Cockpit prompts for kerberos authentication #13202
Comments
After the prompt is cancelled, you can log in normally. If you keep a tab open on cockpit and open a new tab there is no issue.
I verify this happens on fully new sessions only and on most (all?) modern browsers.
I believe this to be GSSAPI authentication which is supposed to be disablable but appears not to be at the moment. See #13036. If the cockpit URL isn't whitelisted in the browser's preferences (for Firefox) or "Internet options" for Edge and Chrome in Windows, the GSSAPI protocol will prompt for a password because it will only use kerberos (with no login) if the website is first whitelisted. Since I am experiencing this too at the moment I actually believe that gssapi authentication should be opt in (instead of opt out). I don't like it at all because two factor is getting bypassed among other concerns.
I'm having the same problem. Ubuntu 18.04.4 LTS Server is joined to AD domain using realmd and sssd. As soon as I try to access the login page it prompts me for a basic auth username/password. If I dismiss this dialog and then enter my credentials in the web form it works fine.
I see this as a security issue. I don't understand why it doesn't get immediate attention.
I agree this needs to be corrected, this issue has been open for 5 months.
@atodorov, @chris1984, @dperpeet, @evan-goode, @Gundersanne, @jniederm, @martinpitt, @marusak, @mvollmer, @QiWang19, @sgallagher This original bug is 5 years old today! One day a security solution?
@Neustradamus I am not that familiar with the code base, more in the org for testing. If someone submits a patch I am happy to review/test and ack/nack it.
Wondering if this is the case for all the reporters here. Can some of the reporters here please check if white-listing cockpit helps?
I can confirm that for me using the following config I am no longer getting the basic auth prompt when I was previously.
This is the part that I added:
Works for me too. I don't understand why it's not in any documentation and it took months to get the answer.
Working here in my cockpit setup.
Thanks @kellcomnet2 and @H20-17! Yes, let's add that to the documentation, and write some tests that confirm that this works.
Ah, so it has never actually been about basic auth, but Kerberos auth. This sounds exactly the same as issue #13036 now, isn't it?
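The check the thread converges on (does the login URL still answer with a Negotiate or Basic challenge after the cockpit.conf change?) can be scripted. This is an added example, not code from the thread or the Cockpit project; the login URL is a placeholder, and the "browser prompt likely" rule is the heuristic that a 401 carrying a challenge scheme the browser handles itself (Negotiate, Basic, NTLM, Digest) is what produces the native credential dialog reported above.

```python
"""Added example: report which WWW-Authenticate challenges a login URL sends.

Run it before and after changing cockpit.conf: if the 401 no longer carries
Negotiate (Kerberos/GSSAPI) or Basic, the browser has nothing to prompt for.
"""
import re
import sys
import urllib.error
import urllib.request

# Schemes that browsers answer with their own credential dialog.
NATIVE_PROMPT_SCHEMES = {"negotiate", "basic", "ntlm", "digest"}

# Split a header value on commas that are not inside double quotes, so
# 'Basic realm="a, b", charset="UTF-8"' stays one challenge.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_challenges(header_values):
    """Return the lower-cased auth schemes found in WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        for piece in _COMMA_OUTSIDE_QUOTES.split(value):
            words = piece.strip().split(None, 1)
            # A scheme is a bare token; 'realm="x"' style pieces are parameters.
            if words and "=" not in words[0]:
                schemes.append(words[0].lower())
    return schemes


def assess(status, header_values):
    """Summarise a response: schemes offered and whether a native prompt is likely."""
    schemes = parse_challenges(header_values)
    likely = status == 401 and any(s in NATIVE_PROMPT_SCHEMES for s in schemes)
    return {"status": status, "schemes": schemes, "browser_prompt_likely": likely}


def fetch_status_and_challenges(url, timeout=10):
    """GET the URL and return (status, list of WWW-Authenticate header values)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:  # 401 arrives here, headers intact
        return err.code, err.headers.get_all("WWW-Authenticate") or []


if __name__ == "__main__":
    # Placeholder URL; pass the real Cockpit login URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://cockpit.example.invalid:9090/"
    print(assess(*fetch_status_and_challenges(target)))
```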
authentication.md was wrong about what exactly the authentication schema is for Kerberos/GSSAPI. Show the precise identifiers in cockpit.conf, and give an explicit example how to disable kerberos. Fix the same error in the certificate authentication docs. Add a link to the primary server authentication docs to make this easier to find. Add a test case to make sure that this actually works. Thanks to @H20-17 for discovering this! Fixes cockpit-project#13036 Fixes cockpit-project#13202
I sent a PR that updates documentation and adds a test case in #13982.
authentication.md was wrong about what exactly the authentication schema is for Kerberos/GSSAPI. Show the precise identifiers in cockpit.conf, and give an explicit example how to disable kerberos. Fix the same error in the certificate authentication docs. Add a link to the primary server authentication docs to make this easier to find. Add a test case to make sure that this actually works. Thanks to @H20-17 for discovering this! Fixes #13036 Fixes #13202 Closes #13982
To all, thanks, there is now a fix in #13982 for:
Cockpit version: 202.1
OS: Ubuntu 19.10
Page: login
When opening up the cockpit homepage (SSL, custom Let's Encrypt certificate) I get a basic authentication prompt, that can be dismissed with no credentials and it works properly.
It only happens on the login page, no other page at all.
Installed from the Ubuntu repository on 19.04, then upgraded to 19.10, but it happened before.
Steps to reproduce
Though it's behind HAProxy, it happens directly on the server as well as through HAProxy.