Chapter 5. Managing remote systems in the web console


You can connect to remote systems and manage them in the Red Hat Enterprise Linux web console, enabling you to monitor and administer systems across your network from a single central interface.

For security reasons, use the following network setup of remote systems managed by the web console:

  • Configure one system as a bastion host. The bastion host is a system with an open HTTPS port.
  • All other systems communicate through SSH.

With the web interface running on the bastion host, you can reach all other systems through the SSH protocol.

You can connect to a remote system by using the SSH protocol directly from the login page of the RHEL web console. After you log in remotely, connection traffic is encrypted, and you can manage the remote system in the graphical interface of the web console.

Prerequisites

  • You have installed the RHEL 10 web console.

    For instructions, see Installing and enabling the web console.

  • The cockpit-system package is installed on the remote system.
  • The sshd service runs on the remote system, and the corresponding port is allowed in the firewall.

Procedure

  1. Open the web console login page.
  2. Specify the username on the remote host in the User name field.
  3. Click Other options to reveal the Connect to text field.
  4. Specify the remote host you want to connect to using SSH in the Connect to text field. If you do not specify any port, the web console attempts to connect to port 22 on the specified remote host.

    The remote SSH login directly from the web console login page
  5. Click Log in.

5.2. Adding remote hosts to the web console

When logged in to the RHEL web console, you can switch between the local system and multiple remote hosts through the host switcher in the top left corner of the Overview page. You can connect to and manage a remote system after you add its credentials to the host switcher.

Prerequisites

Procedure

  1. In your terminal, open or create the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your preference.
  2. Add the following text:

    [WebService]
    AllowMultiHost=yes

    Warning

    The host switcher is deprecated and disabled by default. Due to web technology limitations, this feature cannot be secure. Do not enable the host switcher if you connect to untrusted hosts, because all connected systems can make arbitrary changes to the rest of the connected systems. As a more secure alternative, you can either use the web console login page with the secure limit of one host in a web browser session or the Cockpit Client Flatpak.

  3. Save the file.
  4. Restart the web console to ensure the changes take effect.

    # systemctl try-restart cockpit
  5. In the RHEL web console, click <username>@<hostname> in the top left corner of the Overview page.

    username@hostname drop-down menu

  6. In the drop-down menu, click Add new host.
  7. In the Add new host dialog box, specify the host you want to add.
  8. Optional: Add the username for the account you want to connect to.

    You can use any user account of the remote system. However, if you use the credentials of a user account without administration privileges, you cannot perform administration tasks.

    If you use the same credentials as on your local system, the web console authenticates remote systems automatically every time you log in.

    Important

    The web console does not save passwords used to log in to remote systems.

  9. Optional: Click the Color field to change the color of the system.
  10. Click Add.

Verification

  • The new host is listed in the <username>@<hostname> drop-down menu.
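Because the warning above makes AllowMultiHost=yes a setting worth auditing, the following check reports whether a given cockpit.conf enables the host switcher. It is an added example, not part of the Red Hat documentation; the function name host_switcher_state is hypothetical, and treating yes, true and 1 (in any letter case) as "enabled" is an assumption chosen to err on the side of flagging.

```shell
#!/bin/sh
# Added example: report whether a cockpit.conf enables the deprecated host switcher.

# host_switcher_state FILE
# Prints "enabled", "disabled" or "unset". The key only counts inside the
# [WebService] section; '#' comment lines are ignored; the last assignment wins.
host_switcher_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        BEGIN { state = "unset" }
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                            # section header, e.g. [WebService]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec == "WebService" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)     # trim whitespace around key
            gsub(/^[ \t]+|[ \t]+$/, "", val)     # trim whitespace around value
            if (key == "AllowMultiHost") {
                v = tolower(val)                 # assumption: accept any letter case
                state = (v == "yes" || v == "true" || v == "1") ? "enabled" : "disabled"
            }
        }
        END { print state }
    ' "$conf"
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed cockpit.conf for the example
[WebService]
AllowMultiHost=yes
EOF
echo "host switcher: $(host_switcher_state "$sample")"
rm -f "$sample"
```

On a managed system, pass /etc/cockpit/cockpit.conf as the argument; any result other than "enabled" means the host switcher keeps its disabled default or is explicitly turned off.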

5.3. Enabling SSH login for a new host

You can enable secure SSH login for a new remote host that uses key-based authentication in the RHEL web console.

If you already have an SSH key on your system, the web console uses the existing one; otherwise, it can create a key.

Prerequisites

Procedure

  1. Log in to the RHEL 10 web console.
  2. In the RHEL web console, click <username>@<hostname> in the top left corner of the Overview page.

    username@hostname drop-down menu
  3. In the drop-down menu, click Add new host.
  4. In the Add new host dialog box, specify the host you want to add. If you connect to the host for the first time, you must click Trust and add new host in the following dialog box.
  5. The password dialog box differs depending on the existence of an SSH key file on the host:

    1. If you already have the SSH key for the host, select the Authorize SSH key option.
    2. If you do not have the SSH key, select the Create a new SSH key and authorize it option. The web console creates the key.
  6. Add and confirm a password for the SSH key.
  7. Click Log in.

Verification

  1. Log out.
  2. Log back in.
  3. Click Log in in the Not connected to host screen.
  4. Select SSH key as your authentication option.
  5. Enter your key password.
  6. Click Log in.

After logging in to a user account on the RHEL web console, you can connect to remote machines by using the SSH protocol. You can use the constrained delegation feature to use SSH without being asked to authenticate again.

In the example procedure, the web console session runs on the myhost.idm.example.com host, and you configure the console to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) on myhost.idm.example.com.
  • You have root access to remote.idm.example.com.
  • The host that runs the web console is a member of an IdM domain.

Procedure

  1. In the Terminal page, verify that the web console has created a Service for User to Proxy (S4U2proxy) Kerberos ticket in the user session:

    $ klist
    …
    Valid starting     Expires            Service principal
    05/20/25 09:19:06 05/21/25 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
  2. Create a list of the target hosts that the delegation rule can access:

    1. Create a service delegation target:

      $ ipa servicedelegationtarget-add cockpit-target
    2. Add the target host to the delegation target:

      $ ipa servicedelegationtarget-add-member cockpit-target \
        --principals=host/remote.idm.example.com@IDM.EXAMPLE.COM
  3. Allow cockpit sessions to access the target host list by creating a service delegation rule and adding the HTTP service Kerberos principal to it:

    1. Create a service delegation rule:

      $ ipa servicedelegationrule-add cockpit-delegation
    2. Add the web console client to the delegation rule:

      $ ipa servicedelegationrule-add-member cockpit-delegation \
        --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    3. Add the delegation target to the delegation rule:

      $ ipa servicedelegationrule-add-target cockpit-delegation \
        --servicedelegationtargets=cockpit-target
  4. Enable Kerberos authentication on the remote.idm.example.com host:

    1. Connect through SSH to remote.idm.example.com as root.
    2. Add the GSSAPIAuthentication yes line to the /etc/ssh/sshd_config file.
  5. Restart the sshd service on remote.idm.example.com so that the changes take effect immediately:

    $ systemctl try-restart sshd.service

After logging in to a user account on the RHEL web console, you can connect to remote machines by using the SSH protocol. You can use the servicedelegationrule and servicedelegationtarget Ansible modules to configure the web console for the constrained delegation feature, which enables SSH connections without being asked to authenticate again.

In the example procedure, the web console session runs on the myhost.idm.example.com host and you configure it to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) on myhost.idm.example.com.
  • You have root access to remote.idm.example.com.
  • The host that runs the web console is a member of an IdM domain.
  • You have configured your Ansible control node to meet the following requirements:

    • You have installed the ansible-freeipa package.
    • The example assumes you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • The example assumes that the secret.yml Ansible vault stores the admin password in the ipaadmin_password variable.

      See the /usr/share/doc/ansible-freeipa/playbooks/servicedelegationtarget and /usr/share/doc/ansible-freeipa/playbooks/servicedelegationrule directories for example playbooks and the README-servicedelegationrule.md and README-servicedelegationtarget.md files in the /usr/share/doc/ansible-freeipa/ directory for more information.

  • The target node, that is the node on which the ansible-freeipa module runs, is part of the IdM domain as an IdM client, server, or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory:

    $ cd ~/MyPlaybooks/
  2. Store your sensitive variables in an encrypted file:

    1. Create the vault:

      $ ansible-vault create secret.yml
      New Vault password: <vault_password>
      Confirm New Vault password: <vault_password>
    2. After the ansible-vault create command opens an editor, enter the sensitive data in the <key>: <value> format:

      ipaadmin_password: <admin_password>
    3. Save the changes, and close the editor. Ansible encrypts the data in the vault.
  3. In the Terminal page, verify that the web console has created a Service for User to Proxy (S4U2proxy) Kerberos ticket in the user session:

    $ klist
    …
    Valid starting     Expires            Service principal
    05/20/25 09:19:06 05/21/25 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
  4. Create a web-console-smart-card-ssh.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target:

      ---
      - name: Playbook to create a constrained delegation target
        hosts: ipaserver
      
        vars_files:
        - /home/user_name/MyPlaybooks/secret.yml
        tasks:
        - name: Ensure servicedelegationtarget web-console-delegation-target is present
          ipaservicedelegationtarget:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-target
    2. Add a task that adds the target host to the delegation target:

        - name: Ensure servicedelegationtarget web-console-delegation-target member principal host/remote.idm.example.com@IDM.EXAMPLE.COM is present
          ipaservicedelegationtarget:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-target
            principal: host/remote.idm.example.com@IDM.EXAMPLE.COM
            action: member
    3. Add a task that ensures the presence of a delegation rule:

        - name: Ensure servicedelegationrule web-console-delegation-rule is present
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
    4. Add a task that ensures that the Kerberos principal of the web console client service is a member of the constrained delegation rule:

        - name: Ensure the Kerberos principal of the web console client service is added to the servicedelegationrule web-console-delegation-rule
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
            principal: HTTP/myhost.idm.example.com
            action: member
    5. Add a task that ensures that the constrained delegation rule is associated with the web-console-delegation-target delegation target:

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
          ipaservicedelegationrule:
            ipaadmin_password: "{{ ipaadmin_password }}"
            name: web-console-delegation-rule
            target: web-console-delegation-target
            action: member
    6. Add a play that enables Kerberos authentication on remote.idm.example.com:

      # Separate play, at the same level as the first play (not under its tasks)
      - name: Enable Kerberos authentication
        hosts: remote.idm.example.com
        vars:
          sshd_config:
            GSSAPIAuthentication: true
        roles:
          - role: rhel-system-roles.sshd
  5. Save the file.
  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-ssh.yml