Hi everybody,
I just installed Cockpit on a server that I access exclusively with
SSH keys. To my surprise, the user doesn't have a password, and installing
Cockpit makes it possible to log in without a password, opening a breach.
Having users without a password is a problem, but if you have SSH set up to
enforce key authentication this problem can happen silently: once you install
Cockpit, anyone with access to the server's 9090 port and the user name will
gain access to the server.
Again, I still think that the cause is the user without a password, but it
would be nice if Cockpit enforced password authentication to avoid this. What
do you guys think?
Regards,
PS: I tested with Cockpit 176 from the CentOS 7.6 repos.
--
“If you're going to try, go all the way. Otherwise, don't even start. ...”
Charles Bukowski
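
A check for the condition this message describes, added here as an example and not part of the original post or of Cockpit: it lists accounts whose password field in the shadow file is empty, the state that key-only SSH keeps hidden. The function names and the sample passwd/shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Print "user:shell" for every account whose shadow password field is empty.
# An empty field means "no password at all"; it is different from a locked
# account ("!", "!!", "*") and from a hashed password ("$6$...").
# Usage: empty_password_accounts [shadow_file] [passwd_file]
empty_password_accounts() {
    shadow_file=${1:-/etc/shadow}
    passwd_file=${2:-/etc/passwd}
    awk -F: '
        # First file (passwd): remember the login shell of each account.
        FNR == NR { shell[$1] = $7; next }
        # Second file (shadow): field 2 holds the password hash.
        $2 == "" { print $1 ":" shell[$1] }
    ' "$passwd_file" "$shadow_file"
}

# Run the check against constructed sample files (not real accounts).
demo_constructed_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
svc:x:998:996::/var/lib/svc:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:17900:0:99999:7:::
deploy::17900:0:99999:7:::
backup:!!:17900:0:99999:7:::
svc::17900::::::
EOF
    empty_password_accounts "$dir/shadow" "$dir/passwd"
    rm -rf "$dir"
}

# "deploy" and "svc" have empty fields; "backup" is locked, "root" is hashed.
demo_constructed_sample
```

On a real host, run `empty_password_accounts` with no arguments as root so it can read `/etc/shadow`; `passwd -l <user>` locks any account it reports.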