Posted to commits@karaf.apache.org by jb...@apache.org on 2014/07/25 22:11:30 UTC

git commit: [KARAF-2786] Comment the default ssh key and update configuration how to configure key

Repository: karaf
Updated Branches:
  refs/heads/karaf-2.3.x 06043e37b -> 49f7e0217


[KARAF-2786] Comment out the default ssh key and document how to configure a key


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/49f7e021
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/49f7e021
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/49f7e021

Branch: refs/heads/karaf-2.3.x
Commit: 49f7e0217610e2bff290276462e7b0d02702b8f9
Parents: 06043e3
Author: Jean-Baptiste Onofré <jb...@apache.org>
Authored: Fri Jul 25 22:10:59 2014 +0200
Committer: Jean-Baptiste Onofré <jb...@apache.org>
Committed: Fri Jul 25 22:10:59 2014 +0200

----------------------------------------------------------------------
 .../main/distribution/text/etc/keys.properties  |  7 ++-
 .../src/main/webapp/users-guide/security.conf   | 60 +++++++++++++++++++-
 2 files changed, 63 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/49f7e021/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
----------------------------------------------------------------------
diff --git a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
index 2eb3b01..35ec6ea 100644
--- a/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
+++ b/assemblies/apache-karaf/src/main/distribution/text/etc/keys.properties
@@ -27,4 +27,9 @@
 # and modifiable via the JAAS command group. These users reside in a JAAS domain
 # with the name "karaf"..
 #
-karaf=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,admin
+
+#
+# For security reason, the default auto-signed key is disabled.
+# The user guide describes how to generate/update the key.
+#
+# karaf=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,admin
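Review bot: The new comment calls the disabled entry an "auto-signed key", but the line holds a public key, and the reason it is unsafe is that the same default pair presumably ships with every distribution, so anyone holding it could authenticate as karaf with the admin role; `# For security reasons, the default key shipped with the distribution is disabled: anyone holding the default key pair could log in with it.` states the actual risk. Keeping the default public key verbatim in the commented line also makes re-enabling it one uncomment away; a placeholder such as `# karaf=<public-key>,admin` would keep the format visible without the well-known value. The comment defers to the user guide, and the guide text added by this same commit generates the pair with `ssh-keygen -t dsa ... -N karaf`, i.e. a DSA key whose passphrase is "karaf" given on the command line, so the pointer would be more useful if the guide recommended an RSA key with a passphrase of the operator's own choosing.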

http://git-wip-us.apache.org/repos/asf/karaf/blob/49f7e021/manual/src/main/webapp/users-guide/security.conf
----------------------------------------------------------------------
diff --git a/manual/src/main/webapp/users-guide/security.conf b/manual/src/main/webapp/users-guide/security.conf
index 482f633..b1ab90c 100644
--- a/manual/src/main/webapp/users-guide/security.conf
+++ b/manual/src/main/webapp/users-guide/security.conf
@@ -1,6 +1,6 @@
 h1. Security
 
-h2. Managing users and passwords
+h2. Managing authentication by users and passwords
 
 The default security configuration uses a property file located at {{etc/users.properties}} to store authorized users and their passwords.
 
@@ -18,6 +18,62 @@ The {{users.properties}} file contains one or more lines, each line defining a u
 user=password[,role][,role]...
 {code}
 
+h2. Managing authentication by key
+
+For the SSH layer, Karaf supports the authentication by key, allowing to login without providing the password.
+
+The SSH client (so bin/client provided by Karaf itself, or any ssh client like OpenSSH) uses a public/private keys pair that
+will identify himself on Karaf SSHD (server side).
+
+The keys allowed to connect are stored in {{etc/keys.properties}} file, following the format:
+
+{code}
+user=key,role
+{code}
+
+By default, Karaf allows a key for the karaf user:
+
+{code}
+# karaf=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,admin
+{code}
+
+{warning}
+For security reason, this key is disabled. We encourage to create the keys pair per client and update the {{etc/keys.properties}} file.
+{warning}
+
+The easiest way to create key pair is to use OpenSSH.
+
+You can create a key pair using:
+
+{code}
+ssh-keygen -t dsa -f karaf.id_dsa -N karaf
+{code}
+
+You have now the public and private keys:
+
+{code}
+-rw-------  1 jbonofre jbonofre    771 Jul 25 22:05 karaf.id_dsa
+-rw-r--r--  1 jbonofre jbonofre    607 Jul 25 22:05 karaf.id_dsa.pub
+{code}
+
+You can copy in the content of the {{karaf.id_dsa.pub}} file in the {{etc/keys.properties}}:
+
+{code}
+karaf=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,admin
+{code}
+
+and specify to the client to use the {{karaf.id_dsa}} private key:
+
+{code}
+bin/client -k ~/karaf.id_dsa
+{code}
+
+or to ssh
+
+{code}
+ssh -p 8101 -i ~/karaf.id_dsa karaf@localhost
+{code}
+
 h2. Managing roles
 
 JAAS roles can be used by various components. The three management layers (SSH, JMX and WebConsole) all use a global role based authorization system. The default role name is configured in the {{etc/system.properties}} using the {{karaf.admin.role}} system property and the default value is {{admin}}. All users authenticating for the management layer must have this role defined.
@@ -79,5 +135,3 @@ In addition, you may want to provide access to the classes from those providers
 {code}
 org.osgi.framework.bootdelegation = ...,org.bouncycastle*
 {code}
-
-