Authentication
A single-admin login protects the entire console. Every /api route requires authentication.
How it works
- Passwords are hashed with PBKDF2-HMAC-SHA256 — never stored in plaintext.
- Sessions use an HS256 JWT stored in an httpOnly cookie.
- First login forces you to set a password before anything else is reachable.
- Optional self-signed (or Let's Encrypt) TLS encrypts the connection.
Lock-out protection
After 3 failed logins the console locks and records the attacker's IP and timestamps to a lock file. To unlock, SSH into the server and remove the lock file:
unlock
sudo rm /var/lib/linux-pro/state/login.lock
Note
The Terminal's WebSocket is origin-pinned (same-origin / console domain / localhost) to close the cross-site WebSocket hijacking vector.