Repository: karaf
Updated Branches:
refs/heads/karaf-2.x 916491103 -> 6879a4e07
[KARAF-2786] Comment the default ssh key and update configuration how to
configure key
Conflicts:
assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/6879a4e0
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/6879a4e0
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/6879a4e0
Branch: refs/heads/karaf-2.x
Commit: 6879a4e075c5c22a329869829ad0472cf70738a3
Parents: 9164911
Author: Jean-Baptiste Onofré <[email protected]>
Authored: Fri Jul 25 22:10:59 2014 +0200
Committer: Jean-Baptiste Onofré <[email protected]>
Committed: Fri Jul 25 22:12:49 2014 +0200
----------------------------------------------------------------------
.../main/distribution/text/etc/keys.properties | 6 +-
.../src/main/webapp/users-guide/security.conf | 60 +++++++++++++++++++-
2 files changed, 62 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/6879a4e0/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
----------------------------------------------------------------------
diff --git
a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
index 36d3c0d..a13d3e6 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
@@ -27,5 +27,9 @@
# and modifiable via the JAAS command group. These users reside in a JAAS
domain
# with the name "karaf"..
#
-karaf=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,_g_:admingroup
+#
+# For security reason, the default auto-signed key is disabled.
+# The user guide describes how to generate/update the key.
+#
+#karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer
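Review bot: commenting the key out leaves the well-known public key in the shipped `etc/keys.properties`, so it can be re-enabled by deleting a single `#`; since the new comment says the key is disabled for security reasons, replace the value with an obvious placeholder such as `#karaf=<public key>,_g_:admingroup` and let the user guide carry the worked example. Two wording points in the same block: `For security reason` should read `For security reasons`, and `auto-signed` is not a term that applies to an SSH key pair (nothing signs it); `default key` says what is meant. The pre-existing context line `with the name "karaf"..` has a doubled period that is worth fixing while this block is being touched.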
http://git-wip-us.apache.org/repos/asf/karaf/blob/6879a4e0/manual/src/main/webapp/users-guide/security.conf
----------------------------------------------------------------------
diff --git a/manual/src/main/webapp/users-guide/security.conf
b/manual/src/main/webapp/users-guide/security.conf
index 482f633..b1ab90c 100644
--- a/manual/src/main/webapp/users-guide/security.conf
+++ b/manual/src/main/webapp/users-guide/security.conf
@@ -1,6 +1,6 @@
h1. Security
-h2. Managing users and passwords
+h2. Managing authentication by users and passwords
The default security configuration uses a property file located at
{{etc/users.properties}} to store authorized users and their passwords.
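Review bot: the new heading `Managing authentication by users and passwords` reads awkwardly; `Managing authentication by username and password` matches the `user=password[,role]...` format documented in this section and parallels the new `Managing authentication by key` heading added below.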
@@ -18,6 +18,62 @@ The {{users.properties}} file contains one or more lines,
each line defining a u
user=password[,role][,role]...
{code}
+h2. Managing authentication by key
+
+For the SSH layer, Karaf supports the authentication by key, allowing to login
without providing the password.
+
+The SSH client (so bin/client provided by Karaf itself, or any ssh client like
OpenSSH) uses a public/private keys pair that
+will identify himself on Karaf SSHD (server side).
+
+The keys allowed to connect are stored in {{etc/keys.properties}} file,
following the format:
+
+{code}
+user=key,role
+{code}
+
+By default, Karaf allows a key for the karaf user:
+
+{code}
+#
karaf=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,admin
+{code}
+
+{warning}
+For security reason, this key is disabled. We encourage to create the keys
pair per client and update the {{etc/keys.properties}} file.
+{warning}
+
+The easiest way to create key pair is to use OpenSSH.
+
+You can create a key pair using:
+
+{code}
+ssh-keygen -t dsa -f karaf.id_dsa -N karaf
+{code}
+
+You have now the public and private keys:
+
+{code}
+-rw------- 1 jbonofre jbonofre 771 Jul 25 22:05 karaf.id_dsa
+-rw-r--r-- 1 jbonofre jbonofre 607 Jul 25 22:05 karaf.id_dsa.pub
+{code}
+
+You can copy in the content of the {{karaf.id_dsa.pub}} file in the
{{etc/keys.properties}}:
+
+{code}
+karaf=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,admin
+{code}
+
+and specify to the client to use the {{karaf.id_dsa}} private key:
+
+{code}
+bin/client -k ~/karaf.id_dsa
+{code}
+
+or to ssh
+
+{code}
+ssh -p 8101 -i ~/karaf.id_dsa karaf@localhost
+{code}
+
h2. Managing roles
JAAS roles can be used by various components. The three management layers
(SSH, JMX and WebConsole) all use a global role based authorization system. The
default role name is configured in the {{etc/system.properties}} using the
{{karaf.admin.role}} system property and the default value is {{admin}}. All
users authenticating for the management layer must have this role defined.
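Review bot: the example under "You can copy in the content of the {{karaf.id_dsa.pub}} file" shows exactly the same key value as the "By default, Karaf allows a key for the karaf user" block, i.e. the key this section says is disabled; a reader following the steps literally re-enables the shared default key instead of installing the freshly generated one. Use a clearly marked placeholder (for example `karaf=<content of karaf.id_dsa.pub>,admin`) or a key generated for the example. Three further points in this hunk: `ssh-keygen -t dsa -f karaf.id_dsa -N karaf` sets the private-key passphrase to the literal string `karaf` without saying so, so either drop `-N` so the user is prompted or state that it is the passphrase and must be chosen by the user; the `.pub` file produced by ssh-keygen holds `ssh-dss <base64> <comment>` while `keys.properties` takes only the base64 part (as the `karaf=AAAAB3...` line shows), so say which part to copy; and the examples assign the role `admin` while the shipped `keys.properties` uses `_g_:admingroup`, which should be consistent. The sentence "By default, Karaf allows a key for the karaf user" also contradicts the warning that the key is disabled; "ships a commented-out key" is accurate. Grammar: "allowing to login without providing the password" should read "allowing login without a password", "will identify himself" should be "identifies itself", "the keys pair per client" should be "a key pair per client", and "For security reason" should be "For security reasons".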
@@ -79,5 +135,3 @@ In addition, you may want to provide access to the classes
from those providers
{code}
org.osgi.framework.bootdelegation = ...,org.bouncycastle*
{code}
-
-