How to best access Cockpit via AOA

Jó Ágila Bitsch edited this page Oct 28, 2022 · 1 revision

Goal

  • Provide an administrative interface to a Linux machine, such as a headless Raspberry Pi or another server, without programming all the UI myself.
  • Reuse as many existing services and controls as possible

Idea

  • Tunnel ssh through the AOA connection
  • Authenticate using normal SSH mechanisms (password, public key, fido2)
  • connect to cockpit from the ssh session.
    • don't require authentication twice
    • reuse the HTTP serving capabilities of cockpit

How to achieve

Within the established ssh session, run the following command:

systemd-socket-activate -l $XDG_RUNTIME_DIR/cockpit.sock /usr/lib/cockpit/cockpit-ws --local-session cockpit-bridge

Hints

systemd-socket-activate allows us to use a unix socket instead of a tcp port for serving the cockpit interface.

cockpit-ws serves all the HTTP we need for the interface. On the Android side, we can use a Chrome instance to connect to localhost (from the perspective of Android), which is forwarded via ssh port forwarding to the remote unix socket on the server side.

--local-session is an already authenticated version of the service. This is why we want to use a domain socket (or alternatively maybe a network namespace): to ensure that, on the server side, no one else can connect to this socket.

cockpit-bridge in turn handles the websocket requests from cockpit for executing commands, accessing dbus and the file system.

Dependencies

Actually very limited:

  • aoa-proxy to forward everything from the phone to an ssh server
  • openssh-server
    • authenticate the user
    • run a local command
    • forward the traffic from the android browser to a unix socket
      • if running with a tinyssh server, we might have to find an alternative forwarding way, maybe via exec, as it deliberately does not implement port forwarding
  • cockpit

Security surface

Everything goes through ssh, so we should be good.

  • We're not opening new ports.
  • The authenticated cockpit unix socket is in $XDG_RUNTIME_DIR, which is only accessible to the logged-in user, who could run cockpit-ws or cockpit-bridge (or any other command with the same rights) anyway.

ssh port forwarding a unix socket

This is an extension of OpenSSH, described in https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L237-L253. I'm not sure if this extension is supported by Java/Kotlin ssh libraries for Android, or if we need to extend a suitable library accordingly.
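The two halves of the setup above (the server-side command from "How to achieve" and the unix-socket forward from this section), as an added example that is not part of the original wiki page. It assumes the remote runtime directory path (e.g. /run/user/1000) is known on the client, that port 9090 on the Android side is free, and that cockpit-ws serves plain HTTP on the local socket in this mode; the ownership/mode check makes the $XDG_RUNTIME_DIR assumption from "Security surface" explicit instead of trusting it.

```shell
#!/bin/sh
# Added example, not code from the original page. Helper functions for the
# Cockpit-over-AOA setup: a pre-flight check on the socket directory, the
# server-side command, and the client-side ssh forward.

# Refuse to serve cockpit-ws from a socket directory other local users can
# reach: it must be owned by us and mode 0700 (what pam_systemd gives
# $XDG_RUNTIME_DIR). Uses GNU stat -c.
check_socket_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "$dir not owned by uid $(id -u)" >&2; return 1; }
    case "$mode" in
        700) return 0 ;;
        *)   echo "$dir has mode $mode, expected 700" >&2; return 1 ;;
    esac
}

# Command to run inside the established ssh session on the server: cockpit-ws
# bound to a unix socket by systemd-socket-activate, already authenticated
# because of --local-session, with cockpit-bridge handling the websocket side.
server_command() {
    sock="$1/cockpit.sock"
    printf 'systemd-socket-activate -l %s /usr/lib/cockpit/cockpit-ws --local-session cockpit-bridge\n' "$sock"
}

# ssh invocation on the Android side: OpenSSH streamlocal forwarding from a
# loopback-only TCP port to the remote unix socket, so the browser opens
# http://127.0.0.1:9090/ (scheme assumed). Binding to 127.0.0.1 keeps other
# devices on the phone's network away from the tunnel entrance.
client_command() {
    user_host="$1"; sock="$2/cockpit.sock"
    printf 'ssh -L 127.0.0.1:9090:%s %s\n' "$sock" "$user_host"
}
```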