Cockpit for Linux
Cockpit is a remote host management system for Linux hosts, allowing management through a web portal hosted locally on the Linux host via a lightweight web server. As such, and like all remote management systems, enabling Cockpit carries inherent risks, since this technology allows anyone with knowledge of system access to issue any command to the host. Cockpit is capable of managing system services, viewing all running processes, running commands (even as root), and more.
Installing Cockpit
dnf install -y cockpit
systemctl enable --now cockpit.socket
firewall-cmd --add-service=cockpit --permanent
firewall-cmd --reload

apt install -y cockpit
systemctl enable --now cockpit
ufw allow 9090
ufw allow 80

Alpine does not have direct support for Cockpit. They suggest Alpine Configuration Framework (ACF).

pacman -Syu cockpit

Modify Cockpit to Defeat Automatic User Session Login
Cockpit supports passing your local user session login details to the remote host, through the web browser session. This can be helpful if your local host and the remote host are both joined to the same domain, and you are logged in to your local host with your domain credentials. In this situation your domain user session details (Kerberos ticket) will be passed through the web browser to the remote host and you’ll be logged in to the remote host under your domain user account, automatically.
However, this automatic login behavior can be problematic if your local user account does not have administrative permission on the remote host, yet your intent is to log in to the remote host as the administrator. The workaround is to log off of Cockpit after the automatic login so that you can log in under your admin account, which is rather frustrating.
Unfortunately Cockpit does not provide configuration options for this behavior, so to modify Cockpit’s automatic login we must change Cockpit’s source HTML.
The auto login feature (and other advanced features of the login page) are coded as JavaScript functions at the top of the HTML file. There are some good comments in this section, so I eventually found the function responsible for the auto login: function I. Unfortunately, deleting or commenting out I breaks the login page pretty badly. I found that it really must be left in place, but that I could achieve the desired effect by altering the call for function I (happens in the code block just before the function I definition). function q seems to be related to login functions, and based on my trial-and-error experience, it is the magic function to replace I with.
Altering Cockpit HTML
Edit the login HTML page file with:
vi /usr/share/cockpit/static/login.min.html
Search for function I, as your reference point, by typing /function I and then pressing [enter]. Use n to find the next instance of the search term (p would find the previous). In the code block just before function I (commented with /*Try automatic/kerberos authentication*/) you’ll see the following original lines; replace them with the new lines as indicated:
| Original | New |
|---|---|
| } else if (o) { | } else if (o) { |
| q(i); | q(i); |
| } else { | } else { |
| I(); | q(i);//I(); |
| } | } |
So now, in either case, q runs and I never will, which means the login page will never try to log in automatically using the local session Kerberos ticket. Finally, we need to restart the Cockpit service:
systemctl restart cockpit
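
As an added example (not from the original article and not part of Cockpit), the script below applies the same one-line change with a backup and reports whether it is in place, which is useful for re-checking after a package update that replaces the file. It assumes the block has the one-statement-per-line layout shown in the table; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cockpit's own tooling): check and apply the login page edit.
# Assumption: the block has one statement per line, as in the table above.
MARKER='Try automatic/kerberos authentication'

# Print "patched", "original" or "unknown" for the login page given as $1.
autologin_state() {
    awk -v marker="$MARKER" '
        index($0, marker)                       { seen = 1 }  # block the article edits
        seen && /function I\(/                  { exit }      # reached the definition of I
        seen && /q\(i\);[ \t]*\/\/[ \t]*I\(\);/ { state = "patched"; exit }
        seen && /^[ \t]*I\(\);/                 { state = "original"; exit }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# Replace the bare I(); call in that block with q(i);//I(); and keep a backup.
patch_autologin() {
    case "$(autologin_state "$1")" in
        patched)  return 0 ;;                     # nothing to do
        original) ;;
        *) echo "unexpected layout in $1, not modified" >&2; return 2 ;;
    esac
    cp -p "$1" "$1.orig" || return 1
    awk -v marker="$MARKER" '
        index($0, marker) { seen = 1 }
        seen && !changed && /^[ \t]*I\(\);/ { sub(/I\(\);/, "q(i);//I();"); changed = 1 }
        { print }
    ' "$1.orig" > "$1"
}

# Constructed fragment with the layout from the table; not the real login page.
write_sample() {
    cat > "$1" <<'EOF'
/*Try automatic/kerberos authentication*/
if (n) {
    r();
} else if (o) {
    q(i);
} else {
    I();
}
function I() { /* automatic login */ }
EOF
}
```

Run patch_autologin /usr/share/cockpit/static/login.min.html as root, then restart Cockpit as shown above. If autologin_state later prints "original", the shipped file has been restored and the edit needs to be applied again.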