cockpit-ws

Start with authentication via SSH at 127.0.0.1 with port 22 enabled

$ cockpit-ws --local-ssh

$ cockpit-ws --port [port]

$ cockpit-ws --address [ip_address]

$ cockpit-ws --no-tls

$ cockpit-ws --help

cockpit-ws [OPTIONS...]

--port=PORT
    Specifies the TCP port that cockpit-ws listens on (default 9090).

--listen-address=ADDRESS
    Specifies the IP address cockpit-ws binds to. By default, it listens on all configured network interfaces.

--local-ssh
    Forces cockpit-ws to connect to cockpit-bridge via SSH on localhost instead of directly. Useful in certain proxy setups.

--no-tls
    Disables HTTPS (TLS) encryption. Highly insecure and should only be used for debugging on trusted networks.

--no-pam
    Disables PAM authentication. Extremely insecure and should never be used in production environments.

--help
    Displays a brief help message and exits.

--version
    Displays the cockpit-ws version information and exits.

cockpit-ws is the core web server component of the Cockpit project, an open-source, web-based graphical interface for managing Linux servers. It typically listens on TCP port 9090 (by default) for HTTPS connections, serving the necessary web assets (HTML, CSS, JavaScript) to the user's browser. Furthermore, it establishes WebSocket connections that facilitate real-time communication with the underlying system through the cockpit-bridge process.

cockpit-ws handles user authentication, often via PAM, and manages web sessions, making it indispensable for providing a secure and interactive web-based administration experience. It allows users to monitor performance, manage services, view logs, configure networking, and perform various administrative tasks directly from a web browser without needing a separate client application.

Normally, cockpit-ws is started and managed by the systemd socket activation service (cockpit.socket), meaning it's rarely invoked directly by users. Disabling TLS (--no-tls) or PAM authentication (--no-pam) makes the server highly insecure and should only be done for debugging purposes in controlled environments. Ensure port 9090 (or custom port) is open in the firewall for external access.

cockpit-ws defaults to listening on TCP port 9090, exclusively using HTTPS (TLS) for secure communication. It integrates with the system's Pluggable Authentication Modules (PAM) for user authentication, ensuring that only authenticated users with sufficient privileges can access the server.

cockpit-ws serves the static web assets (HTML, CSS, JavaScript) to your browser and establishes WebSocket connections. These WebSockets communicate with the cockpit-bridge process, which in turn interacts with system services, D-Bus, and the shell to execute commands and retrieve system information, providing a real-time interactive experience.

The Cockpit project, including cockpit-ws, was initiated by Red Hat and first publicly released around 2014. Its primary goal was to provide a modern, web-based interface for managing Linux servers without abstracting away underlying system tools and concepts. cockpit-ws has been a core component since its inception, responsible for the web interface and secure communication, evolving alongside web technologies and Linux distribution features like systemd and Podman.

cockpit(1), cockpit-bridge(8), systemd(1), sshd(8), firewalld(8)