Can't log in to server using SSH keys #20218
Login: We can't log in to Cockpit using SSH keys. Basic password authentication is disabled across all resources and users are configured with public keys and random strings for passwords that are not known by anyone and not saved anywhere. Users with admin privileges are able to sudo to accomplish tasks. Cockpit requires a login/password combination. This does not exist in our configuration. Users log in with keys via ssh and enter their key username and key password on terminal login. When I set up an SSH tunnel to a Cockpit server I see the same Cockpit login screen, but my key password is rejected. Is there a way to fix this? Or to configure Cockpit to somehow allow login when there is no known password and server password authentication is disabled? Turning it on is not an option.
Replies: 3 comments 9 replies
At least in the default configuration, the very first cockpit login has to happen via some auth mechanism that browsers understand: user/password, certificate/smartcard, or Kerberos. Browsers don't speak SSH, so it's not generally possible to directly do what you want. What you can do in your case is to set up a "bastion host" -- some unprivileged VM or container with user/password which gives you an initial Cockpit session from where you connect to "real" machines via SSH, see https://cockpit-project.org/guide/latest/authentication.html#secondary-auth. The cockpit/ws container can also be configured to receive a specific ssh private key and then use the login page password to decrypt it -- but of course that doesn't work for multiple users.
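The bastion design above only makes sense if the "real" machines really are keys-only, which is the premise of the question. The following is an added example (not part of this thread, not Cockpit code) that audits an sshd_config for that: it applies sshd's documented "first obtained value wins" rule and lets Match blocks override the global section, so a stray later `PasswordAuthentication yes` or a per-user Match exception is caught. The sample config is constructed; only `User` and `all` Match criteria are modelled (an assumption made to keep the audit small).

```python
import re

# Constructed sample sshd_config for the audit; not taken from the thread.
SAMPLE_SSHD_CONFIG = """\
# global section
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# ignored by sshd: the first obtained value of a keyword wins
PasswordAuthentication yes

Match User backup
    PasswordAuthentication yes
"""

# sshd defaults that apply when a keyword is absent.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Split an sshd_config into the global section and its Match blocks.

    Returns (global_settings, match_blocks). global_settings maps a
    lower-cased keyword to the first value seen in the global section;
    match_blocks is a list of (criteria, settings) in file order, where
    settings again keeps only the first value seen inside that block.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first obtained value wins
    return global_settings, match_blocks


def _criteria_match(criteria, user):
    """True if a Match line's criteria apply to a connection by `user`."""
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    for i in range(0, len(tokens) - 1, 2):
        crit, pattern = tokens[i].lower(), tokens[i + 1]
        if crit == "user" and user is not None and user in pattern.split(","):
            return True
    return False


def effective_setting(text, keyword, user=None):
    """Effective value of `keyword` for a connection by `user`.

    A Match block overrides the global section for connections it matches;
    when several blocks match, the first in file order wins.
    """
    keyword = keyword.lower()
    global_settings, match_blocks = parse_sshd_config(text)
    for criteria, settings in match_blocks:
        if _criteria_match(criteria, user) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword, SSHD_DEFAULTS.get(keyword))


def keys_only(text, user=None):
    """True if the effective config accepts public keys and refuses passwords."""
    pubkey = effective_setting(text, "PubkeyAuthentication", user)
    password = effective_setting(text, "PasswordAuthentication", user)
    kbd = effective_setting(text, "KbdInteractiveAuthentication", user)
    return pubkey == "yes" and password == "no" and kbd == "no"


if __name__ == "__main__":
    for who in (None, "backup"):
        print(who or "<global>", "keys-only:", keys_only(SAMPLE_SSHD_CONFIG, who))
```

Run it against a real file by reading `/etc/sshd/sshd_config` into `keys_only()`; the per-user check is the one worth scripting, because a Match exception is exactly what a global grep for `PasswordAuthentication no` misses.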
I use a Fedora instance on Lima (which runs on a Mac) to access Cockpit on a server over SSH.
I was thinking about logging in via webauthn/fido2, which is something that the browser as well as ssh should understand. To use a I think the signature type That being said, this would enable the use of secure hardware tokens and potentially even passkeys for web login and for remote SSH connections in cockpit, which would be pretty neat usability-wise and far better from a security perspective than passwords. Webauthn signatures have very little adoption on the net so far, though. The only useful references I saw are: