cockpit-doc 164-1 / usr / share / doc / cockpit / guide / authentication.html

This file is indexed.

/usr/share/doc/cockpit/guide/authentication.html is in cockpit-doc 164-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Cockpit Authentication</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="startup.html" title="Start up">
<link rel="next" href="sso.html" title="Single Sign On">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="startup.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="guide.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="sso.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="authentication"></a>Cockpit Authentication</h2></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="authentication.html#initial-auth">Primary server authentication</a></span></dt>
<dt><span class="section"><a href="authentication.html#secondary-auth">Secondary server authentication</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="authentication.html#password">Password</a></span></dt>
<dt><span class="section"><a href="authentication.html#kerberos">Kerberos</a></span></dt>
<dt><span class="section"><a href="authentication.html#public-key">Public key</a></span></dt>
</dl></dd>
</dl></div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="initial-auth"></a>Primary server authentication</h2></div></div></div>
<p>While cockpit allows you to monitor and administer several servers at the
      same time, there is always a primary server your browser connects to
      that runs the Cockpit web service (cockpit-ws) through which connections to
      additional servers are established.
      See <a class="ulink" href="https://raw.githubusercontent.com/cockpit-project/cockpit/master/doc/cockpit-transport.png" target="_top">this diagram</a> for how it works.</p>
<p>By default the cockpit web service is installed on the base system and
      <a class="link" href="listen.html" title="TCP Port and Address">socket activated by systemd</a>. In this setup
      access is controlled by a cockpit specific pam stack, generally located
      at <code class="filename">/etc/pam.d/cockpit</code>. By default this is configured
      to allow you to login with the username and password of any local account on the
      system or you can setup a <a class="link" href="sso.html" title="Single Sign On">Kerberos based SSO
      solution</a>.</p>
<p>The web server can also be run from the <code class="filename">cockpit/ws</code> docker
      container. If you are running cockpit on an <a class="ulink" href="http://www.projectatomic.io/" target="_top">
      Atomic Host</a> this will be the default. In this setup, cockpit establishes an
      SSH connection from the container to the underlying host, meaning that it is up to
      your SSH server to grant access. To login with a local account, <code class="filename">sshd
      </code> will need to be configured to allow password based authentication.
      Alternatively you can setup a <a class="link" href="sso.html" title="Single Sign On">Kerberos based SSO
      solution</a>.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="secondary-auth"></a>Secondary server authentication</h2></div></div></div>
<p>Once you are able to login to the primary server you will be able to connect to
      additional servers. These servers will need to be running an SSH server on port 22
      and be configured to support one of the following authentication methods.</p>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="password"></a>Password</h3></div></div></div>
<p>The target server will need to have password based authentication
        enabled in <code class="filename">sshd</code>. When this is setup for the first time,
        Cockpit will ensure that the user connected to primary server has the
        same password on the secondary server.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="kerberos"></a>Kerberos</h3></div></div></div>
<p>The target server will need to be a member of the same domain as the
        primary server and your domain must be whitelisted in your browser.
        See the <a class="link" href="sso.html" title="Single Sign On">SSO documentation</a> for how to set
        this up.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="public-key"></a>Public key</h3></div></div></div>
<p>When you successfully log into the primary server, an <code class="filename">ssh-agent
      </code> is started. The following keys are then preloaded into the
      <code class="filename">ssh-agent</code> provided they are supported by your SSH
      version, present, with the correct permissions, and either unencrypted
      or encrypted with the same password that was used to login.</p>
<pre class="programlisting">
~/.ssh/id_rsa
~/.ssh/id_dsa
~/.ssh/id_ed25519
~/.ssh/id_ecdsa
</pre>
<p>Cockpit provides an interface for loading other keys into the agent
      that could not be automatically loaded.</p>
<p>The target server will need to have public key authentication enabled in
      <code class="filename">sshd</code>, and the public key you wish to use must be present in
      <code class="filename">~/.ssh/authorized_keys</code>.</p>
<p>Note that when a user is authenticated in this way the authentication
      happens without a password, as such the standard cockpit reauthorization
      mechanisms do not work. The user will only be able to obtain additional
      privileges if they do not require a password.</p>
</div>
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>

APT Browse - Built by Thomas Orozco.