Chapter 29. Managing remote systems in the web console

Connect to the remote systems and manage them in the RHEL 8 web console.

The following chapter describes:

  • The optimal topology of connected systems.
  • How to add and remove remote systems.
  • When, why, and how to use SSH keys for remote system authentication.
  • How to configure a web console client to allow a user authenticated with a smart card to SSH to a remote host and access services on it.

Prerequisites

  • Opened the SSH service on remote systems.

29.1. Remote system manager in the web console

Using the RHEL 8 web console to manage remote systems in the network requires considering the topology of connected servers.

For optimal security, Red Hat recommends the following connection setup:

  • Use one system with the web console as a bastion host. The bastion host is a system with opened HTTPS port.
  • All other systems communicate through SSH.

With the web interface running on the bastion host, you can reach all other systems through the SSH protocol using port 22 in the default configuration.

RHEL Cockpit ManagingSystems 484190 0119

29.2. Adding remote hosts to the web console

You can connect other systems with a user name and password.

Prerequisites

Procedure

  1. In the RHEL 8 web console, click on your username@hostname in the top left corner of the Overview page.

    cockpit username dropdown

  2. In the drop down menu, click the Add new host button.

    cockpit add new host

  3. In the Add new host dialog box, specify the host you want to add.
  4. (Optional) Add the user name for the account to which you want to connect.

    You can use any user account of the remote system. However, if you use credentials of a user account without administration privileges, you will not be able to perform administration tasks.

    If you use the same credentials as for your local system, the web console will authenticate remote systems automatically every time you log in. However, using the same credentials on more machines could be a potential security risk.

  5. (Optional) Click the Color field to change the color of the system.
  6. Click Add.

    The new host will appear in the list of hosts in the username@hostname drop down menu.

Note

The web console does not save passwords used to log in to remote systems which means that you have to log in again after each system restart. Next time you log in, click the Log in button placed on the main screen of the disconnected remote system to open the login dialog.

cockpit not connected to host

29.3. Removing remote hosts from the web console

You can remove other systems from the web console.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.
  2. Click on your username@hostname in the top left corner of the Overview page.

    cockpit username dropdown

  3. Click the Edit hosts icon.

    cockpit edit hosts

  4. To remove a host from web console, click the red minus sign - button next to its host name. Note that you cannot remove a host you are currently connected to.

    cockpit remove host

As a result, the server is removed from your web console.

29.4. Enabling SSH login for a new host

When you add a new host you can also log into it with an SSH key. If you already have an SSH key on your system, the web console will use the existing one; otherwise, the web console can create a key.

Prerequisites

Procedure

  1. In the RHEL 8 web console, click on your username@hostname in the top left corner of the Overview page.

    cockpit username dropdown

  2. In the drop down menu, click the Add new host button.

    cockpit add new host

  3. In the Add new host dialog box, specify the host you want to add.
  4. Add the user name for the account to which you want to connect.

    You can use any user account of the remote system. However, if you use credentials of a user account without administration privileges, you will not be able to perform administration tasks.

  5. (Optional) Click the Color field to change the color of the system.
  6. Click Add.

    A new dialog window will appear asking for a password.

  7. Enter the user account password.
  8. Check Authorize ssh key if you already have an SSH key.

    cockpit authorize ssh key

  9. Check Create a new SSH key and authorize it if you do not have an SSH key. The web console will create it for you.

    cockpit ssh key add from login

    1. Add a password for the SSH key.
    2. Confirm the password.
  10. Click Log in

    The new host will appear in the list of hosts in the username@hostname drop down menu.

Verification steps

  1. Log out.
  2. Log back in.
  3. Click Log in in the Not connected to host screen.
  4. Select SSH key as your authentication option.

    cockpit ssh login dialog
  5. Enter your key password.
  6. Click Log in.

29.5. Constrained delegation in Identity Management

The Service for User to Proxy (S4U2proxy) extension provides a service that obtains a service ticket to another service on behalf of a user. This feature is known as constrained delegation. The second service is typically a proxy performing some work on behalf of the first service, under the authorization context of the user. Using constrained delegation eliminates the need for the user to delegate their full ticket-granting ticket (TGT).

Identity Management (IdM) traditionally uses the Kerberos S4U2proxy feature to allow the web server framework to obtain an LDAP service ticket on the user’s behalf. The IdM-AD trust system also uses constrained delegation to obtain a cifs principal.

You can use the S4U2proxy feature to configure a web console client to allow an IdM user that has authenticated with a smart card to achieve the following:

  • Run commands with superuser privileges on the RHEL host on which the web console service is running without being asked to authenticate again.
  • Access a remote host using SSH and access services on the host without being asked to authenticate again.

