After reinstalling OH2.5M5 on openHABian I now have to provide credentials for running openhab-cli console

Thanks. Getting ready to upgrade now.

EDIT: Somebody else said restarting OpenHAB resolved their ssh issue. Have you tried that?

More than once, including rebooting the RPi… to no avail.

Verified. I even removed the cache & tmp files but still have the issue.

FYI the password is habopen

I know, I changed the default openhab password on my server through openhabian-config.

Well, you purged openHAB which means the contents of /var/lib/openhab2/etc got deleted. Then you reinstalled which replaced the contents of that folder with the defaults. Did you re-add your public key to /var/lib/openhab2/etc/keys.properties?

So far I never generated any key for my openHAB setup. This key must thus have been generated by the first-time installer (the openhabian installer?).

The only nonblank or non-comment line in /var/lib/openhab2/etc/keys.properties is:

$ cat /var/lib/openhab2/etc/keys.properties | grep -vE '^$|^#'
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

Does this mean I have to generate an SSH key for the openhabian user and add the public key to /var/lib/openhab2/etc/keys.properties? The approach depicted in the following post does not work, I still have to provide the password for openhab:

Here’s what I get:

[16:49:15] openhabian@openhab:~$ ssh -p 8101 openhab@localhost
Password authentication
Password: 
[16:49:23] openhabian@openhab:~$ openhab-cli console

Logging in as openhab
Password:  
[16:52:00] openhabian@openhab:~$ openhab-cli console -k ~/.ssh/id_rsa

Logging in as openhab
Password:  

Remark: Karaf reports it’s on version 4.2.7.

Logging in to the Karaf console is something you have to configure. By default it only supports password based authentication.

To not have your password requested, you must configure SSH certificates.

If you can ssh to your RPi then you already have SSH certificates. They are located in ~/.ssh.

In order to log into the Karaf console using an SSH certificate, you must give the Karaf console a copy of the public key part of the certificate (~/.ssh/id_rsa.pub most likely). You do this by editing keys.properties.

Correct, because keys.properties by default is not configured to allow log in with SSH certificates. So you need to add a line for the openhab user and supply the public key on that line.

If you can log into your host using SSH certificates then you already have keys generated. You just need to add the ones you already have to keys.properties.

Those instructions work for me. I just redid it to make sure on both OH 2.5 M5 and 2.5 snapshot #1759. There must be something wrong with how you are doing it or something different about your setup.

Same here.

I routinely log onto my RPi with ssh from any other computer, but all I have configured is that I can log in without password from specific accounts external to the RPi. Those have an entry in ~openhabian/.ssh/authorized_keys with keys generated on those remote accounts.

But I never did anything to generate a key pair for the openhabian user. So I must conclude that this is some nonstandard thing that the openhabian installer takes care of during the first-time installation.

When I generate the key pair for the openhabian user and have it stored in ~/.ssh/ then the only files I see in ~/.ssh/ are:

  • ~/.ssh/id_rsa - the private key of the openhabian user (generated by running ssh-keygen)
  • ~/.ssh/id_rsa.pub - the public key of the openhabian user (needed by Karaf in ~openhab/etc/keys.properties) (generated by running ssh-keygen)
  • ~/.ssh/known_hosts - list of known (trusted) ssh remote hosts
  • ~/.ssh/authorized_keys - list of trusted keys that can log in without providing a password

I have no clue why it’s not working.

And in a default OpenHABian installation, up until Milestone 5 the command openhab-cli console logged you in without requesting a password. Milestone 5 now prompts for a password.

Precisely.

This isn’t unique to openHABian or even the apt/yum repositories.

Running $OPENHAB_HOME/runtime/bin/client would log you into the console without a prompt for a password if you were running a default configuration (most people would be I assume). So this looks like a change/regression in the milestone.

Apparently not:

$ $OPENHAB_HOME/runtime/bin/client
Logging in as openhab
Password: 

and:

$OPENHAB_HOME/runtime/bin/client -k ~/.ssh/id_rsa
Logging in as openhab
Password:  

It appears that with OH 2.5 M5 something changed with respect to either certificate handling or ssh with the Karaf upgrade.

Just to make sure I’m correctly understanding how it is supposed to work:

  1. From the openhabian account, generate a private and public key with the ssh-keygen tool. By default, a key pair will be generated in ~/.ssh/ with a default name id_rsa and id_rsa.pub (you can choose a different encryption scheme than rsa, the filename will then reflect this). Note that by using this naming scheme, you shouldn’t have to explicitly provide the key file to ssh.
  2. Copy the public key to $OPENHAB_HOME/etc/keys.properties as in:
openhab=PUBLIC_KEY_GOES_HERE,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh
  3. Now you should be able to access the Karaf console from the openhabian user account without providing a password… which sadly no longer works as of OH2.5 M5.

The only nonstandard packages I’m running are zram (installed through openhabian-config) and fail2ban. There’s also an nginx reverse proxy running, but as far as I remember, that was also installed through openhabian-config.

Agreed. Karaf was updated to a newer version.

Upgrade Karaf tooling and openHAB TP to 4.2.7 (#1197)

For line 2, make sure that you only copied the key part of id_rsa.pub, not the “ssh-rsa” at the beginning and <username>@<server> at the end. Make sure the spaces are also excluded. Only the random string that makes up the public key should be in PUBLIC_KEY_GOES_HERE. A stray space or any other information can render the key unusable.

fail2ban, nginx, etc. would not have anything to do with this. Either there is a regression/change in the Karaf Console or something wrong with your keys.properties I think. I just in the past couple days set up my keys.properties on two different openHAB instances successfully and both are running Karaf 4.2.7. One is installed through openHABian and the other is running in Docker.

I don’t think this is specifically related to changes in Karaf, I’ve just run a standalone instance of Karaf 4.2.7 and can access the console using the client executable without a default password fine. There must be some other change in the milestone causing it.

Thanks @Benjy. Let us know if there is anything we can test.

Found the cause, a change in Karaf 4.2.7 has meant that encrypting passwords always prompts for password entry. You can test this by installing a standalone version of Karaf, and editing the following line in apache-karaf-4.2.*/etc/org.apache.karaf.jaas.cfg

encryption.enabled = true

In Karaf 4.2.6 I am able to login, however in Karaf 4.2.7 it prompts for a password. openHAB’s default is to set this variable to true (${OPENHAB_USERDATA}/etc/org.apache.karaf.jaas.cfg), hence seeing the issue now.

However, KARAF-5217 implies that should have been intended from a while back. @Kai wdyt? Is it worth commenting on the issue or making a new one? Seems like a regression for a default password.

This is a good find but it doesn’t explain why @shutterfreak is unable to configure the public key in keys.properties. Are there potentially two issues at play here?

I don’t think so, I just created a key and that works fine, with or without the encryption.enabled set. @shutterfreak, are you sure the key has been copied correctly in /var/lib/openhab2/keys.properties?

Yes, I’m pretty sure.

Here’s the full script.

$ ssh openhabian@openhab
Linux openhab 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 18 17:38:22 2019 from 192.168.0.1

###############################################################################
###############  openhab  #####################################################
###############################################################################
##        Ip = 192.168.0.10
##   Release = Raspbian GNU/Linux 10 (buster)
##    Kernel = Linux 4.19.75-v7+
##  Platform = Raspberry Pi 3 Model B Plus Rev 1.3
##    Uptime = 0 day(s). 6:12:48
## CPU Usage = 0.51% avg over 4 cpu(s) (4 core(s) x 1 socket(s))
##  CPU Load = 1m: 0.06, 5m: 0.08, 15m: 0.12
##    Memory = Free: 0.03GB (3%), Used: 0.91GB (97%), Total: 0.95GB
##      Swap = Free: 0.67GB (98%), Used: 0.01GB (2%), Total: 0.68GB
##      Root = Free: 24.20GB (87%), Used: 3.57GB (13%), Total: 28.99GB
##   Updates = 0 apt updates available.
##  Sessions = 1 session(s)
## Processes = 129 running processes of 32768 maximum processes
###############################################################################

              Welcome to            __  _____    ____  _
            ____  ____  ___  ____  / / / /   |  / __ )(_)___ _____
           / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  / / __ `/ __ \
          / /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ / / /_/ / / / /
          \____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/_/\__,_/_/ /_/
              /_/
                  openHAB 2.5.0~M5-1 (Milestone Build)


Looking for a place to get started? Check out 'sudo openhabian-config' and the
documentation at https://www.openhab.org/docs/installation/openhabian.html
The openHAB dashboard can be reached at http://openhab:8080
To interact with openHAB on the command line, execute: 'openhab-cli --help'

[20:43:30] openhabian@openhab:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/openhabian/.ssh/id_rsa): 
/home/openhabian/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/openhabian/.ssh/id_rsa.
Your public key has been saved in /home/openhabian/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9S7ATQTPahd9+udZUQ7bFie53a6mHtAB1CUuC/3Avh4 openhabian@openhab
The key's randomart image is:
+---[RSA 2048]----+
|        .o+....  |
|         * +.. . |
|        . @ + =.o|
|       . B O + O=|
|        S * = o.*|
|       . o + . o.|
|          E o . +|
|         . o ..+o|
|          ..oo...|
+----[SHA256]-----+
[20:43:58] openhabian@openhab:~$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf openhabian@openhab

So the public SSH key of the openhabian user is:

AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf

Now let’s edit the openhab user settings:

[20:47:24] openhabian@openhab:~$ sudo bash
[sudo] password for openhabian: 
[20:47:33] root@openhab:/home/openhabian# cd ~openhab/etc
[20:47:50] root@openhab:/var/lib/openhab2/etc# vim keys.properties

Now I edit the entry for the openhabian user as per the Karaf documentation:

[20:50:08] root@openhab:/var/lib/openhab2/etc# cat keys.properties 
################################################################################
#
#    Licensed to the Apache Software Foundation (ASF) under one or more
#    contributor license agreements.  See the NOTICE file distributed with
#    this work for additional information regarding copyright ownership.
#    The ASF licenses this file to You under the Apache License, Version 2.0
#    (the "License"); you may not use this file except in compliance with
#    the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.
#
################################################################################

#
# This file contains the valid users who can log into Karaf. Each line have to be of
# the format:
#
# USER=KEY,ROLE1,ROLE2,...
#
# All users and roles entered in this file are available after Karaf startup
# and modifiable via the JAAS command group. These users reside in a JAAS domain
# with the name "karaf"..
#

#
# For security reason, the default auto-signed key is disabled.
# The user guide describes how to generate/update the key.
#
#karaf=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,_g_:admingroup
openhabian=AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

Time to test if it works. First we’ll exit from the root shell and then we’ll try accessing the openhab account (Karaf):

[20:52:17] root@openhab:/var/lib/openhab2/etc# exit
exit
[20:52:21] openhabian@openhab:~$ pwd
/home/openhabian
[20:52:25] openhabian@openhab:~$ openhab-cli console

Logging in as openhab
Password:  

So it fails. As does:

[20:53:42] openhabian@openhab:~$ ssh -p 8101 openhab@localhost
Password authentication
Password: 

Or:

[20:54:32] openhabian@openhab:~$ ssh -p 8101 openhab@localhost -i ~/.ssh/id_rsa
Password authentication
Password:
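
The checks the thread asks for on keys.properties (an entry named for the user the console client logs in as, "openhab" per the "Logging in as openhab" prompt, and a key field holding only the base64 part of the .pub line) can be automated. The following is an added example, not part of the original posts or of openHAB or Karaf; the function names and the sample file content are constructed for illustration.

```python
import base64
import struct

def parse_entries(text):
    """Map user -> (key, roles) from USER=KEY,ROLE1,... lines of keys.properties."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().startswith("_g_"):  # group definition, not a user
            continue
        key, *roles = value.split(",")
        entries[name.strip()] = (key, [r.strip() for r in roles])
    return entries

def key_problems(key):
    """Check that the field is only the base64 blob of an SSH public key."""
    if any(c.isspace() for c in key):
        return ["key field contains whitespace (prefix or comment left in?)"]
    try:
        blob = base64.b64decode(key, validate=True)
    except ValueError:
        return ["key field is not valid base64"]
    # An SSH public key blob starts with a 4-byte length, then the algorithm name.
    if len(blob) < 4:
        return ["key field does not look like an SSH public key blob"]
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if not (0 < n <= 64 and len(name) == n and name.isascii()):
        return ["key field does not look like an SSH public key blob"]
    return []

def audit(keys_text, login_user, pub_line):
    """Return findings for the entry the console client will be matched against."""
    entries = parse_entries(keys_text)
    if login_user not in entries:
        return [f"no entry for '{login_user}' (users present: {sorted(entries)})"]
    key, _ = entries[login_user]
    findings = key_problems(key)
    fields = pub_line.split()
    if len(fields) < 2 or key != fields[1]:
        findings.append("key differs from the base64 field of the .pub file")
    return findings

# Constructed sample data (not a real key): a minimal blob with an ssh-rsa header.
BLOB = base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + bytes(32)).decode()
PUB_LINE = f"ssh-rsa {BLOB} openhabian@openhab"
SAMPLE = f"openhabian={BLOB},_g_:admingroup\n_g_\\:admingroup = group,admin,ssh\n"

if __name__ == "__main__":
    print(audit(SAMPLE, "openhab", PUB_LINE))
```
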