I would like to see a basic level of authentication on the tcp api endpoint. I realize that there is an argument that says, if they can access the api on your private network, then you have a bigger issue. I agree. I still think when there are easy wins like basic auth on an endpoint, it can add another layer to the security effort. Many layers, no matter how small, make the security profile better. You can also argue that without tls, it is pointless as the creds can be snooped. Agreed. That would also pose the question of adding tls to the endpoint. What I see is that it is becoming pretty standard for any api to support tls.
I hope this idea adds value to the already great project.
Suggest potential solution
A flag on the command line to enable basic auth with provided creds, and a flag to enable unsigned tls.
Have you considered any alternatives?
I have looked at using a proxy and firewall. These can be made to work; however, they add additional overhead and complexity that I am trying to avoid. I could use ssh to tunnel to the vm and remotely execute a podman command. Kinda defeats the point of an api.
Additional context
Security is about risk/cost benefit analysis. Nothing is 100% foolproof. However, simple security changes can meet the need of the given security profile without being 100% effective.
TLS support is tracked in #24583. I don't think this basic auth would add anything useful on top of that so I think this is needed.
> I could use ssh to tunnel to the vm and remotely execute a podman command. Kinda defeats the point of an api.

Not really, you can proxy the socket through ssh. And our Go bindings support that, i.e. that is what podman is doing with podman machine setups (windows/macos).
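The socket proxying mentioned in the reply above, as an added example that is not from this thread or from the Podman code base: with an OpenSSH forward such as `ssh -nNT -L /tmp/podman.sock:/run/user/1000/podman/podman.sock user@host` (both paths and the host are assumptions), the API is reached over a local Unix socket, and a standard-library Go client talks to it as below. The function names and the stub server are hypothetical; the stub is a constructed stand-in for the forwarded socket so the example runs offline.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
)

// pingOverSocket sends GET /_ping over the Unix socket at sockPath (the local end of the forward).
func pingOverSocket(sockPath string) (int, string, error) {
	client := &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", sockPath)
		},
	}}
	resp, err := client.Get("http://d/_ping") // URL host is a dummy; the dialer ignores it
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// startStub is a constructed stand-in for the forwarded API socket; it answers every request with "OK".
func startStub(sockPath string) (func(), error) {
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	ok := func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "OK") }
	srv := &http.Server{Handler: http.HandlerFunc(ok)}
	go srv.Serve(ln)
	return func() { srv.Close() }, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "pd") // created 0700, so only the owning user can reach the socket
	defer os.RemoveAll(dir)
	stop, err := startStub(dir + "/podman.sock")
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(pingOverSocket(dir + "/podman.sock")) // 200 OK <nil>
}
```

Access here is gated by SSH authentication and by the permissions on the local socket's directory, and the traffic is encrypted inside the SSH session, so no credentials are sent to the API itself.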