Skip to content
DocsSecurityAuthentication

Authentication

A single-admin login protects the entire console. Every /api route requires authentication.

How it works

  • Passwords are hashed with PBKDF2-HMAC-SHA256 — never stored in plaintext.
  • Sessions use an HS256 JWT stored in an httpOnly cookie.
  • First login forces you to set a password before anything else is reachable.
  • Optional self-signed (or Let's Encrypt) TLS encrypts the connection.

Lock-out protection

After 3 failed logins the console locks and records the attacker's IP and timestamps to a lock file. To unlock, SSH into the server and remove the lock file:

unlock
sudo rm /var/lib/linux-pro/state/login.lock
Note
The Terminal's WebSocket is origin-pinned (same-origin / console domain / localhost) to close the cross-site WebSocket hijacking vector.