cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Unable to access when forwarded by a link #18260

Open EmilioRui opened 1 year ago

EmilioRui commented 1 year ago

Explain what happens

  1. Try to access cockpit from a landing page directing to :9090
  2. Insert login information
  3. It flashes and goes back to login page
  4. If I copy the exact same address and insert it into Firefox, it works.

Version of Cockpit

264-1ubuntu0.22.04.1

Where is the problem in Cockpit?

Networking

Server operating system

Ubuntu

Server operating system version

22.04LTS

What browsers are you using?

Firefox

System log

gen 29 19:14:18 server-one sudo[1485836]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
gen 29 19:14:33 server-one sudo[1485836]: pam_unix(sudo:session): session closed for user root

marusak commented 1 year ago

> landing page insert it into the Firefox, it works

Sorry, what is "landing page"? What browser does it use?

KKoukiou commented 1 year ago

> > landing page insert it into the Firefox, it works
>
> Sorry, what is "landing page"? What browser does it use?

They mean some 'plugin' URL I think, and not the default their-ip-addr:9090/

louis-irl commented 1 year ago

I'm having this same issue, but it seems to only exist in the stable version of Firefox. I'm able to log in without any issues using Chrome or Firefox Nightly.

Also, I think this is a duplicate of #17936

garrett commented 1 year ago

@louis-irl, @EmilioRui: Can you provide more details?

Example questions which might have useful answers:

Please provide any other details you think might be relevant. Thanks!

cheerstopriya commented 1 year ago

When you try to access Cockpit from the landing page directing to :9090 and insert your login information, the page flashes and goes back to the login page. However, when you copy the exact same address and insert it into Firefox, it works. This suggests that there might be some issue with how the landing page directs the request to the Cockpit server.

Since you have also mentioned that you are using Ubuntu 22.04LTS as the server operating system and Firefox as the browser, it is possible that there could be some compatibility issues between Cockpit and Firefox.

It might be helpful to check the system logs on the server to see if there are any relevant error messages. The log entries provided in the question do not appear to relate to the issue.

garrett commented 1 year ago

@EmilioRui, @louis-irl, @cheerstopriya:

What is a "landing page"? Can you be more specific? If you could describe it and/or provide a screenshot, that would help.

Cockpit doesn't have a "landing page". It does have a login page, but it doesn't sound like that's what is being talked about.


What's your setup like?

Are you using a proxy?


> it is possible that there could be some compatibility issues between Cockpit and Firefox

This isn't possible. Most of the team uses Firefox as our primary browser and we have automated tests with both Firefox and Chrome. (We all manually test parts of Cockpit with several browsers from time to time too. This would always require logging in as well.)

That said, if you're running an extremely old version of any browser (we're talking over a year or two old or older right now, IIRC), then Cockpit won't work for you. We don't forbid any browsers or browser versions from using Cockpit, but do have a feature check (and the most recent feature is around a year or two old, depending on the browser). But then, your browsers should've been upgraded a long time ago, as there are severe issues (including extremely awful security flaws) with all old browsers — this goes for Firefox, Chrome, Edge, Safari, etc. Nobody should ever run such an old, unsupported browser.

QazCetelic commented 1 year ago

@EmilioRui have you tried disabling Firefox advanced tracking protection? I had a similar issue and that worked for me.

jelly commented 1 year ago

I can reproduce this issue if I visit https://pkgbuild.com/~jelle/cockpit.html and open the link https://127.0.0.2:9091 in a new tab. I can try to login and see from PAM that authentication succeeded but GET | https://127.0.0.2:9091/cockpit/login returns 401.

the PAM session auths successfully, but cockpit-ws still returns 401

Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: USER_AUTH pid=1577 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix,pam_listfile acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: USER_ACCT pid=1577 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: CRED_ACQ pid=1577 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_listfile acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: USER_ROLE_CHANGE pid=1577 uid=0 auid=1000 ses=11 subj=system_u:system_r:cockpit_session_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 cockpit-session[1577]: pam_ssh_add: Failed adding some keys
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 systemd-logind[759]: New session 11 of user admin.
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 systemd[1]: Started session-11.scope - Session 11 of User admin.
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: USER_START pid=1577 uid=0 auid=1000 ses=11 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 cockpit-session[1577]: pam_unix(cockpit:session): session opened for user admin(uid=1000) by admin(uid=0)
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1577]: CRED_REFR pid=1577 uid=0 auid=1000 ses=11 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_listfile acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:172.27.0.2 addr=::ffff:172.27.0.2 terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1584]: USER_AUTH pid=1584 uid=1000 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="admin" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1584]: USER_ACCT pid=1584 uid=1000 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="admin" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1584]: USER_CMD pid=1584 uid=1000 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/" cmd=636F636B7069742D627269646765202D2D70726976696C65676564 exe="/usr/bin/sudo" terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 sudo[1584]:    admin : PWD=/ ; USER=root ; COMMAND=/usr/bin/cockpit-bridge --privileged
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1584]: CRED_REFR pid=1584 uid=1000 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 audit[1584]: USER_START pid=1584 uid=1000 auid=1000 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Jan 08 09:46:05 fedora-39-127-0-0-2-2201 sudo[1584]: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
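
Added example, not part of the comment above and not Cockpit's own code: a small Python parser for audit records like the ones quoted, which checks that every PAM stage logged by cockpit-session succeeded and decodes the hex-encoded cmd= field of the sudo USER_CMD record. The sample lines are abridged from the quoted log, and the function names are this example's own.

```python
import re

# Constructed sample: records abridged from the audit lines quoted above
# (timestamps, SELinux context and grantor lists dropped; field values unchanged).
SAMPLE = """\
audit[1577]: USER_AUTH pid=1577 uid=0 msg='op=PAM:authentication acct="admin" exe="/usr/libexec/cockpit-session" res=success'
audit[1577]: USER_ACCT pid=1577 uid=0 msg='op=PAM:accounting acct="admin" exe="/usr/libexec/cockpit-session" res=success'
audit[1577]: CRED_ACQ pid=1577 uid=0 msg='op=PAM:setcred acct="admin" exe="/usr/libexec/cockpit-session" res=success'
audit[1577]: USER_START pid=1577 uid=0 msg='op=PAM:session_open acct="admin" exe="/usr/libexec/cockpit-session" res=success'
audit[1584]: USER_CMD pid=1584 uid=1000 msg='cwd="/" cmd=636F636B7069742D627269646765202D2D70726976696C65676564 exe="/usr/bin/sudo" res=success'
""".splitlines()

COCKPIT_SESSION = "/usr/libexec/cockpit-session"
REQUIRED_OPS = {"authentication", "accounting", "setcred", "session_open"}
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def parse_audit(line):
    """Return {'type': ..., key: value, ...} for one journal audit line, else None."""
    m = re.search(r"audit\[\d+\]: (\w+) (.*)", line)
    if not m:
        return None
    rec = {"type": m.group(1)}
    for key, val in FIELD.findall(m.group(2)):
        if val.startswith('"'):
            val = val.strip('"')
        elif key == "cmd" and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
            # auditd hex-encodes unquoted values containing spaces or special characters
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

def pam_events(lines, exe=COCKPIT_SESSION):
    """List (op, result) for every PAM record logged by `exe`."""
    recs = filter(None, map(parse_audit, lines))
    return [(r["op"][4:], r.get("res")) for r in recs
            if r.get("exe") == exe and r.get("op", "").startswith("PAM:")]

def pam_login_succeeded(lines):
    """True only if all required PAM stages are present and none failed."""
    events = pam_events(lines)
    passed = {op for op, res in events if res == "success"}
    return all(res == "success" for _, res in events) and passed >= REQUIRED_OPS

def sudo_commands(lines):
    """Decoded command lines from USER_CMD records."""
    recs = filter(None, map(parse_audit, lines))
    return [r["cmd"] for r in recs if r["type"] == "USER_CMD" and "cmd" in r]
```

A true result from `pam_login_succeeded` alongside a 401 from `/cockpit/login` places the rejection after the PAM stack, which matches what the comment reports.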

GCTWorks commented 10 months ago

I am also having this problem just as described. I can reproduce it on multiple systems too.

Using Firefox 121, from Heimdall link to https://:9090, when logging in with the correct credentials, the login fails. In the console, the response from the GET | https://127.0.0.2:9091/cockpit/login returns 401.

If I go to the address bar, click into it, then just hit enter without changing the URL, then click Log In, it logs in just fine.

I have cleared everything in the browser like cookies and whatnot. I have disabled all the security settings I could find. I removed all extensions. It does not make a difference.

This does not seem to be a problem in Chrome.

jelly commented 10 months ago

@GCTWorks we are aware of the problem, there is a reproducer in my comment above. It indeed doesn't have to do with cookies, but another security mechanism (likely to prevent clickjacking, tricking users into authing with a different service from a different website) in Firefox.

We need to get some debug logs from cockpit-ws/cockpit-session and figure out what the real 401 reason is as authenticating works fine.

erentar commented 9 months ago

This problem has been bothering me for a while. How can I get you the logs you need?

Vodes commented 4 months ago

I'm not sure if it's of any help but I'm also running a Cockpit instance behind a reverse proxy, but with the slight twist that I'm using Cloudflare tunnels to access that proxy. The Cockpit subdomain also specifically has a "Cloudflare Access" auth in front of it, which causes the same issue as here.