The second option is interesting. What would end/close such a job? The third seems most natural but requires extra infra to set up and maintain. The first is probably most straightforward, but wouldn’t it have to ignore target host key verification? The SSH known hosts check would fail, I guess, after the first connection.
Thanks for the feedback, that helps a lot. Please keep it coming.
The client closing the TCP connection would end the job, the same as pressing C-d closes a regular SSH session.
I start to like this option most since it fits best into the existing Foreman architecture, no? No new communication patterns between master and proxies, no new ports need to be opened, etc.
But this option also needs the biggest code changes to both Foreman and Cockpit. I’ll play around with this a bit to get a feel for how big.
Okay, this starts to look promising.
Here is a demo, with terrible sound (apologies):
The central piece for the Cockpit session is
It uses the new /api/v2/remote_execution/ssh_params API of Foreman to get parameters like proxy, user, keyfile, password, etc., that are also used by REX.
It then uses the new /remote_execution/ssh_session API in the Smart Proxy to start an interactive SSH session on the target host that runs cockpit-bridge. Once running, it will pump the Cockpit protocol messages in both directions until the session ends. That API does a protocol upgrade on its connection, which is something new for Smart Proxy, I think.
Code for the /api/v2/remote_execution/ssh_params API: https://github.com/mvollmer/foreman_remote_execution/commit/d35647905b19b23b76bbdd2f25c96fbbdff5a62e
Code for the /remote_execution/ssh_session API: https://github.com/mvollmer/smart-proxy/commit/5f0ded7db4049a7c08877f3c86f9137b8c7ad21d
Super dirty code for the button in Foreman and the OAuth bits: https://github.com/mvollmer/foreman/commits/seamless-cockpit
I should rewrite cockpit-auth-foreman in Ruby.
This doesn’t work without a proxy, but I think it should. A Ruby version of cockpit-auth-foreman can probably quite easily use Net::SSH directly on that case, and we should factor the code to make that elegant.
ssh_session API needs to be implemented by smart_proxy_remote_execution_ssh, not by
The code that uses Net::SSH should share as much as possible with script_runner.rb in
But overall, I am pretty happy with this. Next steps for me would be
Rewrite cockpit-auth-foreman in Ruby.
Figure out how Foreman runs behind Apache in production and put Cockpit behind it as well.
Make a PR for the ssh_params API, with tests and everything.
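The relay at the heart of the ssh_session endpoint, and the earlier point that the client closing its TCP connection ends the job, as an added Ruby example that is not code from the linked commits: a bidirectional pump between the upgraded client connection and the SSH channel. It assumes the channel was opened by a Net::SSH client that has already verified the target host key, and the socket pairs in the demo are constructed stand-ins for the real connection and channel.

```ruby
require 'socket'

# Close both ends of the relay; safe to call more than once.
def close_session(client, channel)
  [client, channel].each { |io| io.close unless io.closed? }
end

# Relay bytes in both directions between `client` (the upgraded HTTP
# connection carrying Cockpit protocol frames) and `channel` (the
# stdin/stdout of cockpit-bridge on the target host). Runs until one side
# reaches EOF, then closes the other side so the remote process sees its
# input end (the C-d equivalent). Returns :client_closed or :remote_closed.
def pump_session(client, channel, chunk_size = 16 * 1024)
  peer_of = { client => channel, channel => client }
  loop do
    ready, = IO.select([client, channel])
    ready.each do |io|
      data = io.read_nonblock(chunk_size, exception: false)
      next if data == :wait_readable          # nothing to read after all
      if data.nil?                             # EOF on this side
        outcome = io.equal?(client) ? :client_closed : :remote_closed
        close_session(client, channel)
        return outcome
      end
      peer_of[io].write(data)
    end
  end
rescue Errno::EPIPE, Errno::ECONNRESET, IOError
  close_session(client, channel)
  :error
end

# Stand-alone demo with constructed socket pairs standing in for the
# real browser connection and the SSH channel to cockpit-bridge.
if $PROGRAM_NAME == __FILE__
  browser, proxy_in = UNIXSocket.pair
  proxy_out, host = UNIXSocket.pair
  relay = Thread.new { pump_session(proxy_in, proxy_out) }
  browser.write('constructed frame from the browser side')
  puts "host saw: #{host.readpartial(1024)}"
  browser.close                                  # like C-d: ends the job
  puts "relay ended with #{relay.value}, host got EOF: #{host.read.empty?}"
end
```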
Nice to see the progress here! So if I understand the workflow properly, when I click the
- it goes first to the Cockpit
- user gets redirected back to the Foreman to confirm the OAuth2 access
- then Foreman redirects back to Cockpit: at this point Cockpit trusts the user
- Cockpit asks the Foreman for the connection details
- Cockpit starts the session on the proxy to connect to the remote host
Is that right?
If I understand it correctly, in point 4, Cockpit uses the same session id to authenticate to the Foreman, as user’s browser, right?
I’m just trying to rephrase this here to make sure I understand how the whole thing works, as there are multiple pieces in play.
Yes, except for the “trust” part.
Cockpit itself is unprivileged and doesn’t make decisions related to authentication. The credentials given out by Foreman in step 4 just need to be accepted by sshd in step 5. Foreman might decline access in step 4 based on which user the session is for, etc.
Yes, the Foreman API fortunately allows access with a valid _session_id cookie, and the token exchanged in steps 2 and 3 is the value of that cookie.
cockpit-auth-foreman turns the token back into a cookie.
A customer asked for better integration in regard to PCP performance data from hosts. While we will unlikely be writing a Foreman PCP plugin to present data from PCP, we should be able to have a button for hosts that opens up the Cockpit interface on the Performance page. I see there are plans on elaborating Cockpit-PCP integration: https://github.com/cockpit-project/cockpit/wiki/Feature:-PCP-Integration