[
https://issues.apache.org/jira/browse/KARAF-4809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15663317#comment-15663317
]
Lars Kiesow commented on KARAF-4809:
------------------------------------
It is definitely a convenient way to connect remotely to Karaf. But you need to
configure Karaf properly before using it. If only, you need to set a proper
user and an SSH key. That is done easily but it means that you need to modify
the configuration anyway and setting `sshHost` as well is then no big deal.
On the other hand, if SSH listens globally and you do not configure your Karaf
properly–which from my experience, likely a lot of users will not do–everyone
can just log into the system and install and run arbitrary software on that
host. That is a major security problem. In fact, this might happen already if
you just try out Karaf and start it up once. I do not believe that is a good
idea.
> SSH should not listen to all hosts
> ----------------------------------
>
> Key: KARAF-4809
> URL: https://issues.apache.org/jira/browse/KARAF-4809
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.7
> Reporter: Lars Kiesow
> Assignee: Jean-Baptiste Onofré
>
> The default SSH server configuration will make Karaf listen to all hosts. It
> is usually good practice to instead listen to localhost only by default to
> avoid possible security risks (e.g. accidentally exposing an unconfigured SSH
> server).
> This can be fixed by adjusting `sshHost` in `org.apache.karaf.shell.cfg`
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
