= Talk summary =

Cockpit is primarily known as a graphical, browser-based, reactive, and non-intrusive interface for configuring and troubleshooting your servers. But it also makes those servers accessible from a lot more places, such as computers running Windows or mobile devices. You can log into Cockpit using classic passwords, single sign-on in an Identity Management domain, seamlessly from Foreman/Satellite, through SSH keys, or even with a local smart card. This talk explains how all these standard Linux authentication schemes are carried through a web browser while keeping them trustworthy. It also briefly shows how you can write your own authentication plugin tailored to your environment.

= Outline =

- Introduction
  + Cockpit as a graphical UI to interact with your server, complementing ssh
  + Configure LVM or RAID once a year? Simpler and safer to do it like this (Storage page demo) than like this (shell commands) → add PV, resize partition
  + Makes the server accessible from a lot more places
  + Integrates into authentication setups beyond a simple user/password login page
- Devices demo
  + Win10 VM, Edge browser (./vm-run windows-10, [[https://10.0.2.2:9090]], preload that)
  + Firefox mobile emulation ([[http://localhost:9090/storage]])
  + So far zero configuration except for enabling cockpit.socket
- Anatomy of a Cockpit session
  + ws-session.drawio
  + ws: HTTP+WebSocket on TCP ←→ cockpit JSON protocol (auth and session) on a pipe; asks for/collects credentials (password, OAuth token, Kerberos negotiation, client certificate); runs unprivileged
  + session/auth: uses the credentials from ws to start a login session and connects the pipe to it; the standard is cockpit-session (suid root helper) that runs PAM (password, Kerberos), but it doesn't have to be: ssh or custom plugins
  + cockpit-bridge: session leader, plays the role of bash; JSON protocol on stdio ←→ system APIs (exec programs, call D-Bus, use files or sockets); runs as the target user
- Alternative session launcher: ssh
  + ws and session do not need to run on the same machine
  + ssh-session.drawio
  + ssh key login with dashboard to an older RHEL machine
  + bastion-host.drawio
  + bastion host (no ws on critical machines, and no need to trust cockpit-session there, even on localhost); config option to allow only this mode; can be run from a container
- Alternative authentication: smart card
  + most interesting mechanism as it's rather browser specific; moral equivalent of ssh with a key
  + demo
  + cert-auth.png
- Other auth setups:
  + SSO with Identity Management
  + OAuth (for Kubernetes/OpenShift integration)
- Custom auth plugin
  + TODO

= Unsorted =

- foreman demo (custom auth plugin) https://www.youtube.com/watch?v=Ua3b79UG9JM 5:35 ~ 10s
- [ManageIQ](https://github.com/ManageIQ/manageiq/blob/master/lib/miq_cockpit.rb)

= Links =

* [authentication protocol](https://github.com/cockpit-project/cockpit/blob/master/doc/authentication.md)
* [Authentication configuration](https://cockpit-project.org/guide/latest/authentication.html)
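= Added example: the ws ↔ session exchange on the pipe =

The "Anatomy of a Cockpit session" section above says ws hands the collected credentials to a session program over a pipe speaking the cockpit JSON protocol. The following is an added, self-contained Python illustration of that exchange (it is not cockpit's own code and not the project's API): it implements the length-prefixed frame layout ("<byte length>\n<channel>\n<json>", control messages on the empty channel), then plays both sides of an authorize round trip with a constructed user table standing in for PAM. The "*" challenge, the "Basic <base64>" response form and the "authentication-failed" problem code follow the published authentication docs as I read them; treat them as assumptions made for this example, and USERS is constructed test data.

```python
import base64
import hmac
import json

# Constructed stand-in for PAM: never keep plaintext passwords like this in real code.
USERS = {"admin": "hunter2"}


def encode_frame(channel: str, message: dict) -> bytes:
    """Frame one message as "<length>\\n<channel>\\n<json>".

    Control messages (init, authorize, open, close, ...) travel on the empty
    channel, so their payload starts with a bare newline.
    """
    payload = (channel + "\n" + json.dumps(message, separators=(",", ":"))).encode()
    return str(len(payload)).encode() + b"\n" + payload


def decode_frames(buf: bytes):
    """Parse every complete frame in buf; return ([(channel, message), ...], tail).

    The tail matters on a real pipe: a read() may end in the middle of a frame,
    so the caller keeps the tail and prepends it to the next read.
    """
    frames = []
    while True:
        nl = buf.find(b"\n")
        if nl < 0:
            break
        length = int(buf[:nl])            # ASCII decimal byte count of the payload
        start = nl + 1
        if len(buf) < start + length:
            break                         # incomplete frame: wait for more bytes
        payload, buf = buf[start:start + length], buf[start + length:]
        channel, _, body = payload.partition(b"\n")
        frames.append((channel.decode(), json.loads(body)))
    return frames, buf


def session_start(cookie: str) -> bytes:
    """Session side: ask ws for the credentials the user supplied.

    Assumption for this example: a "*" challenge requests the raw credentials.
    """
    return encode_frame("", {"command": "authorize", "cookie": cookie, "challenge": "*"})


def ws_reply(inbound: bytes, user: str, password: str, expected_cookie: str) -> bytes:
    """ws side: answer an authorize challenge whose cookie matches; ignore anything else.

    Assumption for this example: the response carries an HTTP-style "Basic" token.
    """
    frames, _tail = decode_frames(inbound)
    out = b""
    for channel, msg in frames:
        if channel == "" and msg.get("command") == "authorize" and msg.get("cookie") == expected_cookie:
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            out += encode_frame("", {"command": "authorize", "cookie": msg["cookie"], "response": "Basic " + token})
    return out


def session_finish(reply: bytes, cookie: str, users: dict) -> dict:
    """Session side: validate the response and emit the init message.

    Success is init with a protocol version; failure is init with a problem
    code (assumption: "authentication-failed", as the docs describe it).
    """
    frames, _tail = decode_frames(reply)
    for channel, msg in frames:
        if channel or msg.get("command") != "authorize" or msg.get("cookie") != cookie:
            continue
        scheme, _, token = msg.get("response", "").partition(" ")
        if scheme != "Basic":
            break
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:                # bad base64 or non-UTF-8 bytes
            break
        expected = users.get(user)
        # Constant-time compare so a wrong password and a right one cost the same.
        if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
            return {"command": "init", "version": 1}
    return {"command": "init", "problem": "authentication-failed"}


def run_login(user: str, password: str, users: dict = USERS, cookie: str = "session-1") -> dict:
    """Drive the whole round trip in-process and return the session's init message."""
    challenge = session_start(cookie)
    reply = ws_reply(challenge, user, password, cookie)
    return session_finish(reply, cookie, users)


if __name__ == "__main__":
    print(run_login("admin", "hunter2"))   # init with a version: session starts
    print(run_login("admin", "wrong"))     # init with a problem: ws shows the login error
```

The cookie check on both sides is what keeps an authorize response from being replayed against a different challenge, and the leftover-tail handling in decode_frames is the part people usually get wrong when they write their own session launcher: a pipe read is not a message boundary.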