/usr/share/doc/cockpit/guide/sso.html is in cockpit-doc 164-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Single Sign On</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="guide.html" title="Part I. Deployment Guide">
<link rel="prev" href="authentication.html" title="Cockpit Authentication">
<link rel="next" href="privileges.html" title="Privileges and Permissions">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="authentication.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="guide.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="privileges.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h2 class="title">
<a name="sso"></a>Single Sign On</h2></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="sso.html#sso-server">Server Requirements</a></span></dt>
<dt><span class="section"><a href="sso.html#sso-client">Client Requirements</a></span></dt>
</dl></div>
<p>Cockpit can use Kerberos for Single Sign On authentication, where users are
    automatically authenticated if they have a valid Kerberos ticket.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sso-server"></a>Server Requirements</h2></div></div></div>
<p>To authenticate users, the server that Cockpit is running on must be
      joined to a domain. This can usually be accomplished using the
      <a class="ulink" href="http://freedesktop.org/software/realmd/docs/realm.html" target="_top"><code class="code">realm join example.com</code></a>
      command.</p>
<p>The domain must be resolvable by DNS. For instance, the SRV records of the
      Kerberos server should be resolvable:</p>
<pre class="programlisting">
$ host -t SRV  _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 0 100 88 dc.example.com
</pre>
<p>The server running Cockpit should have a fully qualified name that ends with
      the domain name.</p>
<p>There must be a valid Kerberos host key for the server in the <code class="code">/etc/krb5.keytab</code>
      file. Alternatively, if you would like to use a different keytab, you can do so
      by placing it in <code class="code">/etc/cockpit/krb5.keytab</code>. It may be necessary to
      create a Kerberos service principal and update the keytab if it is not present.
      Depending on your domain type, different service names are required:</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term">Active Directory</span></p></td>
<td><p><code class="code">HOST/server.example.com@EXAMPLE.COM</code></p></td>
</tr>
<tr>
<td><p><span class="term">IPA and MIT</span></p></td>
<td><p><code class="code">HTTP/server.example.com@EXAMPLE.COM</code></p></td>
</tr>
</tbody>
</table></div>
<p>The following command can be used to list the <code class="code">/etc/krb5.keytab</code>:</p>
<pre class="programlisting">
$ sudo klist -k
</pre>
<p>Lastly, accounts from the domain must be resolvable to Unix accounts on the server
      running Cockpit. For example:</p>
<pre class="programlisting">
$ getent passwd user@example.com
user@example.com:*:381001109:381000513:User Name:/home/user:/bin/sh
</pre>
<p>If you wish to delegate your Kerberos credentials to Cockpit, and allow Cockpit
      to then connect to other machines using those credentials, you should enable delegation
      for the hosts running Cockpit, and in some cases for the <code class="code">HTTP</code> service as well.</p>
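As an added example (not part of the Cockpit guide), the following POSIX shell script turns the server-side requirements above into checks. Every function parses captured command output, so the checks run offline against the constructed sample outputs at the bottom; <code class="code">live_precheck</code> wires the same checks to the real <code class="code">host</code>, <code class="code">hostname -f</code>, <code class="code">klist -k</code> and <code class="code">getent</code> commands. Function and variable names are my own.

```shell
# Added example, not from the Cockpit guide: offline checks of the server-side
# SSO requirements. The SAMPLE_* values are constructed to mirror the guide's
# example command outputs; live_precheck runs the real commands instead.

# Service principal Cockpit needs, by domain type (the guide's table).
expected_principal() {
    # $1 = domain type (ad | ipa | mit), $2 = server FQDN, $3 = realm
    case "$1" in
        ad)      printf 'HOST/%s@%s\n' "$2" "$3" ;;
        ipa|mit) printf 'HTTP/%s@%s\n' "$2" "$3" ;;
        *)       echo "unknown domain type: $1" >&2; return 1 ;;
    esac
}

# Succeed if `host -t SRV _kerberos._udp.<domain>` output names a KDC.
srv_resolves() {   # $1 = host output, $2 = domain
    printf '%s\n' "$1" | awk -v n="_kerberos._udp.$2" \
        '$1 == n && $3 == "SRV" && $4 == "record" { ok = 1 } END { exit !ok }'
}

# Succeed if the server name is fully qualified and ends with the domain.
fqdn_in_domain() {   # $1 = hostname, $2 = domain
    case "$1" in *."$2") return 0 ;; *) return 1 ;; esac
}

# Succeed if the `klist -k` listing contains the principal (any KVNO).
keytab_has_principal() {   # $1 = klist -k output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { ok = 1 } END { exit !ok }'
}

# Succeed if `getent passwd <user>` output resolves the domain user.
user_resolves() {   # $1 = getent output, $2 = user@domain
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { ok = 1 } END { exit !ok }'
}

live_precheck() {   # $1 = domain type, $2 = domain, $3 = realm, $4 = a domain user
    fqdn="$(hostname -f)"
    srv_resolves "$(host -t SRV "_kerberos._udp.$2")" "$2" || { echo "no KDC SRV record for $2" >&2; return 1; }
    fqdn_in_domain "$fqdn" "$2" || { echo "$fqdn is not inside $2" >&2; return 1; }
    keytab_has_principal "$(sudo klist -k)" "$(expected_principal "$1" "$fqdn" "$3")" || { echo "service principal for $fqdn missing from the keytab" >&2; return 1; }
    user_resolves "$(getent passwd "$4")" "$4" || { echo "$4 does not resolve to a unix account" >&2; return 1; }
}

# Constructed sample outputs, mirroring the guide's examples.
SAMPLE_SRV='_kerberos._udp.example.com has SRV record 0 100 88 dc.example.com'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 HOST/server.example.com@EXAMPLE.COM'
SAMPLE_PASSWD='user@example.com:*:381001109:381000513:User Name:/home/user:/bin/sh'
```

Run <code class="code">live_precheck ad example.com EXAMPLE.COM user@example.com</code> on the Cockpit host; the first failing requirement is reported on stderr.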
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="sso-client"></a>Client Requirements</h2></div></div></div>
<p>The client side, where your web browser is running, should have a valid Kerberos
      ticket in the current user session. A command like this will get one:</p>
<pre class="programlisting">
$ kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM:
</pre>
<p>In addition, your browser must usually be configured to allow Kerberos
      authentication for the domain.</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term">Mozilla Firefox</span></p></td>
<td><p>Go to <code class="code">about:config</code> and set the
          <code class="code">network.negotiate-auth.trusted-uris</code> setting to your domain name
          preceded by a dot, i.e. <code class="code">.example.com</code></p></td>
</tr>
<tr>
<td><p><span class="term">Google Chrome</span></p></td>
<td>
<p>
          On Linux: create the file
          <code class="code">/etc/opt/chrome/policies/managed/example-com.json</code>
          with the contents:
</p>
<pre class="programlisting">
{
  "AuthServerWhitelist": "*example.com"
}
</pre>
<p>
          and restart the browser. On other platforms, exit your browser
          completely, and start it with a command line like this:
          <code class="code">google-chrome --auth-server-whitelist=*example.com</code>
          </p>
</td>
</tr>
</tbody>
</table></div>
<p>Use a fully qualified server name (with the domain name at the end) to access
      Cockpit in your web browser.</p>
<p>If you wish to connect from one server to another in Cockpit using Kerberos SSO,
      then several things have to be enabled explicitly. For starters, make sure that
      delegated credentials are allowed by your domain (see above). Next, when requesting your
      Kerberos ticket, make sure that forwardable tickets are requested:</p>
<pre class="programlisting">
$ kinit -f user@EXAMPLE.COM
Password for user@EXAMPLE.COM:
</pre>
<p>Make sure that the forwardable flag <code class="code">F</code> is present in your ticket:</p>
<pre class="programlisting">
$ klist -f
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
18.03.2017 05:39:23  19.03.2017 05:39:20  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA
</pre>
<p>Lastly, configure your browser to allow delegated, forwardable Kerberos
      credentials to be sent to Cockpit:</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term">Mozilla Firefox</span></p></td>
<td><p>Go to <code class="code">about:config</code> and set the
          <code class="code">network.negotiate-auth.delegation-uris</code> setting to your domain name
          preceded by a dot, i.e. <code class="code">.example.com</code></p></td>
</tr>
<tr>
<td><p><span class="term">Google Chrome</span></p></td>
<td>
<p>
          On Linux: create the file
          <code class="code">/etc/opt/chrome/policies/managed/example-com.json</code>
          with the contents:
</p>
<pre class="programlisting">
{
  "AuthServerWhitelist": "*example.com",
  "AuthNegotiateDelegateWhitelist": "*example.com"
}
</pre>
<p>
          and restart the browser. On other platforms, exit your browser
          completely, and start it with a command line like this:
          <code class="code">google-chrome --auth-server-whitelist=*example.com --auth-negotiate-delegate-whitelist=*example.com</code>
          </p>
</td>
</tr>
</tbody>
</table></div>
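As an added example (not part of the Cockpit guide), the following POSIX shell script is a client-side preflight for the cross-host SSO steps above: it checks that the cached ticket-granting ticket carries the <code class="code">F</code> flag the guide asks for, and emits the Chrome policy file from the guide for a given host pattern. The <code class="code">klist -f</code> outputs are constructed to mirror the guide's listing, and the function names are my own.

```shell
# Added example, not from the Cockpit guide: client preflight for delegated
# (forwardable) Kerberos SSO. SAMPLE_KLIST is constructed from the guide's
# klist -f listing; preflight runs the real klist instead.

# Succeed if the krbtgt entry in `klist -f` output carries the F (forwardable) flag.
tgt_is_forwardable() {   # $1 = klist -f output, $2 = realm (uppercase)
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '
        $NF == tgt { after_tgt = 1; next }   # the TGT line; its Flags: line follows
        after_tgt  { after_tgt = 0
                     if (/Flags:/) { sub(/.*Flags: */, ""); fwd = (index($0, "F") > 0); exit } }
        END        { exit !fwd }             # exit 0 only when the F flag was seen
    '
}

# Print the Chrome managed policy from the guide for one host pattern.
# The delegate allowlist hands the forwardable TGT to every host it matches,
# so keep the pattern as narrow as the deployment allows.
chrome_sso_policy() {   # $1 = host pattern, e.g. *example.com
    printf '{\n  "AuthServerWhitelist": "%s",\n  "AuthNegotiateDelegateWhitelist": "%s"\n}\n' "$1" "$1"
}

# Live check against the current ticket cache; $1 = realm.
preflight() {
    if tgt_is_forwardable "$(klist -f)" "$1"; then
        echo "TGT for $1 is forwardable"
    else
        echo "TGT for $1 is not forwardable; obtain one with: kinit -f user@$1" >&2
        return 1
    fi
}

# Constructed sample output, same shape as the guide's klist -f listing.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
18.03.2017 05:39:23  19.03.2017 05:39:20  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA'
# The same listing for a ticket obtained without -f (no F flag).
SAMPLE_KLIST_NOFWD="$(printf '%s\n' "$SAMPLE_KLIST" | sed 's/Flags: FIA/Flags: IA/')"
```

<code class="code">chrome_sso_policy '*example.com' | sudo tee /etc/opt/chrome/policies/managed/example-com.json</code> writes the policy file named in the table above.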
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>