After reinstalling OH2.5M5 on openHABian I now have to provide credentials for running openhab-cli console

This is a good find but it doesn’t explain why @shutterfreak is unable to configure the public key in keys.properties. Are there potentially two issues at play here?

I don’t think so, I just created a key and that works fine, with or without the encryption.enabled set. @shutterfreak, are you sure the key has been copied correctly in /var/lib/openhab2/keys.properties?

Yes, I’m pretty sure.

Here’s the full script.

$ ssh openhabian@openhab
Linux openhab 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 18 17:38:22 2019 from 192.168.0.1

###############################################################################
###############  openhab  #####################################################
###############################################################################
##        Ip = 192.168.0.10
##   Release = Raspbian GNU/Linux 10 (buster)
##    Kernel = Linux 4.19.75-v7+
##  Platform = Raspberry Pi 3 Model B Plus Rev 1.3
##    Uptime = 0 day(s). 6:12:48
## CPU Usage = 0.51% avg over 4 cpu(s) (4 core(s) x 1 socket(s))
##  CPU Load = 1m: 0.06, 5m: 0.08, 15m: 0.12
##    Memory = Free: 0.03GB (3%), Used: 0.91GB (97%), Total: 0.95GB
##      Swap = Free: 0.67GB (98%), Used: 0.01GB (2%), Total: 0.68GB
##      Root = Free: 24.20GB (87%), Used: 3.57GB (13%), Total: 28.99GB
##   Updates = 0 apt updates available.
##  Sessions = 1 session(s)
## Processes = 129 running processes of 32768 maximum processes
###############################################################################

              Welcome to            __  _____    ____  _
            ____  ____  ___  ____  / / / /   |  / __ )(_)___ _____
           / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  / / __ `/ __ \
          / /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ / / /_/ / / / /
          \____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/_/\__,_/_/ /_/
              /_/
                  openHAB 2.5.0~M5-1 (Milestone Build)


Looking for a place to get started? Check out 'sudo openhabian-config' and the
documentation at https://www.openhab.org/docs/installation/openhabian.html
The openHAB dashboard can be reached at http://openhab:8080
To interact with openHAB on the command line, execute: 'openhab-cli --help'

[20:43:30] openhabian@openhab:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/openhabian/.ssh/id_rsa): 
/home/openhabian/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/openhabian/.ssh/id_rsa.
Your public key has been saved in /home/openhabian/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9S7ATQTPahd9+udZUQ7bFie53a6mHtAB1CUuC/3Avh4 openhabian@openhab
The key's randomart image is:
+---[RSA 2048]----+
|        .o+....  |
|         * +.. . |
|        . @ + =.o|
|       . B O + O=|
|        S * = o.*|
|       . o + . o.|
|          E o . +|
|         . o ..+o|
|          ..oo...|
+----[SHA256]-----+
[20:43:58] openhabian@openhab:~$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf openhabian@openhab

So the public SSH key of the openhabian user is:

AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf

Now let’s edit the openhab user settings:

[20:47:24] openhabian@openhab:~$ sudo bash
[sudo] password for openhabian: 
[20:47:33] root@openhab:/home/openhabian# cd ~openhab/etc
[20:47:50] root@openhab:/var/lib/openhab2/etc# vim keys.properties

Now I edit the entry for the openhabian user as per the Karaf documentation:

[20:50:08] root@openhab:/var/lib/openhab2/etc# cat keys.properties 
################################################################################
#
#    Licensed to the Apache Software Foundation (ASF) under one or more
#    contributor license agreements.  See the NOTICE file distributed with
#    this work for additional information regarding copyright ownership.
#    The ASF licenses this file to You under the Apache License, Version 2.0
#    (the "License"); you may not use this file except in compliance with
#    the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.
#
################################################################################

#
# This file contains the valid users who can log into Karaf. Each line have to be of
# the format:
#
# USER=KEY,ROLE1,ROLE2,...
#
# All users and roles entered in this file are available after Karaf startup
# and modifiable via the JAAS command group. These users reside in a JAAS domain
# with the name "karaf"..
#

#
# For security reason, the default auto-signed key is disabled.
# The user guide describes how to generate/update the key.
#
#karaf=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,_g_:admingroup
openhabian=AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

Time to test if it works. First we’ll exit from the root shell and then we’ll try accessing the openhab account (Karaf):

[20:52:17] root@openhab:/var/lib/openhab2/etc# exit
exit
[20:52:21] openhabian@openhab:~$ pwd
/home/openhabian
[20:52:25] openhabian@openhab:~$ openhab-cli console

Logging in as openhab
Password:  

So it fails. As does:

[20:53:42] openhabian@openhab:~$ ssh -p 8101 openhab@localhost
Password authentication
Password: 

Or:

[20:54:32] openhabian@openhab:~$ ssh -p 8101 openhab@localhost -i ~/.ssh/id_rsa
Password authentication
Password: 

The user is openhab, not openhabian.

Logging in as openhab

You are not configuring the information for the account you are ssh’ing from, you are configuring the account you are ssh’ing to. You use user openhab to log into the Karaf console.

openhab@localhost means “as user openhab on the localhost”.

But, because you configured a new openhabian user in keys.properties, the following should work:

ssh -p 8101 localhost # assuming you are logged in as user openhabian
ssh -p 8101 openhabian@localhost

That’s counterintuitive. Here are the last 2 lines of ~openhab/etc/keys.properties after replacing openhabian with openhab before the '=' sign:

openhab=AAAAB3NzaC1yc2EAAAADAQABAAABAQDv3V2lrdCKBd6RZt0As+7S6XoYSEbx1Z9ryI8AwSp9iraGkvw+LCUb3hEQrgvImn6/6TJLO2O07mk0hXaRGlDlsxvTbkfC+gh53QcfrI5xB1oMHvA6YNohPjKQuemUVtjYaCWID/uBEflhxbpErGBIw3Mbi9UuMOoTmonVaGLJs+l4qSx3QT+tc5tBmCAh0RJJeV3i1BPXXmg+U9wDwvNaGgXcfkooceBCY1N2lHtGNW8AMU33SomUUKPDEEDnrTr2vyzUO5aj5HCtf3sO+7oDz19tNWNUnjZDLNRMT3hGHQ3KJcNYBVjH3Q/NE+WnTVR8enZmRfx3mqFOY5MHXKGf,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

Now back as the openhabian user, let’s try to log in:

$ openhab-cli console

Logging in as openhab
Password:  

No luck yet. But this used to work. Probably I’ll have to inspect openhab-cli to see what’s going on.

But this now works:

$ ssh -p 8101 openhab@localhost

                          __  _____    ____      
  ____  ____  ___  ____  / / / /   |  / __ )     
 / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  | 
/ /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ /      
\____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/     
    /_/                        2.5.0.M5
                               Milestone Build   

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown openHAB.

openhab>

Why is it counterintuitive? When you use PuTTY to ssh to your RPi from Windows, it doesn’t care what your Windows login is. It only cares what account you want to log into on the RPi. Well, the Karaf Console is like that RPi, it’s completely independent from the login you are coming from.

This is related to the problem that @Benjy identified above which is separate and independent from keys.properties.

As expected. You are logging into the Karaf Console using user openhab which now has the public key properly configured.

I see.

But in the current setup I’m now actually using a key pair owned by the openhabian user to be able to log the openhab user to Karaf?

By the way, the following now also works:

$ openhab-cli console -k ~/.ssh/id_rsa

EDIT: wait a second… I think I am missing part of the chain: the ssh access from openhabian to openhab. There’s currently no .ssh folder in ~openhab, hence that part won’t work. Is it correct that I need to configure ssh access from openhabian to openhab as well as Karaf access from openhab? Those should of course use different keys: one owned by openhabian and one owned by openhab.

Yep. It doesn’t matter who owns the private key. The Karaf Console never sees “openhabian” as the user. All it knows is “allow anyone who possesses the private key that corresponds to the public key to log in as user openhab.”

There wouldn’t be. That isn’t the user you are logging on to. You are logging on to a user that only exists in the Karaf Console. The stuff that would normally go in ~openhab/.ssh is what you’ve put into keys.properties.

No. You only need to associate a public key with the Karaf user openhab in keys.properties. Then any account that has the corresponding private key can log in to the Karaf user openhab.

Try to think of the Karaf Console as a completely separate machine. The user accounts that exist on your Raspberry Pi are completely irrelevant, just as your Windows accounts don’t matter when you use PuTTY to access your RPi over the network.

All that matters is that the Karaf user openhab is given a public key and what ever you are logging in to the Karaf console from possesses the private key.

Thanks for your clear explanation.

So in fact I need to distribute the keys to whichever account in need of accessing the Karaf console.

To this end I just created a new set of keys named karaf_openhab_id.rsa and karaf_openhab_id.rsa.pub which are only used for logging into Karaf:

  1. from the openhabian user account (the regular openhab-cli console access which now always requires a password), and
  2. from the openhab user account (useful e.g. for restarting bindings in case of problems).

As long as I explicitly provide the name of the private key in either case, it now works.

For what it’s worth, I couldn’t find any override in /usr/bin/openhab-cli nor in the scripts it runs:

  1. /etc/profile.d/openhab2.sh
  2. /etc/default/openhab2
    (NOTES:
    1. I have the impression that EXTRA_JAVA_OPTS was reset to the default value (EXTRA_JAVA_OPTS="-Xms250m -Xmx350m") after upgrading from 2.5 M4 to 2.5 M5 so I had to re-add the JSR223/Jython specific extra options for my Jython rules to work again)
  3. /etc/openhab-cli/command-overrides.sh

:+1:

This is related to the potential regression Benjy identified.

Override for what?

You ran a purge. Everything openHAB related was deleted when you did that. So of course any changes you may have made in /etc/default/openhab2 would have been lost.

I was hoping to find an environment variable that could have contained a default key file name or so…

That actually happened before purging the openhab package. Because I encountered so many problems, I decided to remove OH and reinstall it.

If there is a setting like that, it’s going to be on the ssh command. That is what needs access to the private key and it’s completely independent from openHAB or Karaf.

To clarify a few things:

  1. There are two ways of logging in to the console, one is by username/password, the other is by public and private key combination.

    • The list of keys openHAB’s console knows about are stored in the file keys.properties (by default none), the list of usernames and passwords the console knows about are stored in the users.properties file in the same directory.
  2. The openhab-cli console command is simply a shortcut for running the program $OPENHAB_HOME/runtime/bin/client

    • This program is an SSH client distributed with Karaf (which openHAB uses), AFAIK by default it tries a default password (not public/private key pair). It seems passwordless because the client that comes with the distribution should be aware of its own setup and tries this first (I could be wrong but that’s my understanding).
  3. The regression I identified earlier means that the client no longer uses its own password if encrypted. So it asks for one instead.

  4. ssh that comes with your Linux distribution uses the private/public key combination first; if that’s successful then the computer you’re connecting to won’t ask for a password.

  5. openhab-cli console also allows you to use a key when you use the -k <private key> combination, which is why generating one still works.
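To make the keys.properties mapping from the explanations above concrete (the Karaf user being logged into, not the host account, must own the key; entries have the form USER=KEY,ROLE1,ROLE2,...), here is an added check that is not code from this thread, openHAB or Karaf. It decodes an OpenSSH public-key line, computes the SHA256 fingerprint in the form ssh-keygen prints (so it can be compared with the one shown after key generation), and reports which Karaf user in keys.properties is bound to that exact key; the demo key uses a constructed toy modulus and the keys.properties text is constructed to reproduce the openhabian/openhab mix-up.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    # SSH mpint: big-endian magnitude with a leading 0x00 when the high bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def encode_openssh_pubkey(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line in the form ssh-keygen prints."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_openssh_pubkey(line: str) -> dict:
    """Decode the line, check the embedded type tag, and compute the SHA256 fingerprint."""
    key_type, blob = line.split()[:2]
    raw, fields, pos = base64.b64decode(blob), [], 0
    while pos < len(raw):
        (length,) = struct.unpack(">I", raw[pos:pos + 4])
        fields.append(raw[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0].decode() != key_type:
        raise ValueError("type prefix does not match the encoded blob")
    fp = base64.b64encode(hashlib.sha256(raw).digest()).rstrip(b"=").decode()
    return {"type": key_type, "blob": blob, "fingerprint": "SHA256:" + fp,
            "e": int.from_bytes(fields[1], "big"), "n": int.from_bytes(fields[2], "big")}

def users_for_key(keys_properties: str, blob: str) -> list:
    """Karaf users whose 'USER=KEY,ROLE1,ROLE2,...' entry carries exactly this key."""
    users = []
    for line in keys_properties.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, rest = line.partition("=")
            if rest.split(",")[0].strip() == blob:
                users.append(user.strip())
    return users

def console_login_possible(keys_properties: str, pubkey_line: str, karaf_user: str = "openhab") -> bool:
    """True only when the Karaf account being logged into (not the host account) owns the key."""
    return karaf_user in users_for_key(keys_properties, parse_openssh_pubkey(pubkey_line)["blob"])

# Constructed demo data (toy modulus, not a real key) reproducing the thread's mix-up:
# the key is bound to "openhabian" although the console is always entered as "openhab".
DEMO_PUBKEY = encode_openssh_pubkey(65537, 0xC0FFEE1234567891, "openhabian@openhab")
WRONG_KEYS = f"openhabian={DEMO_PUBKEY.split()[1]},_g_:admingroup\n_g_\\:admingroup = group,admin,manager,viewer,systembundles,ssh\n"
FIXED_KEYS = WRONG_KEYS.replace("openhabian=", "openhab=", 1)
```

Run `parse_openssh_pubkey` on the real line from `cat ~/.ssh/id_rsa.pub` and compare the fingerprint with the one ssh-keygen printed, then `users_for_key` on the contents of keys.properties; if the result is `["openhabian"]` rather than `["openhab"]`, the key sits under the wrong Karaf user.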

With the help of this thread I was able to login without password. But I’m still struggling with the user openhab (your point 2).

My user openhab doesn’t have a home directory. Do I need to create it or is there another location where to store the credentials?

If it was created by the install script (apt, yum, or openHABian) then yes, it does have a home directory. But since it’s a system user that directory isn’t under /home. You can navigate to it with the command cd ~openhab and see the full path with pwd. Or you can run the following command to see all of the openhab user’s settings: sudo cat /etc/passwd | grep openhab

Usually the home directory is /var/lib/openhab2


Thanks Rich.

I copied the file id_rsa.pub from ~/.ssh to /var/lib/openhab2/.ssh.
The files and the directory have the same flags as ~/.ssh.

ulrich@gehirn:~ $ sudo ls -la /var/lib/openhab2/.ssh/
insgesamt 28
drwx------  2 openhab openhab 4096 Dez  8 19:28 .
drwxr-xr-x 24 openhab openhab 4096 Dez 17 21:04 ..
-rw-r--r--  1 openhab openhab   54 Dez  8 19:28 config
-rw-------  1 openhab openhab 1679 Dez  8 19:28 id_rsa
-rw-r--r--  1 openhab openhab  395 Dez  8 19:28 id_rsa.pub
-rw-------  1 openhab openhab 2458 Dez  8 19:28 known_hosts
-rw-r--r--  1 openhab openhab 1008 Dez  8 19:28 known_hosts.old

Within openHAB I’m using those commands:

Thing	exec:command:execBundleRestartEnOcean	"execBundleRestartEnOcean" @ "logical"
[
	command="/bin/bash /usr/bin/ssh -p 8101 openhab@localhost bundle:restart org.openhab.binding.enocean",
	interval=0,			// never run automatically
	autorun=true
]

which returns

No more authentication methods available
No more authentication methods available

The same for

command="/usr/share/openhab2/runtime/bin/client bundle:restart org.openhab.binding.enocean",

Is there anything wrong with it or is still something missing?