+# Embedding into existing session
+
+![local-session-unsafe](local-session-unsafe.pdf){height=60%}\
+
+\footnotesize \verb!cockpit-ws -p 9999 --no-tls --local-session=/usr/bin/cockpit-bridge!
+
+`firefox http://localhost:9999`
+
+:::notes
+- what I do want to show: opposite direction; "replace cockpit-session" can
+ also mean "by nothing"
+- due to common JSON protocol, we can connect ws directly to a cockpit-bridge
+- take a step back: if I want to admin this very machine, it's in a running
+ Linux session, it knows who I am
+- put the whole auth structure inside out and instead run cockpit-ws as my user
+ inside my session
+- open --local-session in shell
+- open localhost:9999 in firefox
+- alarm bells: exposes my session to a TCP port without any auth
+:::
+
+
+# Embedding into existing session: once more with safety!
+
+![local-session-unsafe](local-session.pdf){height=60%}\
+
+\footnotesize \verb! !
+
+`/usr/libexec/cockpit-desktop [page]`
+
+:::notes
+- need to hide that port; put browser and cockpit-ws into network namespace,
+ then they live in a completely isolated world
+- do some work to hide browser chrome, use webkit if available
+- cockpit-desktop /
+- wants to run priv bridge, can accept or decline
+- decline, R/O view
+- can show an individual iframe, "page"
+- suddenly you end up with a halfway decent desktop app
+- just the storage page, replacement for gnome-disks
+- cockpit-desktop podman
+- cockpit-desktop is small shell script, feel free to inspect and bend to your will
+:::
+
+# Conclusion
+
+- Authentication is very flexible
+- Works with zero configuration
+- Can be arbitrarily embedded and customized
+
+:::notes
+- Cockpit provides a set of standard auth protocols that are being used in
+ today's modern deployments
+- Once you know about the structure, you can combine ssh, web servers, reverse
+ proxies, and custom auth helpers to embed Cockpit anywhere you want
+:::