How to authenticate clients with the Multipass service

See also: authenticate, local.passphrase, Service

Multipass requires clients to be authenticated with the service before allowing commands to complete.

Contents:

Setting the passphrase

A passphrase needs to be set by the administrator in order for clients to authenticate with the Multipass service. The client setting the passphrase will need to already be authenticated. There are two ways to set the passphrase.

To set the passphrase with an echoless interactive entry where the typed in passphrase is hidden from view:

$ multipass set local.passphrase
Please enter passphrase:
Please re-enter passphrase:

To set the passphrase in one single command where the passphrase is visible:

$ multipass set local.passphrase=foo

Authenticating the client


A client that is not authorized to connect to the Multipass service will fail when running multipass commands. An error will be displayed when this happens. For example:

$ multipass list
list failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.

At this time, the client will need to provide the previously set passphrase. This can be accomplished in two ways.

To authenticate with an echoless interactive entry where the typed in passphrase is hidden from view:

$ multipass authenticate
Please enter passphrase:

To authenticate in one single command where the passphrase is visible:

$ multipass authenticate foo

In case client cannot authorize and the passphrase cannot be set

It is possible that another client that is privileged to connect to the Multipass socket will connect first and make it seemingly impossible to set the local.passphrase and also authorize the client with the service. One will see something like the following:

$ multipass list
list failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.
$ multipass authenticate
Please enter passphrase: 
authenticate failed: Passphrase is not set. Please `multipass set local.passphrase` with a trusted client.
$ multipass set local.passphrase
Please enter passphrase: 
Please re-enter passphrase: 
set failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.

and then it seems impossible to authorize the client to connect to the service. This may not even work when using sudo.

The following workaround should help get out of this situation:

$ cat ~/snap/multipass/current/data/multipass-client-certificate/multipass_cert.pem | sudo tee -a /var/snap/multipass/common/data/multipassd/authenticated-certs/multipass_client_certs.pem > /dev/null
$ snap restart multipass

You may need sudo with this last command: sudo snap restart multipass.

At this point, your client should be authenticated with the Multipass service.

1 Like

I was using multipass by two different user accounts in the same machine, and one of them lost its authentication.

As I never set any passphrase (and preferred certificate authentication), I followed the In case client cannot authorize and the passphrase cannot be set section.

After adding my lost-authentication user’s certificate to /var/.../multipassd/authenticated-certs/ , snap restart multipass didn’t work. I had to restart multipassd:

snap restart multipass.multipassd

Not sure if snap restart multipass is even needed, but it would be good to add snap restart multipass.multipassd to the documentation anyways.

I had to use sudo for snap restart multipass.

Hi @jugmac00, I added a hint to this in the doc. I still kept the details on when you need sudo with snap commands out, because I think it would be out of scope and distracting from the main topic.

Completing it here instead: it depends on whether or not you’re logged in with snapd (snap login) and whether you’re already running as root (which authenticate applies to).

1 Like