticated in this way the authentication
      happens without a password, as such the standard cockpit reauthorization
      mechanisms do not work. The user will only be able to obtain additional
      privileges if they do not require a password.</para>

    </section>
  </section>
</chapter>