Cockpit Guide
Cockpit can use Kerberos for single sign-on (SSO) authentication: users are logged in automatically if their browser holds a valid Kerberos ticket.

To authenticate users, the server that Cockpit is running on must be joined to a domain. This can usually be accomplished using the realm join example.com command.
The domain must be resolvable by DNS. For instance, the SRV record of the Kerberos server should be resolvable:

$ host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 0 100 88 dc.example.com
The server running Cockpit should have a fully qualified name that ends with the domain name.
There must be a valid Kerberos host key for the server in the /etc/krb5.keytab file. Alternatively, if you would like to use a different keytab, you can do so by placing it in /etc/cockpit/krb5.keytab, or below $XDG_CONFIG_DIRS if set (see cockpit.conf). Keep the keytab readable by root only: it holds the service's long-term key, and anyone who can read it can impersonate the Cockpit service. It may be necessary to create a Kerberos service principal and update the keytab if it is not present. Depending on your domain type, different service names are required:

| Domain type | Service principal |
|---|---|
| Active Directory | HOST/server.example.com@EXAMPLE.COM |
| IPA and MIT | HTTP/server.example.com@EXAMPLE.COM |
When joining an IPA domain with Cockpit and the ipa command line tool is available, both the service principal name and a /etc/cockpit/krb5.keytab get created automatically, so that Kerberos-based single sign-on into Cockpit works out of the box. If you want or need to do this by hand or in a script, first create or modify the HTTP/ service principal:
$ sudo ipa service-add --ok-as-delegate=true --ok-to-auth-as-delegate=true \
    HTTP/server.example.com@EXAMPLE.COM
# or, if it already exists, just enable delegation:
$ sudo ipa service-mod --ok-as-delegate=true --ok-to-auth-as-delegate=true \
    HTTP/server.example.com@EXAMPLE.COM
Then generate a key for that principal:
$ sudo ipa-getkeytab -p HTTP/server.example.com@EXAMPLE.COM -k /etc/cockpit/krb5.keytab
The following command can be used to list the /etc/cockpit/krb5.keytab:
$ sudo klist -k /etc/cockpit/krb5.keytab
Lastly, accounts from the domain must be resolvable to unix accounts on the server running Cockpit. For example:

$ getent passwd user@example.com
user@example.com:*:381001109:381000513:User Name:/home/user:/bin/sh
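The server-side prerequisites above (FQDN inside the domain, a resolvable _kerberos SRV record, the right service key in the keytab, domain accounts mapping to unix accounts) are easy to check mechanically. The script below is an added example and not part of Cockpit: the check functions take the output of host, klist and getent as text, so they can be exercised against the sample output shown on this page, and preflight() runs the real commands on the local machine only when the (assumed) COCKPIT_SSO_PREFLIGHT=1 environment variable is set.

```shell
#!/bin/sh
# Server-side preflight for Cockpit Kerberos SSO. Added example, not part of
# Cockpit. The check functions take command output as text so they can be
# exercised offline; preflight() runs the real commands (hostname, host, klist,
# getent) on this machine, and only when COCKPIT_SSO_PREFLIGHT=1 is set, so the
# file can also be sourced for its functions.

# Does FQDN end with ".DOMAIN"? Case-insensitive; "notexample.com" does not count.
host_in_domain() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *."$dom") return 0 ;;
        *) return 1 ;;
    esac
}

# Given the output of `host -t SRV _kerberos._udp.DOMAIN`, print the advertised
# KDC host names (trailing dot stripped), one per line; fail if there are none.
srv_kdcs() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | grep .
}

# Given the output of `klist -k KEYTAB`, succeed if it lists a key for
# SVC/FQDN@REALM (SVC is HTTP for IPA and MIT, HOST for Active Directory).
keytab_has_service() {
    printf '%s\n' "$1" | grep -iq "^ *[0-9][0-9]* *$2/$3@$4\$"
}

# Given a `getent passwd USER` line, print its numeric uid and succeed only if
# it is a complete 7-field passwd entry; an empty result means the domain
# account does not map to a unix account.
passwd_uid() {
    printf '%s\n' "$1" | awk -F: '
        NF == 7 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { print $3; ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# preflight DOMAIN REALM [SVC] [USER], e.g.
#   sudo COCKPIT_SSO_PREFLIGHT=1 sh preflight.sh example.com EXAMPLE.COM HTTP user@example.com
preflight() {
    domain=$1; realm=$2; svc=${3:-HTTP}; user=${4:-}
    fqdn=$(hostname -f)
    keytab=/etc/cockpit/krb5.keytab
    [ -e "$keytab" ] || keytab=/etc/krb5.keytab   # Cockpit falls back to the system keytab

    if host_in_domain "$fqdn" "$domain"; then echo "ok: $fqdn is inside $domain"
    else echo "FAIL: $fqdn does not end with .$domain"; fi

    if kdcs=$(srv_kdcs "$(host -t SRV "_kerberos._udp.$domain")"); then echo "ok: KDCs: $(echo $kdcs)"
    else echo "FAIL: no _kerberos._udp.$domain SRV record"; fi

    if keytab_has_service "$(klist -k "$keytab" 2>/dev/null)" "$svc" "$fqdn" "$realm"; then
        echo "ok: $svc/$fqdn@$realm found in $keytab"
    else echo "FAIL: no $svc/$fqdn@$realm key in $keytab (running as root? principal created?)"; fi

    if [ -n "$user" ]; then
        if uid=$(passwd_uid "$(getent passwd "$user")"); then echo "ok: $user resolves to uid $uid"
        else echo "FAIL: $user does not resolve to a unix account (check sssd)"; fi
    fi
}

if [ "${COCKPIT_SSO_PREFLIGHT:-}" = 1 ]; then
    preflight "$@"
fi
```

Run it as root so that klist can read the keytab; a FAIL on the keytab line with a correct principal name usually just means the file was unreadable. The service name argument decides which principal is looked for, so pass HOST for an Active Directory join.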
If you wish to delegate your Kerberos credentials to Cockpit, and allow Cockpit to then connect to other machines using those credentials, you should enable delegation for the hosts running Cockpit, and in some cases the HTTP service as well. When joining an IPA domain, this is enabled by default. Delegation hands the Cockpit host a forwarded ticket-granting ticket that it can use to act as you against any other service, so only enable it for hosts you trust to that extent.
Domain admins (usually the admins@example.com group) should normally also be able to administer any joined machine. Enable sudo access for that group with the following command on the IPA server, for version 4.7.1 and later:

ipa-advise enable-admins-sudo | sh -ex

On earlier FreeIPA versions, run these commands instead, as a domain admin on any joined machine:

ipa sudorule-add --hostcat=all --cmdcat=all All
ipa sudorule-add-user --groups=admins All

Note that this does not change the security properties of the domain: domain admins can grant this privilege to themselves anyway, so it is safe to enable by default.
The client side, where your web browser is running, should have a valid Kerberos ticket in the current user session. A command like this will get one:

$ kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM:

In addition, your browser must usually be configured to allow Kerberos authentication for the domain. Keep the pattern as narrow as your hosts allow: a leading wildcard such as *example.com matches any host name ending in example.com, not only hosts within the domain.
| Browser | Configuration |
|---|---|
| Mozilla Firefox | Go to about:config and set network.negotiate-auth.trusted-uris to your domain, for example .example.com. |
| Google Chrome | On Linux: create the file /etc/opt/chrome/policies/managed/example.json with the content shown below and restart the browser. On other platforms, exit your browser completely and start it with a command line like --auth-server-whitelist="*example.com". |

{
  "AuthServerWhitelist": "*example.com"
}
Use a fully qualified server name (with the domain name at the end) to access Cockpit in your web browser.
If you wish to connect from one server to another in Cockpit using Kerberos SSO, then you have to explicitly enable several things. For starters, make sure that delegated credentials are allowed by your domain (see above). Next, when requesting your Kerberos ticket, make sure that forwardable tickets are requested:

$ kinit -f user@EXAMPLE.COM
Password for user@EXAMPLE.COM:

Make sure that the forwardable flag F is present in your ticket:

$ klist -f
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
18.03.2017 05:39:23  19.03.2017 05:39:20  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA

Lastly, configure your browser to allow delegated, forwardable Kerberos credentials to be sent to Cockpit:
| Browser | Configuration |
|---|---|
| Mozilla Firefox | Go to about:config and set network.negotiate-auth.delegation-uris (in addition to network.negotiate-auth.trusted-uris) to your domain, for example .example.com. |
| Google Chrome | On Linux: create the file /etc/opt/chrome/policies/managed/example.json with the content shown below and restart the browser. On other platforms, exit your browser completely and start it with a command line like --auth-server-whitelist="*example.com" --auth-negotiate-delegate-whitelist="*example.com". |

{
  "AuthServerWhitelist": "*example.com",
  "AuthNegotiateDelegateWhitelist": "*example.com"
}
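A ticket obtained with a plain kinit is the most common reason delegation silently fails: Cockpit authenticates you, but the hop to the second server does not work because the TGT is not forwardable. The script below is an added example and not part of Cockpit: tgt_is_forwardable() parses klist -f output (passed in as text, so it can be checked against the sample output above) and looks for the F flag on the krbtgt entry for the realm, and ensure_forwardable_tgt() runs the real klist and falls back to kinit -f when the cache holds no forwardable TGT. It is only executed when the (assumed) COCKPIT_SSO_CLIENT=1 environment variable is set.

```shell
#!/bin/sh
# Client-side check that the ticket you hold can be delegated to Cockpit.
# Added example, not part of Cockpit. tgt_is_forwardable() parses `klist -f`
# output passed in as text; ensure_forwardable_tgt() runs the real klist/kinit
# and is only executed when COCKPIT_SSO_CLIENT=1 is set.

# Succeed if the krbtgt/REALM@REALM entry in this `klist -f` output carries the
# forwardable flag F. The flags line follows the ticket line, e.g. "Flags: FIA";
# "f" (forwarded) and "P" (proxiable) are different flags and do not count.
tgt_is_forwardable() {
    printf '%s\n' "$1" | awk -v tgt="krbtgt/$2@$2" '
        index($0, tgt)           { in_tgt = 1; next }
        in_tgt && $1 == "Flags:" { if (index($2, "F")) found = 1; in_tgt = 0 }
        END                      { exit found ? 0 : 1 }'
}

# ensure_forwardable_tgt REALM USER: re-run kinit -f if the cache holds no
# forwardable TGT (a plain `kinit` ticket, or no ticket at all, both end up here).
ensure_forwardable_tgt() {
    realm=$1; user=$2
    if tgt_is_forwardable "$(klist -f 2>/dev/null)" "$realm"; then
        echo "ok: forwardable TGT for $realm already in $(klist 2>/dev/null | head -n 1)"
    else
        echo "no forwardable TGT for $realm; requesting one with kinit -f"
        kinit -f "$user@$realm"
    fi
}

if [ "${COCKPIT_SSO_CLIENT:-}" = 1 ]; then
    ensure_forwardable_tgt "$@"
fi
```

Typical use is COCKPIT_SSO_CLIENT=1 sh client-check.sh EXAMPLE.COM user before opening Cockpit in the browser. A forwardable ticket is necessary but not sufficient: the browser must also be configured to delegate (the AuthNegotiateDelegateWhitelist policy or its Firefox equivalent above), and the Cockpit host's principal must be marked ok-as-delegate on the IPA side.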