Removing default karaf.key

assemblies/features/base/src/main/resources/resources/etc/keys.properties

@@ -29,7 +29,7 @@
 #
 
 #
-# For security reason, the default auto-signed key is disabled.
+# This is an example of how to associate a public key with a user.
 # The user guide describes how to generate/update the key.
 #
 #karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,_g_:admingroup

client/pom.xml

@@ -87,35 +87,13 @@
                             META-INF;-split-package:=merge-first
                         </Private-Package>
                         <Include-Resource>
-                            ../shell/ssh/src/main/resources/karaf.key,
                             {maven-resources}
                         </Include-Resource>
                         <Import-Package>!*</Import-Package>
                     </instructions>
                     <unpackBundle>true</unpackBundle>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>build-helper-maven-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <id>attach-artifacts</id>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>attach-artifact</goal>
-                        </goals>
-                        <configuration>
-                            <artifacts>
-                                <artifact>
-                                    <file>target/classes/karaf.key</file>
-                                    <type>key</type>
-                                </artifact>
-                            </artifacts>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
         </plugins>
     </build>
 </project>

client/src/main/java/org/apache/karaf/client/Main.java

@@ -25,10 +25,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.io.ObjectInputStream;
 import java.io.Reader;
 import java.lang.reflect.Proxy;
-import java.net.URL;
 import java.nio.charset.Charset;
 import java.nio.file.Paths;
 import java.security.KeyPair;
@@ -141,7 +139,7 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la
                     }
                 });
             }
-            
+
             if (config.getUser()==null || config.getUser().isEmpty()) {
             	while (true) {
             		String user = console.readLine("Enter user: ");
@@ -157,7 +155,7 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la
             else if (console != null) {
                 console.printf("Logging in as %s\n", config.getUser());
             }
-            
+
             setupAgent(config.getUser(), config.getKeyFile(), client, passwordProvider);
 
             // define hearbeat (for the keep alive) and timeouts
@@ -216,7 +214,7 @@ else if (console != null) {
                     if (channel.getExitStatus() != null) {
                         exitStatus = channel.getExitStatus();
                     }
-                    
+
                 } else {
                     ChannelShell channel = session.createShellChannel();
                     Attributes attributes = terminal.enterRawMode();
@@ -354,8 +352,7 @@ private static int getFlag(Attributes attributes, LocalFlag flag) {
 
     private static void setupAgent(String user, String keyFile, SshClient client, FilePasswordProvider passwordProvider) {
         SshAgent agent;
-        URL builtInPrivateKey = Main.class.getClassLoader().getResource("karaf.key");
-        agent = startAgent(user, builtInPrivateKey, keyFile, passwordProvider);
+        agent = startAgent(user, keyFile, passwordProvider);
         client.setAgentFactory(new LocalAgentFactory(agent));
         client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local");
     }
@@ -380,40 +377,23 @@ private static ClientSession connectWithRetries(SshClient client, ClientConfig c
         return session;
     }
 
-    private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile, FilePasswordProvider passwordProvider) {
-        InputStream is = null;
+    private static SshAgent startAgent(String user, String keyFile, FilePasswordProvider passwordProvider) {
         try {
             SshAgent agent = new AgentImpl();
-            is = privateKeyUrl.openStream();
-            ObjectInputStream r = new ObjectInputStream(is);
-            KeyPair keyPair = (KeyPair) r.readObject();
-            is.close();
-            agent.addIdentity(keyPair, user);
             if (keyFile != null) {
                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(Paths.get(keyFile));
                 fileKeyPairProvider.setPasswordFinder(passwordProvider);
                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
-                    agent.addIdentity(key, user);                
+                    agent.addIdentity(key, user);
                 }
             }
             return agent;
         } catch (Throwable e) {
-            close(is);
             System.err.println("Error starting ssh agent for: " + e.getMessage());
             return null;
         }
     }
 
-    private static void close(Closeable is) {
-        if (is != null) {
-            try {
-                is.close();
-            } catch (IOException e1) {
-                // Ignore
-            }
-        }
-    }
-
     private static void registerSignalHandler(final Terminal terminal, final PtyCapableChannelSession channel) {
         try {
             Class<?> signalClass = Class.forName("sun.misc.Signal");

manual/src/main/asciidoc/user-guide/security.adoc

@@ -360,18 +360,6 @@ The keys allowed to connect are stored in `etc/keys.properties` file, following
 user=key,role
 ----
 
