cockpit allows root log in using his password even when sshd is configured to not permit root login

Created on 9 Feb 2015  路  4Comments  路  Source: cockpit-project/cockpit

It means that when admin disallow user root login via sshd, it's still possible via cockpit where as far as I know is terminal emulator which makes it effectivelly same as login via ssh.

So it would be great if cockpit could somehow share PermitRootLogin configuration with sshd.

The global configuration of sshd could be dumped using '/usr/sbin/sshd -T'. However, sshd_conf support Match blocks and options like PermitRootLogin can set to different values for different Match option. A configuration for particular host, port, user or so could be dumped using '/usr/sbin/sshd -T -C "user=root" -C "host=localhost" ...'

Steff's suggestion is to use a pam module called like pam_check_sshd_config which would use above commands to check if root login is permitted or not.

Likewise, Cockpit could respect other sshd authentication settings as AllowUsers, PasswordAuthentication and others

enhancement

Most helpful comment

Workaround: In /etc/pam.d/cockpit have this as the first line:

auth requisite pam_succeed_if.so uid >= 1000

All 4 comments

Hmmm, I wonder if we should have a big 'respect ssh login settings' knob to control this. In many distros it would be on by default. I wonder where such a knob would live. Needs a bit more thought.

Are you interested in helping implement such a PAM module? It could be incubated in our sources. We already have raw C code and PAM module in src/reauthorize.

Workaround: In /etc/pam.d/cockpit have this as the first line:

auth requisite pam_succeed_if.so uid >= 1000

You can of course disallow root logins in /etc/pam.d/cockpit, just as one can disallow it for ssh, gdm, or VTs. It seems wrong to me to somehow "look at" ssh's PAM config, as it's a separate thing and may not even apply to cockpit.

The other option is to always use ssh to log into localhost as well, like the bastion host mode does, i. e. start cockpit-ws with --local-ssh (but that's not something we test or document). It's probably best to conceptually treat cockpit as parallel to gdm, ssh, or VT logins (which it really is).

The knob should be added to /users#/root. It would be nice, if the toggle could be added to every user - you can disable users other than root from logging in to cockpit.
Screenshot from 2020-02-05 19-36-57
I struggled on the wording, it could be phrased better.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

vazquezrodjoel picture vazquezrodjoel  路  8Comments

mehdiMj-ir picture mehdiMj-ir  路  5Comments

cedroid09 picture cedroid09  路  5Comments

daniel-wtd picture daniel-wtd  路  8Comments

gorgitko picture gorgitko  路  6Comments