From jbono...@apache.org
Subject git commit: [KARAF-2786] Comment the default ssh key and update configuration how to configure key
Date Fri, 25 Jul 2014 20:20:01 GMT
Repository: karaf
Updated Branches:
  refs/heads/karaf-3.0.x 18edfc216 -> b6c655475


[KARAF-2786] Comment the default ssh key and update configuration how to configure key


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/b6c65547
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/b6c65547
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/b6c65547

Branch: refs/heads/karaf-3.0.x
Commit: b6c65547589ad0f71cacb5e72cd4ac2078eb06bc
Parents: 18edfc2
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
Authored: Fri Jul 25 22:19:40 2014 +0200
Committer: Jean-Baptiste Onofré <jbonofre@apache.org>
Committed: Fri Jul 25 22:19:40 2014 +0200

----------------------------------------------------------------------
 .../resources/resources/etc/keys.properties     |  7 ++-
 .../src/main/webapp/users-guide/security.conf   | 58 +++++++++++++++++++-
 2 files changed, 63 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/b6c65547/assemblies/features/framework/src/main/resources/resources/etc/keys.properties
----------------------------------------------------------------------
diff --git a/assemblies/features/framework/src/main/resources/resources/etc/keys.properties
b/assemblies/features/framework/src/main/resources/resources/etc/keys.properties
index 36d3c0d..ce006a1 100644
--- a/assemblies/features/framework/src/main/resources/resources/etc/keys.properties
+++ b/assemblies/features/framework/src/main/resources/resources/etc/keys.properties
@@ -27,5 +27,10 @@
 # and modifiable via the JAAS command group. These users reside in a JAAS domain
 # with the name "karaf"..
 #
-karaf=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,_g_:admingroup
+
+#
+# For security reason, the default auto-signed key is disabled.
+# The user guide describes how to generate/update the key.
+#
+#karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,_g_:admingroup
 _g_\:admingroup = group,admin,manager,viewer
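Review bot: Commenting out the old default key on the `#karaf=AAAAB3NzaC1kc3M…` line keeps a well-known public key in the shipped file, where re-enabling it is a one-character edit; since the comment itself says the key is disabled for security reasons (presumably because its private half is publicly available), the line should be deleted outright and replaced by a neutral format placeholder such as `#karaf=<base64 body of the OpenSSH public key>,_g_:admingroup`. The wording `# For security reason, the default auto-signed key is disabled.` is also misleading, because this is an SSH public key rather than a self-signed certificate; `# For security reasons, the default SSH public key shipped with earlier releases is disabled.` would be accurate. The remaining `_g_\:admingroup` line defines only roles, so after this change no key can authenticate until an administrator adds one — that consequence is worth stating in the comment so operators understand why key-based `bin/client` logins stop working after an upgrade.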

http://git-wip-us.apache.org/repos/asf/karaf/blob/b6c65547/manual/src/main/webapp/users-guide/security.conf
----------------------------------------------------------------------
diff --git a/manual/src/main/webapp/users-guide/security.conf b/manual/src/main/webapp/users-guide/security.conf
index 8a4ee6c..1d601c0 100644
--- a/manual/src/main/webapp/users-guide/security.conf
+++ b/manual/src/main/webapp/users-guide/security.conf
@@ -330,6 +330,62 @@ The {{etc/org.apache.karaf.jaas.cfg}} configuration file allows you to
define ad
 * the {{encryption.encoding}} property defines the encoding of the encrypted password. The
possible values are {{hexadecimal}}
  or {{base64}}. The default value is {{hexadecimal}}.
 
+h2. Managing authentication by key
+
+For the SSH layer, Karaf supports the authentication by key, allowing to login without providing
the password.
+
+The SSH client (so bin/client provided by Karaf itself, or any ssh client like OpenSSH) uses
a public/private keys pair that
+will identify himself on Karaf SSHD (server side).
+
+The keys allowed to connect are stored in {{etc/keys.properties}} file, following the format:
+
+{code}
+user=key,role
+{code}
+
+By default, Karaf allows a key for the karaf user:
+
+{code}
+# karaf=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,admin
+{code}
+
+{warning}
+For security reason, this key is disabled. We encourage to create the keys pair per client
and update the {{etc/keys.properties}} file.
+{warning}
+
+The easiest way to create key pair is to use OpenSSH.
+
+You can create a key pair using:
+
+{code}
+ssh-keygen -t dsa -f karaf.id_dsa -N karaf
+{code}
+
+You have now the public and private keys:
+
+{code}
+-rw-------  1 jbonofre jbonofre    771 Jul 25 22:05 karaf.id_dsa
+-rw-r--r--  1 jbonofre jbonofre    607 Jul 25 22:05 karaf.id_dsa.pub
+{code}
+
+You can copy in the content of the {{karaf.id_dsa.pub}} file in the {{etc/keys.properties}}:
+
+{code}
+karaf=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,admin
+{code}
+
+and specify to the client to use the {{karaf.id_dsa}} private key:
+
+{code}
+bin/client -k ~/karaf.id_dsa
+{code}
+
+or to ssh
+
+{code}
+ssh -p 8101 -i ~/karaf.id_dsa karaf@localhost
+{code}
+
 h2. RBAC
 
 Apache Karaf uses the roles to control the access to the resources: it's a RBAC (Role Based
Access Control) system.
@@ -509,4 +565,4 @@ It can be done by modifying the {{org.osgi.framework.bootdelegation}}
property i
 
 {code}
 org.osgi.framework.bootdelegation = ...,org.bouncycastle*
-{code}
\ No newline at end of file
+{code}

