How to authenticate clients with the Multipass service

See also: authenticate, local.passphrase, Service

[since version 1.9.0]

Multipass requires clients to be authenticated with the service before allowing commands to complete.

Contents:

Setting the passphrase

A passphrase needs to be set by the administrator in order for clients to authenticate with the Multipass service. The client setting the passphrase will need to already be authenticated. There are two ways to set the passphrase.

To set the passphrase with an echoless interactive entry where the typed in passphrase is hidden from view:

$ multipass set local.passphrase
Please enter passphrase:
Please re-enter passphrase:

To set the passphrase in one single command where the passphrase is visible:

$ multipass set local.passphrase=foo

Authenticating the client


A client that is not authorized to connect to the Multipass service will fail when running multipass commands. An error will be displayed when this happens. For example:
$ multipass list
list failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.

At this time, the client will need to provide the previously set passphrase. This can be accomplished in two ways.

To authenticate with an echoless interactive entry where the typed in passphrase is hidden from view:

$ multipass authenticate
Please enter passphrase:

To authenticate in one single command where the passphrase is visible:

$ multipass authenticate foo

In case client cannot authorize and the passphrase cannot be set

It is possible that another client that is privileged to connect to the Multipass socket will connect first and make it seemingly impossible to set the local.passphrase and also authorize the client with the service. One will see something like the following:

$ multipass list
list failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.
$ multipass authenticate
Please enter passphrase: 
authenticate failed: Passphrase is not set. Please `multipass set local.passphrase` with a trusted client.
$ multipass set local.passphrase
Please enter passphrase: 
Please re-enter passphrase: 
set failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.

and then it seems impossible to authorize the client to connect to the service. This may not even work when using sudo.

The following workaround should help get out of this situation:

$ cat ~/snap/multipass/current/data/multipass-client-certificate/multipass_cert.pem | sudo tee -a /var/snap/multipass/common/data/multipassd/authenticated-certs/multipass_client_certs.pem > /dev/null
$ snap restart multipass

At this point, your client should be authenticated with the Multipass service.

1 Like