Repository: karaf Updated Branches: refs/heads/karaf-3.0.x 820df78cc -> 025c45f69
[KARAF-3621]Generate a more secure host key for SSH by default Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/025c45f6 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/025c45f6 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/025c45f6 Branch: refs/heads/karaf-3.0.x Commit: 025c45f69fb6bda202dee13237a527d8ff8c9034 Parents: 820df78 Author: Freeman Fang <[email protected]> Authored: Tue May 12 16:58:49 2015 +0800 Committer: Freeman Fang <[email protected]> Committed: Tue May 12 16:58:49 2015 +0800 ---------------------------------------------------------------------- .../resources/etc/org.apache.karaf.shell.cfg | 8 +- .../resources/etc/org.apache.karaf.shell.cfg | 8 +- manual/src/main/webapp/users-guide/remote.conf | 8 +- shell/ssh/pom.xml | 6 ++ .../resources/OSGI-INF/blueprint/shell-ssh.xml | 4 +- .../apache/karaf/shell/ssh/ConfigHelper.java | 98 ++++++++++++++++++++ .../karaf/shell/ssh/KnownHostsManagerTest.java | 13 ++- .../shell/ssh/ServerKeyVerifierImplTest.java | 13 ++- tooling/karaf-maven-plugin/pom.xml | 41 -------- 9 files changed, 142 insertions(+), 57 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/assemblies/features/framework/src/main/resources/resources/etc/org.apache.karaf.shell.cfg ---------------------------------------------------------------------- diff --git a/assemblies/features/framework/src/main/resources/resources/etc/org.apache.karaf.shell.cfg b/assemblies/features/framework/src/main/resources/resources/etc/org.apache.karaf.shell.cfg index cf92e2e..1845a0b 100644 --- a/assemblies/features/framework/src/main/resources/resources/etc/org.apache.karaf.shell.cfg +++ b/assemblies/features/framework/src/main/resources/resources/etc/org.apache.karaf.shell.cfg 
@@ -46,14 +46,14 @@ hostKey = ${karaf.etc}/host.key # # Self defined key size in 1024, 2048, 3072, or 4096 -# If not set, this defaults to 1024. +# If not set, this defaults to 4096. # -# keySize = 1024 +# keySize = 4096 # -# Specify host key algorithm, defaults to DSA +# Specify host key algorithm, defaults to RSA # -# algorithm = DSA +# algorithm = RSA # Specify an additional welcome banner to be displayed when a user logs into the server. # http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/instance/core/src/main/resources/org/apache/karaf/instance/resources/etc/org.apache.karaf.shell.cfg ---------------------------------------------------------------------- diff --git a/instance/core/src/main/resources/org/apache/karaf/instance/resources/etc/org.apache.karaf.shell.cfg b/instance/core/src/main/resources/org/apache/karaf/instance/resources/etc/org.apache.karaf.shell.cfg index f2aa4c3..22e30d2 100644 --- a/instance/core/src/main/resources/org/apache/karaf/instance/resources/etc/org.apache.karaf.shell.cfg +++ b/instance/core/src/main/resources/org/apache/karaf/instance/resources/etc/org.apache.karaf.shell.cfg @@ -46,14 +46,14 @@ hostKey = ${karaf.etc}/host.key # # Self defined key size in 1024, 2048, 3072, or 4096 -# If not set, this defaults to 1024. +# If not set, this defaults to 4096. # -# keySize = 1024 +# keySize = 4096 # -# Specify host key algorithm, defaults to DSA +# Specify host key algorithm, defaults to RSA # -# algorithm = DSA +# algorithm = RSA # Specify an additional welcome banner to be displayed when a user logs into the server. # http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/manual/src/main/webapp/users-guide/remote.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/users-guide/remote.conf b/manual/src/main/webapp/users-guide/remote.conf index 0c88861..a4dd329 100644 --- a/manual/src/main/webapp/users-guide/remote.conf 
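Review bot: The unchanged context line `# Self defined key size in 1024, 2048, 3072, or 4096` still presents 1024 as an equal choice right above the new `# If not set, this defaults to 4096.` line, even though the default algorithm below it is now RSA; the second `org.apache.karaf.shell.cfg` hunk and the `remote.conf` hunk carry the same text. A one-line addition after it, `# Sizes below 2048 are not recommended for RSA`, would steer operators who copy the example. The new `keySize`/`algorithm` comments are consistent with the blueprint defaults changed in the same commit.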
+++ b/manual/src/main/webapp/users-guide/remote.conf @@ -70,14 +70,14 @@ hostKey = ${karaf.etc}/host.key # # Self defined key size in 1024, 2048, 3072, or 4096 -# If not set, this defaults to 1024. +# If not set, this defaults to 4096. # -# keySize = 1024 +# keySize = 4096 # -# Specify host key algorithm, defaults to DSA +# Specify host key algorithm, defaults to RSA # -# algorithm = DSA +# algorithm = RSA # # Defines the completion mode on the Karaf shell console. The possible values are: http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/shell/ssh/pom.xml ---------------------------------------------------------------------- diff --git a/shell/ssh/pom.xml b/shell/ssh/pom.xml index 7b6ace9..c4dc045 100644 --- a/shell/ssh/pom.xml +++ b/shell/ssh/pom.xml @@ -82,6 +82,12 @@ <artifactId>org.apache.karaf.jaas.boot</artifactId> <scope>provided</scope> </dependency> + + <dependency> + <groupId>commons-io</groupId> + <artifactId>commons-io</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml ---------------------------------------------------------------------- diff --git a/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml b/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml index 4de0036..cc019a3 100644 --- a/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml +++ b/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml 
@@ -47,8 +47,8 @@
 <cm:property name="hostKey" value="$[karaf.etc]/host.key"/>
 <cm:property name="authorizedKeys" value="$[karaf.etc]/authorized_keys"/>
 <cm:property name="authMethods" value="keyboard-interactive,password,publickey"/>
- <cm:property name="keySize" value="1024"/>
- <cm:property name="algorithm" value="DSA"/>
+ <cm:property name="keySize" value="4096"/>
+ <cm:property name="algorithm" value="RSA"/>
 <cm:property name="macs" value="hmac-sha1" />
 <cm:property name="ciphers" value="aes256-ctr,aes192-ctr,aes128-ctr,arcfour256" />
 <cm:property name="welcomeBanner" value="" />
http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ConfigHelper.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ConfigHelper.java b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ConfigHelper.java
new file mode 100644
index 0000000..007c418
--- /dev/null
+++ b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ConfigHelper.java
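Review bot: The new `keySize`/`algorithm` defaults sit directly above context lines that still configure `macs` as `hmac-sha1` only and keep `arcfour256` in `ciphers`; those two properties decide what a connecting client negotiates, so the transport defaults are unchanged by the host-key hardening in this hunk. That is outside the commit's stated scope, but it deserves a follow-up issue or at least a marker on those lines, e.g. `<!-- TODO: review macs/ciphers defaults alongside the host key change -->`. The values themselves match the comments updated in the cfg files of the same commit.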
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.karaf.shell.ssh;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.io.IOUtils;
+
+public class ConfigHelper {
+
+ public static final String BLUEPRINT_CONFIG = "OSGI-INF/blueprint/shell-ssh.xml";
+ public static final String BLUEPRINT_VALUE_PATTERN =
+ "^.*<cm:property\\s*name=\"<<KEY>>\"\\s*value=\"([^\"]+)\".*$";
+
+ public static final String CONFIG_ALGORITHM = "algorithm";
+ public static final String CONFIG_CIPHERS = "ciphers";
+ public static final String CONFIG_KEXALGORITHMS = "kexAlgorithms";
+ public static final String CONFIG_KEYSIZE = "keySize";
+ public static final String CONFIG_MACS = "macs";
+
+ /**
+ * Retrieves a value from the specified blueprint configuration key.
+ *
+ * @param blueprintConfig the configuration file
+ * @param key the configuration key
+ *
+ * @return the configured value or <code>null</code>
+ *
+ * @throws FileNotFoundException in case the blueprint config can not be found
+ * @throws IOException in case an error occurs at blueprint config file reading
+ */
+ public static String getValue(String blueprintConfig, String key)
+ throws IOException
+ {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ InputStream is = cl.getResourceAsStream(blueprintConfig);
+ if (is == null) {
+ // retry with our class...
+ cl = ConfigHelper.class.getClassLoader();
+ is = cl.getResourceAsStream(blueprintConfig);
+ }
+ if (is == null) {
+ throw new FileNotFoundException(
+ "Unable to find blueprint configuration file: "
+ + blueprintConfig);
+ }
+ String xml = IOUtils.toString(is, "UTF-8");
+ String regex = BLUEPRINT_VALUE_PATTERN.replaceFirst("<<KEY>>", key);
+ Pattern p = Pattern.compile(regex, Pattern.MULTILINE | Pattern.DOTALL);
+ Matcher m = p.matcher(xml);
+ if (m.find()) {
+ return m.group(1);
+ }
+ return null;
+ }
+
+ /**
+ * Retrieves a value from the specified blueprint configuration key.
+ *
+ * @param key the configuration key
+ *
+ * @return the configured value or <code>null</code>
+ *
+ * @throws FileNotFoundException in case the blueprint config can not be found
+ * @throws IOException in case an error occurs at blueprint config file reading
+ */
+ public static String getValue(String key) throws IOException {
+ return getValue(BLUEPRINT_CONFIG, key);
+ }
+
+ public static Integer getValueAsInt(String key) throws IOException {
+ String value = getValue(key);
+ if (value != null) {
+ return Integer.valueOf(value);
+ }
+ return null;
+ }
+}
http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/KnownHostsManagerTest.java
----------------------------------------------------------------------
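Review bot: `getValue(String, String)` never closes the `InputStream` it obtains from `getResourceAsStream`; `IOUtils.toString(is, "UTF-8")` reads it but leaves it open on every path, including the early `return m.group(1)`. Wrapping the read as `String xml; try { xml = IOUtils.toString(is, "UTF-8"); } finally { is.close(); }` fixes it (try-with-resources is the shorter form if this module builds on Java 7 or later). Separately, `key` is spliced into `BLUEPRINT_VALUE_PATTERN` through `replaceFirst` without quoting, so a key containing regex metacharacters or `$`/`\` would silently change the pattern; `BLUEPRINT_VALUE_PATTERN.replaceFirst("<<KEY>>", Matcher.quoteReplacement(Pattern.quote(key)))` keeps the helper correct for any key. Note as well that `[^\"]+` cannot match an empty `value=""` (the `welcomeBanner` property in the same blueprint), so such keys come back as `null` rather than `""`, which the Javadoc's "the configured value or null" does not make clear.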
diff --git a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/KnownHostsManagerTest.java b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/KnownHostsManagerTest.java index a4a939a..191aa50 100644 --- a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/KnownHostsManagerTest.java +++ b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/KnownHostsManagerTest.java @@ -29,13 +29,24 @@ import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; import org.junit.Assert; +import org.junit.BeforeClass; import org.junit.Test; public class KnownHostsManagerTest { - private static final String ALGORITHM = "DSA"; + + private static String ALGORITHM; + private static int KEY_SIZE; + + @BeforeClass + public static void init() throws IOException { + // test key algorithm and size as configured... + ALGORITHM = ConfigHelper.getValue(ConfigHelper.CONFIG_ALGORITHM); + KEY_SIZE = ConfigHelper.getValueAsInt(ConfigHelper.CONFIG_KEYSIZE); + } private PublicKey createPubKey() throws NoSuchAlgorithmException { KeyPairGenerator gen = KeyPairGenerator.getInstance(ALGORITHM); + gen.initialize(KEY_SIZE); KeyPair keyPair = gen.generateKeyPair(); return keyPair.getPublic(); } http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ServerKeyVerifierImplTest.java ---------------------------------------------------------------------- diff --git a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ServerKeyVerifierImplTest.java b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ServerKeyVerifierImplTest.java index 63f8ac2..cd60584 100644 --- a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ServerKeyVerifierImplTest.java +++ b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/ServerKeyVerifierImplTest.java @@ -18,6 +18,7 @@ */ package org.apache.karaf.shell.ssh; +import java.io.IOException; import java.net.InetSocketAddress; import java.net.SocketAddress; import java.security.KeyPair; 
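Review bot: `KEY_SIZE = ConfigHelper.getValueAsInt(ConfigHelper.CONFIG_KEYSIZE)` in `init()` auto-unboxes an `Integer` that `getValueAsInt` returns as `null` when the key is absent, so a blueprint without `keySize` would fail with a `NullPointerException` from the static initializer rather than a readable message; the same line appears in the `ServerKeyVerifierImplTest` hunk. Reading into a local `Integer size` and adding `Assert.assertNotNull("keySize not found in " + ConfigHelper.BLUEPRINT_CONFIG, size);` before the assignment names the cause (`Assert` is already imported). Also, `gen.initialize(KEY_SIZE)` now generates a 4096-bit RSA key each time `createPubKey()` runs, which is markedly slower than the previous DSA default; if the tests further down the class (outside this hunk) call it more than once, generating one key in `init()` and reusing it would keep the suite fast.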
@@ -28,15 +29,25 @@ import java.security.spec.InvalidKeySpecException; import org.easymock.EasyMock; import org.junit.Assert; +import org.junit.BeforeClass; import org.junit.Test; public class ServerKeyVerifierImplTest { private static final InetSocketAddress LOCALHOST = new InetSocketAddress("localhost", 1001); - private static final String ALGORITHM = "DSA"; + private static String ALGORITHM; + private static int KEY_SIZE; + + @BeforeClass + public static void init() throws IOException { + // test key algorithm and size as configured... + ALGORITHM = ConfigHelper.getValue(ConfigHelper.CONFIG_ALGORITHM); + KEY_SIZE = ConfigHelper.getValueAsInt(ConfigHelper.CONFIG_KEYSIZE); + } private PublicKey createPubKey() throws NoSuchAlgorithmException { KeyPairGenerator gen = KeyPairGenerator.getInstance(ALGORITHM); + gen.initialize(KEY_SIZE); KeyPair keyPair = gen.generateKeyPair(); return keyPair.getPublic(); } http://git-wip-us.apache.org/repos/asf/karaf/blob/025c45f6/tooling/karaf-maven-plugin/pom.xml ---------------------------------------------------------------------- diff --git a/tooling/karaf-maven-plugin/pom.xml b/tooling/karaf-maven-plugin/pom.xml index f74171e..d9db29f 100644 --- a/tooling/karaf-maven-plugin/pom.xml +++ b/tooling/karaf-maven-plugin/pom.xml 
@@ -178,47 +178,6 @@ <build> <plugins> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-invoker-plugin</artifactId> - <version>1.6</version> - <configuration> - <debug>true</debug> - <projectsDirectory>src/it</projectsDirectory> - <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo> - <pomExcludes> - <pomExclude>test-check-dependencies-failure/pom.xml</pomExclude> - </pomExcludes> - <pomIncludes> - <pomInclude>*/pom.xml</pomInclude> - </pomIncludes> - <postBuildHookScript>verify</postBuildHookScript> - <localRepositoryPath>${project.build.directory}/system</localRepositoryPath> - <!--<settingsFile>src/it/settings.xml</settingsFile>--> - <mavenOpts>-Djava.io.tmpdir=${project.build.directory}</mavenOpts> - <skipInstallation>${skipTests}</skipInstallation> - <skipInvocation>${skipTests}</skipInvocation> - <goals> - <goal>install</goal> - </goals> - </configuration> - <executions> - <execution> - <id>integration-test</id> - <goals> - <goal>install</goal> - <goal>run</goal> - </goals> - </execution> - </executions> - <dependencies> - <dependency> - <groupId>xmlunit</groupId> - <artifactId>xmlunit</artifactId> - <version>1.3</version> - </dependency> - </dependencies> - </plugin> </plugins> </build>
