Bug 1224261

Summary: cockpit: Refused user root for service cockpit
Product: [openSUSE] openSUSE Distribution Reporter: Felix Niederwanger <felix.niederwanger>
Component: DocumentationAssignee: Lubos Kocman <lubos.kocman>
Status: IN_PROGRESS --- QA Contact: Frank Sundermeyer <fs>
Severity: Normal    
Priority: P5 - None CC: lubos.kocman
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Felix Niederwanger 2024-05-15 08:46:55 UTC 
On a fresh Leap 15.6 installation I cannot login to cockpit as root user. The WebUI throws the error: "Wrong user name or password"

In the journal I see the following error messages

> May 15 10:41:40 radroach cockpit-session[15173]: pam_listfile(cockpit:auth): Refused user root for service cockpit
> May 15 10:41:57 radroach cockpit-session[15175]: pam_listfile(cockpit:auth): Refused user root for service cockpit
> May 15 10:42:08 radroach cockpit-session[15178]: pam_listfile(cockpit:auth): Refused user root for service cockpit

I'm using the default settings, including AppArmor. YaST didn't show anything in the audit logs.
Comment 1 Lubos Kocman 2024-05-15 11:23:24 UTC 
It's the default confiugration Felix See also https://github.com/cockpit-project/cockpit/issues/18427

lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> cat /etc/cockpit/disallowed-users
# List of users which are not allowed to login to Cockpit
root

lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> grep PRETTY_NAME /etc/os-release; 
PRETTY_NAME="openSUSE Leap 15.6"
lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse>
Comment 2 Lubos Kocman 2024-05-15 11:24:16 UTC 
I suppose we want similar experience as on LeapMicro. Otherwise, this would be an issue on Factory as well.

lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> rpm -qf /etc/cockpit/disallowed-users
cockpit-ws-309-bp156.1.4.x86_64
Comment 3 Lubos Kocman 2024-05-15 11:27:17 UTC 
Seems like anything else than rhel <8 has it disabled in spec. I suppose micro does some magic outside of the spec.

# Allow root login in Cockpit on RHEL 8 and lower as it also allows password login over SSH.
%if 0%{?rhel} && 0%{?rhel} <= 8
%define disallow_root 0
%else
%define disallow_root 1
%endif
Comment 4 Felix Niederwanger 2024-05-15 13:54:07 UTC 
Ah, it seems also on Factory this is the now the default behavior. I was not aware that this changed, but it looks like this is expected.

I think we can close this bug as invalid then.
Comment 5 Lubos Kocman 2024-05-15 14:23:08 UTC 
Wait a sec Felix

I'm thinking of /etc/motd update which happens for cockpit


We could also mention this on ReleaseNotes/wiki. I think there is a value in having info somewhere.
Comment 6 Felix Niederwanger 2024-05-16 07:46:12 UTC 
Fully agree.