karaf-dev mailing list archives

From "Sobkowiak, Krzysztof" <krzys.sobkow...@gmail.com>
Subject Re: [PROPOSAL] Remove default ssh key
Date Fri, 18 Jul 2014 07:05:56 GMT
+1 (non-binding) for removing
On 18.07.2014 08:40, Achim Nierbeck wrote:
> +1 for removing
>
> and also +1 for the idea of Matt Sicker, a script for easy generation of
> keys.
>
> regards, Achim
>
>
> 2014-07-18 6:58 GMT+02:00 Jean-Baptiste Onofré <jb@nanthrax.net>:
>
>> Hi Freeman,
>>
>> thanks for the update ;)
>>
>> Regards
>> JB
>>
>>
>> On 07/18/2014 02:38 AM, Freeman Fang wrote:
>>
>>> +1 to comment out the default public key in keys.properties, it's really
>>> a security hole.
>>>
>>> And about specifying the key to bin/client, I just added it weeks ago,
>>> please see KARAF-3059[1]
>>>
>>> [1]https://issues.apache.org/jira/browse/KARAF-3059
>>>
>>>
>>> -------------
>>> Freeman(Yue) Fang
>>>
>>> Red Hat, Inc.
>>> FuseSource is now part of Red Hat
>>>
>>>
>>>
>>> On 2014-7-18, at 3:44 AM, Jean-Baptiste Onofré wrote:
>>>
>>>> Hi all,
>>>> Following a discussion that we had with Christian, I would like to raise
>>>> a concern.
>>>>
>>>> Now, on Karaf 2.x/3.x/4.x, the JMX layer is secured using RBAC. The
>>>> MBeanServerBuilder is enabled by default, meaning that it's not possible to
>>>> locally connect to the MBean server.
>>>> I think it's good and secure.
>>>>
>>>> However, on the other hand, we have a key enabled by default (in
>>>> etc/keys.properties) and used by default by bin/client.
>>>> So it means that any user that downloads a Karaf distribution can connect
>>>> to any Karaf runtime by default.
>>>> On one hand we have a very secure JMX layer (even for local connection),
>>>> but on the other hand, bin/client can connect to any Karaf running instance
>>>> (so not very secure).
>>>>
>>>> I would like to propose the following:
>>>> - in etc/keys.properties, we should comment out the default key. We can
>>>> document how to enable it and how to change the keys.
>>>> - in bin/client, we should be able to specify a key that we want to use.
>>>>
>>>> WDYT ?
>>>>
>>>> I already created some Jira about the keys:
>>>> - KARAF-2786: I would change this one by commenting out the default key
>>>> - KARAF-2836 to allow to specify multiple keys for a user in
>>>> etc/keys.properties
>>>> - KARAF-2787 to allow to specify the key to bin/client
>>>>
>>>> Thanks,
>>>> Regards
>>>> JB
>>>> --
>>>> Jean-Baptiste Onofré
>>>> jbonofre@apache.org
>>>> http://blog.nanthrax.net
>>>> Talend - http://www.talend.com
>>>>
>>>
>>>
>> --
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>
>

-- 
Krzysztof Sobkowiak

JEE & OSS Architect | Technical Architect @ Capgemini | Committer @ ASF
Capgemini <http://www.pl.capgemini.com/> | Software Solutions Center
<http://www.pl.capgemini-sdm.com/> | Wroclaw
e-mail: krzys.sobkowiak@gmail.com <mailto:krzys.sobkowiak@gmail.com> |
Twitter: @KSobkowiak
Calendar: http://goo.gl/yvsebC
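As an added defender-side check (not code from the Karaf project or from anyone in this thread), the following Python audits an etc/keys.properties file for uncommented user keys, so an operator can confirm that the default key JB proposes commenting out is in fact disabled on a given instance. The file layout it parses ("user = <base64 key>,role or _g_:group" lines, "_g_\:name" group definitions, "#" comments), the default user name "karaf", and the sample key strings are assumptions constructed for this example.

```python
"""Audit a Karaf etc/keys.properties file for active (uncommented) user keys."""

# Constructed samples (assumed layout, placeholder key strings, not real keys).
# SAMPLE_DEFAULT mimics a distribution with the default key still enabled;
# SAMPLE_HARDENED is the same file after the proposal (default key commented out).
SAMPLE_DEFAULT = """\
karaf=AAAAB3NzaC1yc2EAAAADAQABAAAAgQ...CONSTRUCTED-PLACEHOLDER...,_g_:admingroup
ops=AAAAB3NzaC1yc2EAAAADAQABAAAAgQ...ANOTHER-CONSTRUCTED-KEY...,admin
_g_\\:admingroup = group,admin,manager,viewer
"""
SAMPLE_HARDENED = """\
# karaf=AAAAB3NzaC1yc2EAAAADAQABAAAAgQ...CONSTRUCTED-PLACEHOLDER...,_g_:admingroup
_g_\\:admingroup = group,admin,manager,viewer
"""


def active_key_users(text):
    """Return {user: [roles]} for every uncommented line that carries a key.

    Group definitions (keys starting with "_g_") are skipped: they map a group
    to roles and grant no login on their own.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank or properties comment
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.startswith("_g_"):
            continue
        fields = [f.strip() for f in value.split(",")]
        if not fields[0]:
            continue  # user with no key material cannot authenticate
        users[name] = fields[1:]
    return users


def audit(text, default_user="karaf"):
    """Return findings (strings); an empty list means no active default-user key."""
    findings = []
    users = active_key_users(text)
    if default_user in users:
        findings.append(f"default user '{default_user}' has an active key; "
                        "comment it out or replace it with a site-specific key")
    for user, roles in users.items():
        if any(r in ("admin", "_g_:admingroup") for r in roles):
            findings.append(f"user '{user}' has an active key with admin roles: {roles}")
    return findings
```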
