+1 for removing and also +1 for the idea of Matt Sicker, a script for easily generating keys.
regards, Achim

2014-07-18 6:58 GMT+02:00 Jean-Baptiste Onofré <[email protected]>:

> Hi Freeman,
>
> thanks for the update ;)
>
> Regards
> JB
>
>
> On 07/18/2014 02:38 AM, Freeman Fang wrote:
>
>> +1 to comment out the default public key in keys.properties, it's really a security hole.
>>
>> And about specifying the key to bin/client, I just added it weeks ago, please see KARAF-3059[1]
>>
>> [1] https://issues.apache.org/jira/browse/KARAF-3059
>>
>>
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>>
>>
>>
>> On 2014-7-18, at 3:44 AM, Jean-Baptiste Onofré wrote:
>>
>>> Hi all,
>>>
>>> Following a discussion that we had with Christian, I would like to raise a concern.
>>>
>>> Now, on Karaf 2.x/3.x/4.x, the JMX layer is secured using RBAC. The MBeanServerBuilder is enabled by default, meaning that it's not possible to locally connect to the MBean server.
>>> I think it's good and secure.
>>>
>>> However, on the other hand, we have a key enabled by default (in etc/keys.properties) and used by default by bin/client.
>>> So it means that any user that downloads a Karaf distribution can connect to any Karaf runtime by default.
>>> On one hand we have a very secure JMX layer (even for local connection), but on the other hand, bin/client can connect to any running Karaf instance (so not very secure).
>>>
>>> I would like to propose the following:
>>> - in etc/keys.properties, we should comment out the default key. We can document how to enable it and how to change the keys.
>>> - in bin/client, we should be able to specify a key that we want to use.
>>>
>>> WDYT ?
>>>
>>> I already created some Jira about the keys:
>>> - KARAF-2786: I would change this one to comment out the default key
>>> - KARAF-2836 to allow specifying multiple keys for a user in etc/keys.properties
>>> - KARAF-2787 to allow specifying the key to bin/client
>>>
>>> Thanks,
>>> Regards
>>> JB
>>> --
>>> Jean-Baptiste Onofré
>>> [email protected]
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>>
>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com

--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
Software Architect / Project Manager / Scrum Master
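Added example, not part of this thread or of the Karaf project: a small POSIX shell helper for the two things the thread asks for, generating a per-user key and turning it into an etc/keys.properties entry, plus a check that the distribution's default "karaf" entry has actually been commented out. It assumes the keys.properties line format shipped with Karaf (`<user>=<base64 blob>,<role or _g_:group>`, with the blob being the second field of an OpenSSH public key line); the function names, the `_g_:admingroup` default and the sample key material are this example's own. How the resulting private key is passed to bin/client is the option KARAF-3059 adds and is not shown here.

```shell
#!/bin/sh
# Example helpers for Karaf's etc/keys.properties (added example; assumptions:
# entry format "<user>=<base64 public key blob>,<role or _g_:group>[,...]",
# group lines like "_g_\:admingroup = group,admin,...").

# Turn an OpenSSH public key line ("ssh-rsa AAAA... comment") into a
# keys.properties entry. Only the base64 blob (second field) is kept; the
# key type and comment are not part of the Karaf format.
pubkey_to_entry() {
    user="$1"
    pubkey_line="$2"
    group="${3:-_g_:admingroup}"   # default group name is an assumption
    blob=$(printf '%s\n' "$pubkey_line" | awk '{ print $2 }')
    [ -n "$blob" ] || return 1     # refuse to emit an entry with no key
    printf '%s=%s,%s\n' "$user" "$blob" "$group"
}

# Exit 0 if FILE still contains an active (uncommented) entry for USER.
# Run it against etc/keys.properties with USER=karaf to verify that the
# well-known default key from the distribution is no longer accepted.
has_active_key() {
    user="$1"
    file="$2"
    grep -Eq "^[[:space:]]*${user}[[:space:]]*=" "$file"
}

# Generate a fresh RSA keypair under DIR for USER and print the matching
# keys.properties entry. Requires ssh-keygen. The private key written to
# "$dir/$user" is the one to hand to bin/client.
generate_entry() {
    user="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    ssh-keygen -q -t rsa -b 2048 -N '' -C "karaf-$user" -f "$dir/$user" || return 1
    pubkey_to_entry "$user" "$(cat "$dir/$user.pub")"
}

# Usage (not run automatically):
#   generate_entry alice "$HOME/.karaf-keys" >> etc/keys.properties
#   has_active_key karaf etc/keys.properties && echo "default key still enabled"
```

The check deliberately matches only lines whose first non-blank character starts the user name, so a `# karaf=...` line (the proposed commented-out default) is reported as inactive while an indented but live entry is still caught.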
