More than a script, I propose:

karaf@root()> ssh:key-gen
karaf@root()> ssh:key-add

And in the same area:

karaf@root()> shell:passwd

to change the password.

WDYT?

Regards
JB

On 07/18/2014 08:40 AM, Achim Nierbeck wrote:
+1 for removing

and also +1 for the idea of Matt Sicker, a script for easy generation of
keys.

regards, Achim


2014-07-18 6:58 GMT+02:00 Jean-Baptiste Onofré <[email protected]>:

Hi Freeman,

thanks for the update ;)

Regards
JB


On 07/18/2014 02:38 AM, Freeman Fang wrote:

+1 to commenting out the default public key in keys.properties; it's really
a security hole.

And about specifying the key to bin/client, I just added it weeks ago;
please see KARAF-3059[1]

[1]https://issues.apache.org/jira/browse/KARAF-3059


-------------
Freeman(Yue) Fang

Red Hat, Inc.
FuseSource is now part of Red Hat



On 2014-7-18, at 3:44 AM, Jean-Baptiste Onofré wrote:

Hi all,

Following a discussion that we had with Christian, I would like to raise
a concern.

Now, on Karaf 2.x/3.x/4.x, the JMX layer is secured using RBAC. The
MBeanServerBuilder is enabled by default, meaning that it's not possible to
locally connect to the MBean server.
I think it's good and secure.

However, on the other hand, we have a key enabled by default (in
etc/keys.properties) and used by default by bin/client.
So it means that any user who downloads a Karaf distribution can connect
to any Karaf runtime by default.
On one hand we have a very secure JMX layer (even for local connections),
but on the other hand, bin/client can connect to any running Karaf instance
(so not very secure).

I would like to propose the following:
- in etc/keys.properties, we should comment out the default key. We can
document how to enable it and how to change the keys.
- in bin/client, we should be able to specify a key that we want to use.

WDYT?

I already created some Jira issues about the keys:
- KARAF-2786: I would change this one to commenting out the default key
- KARAF-2836 to allow specifying multiple keys for a user in
etc/keys.properties
- KARAF-2787 to allow specifying the key to bin/client

Thanks,
Regards
JB
--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
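The check the proposal implies, written out as an added example (not Karaf's own code): a small Python audit of etc/keys.properties that reports which users still have an active, uncommented public key, so an operator can confirm the shipped default entry is disabled before exposing the SSH console. It assumes the keys.properties line format `user=publicKey,role1,role2` with `#` marking comment lines; the sample file and its key strings are constructed placeholders, and the default account name `karaf` is an assumption.

```python
"""Audit a Karaf-style etc/keys.properties for active (uncommented) public-key
entries.  Added example for this thread, not Karaf's own code.

Assumed line format:  user=publicKey,role1,role2   ('#' starts a comment)
"""
import re

# Constructed sample: the shipped default entry commented out, one operator
# key left active, plus a comment line.  Key strings are placeholders.
SAMPLE_KEYS_PROPERTIES = """\
# Default key shipped with the distribution (disabled)
#karaf=AAAAB3NzaC1yc2EAAAADAQABAAAAgQ...PLACEHOLDER-DEFAULT...,admin
alice=AAAAB3NzaC1yc2EAAAADAQABAAAAgQ...PLACEHOLDER-ALICE...,admin,manager
"""

# user = key [, roles...]; the user may not contain '#', '=' or whitespace
ENTRY_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*([^,\s]+)\s*(?:,\s*(.*))?$")


def parse_keys_properties(text):
    """Return one dict per key entry; 'active' is False for commented-out lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        active = not stripped.startswith("#")
        # Look inside comments too, so a disabled default key is still reported.
        body = stripped.lstrip("#").strip()
        match = ENTRY_RE.match(body)
        if not match:
            continue  # free-text comment, not a key entry
        user, key, roles = match.groups()
        entries.append({
            "line": lineno,
            "user": user,
            "key": key,
            "roles": [r.strip() for r in roles.split(",")] if roles else [],
            "active": active,
        })
    return entries


def active_key_users(text):
    """Users whose public key the SSH console would accept right now."""
    return [e["user"] for e in parse_keys_properties(text) if e["active"]]


def default_key_enabled(text, default_user="karaf"):
    """True if the distribution's default account (assumed 'karaf') still has an active key."""
    return default_user in active_key_users(text)


if __name__ == "__main__":
    for entry in parse_keys_properties(SAMPLE_KEYS_PROPERTIES):
        state = "ACTIVE" if entry["active"] else "disabled"
        print(f"line {entry['line']}: {entry['user']} ({state}) roles={entry['roles']}")
    print("default key enabled:", default_key_enabled(SAMPLE_KEYS_PROPERTIES))
```

Run it against a real `etc/keys.properties` by reading the file into `parse_keys_properties`; any user listed by `active_key_users` can log in to the console with the matching private key, so the list should contain only keys the operator generated and added deliberately.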

