Cockpit uses PAM(8) to authenticate local users. The pam_access module enforces the user / group / origin restrictions written in access.conf(5), so it can be used to limit which users are allowed to log in to Cockpit.

Installing Cockpit creates `/etc/pam.d/cockpit`. Open it in a suitable editor and add a line for pam_access.so. The `accessfile=/path/to/access.conf` option is optional; if it is omitted, `/etc/security/access.conf` is used.
```
#%PAM-1.0
# this MUST be first in the "auth" stack as it sets PAM_USER
# user_unknown is definitive, so die instead of ignore to avoid subsequent modules mess up the error code
-auth      [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_ssh_add.so
account    required     pam_nologin.so
# ★ Add this line
account    required     pam_access.so accessfile=/etc/security/cockpit_access.conf
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    optional     pam_ssh_add.so
session    include      password-auth
session    include      postlogin
```
The new line must come before `account include password-auth`. If the order is reversed it silently has no effect: `include` splices the account rules of password-auth into this stack, and that file contains `sufficient` rules (for example `account sufficient pam_localuser.so`) that return success for a local user and end the stack right there, so a pam_access rule placed after the include is never evaluated.
Create the file in access.conf(5) format at the path given in `accessfile`. For example, to create a group called cockpit and allow only its members to log in:

```
-:ALL EXCEPT (cockpit):LOCAL
```

One caveat about the third field: cockpit-session hands the browser's address to PAM as the remote host (PAM_RHOST), and that is what pam_access matches the origins field against. `LOCAL` only matches an origin that contains no dot, so a browser connecting from a remote IPv4 address is not covered by the rule above. To apply the restriction regardless of where the browser connects from, use `ALL` as the third field (`-:ALL EXCEPT (cockpit):ALL`).
Each rule has the form `<permission>:<users/groups>:<origins>`.

- `<permission>` is either `+` (permit) or `-` (deny)
- `<users/groups>` is a list of user or group names; `ALL` matches every user, and `EXCEPT` excludes the users or groups listed after it
-- a name in parentheses, such as `(cockpit)`, is matched as a group; access.conf(5) recommends writing group entries this way so they are not confused with user names
-- `ALL EXCEPT (cockpit)` therefore means every user except members of the cockpit group
- `<origins>` is where the login comes from: a tty, host name, address or network, or the keywords `ALL` and `LOCAL`
Finally, try logging in to Cockpit as a user who is not in the cockpit group and confirm that the login is refused with "Permission denied"; a member of the group should still get in.
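The procedure above as a script, added here as an example and not taken from the original post or from Cockpit itself. It writes the access file, inserts the pam_access rule into a PAM file immediately before `account include password-auth` (refusing to touch a file that has no such line), and checks the ordering so the mistake described above is caught. File paths are parameters so it can be tried on a scratch copy first; the sample PAM snippet is a constructed excerpt, not the full `/etc/pam.d/cockpit`, and the access rule uses `ALL` as the origins field so it applies to browsers on any address (that choice is this example's assumption).

```shell
#!/bin/sh
# Added example (not part of the original post): set up a pam_access restriction
# for Cockpit on copies of the relevant files and verify the rule ordering.
set -eu

# Write an access.conf(5) file denying everyone except members of group $2
# (default "cockpit"). Origins field is ALL, not LOCAL, so the rule applies to
# any browser address (assumption: the restriction should not depend on origin).
write_access_conf() {
    file=$1
    group=${2:-cockpit}
    printf '%s\n' "-:ALL EXCEPT ($group):ALL" > "$file"
}

# Insert "account required pam_access.so accessfile=$2" into PAM file $1
# directly before the first "account include password-auth" line.
# Idempotent: does nothing if an account rule already references pam_access.so.
# Fails (exit 1, file untouched) if the include line is not present, because
# appending the rule anywhere else would leave it unevaluated.
insert_pam_access() {
    pamfile=$1
    accessfile=$2
    if grep -Eq '^account[[:space:]]+.*pam_access\.so' "$pamfile"; then
        return 0
    fi
    tmp=$(mktemp)
    if ! awk -v rule="account    required     pam_access.so accessfile=$accessfile" '
        !done && $1 == "account" && $2 == "include" && $3 == "password-auth" {
            print rule
            done = 1
        }
        { print }
        END { if (!done) exit 1 }
    ' "$pamfile" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$pamfile"
    rm -f "$tmp"
}

# Return 0 when the pam_access account rule precedes "account include
# password-auth", 1 when it is missing or placed after it (where the
# "sufficient" rules pulled in from password-auth would short-circuit the stack).
check_pam_access_order() {
    pamfile=$1
    access_line=$(grep -nE '^account[[:space:]]+.*pam_access\.so' "$pamfile" | head -n1 | cut -d: -f1)
    include_line=$(grep -nE '^account[[:space:]]+include[[:space:]]+password-auth' "$pamfile" | head -n1 | cut -d: -f1)
    if [ -n "$access_line" ] && [ -n "$include_line" ] && [ "$access_line" -lt "$include_line" ]; then
        return 0
    fi
    return 1
}

# Constructed excerpt of /etc/pam.d/cockpit (account section only) for trying
# the functions on a scratch copy instead of the live file.
SAMPLE_PAM_CONFIG='#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth'

# Run the whole procedure in a temporary directory and show the resulting order.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PAM_CONFIG" > "$dir/cockpit"
    write_access_conf "$dir/cockpit_access.conf" cockpit
    insert_pam_access "$dir/cockpit" "$dir/cockpit_access.conf"
    if check_pam_access_order "$dir/cockpit"; then
        echo "pam_access rule precedes 'account include password-auth':"
        grep -n '^account' "$dir/cockpit"
    else
        echo "pam_access rule missing or in the wrong place" >&2
    fi
    rm -rf "$dir"
}
```

To apply it for real, run `write_access_conf /etc/security/cockpit_access.conf cockpit` and `insert_pam_access /etc/pam.d/cockpit /etc/security/cockpit_access.conf` as root (after `groupadd cockpit` and adding yourself to the group), then `check_pam_access_order /etc/pam.d/cockpit` before logging out of your current session.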