-By default, Karaf allows a key for the karaf user:
-
-----
-#karaf=AAAAB3NzaC1kc3MAAACBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAAAAFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QAAAIEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoAAACBAKKSU2PFl/qOLxIwmBZPPIcJshVe7bVUpFvyl3BbJDow8rXfskl8wO63OzP/qLmcJM0+JbcRU/53JjTuyk31drV2qxhIOsLDC9dGCWj47Y7TyhPdXh/0dthTRBy6bqGtRPxGa7gJov1xm/UuYYXPIUR/3x9MAZvZ5xvE0kYXO+rx,_g_:admingroup
-_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
-----
-
-[NOTE]
-====
-For security reason, this key is disabled. We encourage to create the keys pair per client and update the `etc/keys.properties` file.
-====
-
 The easiest way to create key pair is to use OpenSSH.
 
 You can create a key pair using:

shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafAgentFactory.java

@@ -19,10 +19,6 @@
 package org.apache.karaf.shell.ssh;
 
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.net.URL;
-import java.security.KeyPair;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -105,11 +101,6 @@ public void registerSession(org.apache.karaf.shell.api.console.Session session)
         try {
             String user = (String) session.get("USER");
             SshAgent agent = new AgentImpl();
-            URL url = getClass().getClassLoader().getResource("karaf.key");
-            InputStream is = url.openStream();
-            ObjectInputStream r = new ObjectInputStream(is);
-            KeyPair keyPair = (KeyPair) r.readObject();
-            agent.addIdentity(keyPair, "karaf");
             String agentId = "local:" + user;
             session.put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, agentId);
             locals.put(agentId, agent);

tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/ClientMojo.java

@@ -46,11 +46,8 @@
 import java.io.FileReader;
 import java.io.IOError;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
-import java.net.URL;
 import java.security.KeyPair;
 import java.util.Comparator;
 import java.util.EnumSet;
@@ -236,20 +233,15 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la
     }
 
     private void setupAgent(String user, File keyFile, SshClient client) {
-        URL builtInPrivateKey = ClientMojo.class.getClassLoader().getResource("karaf.key");
-        SshAgent agent = startAgent(user, builtInPrivateKey, keyFile);
+        SshAgent agent = startAgent(user, keyFile);
         client.setAgentFactory( new LocalAgentFactory(agent));
         client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local");
     }
 
-    private SshAgent startAgent(String user, URL privateKeyUrl, File keyFile) {
-        try (InputStream is = privateKeyUrl.openStream())
+    private SshAgent startAgent(String user, File keyFile) {
+        try
         {
             SshAgent agent = new AgentImpl();
-            ObjectInputStream r = new ObjectInputStream(is);
-            KeyPair keyPair = (KeyPair) r.readObject();
-            is.close();
-            agent.addIdentity(keyPair, user);
             if (keyFile != null) {
                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFile.getAbsoluteFile().toPath());
                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {

tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/client/DeployMojo.java

@@ -50,11 +50,8 @@
 import java.io.File;
 import java.io.IOError;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
-import java.net.URL;
 import java.security.KeyPair;
 import java.util.ArrayList;
 import java.util.EnumSet;
@@ -240,20 +237,14 @@ public String getUpdatedPassword(ClientSession session, String prompt, String la
     }
 
     private void setupAgent(String user, File keyFile, SshClient client) {
-        URL builtInPrivateKey = ClientMojo.class.getClassLoader().getResource("karaf.key");
-        SshAgent agent = startAgent(user, builtInPrivateKey, keyFile);
+        SshAgent agent = startAgent(user, keyFile);
         client.setAgentFactory( new LocalAgentFactory(agent));
         client.getProperties().put(SshAgent.SSH_AUTHSOCKET_ENV_NAME, "local");
     }
 
-    private SshAgent startAgent(String user, URL privateKeyUrl, File keyFile) {
-        try (InputStream is = privateKeyUrl.openStream())
-        {
+    private SshAgent startAgent(String user, File keyFile) {
+        try {
             SshAgent agent = new AgentImpl();
-            ObjectInputStream r = new ObjectInputStream(is);
-            KeyPair keyPair = (KeyPair) r.readObject();
-            is.close();
-            agent.addIdentity(keyPair, user);
             if (keyFile != null) {
                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFile.getAbsoluteFile().toPath());
                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {