+1 (non-binding) for removing

On 18.07.2014 08:40, Achim Nierbeck wrote:
> +1 for removing
>
> and also +1 for the idea of Matt Sicker, a script for easily generating keys.
>
> regards, Achim
>
>
> 2014-07-18 6:58 GMT+02:00 Jean-Baptiste Onofré <[email protected]>:
>
>> Hi Freeman,
>>
>> thanks for the update ;)
>>
>> Regards
>> JB
>>
>>
>> On 07/18/2014 02:38 AM, Freeman Fang wrote:
>>
>>> +1 to comment out the default public key in keys.properties, it's really a security hole.
>>>
>>> And about specifying the key to bin/client, I just added it weeks ago, please see KARAF-3059 [1]
>>>
>>> [1] https://issues.apache.org/jira/browse/KARAF-3059
>>>
>>>
>>> -------------
>>> Freeman(Yue) Fang
>>>
>>> Red Hat, Inc.
>>> FuseSource is now part of Red Hat
>>>
>>>
>>>
>>> On 2014-7-18, at 3:44 AM, Jean-Baptiste Onofré wrote:
>>>
>>>> Hi all,
>>>>
>>>> Following a discussion that we had with Christian, I would like to raise a concern.
>>>>
>>>> Now, on Karaf 2.x/3.x/4.x, the JMX layer is secured using RBAC. The MBeanServerBuilder is enabled by default, meaning that it's not possible to locally connect to the MBean server. I think it's good and secure.
>>>>
>>>> However, on the other hand, we have a key enabled by default (in etc/keys.properties) and used by default by bin/client. So it means that any user that downloads a Karaf distribution can connect to any Karaf runtime by default. On one hand we have a very secure JMX layer (even for local connections), but on the other hand, bin/client can connect to any running Karaf instance (so not very secure).
>>>>
>>>> I would like to propose the following:
>>>> - in etc/keys.properties, we should comment out the default key. We can document how to enable it and how to change the keys.
>>>> - in bin/client, we should be able to specify a key that we want to use.
>>>>
>>>> WDYT ?
>>>>
>>>> I already created some Jira about the keys:
>>>> - KARAF-2786: I would change this one to commenting out the default key
>>>> - KARAF-2836 to allow specifying multiple keys for a user in etc/keys.properties
>>>> - KARAF-2787 to allow specifying the key to bin/client
>>>>
>>>> Thanks,
>>>> Regards
>>>> JB
>>>> --
>>>> Jean-Baptiste Onofré
>>>> [email protected]
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>>
>>>
>>>
>> --
>> Jean-Baptiste Onofré
>> [email protected]
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>
>

--
Krzysztof Sobkowiak
JEE & OSS Architect | Technical Architect @ Capgemini | Committer @ ASF
Capgemini (http://www.pl.capgemini.com/) | Software Solutions Center (http://www.pl.capgemini-sdm.com/) | Wroclaw
e-mail: [email protected] | Twitter: @KSobkowiak
Calendar: http://goo.gl/yvsebC
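An added illustration, not code from this thread or from Karaf itself, of the check an operator would want after the change discussed above: an audit of etc/keys.properties that lists every still-enabled key by fingerprint, so a distribution-wide default key cannot linger unnoticed. It assumes the `user=<base64 key blob>,role[,role...]` line format, uses a constructed sample file, and takes the default key's fingerprint as a parameter because that value is not reproduced here.

```python
import base64
import hashlib

# Constructed stand-in for a Karaf etc/keys.properties file (no real keys):
# the shipped entry commented out, one operator key, one malformed line.
SAMPLE_KEYS_PROPERTIES = """\
# key shipped with the distribution, disabled as proposed on the list
#karaf=AAAAQ29uc3RydWN0ZWRQdWJsaWNLZXlCbG9i,_g_:admingroup
alice=AAAAQWxpY2VLZXlQbGFjZWhvbGRlckJsb2Ix,_g_:admingroup
bob = not-base64!! , viewer
"""

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def active_keys(text):
    """Parse user=<base64 blob>,role[,role...] lines, skipping comments.

    Every uncommented entry is a key that bin/client (or any SSH client
    holding the matching private key) can log in with.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        user, _, rest = stripped.partition("=")
        blob, *roles = [part.strip() for part in rest.split(",")]
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            fp = "INVALID-BASE64"
        entries.append({"line": lineno, "user": user.strip(),
                        "fingerprint": fp, "roles": roles})
    return entries

def audit(text, default_fingerprints=frozenset()):
    """Return findings as strings; empty means no known default key is
    enabled and every key blob parses (pass your distribution's default
    key fingerprint in default_fingerprints; it is a placeholder here)."""
    findings = []
    for e in active_keys(text):
        where = "line %d (%s)" % (e["line"], e["user"])
        if e["fingerprint"] in default_fingerprints:
            findings.append(where + ": distribution default key still enabled")
        elif e["fingerprint"] == "INVALID-BASE64":
            findings.append(where + ": key blob is not valid base64")
    return findings
```

Run `audit(open("etc/keys.properties").read(), {"<default key fingerprint>"})` against a live instance; an empty result means the default key is no longer accepted.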
