cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

(Option to) reduce information leakage on login page and option to disable `connect with` #19852

Open JaneX8 opened 7 months ago

JaneX8 commented 7 months ago

The Login page leaks quite some information that I rather not, such as:

  1. in div#login-details and in the document title: the server hostname (can be different from the domain or IP used to access the WebUI)
  2. the default TLS cert contains the hostname in the CN too
  3. in div#main h1#brand: the OS type and version such as Ubuntu 22.04.3 LTS or Raspbian GNU/Linux
  4. in span#badge: the OS logo such as Ubuntu or Raspbian
  5. the favicon contains the OS logo too

Also, I would like to disable the connect with option on the login screen, not just hide the input box, disable the feature entirely.

No need to explain 'security through obscurity', I have a comprehensive multi-layered security approach, this should be only one of many things to harden it and lock it down. Also, I know I can proxy it and rewrite everything but I'd rather see this in the original project, preferably as the default behavior, or at least as an easy option to disable.
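A way to check which of the items listed above a given Cockpit login page actually exposes, as an added example (not Cockpit's own code): the element ids and the title/favicon locations come from the list, while the sample HTML and the `branding` favicon path are constructed assumptions.

```python
"""Scan a fetched Cockpit login page for hostname / OS identifiers.
Added example, not Cockpit's code; SAMPLE_LOGIN_PAGE is a constructed
stand-in for a real capture and the favicon path is an assumption."""
import re
from html.parser import HTMLParser

SAMPLE_LOGIN_PAGE = """<html><head><title>Login - srv01.internal.example</title>
<link rel="shortcut icon" href="../static/branding/favicon.ico"></head>
<body><div id="main"><h1 id="brand">Ubuntu 22.04.3 LTS</h1>
<span id="badge"></span>
<div id="login-details">srv01.internal.example</div></div></body></html>"""


class _TextByTag(HTMLParser):
    """Collect the text of <title> and of the watched element ids."""
    WATCHED = {"login-details", "brand", "badge"}

    def __init__(self):
        super().__init__()
        self.texts = {}          # location -> text content
        self._key = self._tag = None

    def handle_starttag(self, tag, attrs):
        ident = "title" if tag == "title" else dict(attrs).get("id")
        if ident == "title" or ident in self.WATCHED:
            self._key, self._tag = ident, tag
            self.texts.setdefault(ident, "")

    def handle_endtag(self, tag):
        if tag == self._tag:             # leaving the watched element
            self._key = self._tag = None

    def handle_data(self, data):
        if self._key is not None:
            self.texts[self._key] += data.strip()


def find_leaks(html, hostname, os_pretty_name):
    """Map each location that exposes the hostname or OS string to it."""
    parser = _TextByTag()
    parser.feed(html)
    leaks = {}
    for location, text in parser.texts.items():
        for needle in (hostname, os_pretty_name):
            if needle and needle.lower() in text.lower():
                leaks[location] = needle
    # A favicon served from the branding directory carries the distro logo.
    if re.search(r'rel="(?:shortcut )?icon"[^>]*branding', html):
        leaks["favicon"] = "branding icon"
    return leaks
```

Run it against the HTML of your own login page (e.g. saved with curl) with the real hostname and the PRETTY_NAME from /etc/os-release to see what a hardening change actually removed.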

JaneX8 commented 7 months ago

Ok, two things (as documented here) can currently already be addressed by creating a cockpit.conf file in /etc/cockpit or editing the existing one.

  1. The hostname in div#login-details and title can be hidden with LoginTitle as shown below.
  2. The connect with option can be hidden using LoginTo=False. Assuming that issue https://github.com/cockpit-project/cockpit/issues/18540 has been fixed.

```ini
[WebService]
# Prevent the user to log into another server (if this is fixed: https://github.com/cockpit-project/cockpit/issues/18540)
# Also see https://github.com/cockpit-project/cockpit/commit/29500b32c66dff16ec4aabf119a5772f007a007e
LoginTo = false

# Disable hostname leakage in title
# Does not work fully as expected, see: https://github.com/cockpit-project/cockpit/issues/19852#issuecomment-1900509361
LoginTitle = cockpit
```

Then restart cockpit: `service cockpit restart`

The documentation regarding Banner seems incorrect:

The contents of the specified file (commonly /etc/issue) are shown on the login page. By default, no banner is displayed.

However, by default the banner is shown on the login page, such as Ubuntu 22.04.3 LTS when `cat /etc/issue` is indeed `Ubuntu 22.04.3 LTS \n \l`. I also don't understand why it's documented under [Session], because it's about the login screen, when there may not be a session yet. It should probably be under [WebService] instead. I tried to override it by setting Banner under Session as documented, but it had no effect on the login page.

jelly commented 7 months ago

> Ok, two things (as documented here) can currently already be addressed by creating a cockpit.conf file in /etc/cockpit or editing the existing one. Assuming that issue #18540 has been fixed.
>
> ```ini
> [WebService]
> # Prevent the user to log into another server (if this is fixed: https://github.com/cockpit-project/cockpit/issues/18540)
> LoginTo = false
>
> # Disable hostname leakage in title
> LoginTitle = cockpit
> ```
>
> Then restart cockpit: `service cockpit restart`
>
> The documentation regarding Banner seems incorrect:
>
> The contents of the specified file (commonly /etc/issue) are shown on the login page. By default, no banner is displayed.
>
> However, by default the banner is shown on the login page, such as Ubuntu 22.04.3 LTS when `cat /etc/issue` is indeed `Ubuntu 22.04.3 LTS \n \l`. I also don't understand why it's documented under [Session], because it's about the login screen, when there may not be a session yet. It should probably be under [WebService] instead. I tried to override it by setting Banner under Session as documented, but it had no effect on the login page.

The banner is hidden for me by default:

image

Maybe you mean the branding? For example what is shown for Fedora:

image

JaneX8 commented 7 months ago

Both branding and full OS with version (3 branding, 4 logo, and 5 favicon in the question). Here are two examples:

image

image

JaneX8 commented 7 months ago

Additionally I would like (an option) to disable the 'view password' option on the login screen.

image

jelly commented 7 months ago

> Additionally I would like (an option) to disable the 'view password' option on the login screen.
>
> image

I don't see this as a security issue, it is a common practice overall on various services to allow a user to view its entered password. If someone is able to flip this switch while you are behind your computer, there is lower hanging fruit to resolve.

> Both branding and full OS with version (3 branding, 4 logo, and 5 favicon in the question). Here are two examples:
>
> image
>
> image

Right, so those are all from branding, unrelated to the banner.

JaneX8 commented 7 months ago

As a workaround I tried to empty the /etc/issue file and restarted cockpit service. But that doesn't remove it either.

JaneX8 commented 7 months ago

> Right, so those are all from branding, unrelated to the banner.

Hence this feature request :).

JaneX8 commented 7 months ago

```ini
LoginTitle = cockpit
```

Also does not work as expected. The new value cockpit is also shown on the login page in the grey area below the form; however, when submitting a false login the value is replaced with the server hostname.