29.6. Configuring a web console to allow a user authenticated with a smart card to SSH to a remote host without being asked to authenticate again

After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to connect to remote machines by using the SSH protocol. You can use the constrained delegation feature to use SSH without being asked to authenticate again.

Follow this procedure to configure the web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host and it is being configured to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT).
  • You have root access to remote.idm.example.com.
  • The web console service is present in IdM.
  • The remote.idm.example.com host is present in IdM.
  • The web console has created an S4U2Proxy Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open the Terminal page, and enter:

    $ klist
    Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache
    Default principal: user@IDM.EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    07/30/21 09:19:06  07/31/21 09:19:06  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
            for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM

Procedure

  1. Create a list of the target hosts that can be accessed by the delegation rule:

    1. Create a service delegation target:

      $ ipa servicedelegationtarget-add cockpit-target
    2. Add the target host to the delegation target:

      $ ipa servicedelegationtarget-add-member cockpit-target \ --principals=host/remote.idm.example.com@IDM.EXAMPLE.COM
  2. Allow cockpit sessions to access the target host list by creating a service delegation rule and adding the HTTP service Kerberos principal to it:

    1. Create a service delegation rule:

      $ ipa servicedelegationrule-add cockpit-delegation
    2. Add the web console client to the delegation rule:

      $ ipa servicedelegationrule-add-member cockpit-delegation \ --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    3. Add the delegation target to the delegation rule:

      $ ipa servicedelegationrule-add-target cockpit-delegation \ --servicedelegationtargets=cockpit-target
  3. Enable Kerberos authentication on the remote.idm.example.com host:

    1. SSH to remote.idm.example.com as root.
    2. Open the /etc/ssh/sshd_config file for editing.
    3. Enable GSSAPIAuthentication by uncommenting the GSSAPIAuthentication no line and replacing it with GSSAPIAuthentication yes.
  4. Restart the SSH service on remote.idm.example.com so that the above changes take effect immediately:

    $ systemctl try-restart sshd.service

29.7. Using Ansible to configure a web console to allow a user authenticated with a smart card to SSH to a remote host without being asked to authenticate again

After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to connect to remote machines by using the SSH protocol. You can use the constrained delegation feature to use SSH without being asked to authenticate again.

Follow this procedure to use the servicedelegationrule and servicedelegationtarget ansible-freeipa modules to configure a web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host and it is being configured to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • The IdM admin password.
  • root access to remote.idm.example.com.
  • The web console service is present in IdM.
  • The remote.idm.example.com host is present in IdM.
  • The web console has created an S4U2Proxy Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open the Terminal page, and enter:

    $ klist
    Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache
    Default principal: user@IDM.EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    07/30/21 09:19:06  07/31/21 09:19:06  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
            for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.14 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory:

    $ cd ~/MyPlaybooks/
  2. Create a web-console-smart-card-ssh.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target:

      ---
      - name: Playbook to create a constrained delegation target
        hosts: ipaserver
      
        vars_files:
        - /home/user_name/MyPlaybooks/secret.yml
        tasks:
        - name: Ensure servicedelegationtarget web-console-delegation-target is present
          ipaservicedelegationtarget:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-target
    2. Add a task that adds the target host to the delegation target:

        - name: Ensure servicedelegationtarget web-console-delegation-target member principal host/remote.idm.example.com@IDM.EXAMPLE.COM is present
          ipaservicedelegationtarget:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-target
            principal: host/remote.idm.example.com@IDM.EXAMPLE.COM
            action: member
    3. Add a task that ensures the presence of a delegation rule:

        - name: Ensure servicedelegationrule delegation-rule is present
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
    4. Add a task that ensures that the Kerberos principal of the web console client service is a member of the constrained delegation rule:

        - name: Ensure the Kerberos principal of the web console client service is added to the servicedelegationrule web-console-delegation-rule
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
            principal: HTTP/myhost.idm.example.com
            action: member
    5. Add a task that ensures that the constrained delegation rule is associated with the web-console-delegation-target delegation target:

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
            target: web-console-delegation-target
            action: member
  3. Save the file.
  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-ssh.yml
  5. Enable Kerberos authentication on remote.idm.example.com:

    1. SSH to remote.idm.example.com as root.
    2. Open the /etc/ssh/sshd_config file for editing.
    3. Enable GSSAPIAuthentication by uncommenting the GSSAPIAuthentication no line and replacing it with GSSAPIAuthentication yes.

Additional resources