Repository: karaf Updated Branches: refs/heads/master dcfaa1512 -> 0c69a7f4e
[KARAF-2786] Comment the default ssh key and update configuration how to configure key Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/0c69a7f4 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/0c69a7f4 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/0c69a7f4 Branch: refs/heads/master Commit: 0c69a7f4e6b24fb6c86f0decaa5498968c0a97ab Parents: dcfaa15 Author: Jean-Baptiste Onofré <[email protected]> Authored: Fri Jul 25 22:19:40 2014 +0200 Committer: Jean-Baptiste Onofré <[email protected]> Committed: Fri Jul 25 22:20:29 2014 +0200 ---------------------------------------------------------------------- .../resources/resources/etc/keys.properties | 7 ++- .../src/main/webapp/users-guide/security.conf | 58 +++++++++++++++++++- 2 files changed, 63 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/0c69a7f4/assemblies/features/framework/src/main/resources/resources/etc/keys.properties ---------------------------------------------------------------------- diff --git a/assemblies/features/framework/src/main/resources/resources/etc/keys.properties b/assemblies/features/framework/src/main/resources/resources/etc/keys.properties index 36d3c0d..ce006a1 100644 --- a/assemblies/features/framework/src/main/resources/resources/etc/keys.properties +++ b/assemblies/features/framework/src/main/resources/resources/etc/keys.properties 
@@ -27,5 +27,10 @@ # and modifiable via the JAAS command group. These users reside in a JAAS domain # with the name "karaf".. # -karaf=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,_g_:admingroup + +# +# For security reason, the default auto-signed key is disabled. +# The user guide describes how to generate/update the key. +# +#karaf=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,_g_:admingroup _g_\:admingroup = group,admin,manager,viewer http://git-wip-us.apache.org/repos/asf/karaf/blob/0c69a7f4/manual/src/main/webapp/users-guide/security.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/users-guide/security.conf b/manual/src/main/webapp/users-guide/security.conf index 8a4ee6c..1d601c0 100644 --- a/manual/src/main/webapp/users-guide/security.conf +++ b/manual/src/main/webapp/users-guide/security.conf 
@@ -330,6 +330,62 @@ The {{etc/org.apache.karaf.jaas.cfg}} configuration file allows you to define ad * the {{encryption.encoding}} property defines the encoding of the encrypted password. The possible values are {{hexadecimal}} or {{base64}}. The default value is {{hexadecimal}}. +h2. Managing authentication by key + +For the SSH layer, Karaf supports the authentication by key, allowing to login without providing the password. + +The SSH client (so bin/client provided by Karaf itself, or any ssh client like OpenSSH) uses a public/private keys pair that +will identify himself on Karaf SSHD (server side). + +The keys allowed to connect are stored in {{etc/keys.properties}} file, following the format: + +{code} +user=key,role +{code} + +By default, Karaf allows a key for the karaf user: + +{code} +# karaf=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,admin +{code} + +{warning} +For security reason, this key is disabled. We encourage to create the keys pair per client and update the {{etc/keys.properties}} file. +{warning} + +The easiest way to create key pair is to use OpenSSH. 
+ +You can create a key pair using: + +{code} +ssh-keygen -t dsa -f karaf.id_dsa -N karaf +{code} + +You have now the public and private keys: + +{code} +-rw------- 1 jbonofre jbonofre 771 Jul 25 22:05 karaf.id_dsa +-rw-r--r-- 1 jbonofre jbonofre 607 Jul 25 22:05 karaf.id_dsa.pub +{code} + +You can copy in the content of the {{karaf.id_dsa.pub}} file in the {{etc/keys.properties}}: + +{code} +karaf=AAAAB3NzaC1kc3MAAACBAJLj9vnEhu3/Q9Cvym2jRDaNWkATgQiHZxmErCmiLRuD5Klfv+HT/+8WoYdnvj0YaXFP80phYhzZ7fbIO2LRFhYhPmGLa9nSeOsQlFuX5A9kY1120yB2kxSIZI0fU2hy1UCgmTxdTQPSYtdWBJyvO/vczoX/8I3FziEfss07Hj1NAAAAFQD1dKEzkt4e7rBPDokPOMZigBh4kwAAAIEAiLnpbGNbKm8SNLUEc/fJFswg4G4VjjngjbPZAjhkYe4+H2uYmynry6V+GOTS2kaFQGZRf9XhSpSwfdxKtx7vCCaoH9bZ6S5Pe0voWmeBhJXi/Sww8f2stpitW2Oq7V7lDdDG81+N/D7/rKDD5PjUyMsVqc1n9wCTmfqmi6XPEw8AAACAHAGwPn/Mv7P9Q9+JZRWtGq+i4pL1zs1OluiStCN9e/Ok96t3gRVKPheQ6IwLacNjC9KkSKrLtsVyepGA+V5j/N+Cmsl6csZilnLvMUTvL/cmHDEEhTIQnPNrDDv+tED2BFqkajQqYLgMWeGVqXsBU6IT66itZlYtrq4v6uDQG/o=,admin +{code} + +and specify to the client to use the {{karaf.id_dsa}} private key: + +{code} +bin/client -k ~/karaf.id_dsa +{code} + +or to ssh + +{code} +ssh -p 8101 -i ~/karaf.id_dsa karaf@localhost +{code} + h2. RBAC Apache Karaf uses the roles to control the access to the resources: it's a RBAC (Role Based Access Control) system. @@ -509,4 +565,4 @@ It can be done by modifying the {{org.osgi.framework.bootdelegation}} property i {code} org.osgi.framework.bootdelegation = ...,org.bouncycastle* -{code} \ No newline at end of file +{code}
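Review bot: in the etc/keys.properties hunk, the new comment gives the wrong reason for disabling the entry: "auto-signed key" is not a property of an SSH public key. The entry has to be disabled because the same key pair ships in every Karaf distribution, so the private half is effectively public and anyone holding it can authenticate as karaf with the `_g_:admingroup` roles (group,admin,manager,viewer). Suggest rewording the comment to state that, and "For security reasons" (plural). Also, the commented-out line still carries the full key material, so a user who uncomments it to "turn on key authentication" silently re-enables the well-known key; consider replacing the value with a placeholder such as `#karaf=<public-key-base64>,_g_:admingroup` so that the shipped file cannot be made dangerous by removing one `#`.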
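Review bot: in the security.conf hunk at @@ -330, the instruction "copy in the content of the karaf.id_dsa.pub file" is incomplete and will produce a broken entry: an OpenSSH .pub file is one line of the form `ssh-dss <base64> <comment>`, while the example entry (`karaf=AAAAB3NzaC1kc3M...,admin`) contains only the base64 blob. The text should say to copy only the second field of the .pub line and drop the `ssh-dss` prefix and the comment. Two further points on the same hunk: `ssh-keygen -t dsa -f karaf.id_dsa -N karaf` documents a fixed, trivially guessable passphrase that readers will copy verbatim, and DSA keys are limited to 1024 bits (OpenSSH has disabled ssh-dss by default since 7.0); suggest `ssh-keygen -t rsa -b 4096 -f karaf.id_rsa` and letting ssh-keygen prompt for the passphrase instead of passing `-N`. The documented default `karaf=...,admin` also does not match the form actually shipped in etc/keys.properties (`_g_:admingroup`), and the `user=key,role` format line should mention the `_g_:` group syntax. Wording: "identify himself" should be "identify itself", "For security reason" should be "For security reasons", and "We encourage to create the keys pair per client" should be "We encourage you to create a key pair per client".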
