Bugzilla – Bug 1224261
cockpit: Refused user root for service cockpit
Last modified: 2024-05-16 07:46:12 UTC
On a fresh Leap 15.6 installation I cannot log in to cockpit as root user. The WebUI throws the error: "Wrong user name or password".
In the journal I see the following error messages:
> May 15 10:41:40 radroach cockpit-session[15173]: pam_listfile(cockpit:auth): Refused user root for service cockpit
> May 15 10:41:57 radroach cockpit-session[15175]: pam_listfile(cockpit:auth): Refused user root for service cockpit
> May 15 10:42:08 radroach cockpit-session[15178]: pam_listfile(cockpit:auth): Refused user root for service cockpit
I'm using the default settings, including AppArmor. YaST didn't show anything in the audit logs.
It's the default configuration, Felix. See also https://github.com/cockpit-project/cockpit/issues/18427
lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> cat /etc/cockpit/disallowed-users
# List of users which are not allowed to login to Cockpit
root
lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> grep PRETTY_NAME /etc/os-release;
PRETTY_NAME="openSUSE Leap 15.6"
lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse>
I suppose we want a similar experience as on LeapMicro. Otherwise, this would be an issue on Factory as well.
lkocman@localhost:~/Workspace/opensuse/os-autoinst-distri-opensuse> rpm -qf /etc/cockpit/disallowed-users
cockpit-ws-309-bp156.1.4.x86_64
Seems like anything else than rhel <8 has it disabled in spec. I suppose micro does some magic outside of the spec.
# Allow root login in Cockpit on RHEL 8 and lower as it also allows password login over SSH.
%if 0%{?rhel} && 0%{?rhel} <= 8
%define disallow_root 0
%else
%define disallow_root 1
%endif
Ah, it seems that on Factory this is now the default behavior as well. I was not aware that this changed, but it looks like this is expected. I think we can close this bug as invalid then.
Wait a sec, Felix. I'm thinking of the /etc/motd update which happens for cockpit. We could also mention this on ReleaseNotes/wiki. I think there is value in having the info somewhere.
Fully agree.
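
Added example, not part of the bug report or of cockpit: a shell triage helper that counts the pam_listfile refusals seen in the journal and checks whether each refused user is listed in the deny list. The function names are hypothetical, the deny list is a constructed copy of the file shown above, and the journal lines are the ones quoted in the report.

```shell
#!/bin/sh
# Triage "Refused user" journal lines against a pam_listfile deny list.

# Print "count user service" for every pam_listfile refusal read on stdin.
refused_summary() {
    sed -n 's/.*pam_listfile([^)]*): Refused user \([^ ]*\) for service \([^ ]*\).*/\1 \2/p' |
        sort | uniq -c | awk '{print $1, $2, $3}'
}

# Succeed when the user ($2) appears as a whole line in the deny list ($1).
# Whole-line matching means the "# List of users ..." header never matches.
is_disallowed() {
    grep -Fxq -- "$2" "$1"
}

# Explain each refusal; $1 = deny list, journal text on stdin.
explain_refusals() {
    refused_summary | while read -r count user service; do
        if is_disallowed "$1" "$user"; then
            verdict="listed in deny list"
        else
            verdict="not listed, check other PAM rules"
        fi
        printf '%s x%s on %s: %s\n' "$user" "$count" "$service" "$verdict"
    done
}

# Demo on constructed copies of the data shown in this report.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# List of users which are not allowed to login to Cockpit' \
        'root' > "$tmp/disallowed-users"
    cat > "$tmp/journal.txt" <<'EOF'
May 15 10:41:40 radroach cockpit-session[15173]: pam_listfile(cockpit:auth): Refused user root for service cockpit
May 15 10:41:57 radroach cockpit-session[15175]: pam_listfile(cockpit:auth): Refused user root for service cockpit
May 15 10:42:08 radroach cockpit-session[15178]: pam_listfile(cockpit:auth): Refused user root for service cockpit
EOF
    explain_refusals "$tmp/disallowed-users" < "$tmp/journal.txt"
    rm -rf "$tmp"
}

demo
```

On a live system the same check would read the journal on stdin with /etc/cockpit/disallowed-users as the deny list argument.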