Security Considerations for Multiple Host Management

For optimal security, consider implementing the following configurations when accessing and managing multiple host systems from a single Cockpit web console instance.
  • Optimal topology configuration over SSH connection:
    • Install Cockpit on a bastion host and use it to connect and manage other secondary Cockpit hosts. The Cockpit bastion host should be configured with a certificate-authority-issued TLS certificate.
    • Configure all secondary hosts to communicate over an SSH connection. For example, in this scenario:
      • All secondary Cockpit hosts are reachable through the SSH protocol (which defaults to port 22).
      • The SSH firewall port is open on all secondary Cockpit hosts.
      • Enabling the cockpit.socket service on the secondary Cockpit hosts is not required.
      • A certificate-authority-issued TLS certificate isn't required on the secondary Cockpit hosts. However, the primary Cockpit bastion host must be configured with a certificate-authority-issued TLS certificate.

      For SSH configuration details, see Configuring OpenSSH Server in Oracle Linux: Connecting to Remote Systems With OpenSSH.

      Note:

      Cockpit Project - Authentication: For additional information on managing primary and secondary servers with Cockpit, see https://cockpit-project.org/guide/latest/authentication.html.
  • Use of SSH for remote host authentication:
    • SSH key-based authentication (preferred method) – Key-based authentication helps to prevent brute-force password attacks against SSH and gives administrators password-less logins to the secondary hosts.

      If SSH key-based authentication isn't already set up, you can configure it by selecting the Authorize SSH Key check box when logging in to a remote host. For details, see Step 3 in the procedure Add and Connect to Secondary Host.

      -OR-

    • SSH password authentication – Password authentication requires the SSH client to supply the user ID and password of an account on the host where the SSH server runs. While password authentication might be convenient for some users, it is discouraged because it can make accounts more susceptible to intrusion.
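As an added example (not code from the Oracle or Cockpit documentation), the following POSIX shell audit reads a secondary host's sshd_config and reports whether it still accepts password logins, applying sshd's first-value-wins rule and treating keyboard-interactive (PAM) as a password path. The function names and the sample files are constructed for the demo.

```shell
# Added example, not from the Oracle or Cockpit documentation: audit an
# sshd_config on a secondary Cockpit host for key-only authentication.

# sshd_first_value FILE KEYWORD: print the first value of KEYWORD in the
# global section. sshd(8) uses the first value it reads, and settings
# inside Match blocks are conditional, so parsing stops at the first Match.
sshd_first_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { line = $0; sub(/=/, " ", line); if (split(line, f) < 2) next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# check_sshd_auth FILE: echo PASS when only public-key logins are possible,
# else FAIL plus the offending settings. Unset keywords take sshd(8) defaults:
# PasswordAuthentication yes, PubkeyAuthentication yes, and
# KbdInteractiveAuthentication yes (older name ChallengeResponseAuthentication).
check_sshd_auth() {
    pw=$(sshd_first_value "$1" PasswordAuthentication); pw=${pw:-yes}
    pk=$(sshd_first_value "$1" PubkeyAuthentication); pk=${pk:-yes}
    kbd=$(sshd_first_value "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_first_value "$1" ChallengeResponseAuthentication)
    kbd=${kbd:-yes}
    problems=""
    [ "$pw" = "no" ] || problems="$problems PasswordAuthentication=$pw"
    [ "$pk" = "yes" ] || problems="$problems PubkeyAuthentication=$pk"
    # With UsePAM yes, keyboard-interactive still lets PAM prompt for a password.
    [ "$kbd" = "no" ] || problems="$problems KbdInteractiveAuthentication=$kbd"
    if [ -z "$problems" ]; then echo PASS; else echo "FAIL:$problems"; fi
}

# Constructed sample files for a demo run; they are not real host configs.
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\nPubkeyAuthentication yes\nUsePAM yes\n' > "$SAMPLE_DIR/weak"
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# A later duplicate is ignored by sshd, and therefore by the audit
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
for f in weak hardened; do
    printf '%s: %s\n' "$f" "$(check_sshd_auth "$SAMPLE_DIR/$f")"
done
```

On a live secondary host, point check_sshd_auth at /etc/ssh/sshd_config, or compare against the effective settings printed by `sshd -T`, which also resolves included files.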