Hacker News new | ask | show | jobs
by k_bx 284 days ago
While I am using cockpit every time I need to remotely manage the machines, I couldn't get it to log me in via something other than user's login/password, which are not that safe, and it listens to 0.0.0.0 by default too.

So I have to ssh into machine, start cockpit service, use it, and then stop the cockpit.socket once I finish.

Would be great to have something which has its own users/passwords (to have strong password in bitwarden) and doesn't listen to 0.0.0.0 by default. If it's also lightweight – even better!
3 comments
sergsoares 284 days ago
You can use a localhost Cockpit with SSH Port Forwarding.

> Configure Cockpit to listen only loopback/127.0.0.1[1]:

[Socket]

ListenStream= #This remove 0.0.0.0:9090 bind based on the docs

ListenStream=127.0.0.1:9090

> Execute in your machine a port forward with SSH[2]:

ssh -N -L 9090:127.0.0.1:9090 host@ip

> Then you can open localhost:9090 in your browser securely only using SSH (that is already part of your actual workflow).

[1]: https://cockpit-project.org/guide/latest/listen

[2]: https://coder.com/docs/code-server/guide#port-forwarding-via...

link
k_bx 283 days ago
Yes but if there's going to be something lightweight and correct-by-default I'd prefer that, mostly because I have many machines to manage and a team of people to educate. I'd like default to be good instead of wasting time and risking.
link
skydhash 284 days ago
If you’re using libvirt, you can do a remote connection through ssh with virsh or Virtual Manager desktop app.
link
0x073 284 days ago
I thought cockpit use pam, so you can use other pam modules to log in.
link
k_bx 284 days ago
Can you explain a bit more? The user passwords are inherently not strong enough so I disable all ssh via password and only use private keys (id_ed25519). If cockpit allowed me to use one I'd be ok, but if they don't – I at least want some scary auto-generated password only for cockpit, not the system user's one (which is often very weak).
link
natebc 284 days ago
so bind cockpit to 127.0.0.1 and use ssh port forwarding?

You could also have a more strict password policy but I don't know that I'd ever want to expose something like cockpit to the raw Internet.

link
k_bx 283 days ago
Yes but if there's going to be something lightweight and correct-by-default I'd prefer that, mostly because I have many machines to manage and a team of people to educate. I'd like default to be good instead of wasting time and risking.
link