
Cockpit prompts for kerberos authentication #13202

Closed
sebabordon opened this issue Nov 27, 2019 · 17 comments · Fixed by #13982

sebabordon commented Nov 27, 2019

Cockpit version: 202.1
OS: Ubuntu 19.10
Page: login

When opening up cockpit homepage (ssl, custom letsencrypt certificate) I get a basic authentication prompt, that can be dismissed with no credentials and it works properly.
It only happens on the login page, no other page at all.
Installed from ubuntu repository on 19.04, then upgraded to 19.10, but it happened before


-- Logs begin at Mon 2019-04-08 08:35:54 -03, end at Wed 2019-11-27 19:07:09 -03. --
Nov 27 18:57:09 gw systemd[1740]: Listening on debconf communication socket.
Nov 27 18:57:09 gw systemd[1740]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Nov 27 18:57:09 gw systemd[1740]: Listening on REST API socket for snapd user session agent.
Nov 27 18:57:09 gw systemd[1740]: Listening on GnuPG network certificate management daemon.
Nov 27 18:57:09 gw systemd[1740]: Listening on GnuPG cryptographic agent and passphrase cache.
Nov 27 18:57:09 gw systemd[1740]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Nov 27 18:57:09 gw systemd[1740]: Reached target Timers.
Nov 27 18:57:09 gw systemd[1740]: Reached target Paths.
Nov 27 18:57:09 gw systemd[1740]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Nov 27 18:57:09 gw systemd[1740]: Starting D-Bus User Message Bus Socket.
Nov 27 18:57:09 gw systemd[1740]: Listening on D-Bus User Message Bus Socket.
Nov 27 18:57:09 gw systemd[1740]: Reached target Sockets.
Nov 27 18:57:09 gw systemd[1740]: Reached target Basic System.
Nov 27 18:57:09 gw systemd[1]: Started User Manager for UID 10000.
Nov 27 18:57:09 gw systemd[1]: Started Session 1 of user seba.
Nov 27 18:57:09 gw systemd[1740]: Reached target Main User Target.
Nov 27 18:57:09 gw systemd[1740]: Startup finished in 82ms.
Nov 27 18:57:23 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:10 gw haproxy[1472]: [WARNING] 330/185810 (1496) : Backup Server filebrowser/apps1 is DOWN, reason: Layer4 timeout, check duration: 1001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in qu
Nov 27 18:58:18 gw haproxy[1472]: [WARNING] 330/185818 (1496) : Backup Server filebrowser/apps1 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Nov 27 18:58:37 gw haproxy[1472]: [WARNING] 330/185837 (1496) : Backup Server filebrowser/apps1 is DOWN, reason: Layer4 timeout, check duration: 1000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in qu
Nov 27 18:58:44 gw haproxy[1472]: [WARNING] 330/185844 (1496) : Backup Server filebrowser/apps1 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Nov 27 18:58:54 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:55 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:56 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:57 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:58 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:58:59 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:00 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:01 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:02 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:03 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:04 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:05 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:06 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:07 gw haproxy[1472]: [WARNING] 330/185907 (1496) : Backup Server filebrowser/apps1 is DOWN, reason: Layer4 timeout, check duration: 1001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in qu
Nov 27 18:59:07 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:08 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:09 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:10 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:11 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:12 gw haproxy[1472]: [WARNING] 330/185912 (1496) : Backup Server filebrowser/apps1 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Nov 27 18:59:12 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:13 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:14 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:15 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:18 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 10 TLS connection failed: Error in the pull function.
Nov 27 18:59:19 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 10 TLS connection failed: Error in the pull function.
Nov 27 18:59:20 gw cockpit-tls[1705]: cockpit-session: gssapi auth failed: An unsupported mechanism was requested (Unknown error)
Nov 27 18:59:22 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: The TLS connection was non-properly terminated.
Nov 27 18:59:22 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 7 TLS connection failed: The TLS connection was non-properly terminated.
Nov 27 18:59:24 gw haproxy[1472]: [WARNING] 330/185924 (1496) : Backup Server filebrowser/apps1 is DOWN, reason: Layer4 timeout, check duration: 1002ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in qu
Nov 27 18:59:26 gw haproxy[1472]: [WARNING] 330/185926 (1496) : Backup Server filebrowser/apps1 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 1 backup servers online. 0 sessions requeued, 0 total in queue.
Nov 27 18:59:27 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 10 TLS connection failed: Error in the pull function.
Nov 27 18:59:28 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 10 TLS connection failed: Error in the pull function.
Nov 27 18:59:32 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 8 TLS connection failed: The TLS connection was non-properly terminated.
Nov 27 18:59:32 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: The TLS connection was non-properly terminated.
Nov 27 18:59:33 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:34 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:35 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.
Nov 27 18:59:37 gw sshd[1856]: Received disconnect from 10.0.2.86 port 60318:11: disconnected by user
Nov 27 18:59:37 gw sshd[1856]: Disconnected from user sbsoft\\seba 10.0.2.86 port 60318
Nov 27 18:59:37 gw sshd[1727]: pam_unix(sshd:session): session closed for user sbsoft\seba
Nov 27 18:59:37 gw systemd[1]: session-1.scope: Succeeded.
Nov 27 18:59:37 gw systemd-logind[948]: Session 1 logged out. Waiting for processes to exit.
Nov 27 18:59:37 gw systemd-logind[948]: Removed session 1.
Nov 27 18:59:45 gw haproxy[1472]: [WARNING] 330/185945 (1496) : Backup Server filebrowser/apps1 is DOWN, reason: Layer4 timeout, check duration: 1000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in qu
Nov 27 18:59:45 gw cockpit-tls[1705]: cockpit-tls: reading from client fd 6 TLS connection failed: Error in the pull function.

Steps to reproduce

  1. open cockpit home page
  2. wait for the prompt
  3. cancel the prompt
  4. login to cockpit


Though it's behind haproxy, it happens directly on the server as well as on haproxy.

@sebabordon (Author)

After the prompt is cancelled, you can login normally. If you keep a tab open on cockpit and open a new tab there is no issue

@NULUSIOS

NULUSIOS commented Dec 9, 2019

I verify this happens on fully new sessions only and on most (all?) modern browsers.

@H20-17

H20-17 commented Dec 22, 2019

I believe this to be GSSAPI authentication which is supposed to be disablable but appears not to be at the moment. See #13036. If the cockpit URL isn't whitelisted in the browser's preferences (for Firefox) or "Internet options" for Edge and Chrome in Windows, the GSSAPI protocol will prompt for a password because it will only use Kerberos (with no login) if the website is first whitelisted. Since I am experiencing this too at the moment I actually believe that GSSAPI authentication should be opt-in (instead of opt-out). I don't like it at all because two-factor is getting bypassed, among other concerns.

@canuckbrian

I'm having the same problem.

Ubuntu 18.04.4 LTS
Cockpit 215-1

Server is joined to AD domain using realmd and sssd. As soon as I try to access the login page it prompts me for a basic auth username/password. If I dismiss this dialog and then enter my credentials in the web form it works fine.

@H20-17

H20-17 commented Apr 8, 2020

I see this as a security issue. I don't understand why it doesn't get immediate attention.

@kellcomnet2

I agree this needs to be corrected, this issue has been open for 5 months.

@Neustradamus

@atodorov, @chris1984, @dperpeet, @evan-goode, @Gundersanne, @jniederm, @martinpitt, @marusak, @mvollmer, @QiWang19, @sgallagher
@stefwalter, @jfarcher, @bortek, @jds2001
@sebabordon, @NULUSIOS, @H20-17:

This original bug is 5 years old today!

One day a security solution?

@chris1984

@Neustradamus I am not that familiar with the code base, more in the org for testing. If someone submits a patch I am happy to review/test and ack/nack it.

@marusak (Member)

marusak commented Apr 27, 2020

I believe this to be GSSAPI authentication which is supposed to be disablable but appears not to be at the moment. See #13036.

Wondering if this is the case for all the reporters here. Can some of the reporters here please check if whitelisting cockpit helps?

@kellcomnet2

I can confirm that for me using the following config I am no longer getting the basic auth prompt when I was previously.

[WebService]
Origins = https://******.us wss://******.us
ProtocolHeader = X-Forwarded-Proto

[gssapi]
action = none

[negotiate]
action = none

This is the part that I added:

[negotiate]
action = none
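A check for the setting kellcomnet2 posted above, added here as an example (it is not code from the thread or from the Cockpit project): it parses a cockpit.conf with Python's configparser, reports whether the [negotiate] section actually disables Kerberos negotiation (a [gssapi] section alone is not enough, as the thread found), adds the section when it is missing, and inspects a login-page response's WWW-Authenticate values, assuming the server advertises the "Negotiate" scheme in that header when Kerberos is still enabled. The hostnames in the sample are placeholders.

```python
import re
import configparser

# Constructed sample of /etc/cockpit/cockpit.conf, modelled on the config
# posted in this thread, but without the [negotiate] section. Origins are
# placeholders, not real hosts.
SAMPLE_CONF = """[WebService]
Origins = https://cockpit.example.invalid wss://cockpit.example.invalid
ProtocolHeader = X-Forwarded-Proto

[gssapi]
action = none
"""

def parse_cockpit_conf(text):
    """cockpit.conf uses INI syntax, so configparser can read it directly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def negotiate_disabled(text):
    """True only when '[negotiate] action = none' is present."""
    cp = parse_cockpit_conf(text)
    return cp.get("negotiate", "action", fallback="").strip().lower() == "none"

def ensure_negotiate_disabled(text):
    """Return the config with Kerberos negotiation disabled. The original
    text is kept verbatim except for the [negotiate] section itself."""
    if negotiate_disabled(text):
        return text
    if parse_cockpit_conf(text).has_section("negotiate"):
        # Section exists with another action value: rewrite just that line.
        fixed, n = re.subn(r"(\[negotiate\][^\[]*?^[ \t]*action[ \t]*=)[^\n]*",
                           r"\1 none", text, count=1, flags=re.M)
        if n == 0:  # section present but it has no action key at all
            fixed = re.sub(r"\[negotiate\][ \t]*\n", "[negotiate]\naction = none\n",
                           text, count=1)
        return fixed
    # Section missing: append it after the existing content.
    return text.rstrip("\n") + "\n\n[negotiate]\naction = none\n"

def offers_negotiate(www_authenticate_values):
    """Given the WWW-Authenticate header values from a login-page response,
    report whether the Negotiate (SPNEGO/Kerberos) scheme is still offered.
    If it is, browsers without the host whitelisted will show the prompt."""
    return any(re.match(r"\s*Negotiate\b", v, re.IGNORECASE)
               for v in www_authenticate_values)
```

After applying the change, a 401 on the login page that no longer lists Negotiate in WWW-Authenticate confirms the setting took effect.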

@H20-17

H20-17 commented Apr 27, 2020

Works for me too. I don't understand why it's not in any documentation and it took months to get the answer.

@sebabordon (Author)

Working here in my cockpit setup.
I don't know if that can be added to the documentation.

@martinpitt (Member)

Thanks @kellcomnet2 and @H20-17! Yes, let's add that to the documentation, and write some tests that confirm that this works.

@martinpitt martinpitt self-assigned this Apr 28, 2020
@martinpitt (Member)

Ah, so it has never actually been about basic auth, but Kerberos auth. This sounds exactly the same as issue #13036 now, doesn't it?

@martinpitt martinpitt changed the title Cockpit prompts for basic authentication Cockpit prompts for kerberos authentication Apr 28, 2020
martinpitt added a commit to martinpitt/cockpit that referenced this issue Apr 28, 2020
authentication.md was wrong about what exactly the authentication schema
is for Kerberos/GSSAPI. Show the precise identifiers in cockpit.conf,
and give an explicit example how to disable kerberos. Fix the same error
in the certificate authentication docs.

Add a link to the primary server authentication docs to make this easier
to find.

Add a test case to make sure that this actually works.

Thanks to @H20-17 for discovering this!

Fixes cockpit-project#13036
Fixes cockpit-project#13202
@martinpitt (Member)

I sent a PR that updates documentation and adds a test case in #13982.

marusak added a commit to marusak/cockpit that referenced this issue Apr 28, 2020
martinpitt added a commit that referenced this issue Apr 28, 2020