Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

After reinstalling OH2.5M5 on openHABian I now have to provide credentials for running openhab-cli console #792

Closed
shutterfreak opened this issue Nov 18, 2019 · 10 comments
Labels
awaiting feedback Waiting for additional information openHAB related Must be important

Comments

@shutterfreak
Copy link
Contributor

I'm running openHAB 2.5 M5 on a Raspberry Pi 3B+ running openHABian Buster.

The upgrade from 2.5 M4 to 2.5 M5 didn't occur without problems, for instance problems installing package expert-0. Eventually I decided to reinstall openHAB 2.5 M5 while first pruning the openhab package.

I ran into 2 problems:

  1. The uninstaller failed to uninstall openHAB, most likely because of ZRAM (mount point problem?)
  2. I now have to provide a password whenever running openhab-cli console from the openhabian user account, which I didn't have to prior to 2.5 M4 (Karaf upgrade problem?)

Details:
I manually deleted openHAB as follows:

$ sudo service zram-config stop
$ sudo apt purge openhab2

I then reinstalled openHAB again through openhabian-config, while first selecting the testing repository (milestone builds).

Now I have the following nuisance. Whenever I want to access the Karaf console (through openhab-cli console), I have to provide a password.

Is there a way to configure my environment so the openhabian user could again log in to the Karaf console on localhost without having to request a password?

Discussion on OH Community: https://community.openhab.org/t/after-reinstalling-oh2-5m5-on-openhabian-i-now-have-to-provide-credentials-for-running-openhab-cli-console/85734

@bwosborne2
Copy link

FYI, I also have to provide the password habopen when running the console after updating from M4 to M5.
Deleting cache & tmp files did not help.

@wborn
Copy link
Member

wborn commented Nov 18, 2019

The default Karaf SSH key has been removed in the Karaf master branch for security reasons, see apache/karaf#901. If you'd set the SSH host to a public IP in org.apache.karaf.shell.cfg everyone would be able to connect to the Console using that default key. But AFAIK that change is not yet part of Karaf 4.2.7 so it may be some other regression. But even if we fix this regression, we'll run into this again when upgrading to Karaf 4.3.x.

@bwosborne2
Copy link

I did not see any change in expected behavior documented in the release warnings.
Are we supposed to direct users on setting up ssh keys for this? What is the overall plan?

@BClark09
Copy link
Member

BClark09 commented Nov 18, 2019

The issue is the client/client.bat script from the same distribution no longer provides passwordless access.

From the above forum post copying in my findings here for clarity:

Found the cause, a change in Karaf 4.2.7 (jaas update?) has meant that encrypting passwords always prompts for password entry. You can test this by installing a standalone version of Karaf, and editing the following line in apache-karaf-4.2.*/etc/org.apache.karaf.jaas.cfg

encryption.enabled = true

In Karaf 4.2.6 I am able to login, however in Karaf 4.2.7 it prompts for a password. openHAB’s default is to set this variable to true (${OPENHAB_USERDATA}/etc/org.apache.karaf.jaas.cfg), hence seeing the issue now.

However, KARAF-5217 implies that should have been in intended from a while back. I do think however that the default password should allow login from the same machine, so perhaps it's worth raising this again?

@bwosborne2
Copy link

Perhaps set the default to unencrypted and just localhost access? Only those wanting remote console access would then need to change the settings and generate ssh keys.

@wborn wborn transferred this issue from openhab/openhab-core Nov 18, 2019
@kaikreuzer
Copy link
Member

But openhabian offers a menu entry to make the console available from remote hosts, so this feature would have to be adapted to switch to encrypted mode before we can set it to unencrypted as default.

@kaikreuzer kaikreuzer transferred this issue from openhab/openhab-distro Jan 27, 2020
@holgerfriedrich holgerfriedrich added openHAB related Must be important nice to have Makes life easier labels Apr 2, 2020
@mstormi
Copy link
Contributor

mstormi commented May 25, 2020

But openhabian offers a menu entry to make the console available from remote hosts,
so this feature would have to be adapted to switch to encrypted mode before we can set it to unencrypted as default.

Not sure I understand what you want openHABian to do here.

According to https://karaf.apache.org/manual/latest/security,
you can enter user=plaintextpassword,_g_:admingroup to /var/lib/openhab2/etc/users.properties
and it'll encrypt that password when you restart Karaf/OH next time.
That's what options 42 (setup console) does with the default password "habopen" (and it allows for all interfaces while default is localhost only).
It's also what option 34 (set console password) does to change that password.
I just validated it's working as documented.

So if openhab-cli was to use the default password, it should work.
Passwordless, I wouldn't know how to set that up on the server side (other than to use keys but that would be a different story then).

@mstormi mstormi added awaiting feedback Waiting for additional information and removed nice to have Makes life easier labels May 26, 2020
@mstormi
Copy link
Contributor

mstormi commented Jun 19, 2020

@shutterfreak @BClark09 is there anything you want me to change in openhHABian ?
Things IMHO work as documented and if you want passwordless access my understanding is you can set that in org.apache.karaf.jaas.cfg or use a SSH key.

@BClark09
Copy link
Member

BClark09 commented Jun 22, 2020

Not having to put in the password when coming in from the localhost would be a nice to have IMO, but it's not an issue restricted to openHABian so I think we can close the issue.

It might be possible for openhab-cli to try the default password first, which will prompt a password if it's anything other than "habopen". This would be an issue for openhab-linuxpkg and not openhabian though.

@mstormi
Copy link
Contributor

mstormi commented Jun 22, 2020

Ok, thanks for your feedback.
So will close. Feel free to reopen if there's significant news.

@mstormi mstormi closed this as completed Jun 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
awaiting feedback Waiting for additional information openHAB related Must be important
Projects
None yet
Development

No branches or pull requests

7 participants