`multipass authenticate` command

See also: local.passhprase

[Since version 1.9.0]

The multipass authenticate command allows a client to authenticate with the Multipass service. Once authenticated, the client can issue commands such as list, launch, etc.

$ multipass authenticate --help
Usage: multipass authenticate [options] [<passphrase>]
Authenticate with the Multipass service.
A system administrator should provide you with a passphrase
to allow use of the Multipass service.

Options:
  -h, --help     Display this help
  -v, --verbose  Increase logging verbosity. Repeat the 'v' in the short option
                 for more detail. Maximum verbosity is obtained with 4 (or more)
                 v's, i.e. -vvvv.

Arguments:
  passphrase     Passphrase to register with the Multipass service. If omitted,
                 a prompt will be displayed for entering the passphrase.

To help reduce the amount of typing for authenticate, one can also use multipass auth as an alias:

$ multipass auth foo

If no passphrase is given in the authenticate command line, a prompt will be displayed in order to enter the passphrase:

$ multipass authenticate
Please enter passphrase:

How it works

Linux & macoOS

Linux and macOS hosts currently use a Unix domain socket for client and daemon communication. Upon first use, this socket only allows a client to connect via a user who belongs to the particular group the socket is owned by. For example, this group could be sudo, admin, or wheel and the user needs to belong to this group or else permission will be denied when connecting.

After the first client connects with a user belonging to the socket’s admin group, the client’s OpenSSL certificate will be accepted by the daemon and the socket will be then be open for all users to connect. Any other user trying to connect to the Multipass service will need to authenticate with the service using the previously set local.passphrase.

Windows

The Windows host uses a TCP socket listening on port 50051 for client connections. This socket is open for all to use since there is no concept of file ownership for TCP sockets. This is not very secure in that any Multipass client can connect to the service and issue any commands.

To close this gap, the client will now need to be authenticated with the Multipass service. To ease the burden of having to authenticate the client, the user who installs the updated version of Multipass will automatically have their clients authenticated with the service. Any other users connecting to the service will have to use authenticate using the previously set local.passphrase.