Restrict which user can login into/use Cockpit

[knacky34]

I'm setting up Cockpit on a server and I would like to limit which users can login into cockpit.

Let's say there are two users on the server:

• admin, able to sudo, mainly doing administrative tasks via SSH
• accountmanager, able to use only useradd, usermod (configured in sudoers file)

How can I prevent admin to use Cockpit entirely? So, only accountmanager can login and he would not be able to do anything else than managing user accounts because of his privileges.

[Venefilyn]

Heya

We have a file /etc/cockpit/disallowed-users that you can edit and add in users you don't want to be able to login through cockpit

Hope that helps

If you want to do even more there is this in the docs

https://cockpit-project.org/guide/latest/privileges

[knacky34]

Nice, thank you

[CoreKit-glitch]

Hello,

is there a way to do the reverse thing ? Deny all users except xxxx.

Thank you for your help ?

[Venefilyn]

@CoreKit-glitch you could modify the PAM file /etc/pam.d/cockpit. I don't know the specifics but AFAIK you should be able to just change it like this (just remember to make the allowed-users file). This would make it so only the ones in the file are allowed to use Cockpit.

Caution

I haven't tested this at all so experiment at your own risk.

- account    required     pam_listfile.so item=user sense=deny file=/etc/cockpit/disallowed-users onerr=succeed
+ account    required     pam_listfile.so item=user sense=allow file=/etc/cockpit/allowed-users onerr=succeed

[CoreKit-glitch]

Thank you for your help, i'll test this and give feedback !

[CoreKit-glitch]

it works, now just need to ensure it pass package upgrades.