Repository: karaf
Updated Branches: refs/heads/karaf-2.3.x 06043e37b -> 49f7e0217

[KARAF-2786] Comment the default ssh key and update configuration how to configure key

Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/49f7e021
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/49f7e021
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/49f7e021

Branch: refs/heads/karaf-2.3.x
Commit: 49f7e0217610e2bff290276462e7b0d02702b8f9
Parents: 06043e3
Author: Jean-Baptiste Onofré <[email protected]>
Authored: Fri Jul 25 22:10:59 2014 +0200
Committer: Jean-Baptiste Onofré <[email protected]>
Committed: Fri Jul 25 22:10:59 2014 +0200

----------------------------------------------------------------------
 .../main/distribution/text/etc/keys.properties |  7 ++-
 .../src/main/webapp/users-guide/security.conf  | 60 +++++++++++++++++++-
 2 files changed, 63 insertions(+), 4 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/karaf/blob/49f7e021/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
index 2eb3b01..35ec6ea 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
@@ -27,4 +27,9 @@ # and modifiable via the JAAS command group. These users reside in a JAAS domain # with the name "karaf".. # -karaf=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,admin + +# +# For security reason, the default auto-signed key is disabled. +# The user guide describes how to generate/update the key. +# +# karaf=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,admin http://git-wip-us.apache.org/repos/asf/karaf/blob/49f7e021/manual/src/main/webapp/users-guide/security.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/users-guide/security.conf b/manual/src/main/webapp/users-guide/security.conf index 482f633..b1ab90c 100644 --- a/manual/src/main/webapp/users-guide/security.conf +++ b/manual/src/main/webapp/users-guide/security.conf @@ -1,6 +1,6 @@ h1. Security -h2. Managing users and passwords +h2. Managing authentication by users and passwords The default security configuration uses a property file located at {{etc/users.properties}} to store authorized users and their passwords. 
@@ -18,6 +18,62 @@ The {{users.properties}} file contains one or more lines, each line defining a u user=password[,role][,role]... {code} +h2. Managing authentication by key + +For the SSH layer, Karaf supports the authentication by key, allowing to login without providing the password. + +The SSH client (so bin/client provided by Karaf itself, or any ssh client like OpenSSH) uses a public/private keys pair that +will identify himself on Karaf SSHD (server side). + +The keys allowed to connect are stored in {{etc/keys.properties}} file, following the format: + +{code} +user=key,role +{code} + +By default, Karaf allows a key for the karaf user: + +{code} +# karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,admin +{code} + +{warning} +For security reason, this key is disabled. We encourage to create the keys pair per client and update the {{etc/keys.properties}} file. +{warning} + +The easiest way to create key pair is to use OpenSSH. 
+ +You can create a key pair using: + +{code} +ssh-keygen -t dsa -f karaf.id_dsa -N karaf +{code} + +You have now the public and private keys: + +{code} +-rw------- 1 jbonofre jbonofre 771 Jul 25 22:05 karaf.id_dsa +-rw-r--r-- 1 jbonofre jbonofre 607 Jul 25 22:05 karaf.id_dsa.pub +{code} + +You can copy in the content of the {{karaf.id_dsa.pub}} file in the {{etc/keys.properties}}: + +{code} +karaf=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,admin +{code} + +and specify to the client to use the {{karaf.id_dsa}} private key: + +{code} +bin/client -k ~/karaf.id_dsa +{code} + +or to ssh + +{code} +ssh -p 8101 -i ~/karaf.id_dsa karaf@localhost +{code} + h2. Managing roles JAAS roles can be used by various components. The three management layers (SSH, JMX and WebConsole) all use a global role based authorization system. The default role name is configured in the {{etc/system.properties}} using the {{karaf.admin.role}} system property and the default value is {{admin}}. All users authenticating for the management layer must have this role defined. @@ -79,5 +135,3 @@ In addition, you may want to provide access to the classes from those providers {code} org.osgi.framework.bootdelegation = ...,org.bouncycastle* {code} - -
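Review bot: In the etc/keys.properties hunk, the new comment describes the disabled entry as "the default auto-signed key", but the line holds a public key that every Karaf distribution ships identically, so something like "the default public key shipped with the distribution is disabled" names the actual risk; "For security reason" should also read "For security reasons". Consider removing the commented-out `# karaf=...,admin` line instead of keeping it: a single un-comment re-enables exactly the shared key this commit is retiring, and the user guide already carries the example.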
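Review bot: In the security.conf "Managing authentication by key" hunk, the sentence "By default, Karaf allows a key for the karaf user:" is followed by a commented-out key and then a warning that the key is disabled; say "ships a disabled (commented-out) key for the karaf user" so the prose and the {warning} agree. The instruction "copy in the content of the {{karaf.id_dsa.pub}} file" is ambiguous given the example value `karaf=AAAAB3NzaC1kc3M...,admin`: spell out that only the base64 key material goes between `karaf=` and `,admin`, without the key-type prefix or trailing comment that ssh-keygen writes to the .pub file. The command `ssh-keygen -t dsa -f karaf.id_dsa -N karaf` documents a literal passphrase of `karaf`, which readers will copy verbatim and which ends up in shell history; either drop `-N` so ssh-keygen prompts, or mark the value as a placeholder to replace. Minor wording: "allowing to login without providing the password" -> "allowing login without a password", "a public/private keys pair that will identify himself on Karaf SSHD" -> "a public/private key pair that identifies the client to the Karaf SSHD server", "The easiest way to create key pair" -> "a key pair", and "You have now the public and private keys" -> "You now have the public and private keys".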
