diff --git a/assemblies/features/base/src/main/resources/resources/etc/keys.properties b/assemblies/features/base/src/main/resources/resources/etc/keys.properties index 6ab2072fd6e..e0538ff234b 100644 --- a/assemblies/features/base/src/main/resources/resources/etc/keys.properties +++ b/assemblies/features/base/src/main/resources/resources/etc/keys.properties @@ -29,7 +29,7 @@ # # -# For security reason, the default auto-signed key is disabled. +# This is an example of how to associate a public key with a user. # The user guide describes how to generate/update the key. # #karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,_g_:admingroup diff --git a/client/pom.xml b/client/pom.xml index 847884db76d..5947b27dbe6 100644 --- a/client/pom.xml +++ b/client/pom.xml @@ -87,7 +87,6 @@ META-INF;-split-package:=merge-first - ../shell/ssh/src/main/resources/karaf.key, {maven-resources} !* @@ -95,27 +94,6 @@ true - - org.codehaus.mojo - build-helper-maven-plugin - - - attach-artifacts - package - - attach-artifact - - - - - target/classes/karaf.key - key - - - - - - diff --git a/client/src/main/java/org/apache/karaf/client/Main.java b/client/src/main/java/org/apache/karaf/client/Main.java index 9fcc7c89db0..1bbdaca988b 100644 --- a/client/src/main/java/org/apache/karaf/client/Main.java +++ b/client/src/main/java/org/apache/karaf/client/Main.java 
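Review bot: The retained example line `#karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/...,_g_:admingroup` still carries what appears to be the public half of the karaf.key that this same commit deletes from `client/src/main/key/` and `shell/ssh/src/main/resources/` (the removed server code added that key pair under the user "karaf"), so anyone who uncomments it grants admingroup access to a key pair whose private half earlier builds shipped to every installation. The replacement comment `# This is an example of how to associate a public key with a user.` invites exactly that copy-and-uncomment use. Safer to swap the value for an obviously synthetic placeholder, e.g. `#karaf=<paste the public key generated per the user guide here>,_g_:admingroup`, or at least to add `# Do not reuse this key; generate your own pair as described in the user guide.` directly above it. The hunk's trailing lines are not fully visible here, so the `_g_` group definition that follows may need the same treatment.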
@@ -25,10 +25,8 @@ import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; -import java.io.ObjectInputStream; import java.io.Reader; import java.lang.reflect.Proxy; -import java.net.URL; import java.nio.charset.Charset; import java.nio.file.Paths; import java.security.KeyPair; @@ -141,7 +139,7 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la } }); } - + if (config.getUser()==null || config.getUser().isEmpty()) { while (true) { String user = console.readLine("Enter user: "); @@ -157,7 +155,7 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la else if (console != null) { console.printf("Logging in as %s\n", config.getUser()); } - + setupAgent(config.getUser(), config.getKeyFile(), client, passwordProvider); // define hearbeat (for the keep alive) and timeouts @@ -216,7 +214,7 @@ else if (console != null) { if (channel.getExitStatus() != null) { exitStatus = channel.getExitStatus(); } - + } else { ChannelShell channel = session.createShellChannel(); Attributes attributes = terminal.enterRawMode(); @@ -354,8 +352,7 @@ private static int getFlag(Attributes attributes, LocalFlag flag) { private static void setupAgent(String user, String keyFile, SshClient client, FilePasswordProvider passwordProvider) { SshAgent agent; - URL builtInPrivateKey = Main.class.getClassLoader().getResource("karaf.key"); - agent = startAgent(user, builtInPrivateKey, keyFile, passwordProvider); + agent = startAgent(user, keyFile, passwordProvider); client.setAgentFactory(new LocalAgentFactory(agent)); client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local"); } 
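Review bot: In the setupAgent hunk, `agent = startAgent(user, keyFile, passwordProvider);` is handed straight to `new LocalAgentFactory(agent)`, but `startAgent` returns null on failure (visible in the following hunk), so a bad key file produces a factory wrapping null instead of a clear error; whether LocalAgentFactory tolerates a null agent is not visible here. Guarding the two client calls with `if (agent != null) { ... }`, or letting the failure propagate, would make that path explicit. As a point of style, the separate `SshAgent agent;` declaration and the assignment can be collapsed into `SshAgent agent = startAgent(user, keyFile, passwordProvider);` now that the intermediate URL is gone. The remaining hunks on this line are import cleanup and whitespace only.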
@@ -380,40 +377,23 @@ private static ClientSession connectWithRetries(SshClient client, ClientConfig c return session; } - private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile, FilePasswordProvider passwordProvider) { - InputStream is = null; + private static SshAgent startAgent(String user, String keyFile, FilePasswordProvider passwordProvider) { try { SshAgent agent = new AgentImpl(); - is = privateKeyUrl.openStream(); - ObjectInputStream r = new ObjectInputStream(is); - KeyPair keyPair = (KeyPair) r.readObject(); - is.close(); - agent.addIdentity(keyPair, user); if (keyFile != null) { FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(Paths.get(keyFile)); fileKeyPairProvider.setPasswordFinder(passwordProvider); for (KeyPair key : fileKeyPairProvider.loadKeys()) { - agent.addIdentity(key, user); + agent.addIdentity(key, user); } } return agent; } catch (Throwable e) { - close(is); System.err.println("Error starting ssh agent for: " + e.getMessage()); return null; } } - private static void close(Closeable is) { - if (is != null) { - try { - is.close(); - } catch (IOException e1) { - // Ignore - } - } - } - private static void registerSignalHandler(final Terminal terminal, final PtyCapableChannelSession channel) { try { Class signalClass = Class.forName("sun.misc.Signal"); diff --git a/client/src/main/key/karaf.key b/client/src/main/key/karaf.key deleted file mode 100644 index 708a466b380..00000000000 Binary files a/client/src/main/key/karaf.key and /dev/null differ diff --git a/manual/src/main/asciidoc/user-guide/security.adoc b/manual/src/main/asciidoc/user-guide/security.adoc index 0c459838096..f4cced27109 100644 --- a/manual/src/main/asciidoc/user-guide/security.adoc +++ b/manual/src/main/asciidoc/user-guide/security.adoc 
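Review bot: `catch (Throwable e)` in the new `startAgent(String user, String keyFile, FilePasswordProvider passwordProvider)` now guards only the loading of the user's own key file, yet it still swallows Errors, drops the cause, and prints only `e.getMessage()` (null for many exception types) before returning null. Narrow it to the exceptions `loadKeys()` can actually raise and keep the exception itself in the output, e.g. `System.err.println("Error starting ssh agent for " + user + ": " + e);`, or rethrow so setupAgent fails visibly instead of receiving null. With the bundled key gone, a null `keyFile` now yields an agent with no identities at all; a comment above `if (keyFile != null) {` such as `// Public-key auth is offered only for a key file the user supplies; no key ships with the client.` would record that this change in behaviour is intentional.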
@@ -360,18 +360,6 @@ The keys allowed to connect are stored in `etc/keys.properties` file, following user=key,role ---- -By default, Karaf allows a key for the karaf user: - ----- -#karaf=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,_g_:admingroup -_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh ----- - -[NOTE] -==== -For security reason, this key is disabled. We encourage to create the keys pair per client and update the `etc/keys.properties` file. -==== - The easiest way to create key pair is to use OpenSSH. You can create a key pair using: diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafAgentFactory.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafAgentFactory.java index 0f3e4e40a1b..9b4884ee611 100644 --- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafAgentFactory.java +++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafAgentFactory.java @@ -19,10 +19,6 @@ package org.apache.karaf.shell.ssh; import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; -import java.net.URL; -import java.security.KeyPair; import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; @@ -105,11 +101,6 @@ public void registerSession(org.apache.karaf.shell.api.console.Session session) try { String user = (String) session.get("USER"); SshAgent agent = new AgentImpl(); - URL url = getClass().getClassLoader().getResource("karaf.key"); - InputStream is = url.openStream(); - ObjectInputStream r = new ObjectInputStream(is); - KeyPair keyPair = (KeyPair) r.readObject(); - agent.addIdentity(keyPair, "karaf"); String agentId = "local:" + user; session.put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, agentId); locals.put(agentId, agent); diff --git a/shell/ssh/src/main/resources/karaf.key b/shell/ssh/src/main/resources/karaf.key deleted file mode 100644 index 708a466b380..00000000000 Binary files a/shell/ssh/src/main/resources/karaf.key and /dev/null differ 
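Review bot: In the KarafAgentFactory hunk, `SshAgent agent = new AgentImpl();` is now registered under `"local:" + user` with no identities, and nothing in the new code records that this is deliberate, so a later maintainer could be tempted to seed it with a server-side key again. A comment on that line, `// Deliberately created empty: Karaf no longer ships a private key to seed this agent.`, would pin the intent. registerSession and its enclosing try block start and end outside the hunk, so the surrounding error handling is not visible here; the asciidoc and import hunks on this line need no change.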
diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/ClientMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/ClientMojo.java index 1d5cc1ea4fb..f98668d1d4c 100644 --- a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/ClientMojo.java +++ b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/ClientMojo.java @@ -46,11 +46,8 @@ import java.io.FileReader; import java.io.IOError; import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; import java.io.PrintWriter; import java.io.StringWriter; -import java.net.URL; import java.security.KeyPair; import java.util.Comparator; import java.util.EnumSet; @@ -236,20 +233,15 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la } private void setupAgent(String user, File keyFile, SshClient client) { - URL builtInPrivateKey = ClientMojo.class.getClassLoader().getResource("karaf.key"); - SshAgent agent = startAgent(user, builtInPrivateKey, keyFile); + SshAgent agent = startAgent(user, keyFile); client.setAgentFactory( new LocalAgentFactory(agent)); client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local"); } - private SshAgent startAgent(String user, URL privateKeyUrl, File keyFile) { - try (InputStream is = privateKeyUrl.openStream()) + private SshAgent startAgent(String user, File keyFile) { + try { SshAgent agent = new AgentImpl(); - ObjectInputStream r = new ObjectInputStream(is); - KeyPair keyPair = (KeyPair) r.readObject(); - is.close(); - agent.addIdentity(keyPair, user); if (keyFile != null) { FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFile.getAbsoluteFile().toPath()); for (KeyPair key : fileKeyPairProvider.loadKeys()) { 
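Review bot: The new `startAgent(String user, File keyFile)` in ClientMojo, and its verbatim twin in DeployMojo on the next line, silently change behaviour for callers that pass a null `keyFile`: the returned agent now holds no identities, whereas before the bundled key always supplied one. Neither method has Javadoc; a `/** ... */` stating that public-key authentication is offered only when {@code keyFile} is non-null and that the agent is otherwise empty would make this visible to plugin users. The try block continues past the hunk, so the catch that handles `loadKeys()` failures cannot be reviewed here. From the line counts it also looks like ClientMojo keeps `try` and its `{` on separate lines while DeployMojo uses `try {`; since the two methods are otherwise identical copies, a shared helper in the plugin would keep both the brace style and future fixes in one place.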
diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/DeployMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/DeployMojo.java index e9ee204f8e5..92312eb73c0 100644 --- a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/DeployMojo.java +++ b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/DeployMojo.java @@ -50,11 +50,8 @@ import java.io.File; import java.io.IOError; import java.io.IOException; -import java.io.InputStream; -import java.io.ObjectInputStream; import java.io.PrintWriter; import java.io.StringWriter; -import java.net.URL; import java.security.KeyPair; import java.util.ArrayList; import java.util.EnumSet; @@ -240,20 +237,14 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la } private void setupAgent(String user, File keyFile, SshClient client) { - URL builtInPrivateKey = ClientMojo.class.getClassLoader().getResource("karaf.key"); - SshAgent agent = startAgent(user, builtInPrivateKey, keyFile); + SshAgent agent = startAgent(user, keyFile); client.setAgentFactory( new LocalAgentFactory(agent)); client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local"); } - private SshAgent startAgent(String user, URL privateKeyUrl, File keyFile) { - try (InputStream is = privateKeyUrl.openStream()) - { + private SshAgent startAgent(String user, File keyFile) { + try { SshAgent agent = new AgentImpl(); - ObjectInputStream r = new ObjectInputStream(is); - KeyPair keyPair = (KeyPair) r.readObject(); - is.close(); - agent.addIdentity(keyPair, user); if (keyFile != null) { FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFile.getAbsoluteFile().toPath()); for (KeyPair key : fileKeyPairProvider.loadKeys()) {