Change karaf password

Hi,
The documentation seems to be outdated here. It says:
sudo sed -i -e "s/openhab = habopen/openhab = securePassword/g" /var/lib/openhab2/etc/users.properties

However, the passwords seem to be hashed now.

Apart from that the users.properties file is readable by everyone by default. This should be changed!


I’m not 100% certain of this, as I’ve done a lot of things since I set this up, but I have no recollection of changing the permissions on these folders; the permissions on my userdata/etc folder only grant access to user openhab. This means no other user (beyond root and openhab) can cd to, ls, or open any file in that folder.

So the permissions of the files in that folder do not really matter. They could be 777 yet still only openhab and root can get to them.

Clearly, it would be better practice to also make the files inside that folder be only user readable as well but it isn’t a huge security problem since the parent directory protects them.

Though I might add that in my configuration, the file is indeed only user readable.

I did not create these files nor have I changed any permissions on these files. Before this posting I didn’t know that they existed. This is all OH’s doing. So perhaps you are running with an older version of OH 2 or a userdata folder created with an older version of OH before these permissions were made more secure.

As for the docs being out of date, it does indeed need to be updated with instructions. The current sed command only works if you have not yet logged in to the console.

According to this from Karaf, when encryption is enabled (which it clearly is now), upon first login Karaf will replace the plain text password with an encrypted/hashed version of the password.

With encryption enabled, the passwords are encrypted the first time a user logs in. The encrypted passwords are prefixed and suffixed with {CRYPT}. To re-encrypt the password, you can reset the password in clear (in etc/users.properties file), without the {CRYPT} prefix and suffix. Apache Karaf will detect that this password is in clear (because it’s not prefixed and suffixed with {CRYPT}) and encrypt it again.

Also note that the link above has instructions for how to set up authentication by key instead of password.

I’m no expert with sed, so I hesitate to recommend what the correct answer is (probably to manually edit so both cases can be handled with one instruction). Therefore I recommend:

sudo vi /var/lib/openhab2/etc/users.properties

Replace habopen or {CRYPT}bldoijsa;ofdijawfgma{CRYPT} with securePassword.

Finally, in reference to your permissions concerns, the fact that the password is hashed with a pretty good hashing algorithm (SHA-256, see org.apache.karaf.jaas.cfg in the same folder as users.properties) makes me a little less concerned that the file is readable. Obviously I would want to know more about whether the passwords are properly salted, etc. before I would be fully comfortable with that file being that visible.

But ultimately, if you are that concerned about the security of your karaf console login, you should use ssh keys instead of passwords anyway.
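The "manually edit so both cases can be handled with one instruction" idea from the post above, worked out as an added shell example (this is not code from the openHAB or Karaf projects). It rewrites the `user = value,roles` line whether `value` is still the clear-text default or already a `{CRYPT}...{CRYPT}` hash, keeps the role list, and writes the new password in clear so that Karaf re-hashes it on the next console login, as the quoted Karaf documentation describes. The sample file contents, the `_g_:admingroup` role and the temporary file path are constructed for the demonstration; GNU sed (`-E`) is assumed.

```shell
#!/bin/sh
# Added example, not from the openHAB or Karaf projects: reset a Karaf console
# password in users.properties whether the current value is plain text or a
# {CRYPT}...{CRYPT} hash. File contents and roles below are constructed samples.

# get_karaf_value FILE USER
# Prints the stored password value (plain or hashed) for USER, without roles.
get_karaf_value() {
    sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^,]*)(,.*)?$|\1|p" "$1"
}

# set_karaf_password FILE USER NEWPASS
# Rewrites "USER = value,roles" so that value becomes NEWPASS in clear text and
# the role list is kept. Karaf hashes a clear-text value itself on the next
# console login, so this works for an untouched and an already-hashed entry.
set_karaf_password() {
    file=$1; user=$2; newpass=$3
    # Refuse characters that would break the properties syntax (',' separates
    # roles) or the sed replacement ('|' is the delimiter, '&' and '\' are
    # special there); whitespace is refused for the same reason.
    case "$newpass" in
        *,*|*\|*|*\&*|*\\*|*[[:space:]]*)
            echo "unsupported character in new password" >&2; return 2 ;;
    esac
    if ! grep -Eq "^[[:space:]]*${user}[[:space:]]*=" "$file"; then
        echo "no entry for user '${user}' in ${file}" >&2; return 1
    fi
    # Group 1: "user = ", group 2: old value, group 3: optional ",roles" suffix.
    sed -E "s|^([[:space:]]*${user}[[:space:]]*=[[:space:]]*)([^,]*)(,.*)?$|\1${newpass}\3|" \
        "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
}

# Demonstration on a constructed file (run directly with: sh this_script.sh).
demo_reset() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, modelled on the openHAB 2 entries discussed in the thread
openhab = habopen,_g_:admingroup
karaf = {CRYPT}c89bbbf01fa7840fdbf194a621ef899258e9210d6c77b6f033b6ebfa15f7230d{CRYPT},_g_:admingroup
EOF
    set_karaf_password "$tmp" openhab securePassword   # clear-text entry
    set_karaf_password "$tmp" karaf anotherSecret      # hashed entry
    cat "$tmp"
    rm -f "$tmp"
}
demo_reset
```

On a real installation run it against /var/lib/openhab2/etc/users.properties with sudo, then restart openHAB (or log in once) so Karaf replaces the clear-text value with its hashed form.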

Created an Issue:

How did you install oh? I installed it via the apt repo on ubuntu and I also don’t recall changing permissions on that folder.

[root@openhab ~]# ls -ld /var/lib/openhab2/
drwxr-xr-x 10 openhab openhab 4096 Feb 18 12:37 /var/lib/openhab2/
[root@openhab ~]# ls -ld /var/lib/openhab2/etc/
drwxr-xr-x 2 openhab openhab 4096 Feb 22 10:07 /var/lib/openhab2/etc/
[root@openhab ~]# ls -l /var/lib/openhab2/etc/users.properties
-rw-r--r-- 1 openhab openhab 1525 Feb 22 10:07 /var/lib/openhab2/etc/users.properties

I run in Docker but the files and folders in /var/lib/openhab2 (i.e. the userdata folder) are created and populated by OH itself when it first runs. Not during installation. So the installation method is irrelevant in this case.

What version did you install most recently?

What version did you first install? That version is what would have created the files and folders in userdata. Subsequent updates would not have changed the permissions on these files and folders.

I’m running the 2.0 Release and I had it recreate my userdata folder about a week or so ago.

I used this http://docs.openhab.org/tutorials/migration.html tutorial to upgrade to oh2 stable

[root@openhab ~]# cat /etc/apt/sources.list.d/openhab2.list
deb http://dl.bintray.com/openhab/apt-repo2 stable main
[root@openhab ~]# dpkg --list | grep openhab
ii openhab-addon-binding-exec 1.8.3 all openHAB Exec Binding
ii openhab-addon-binding-mpd 1.8.3 all openHAB MPD Binding
ii openhab-addon-binding-xbmc 1.8.3 all openHAB XBMC Binding
ii openhab-addon-persistence-mysql 1.8.3 all openHAB mySQL Persistence
ii openhab-addon-persistence-rrd4j 1.8.3 all openHAB RRD4j Persistence
ii openhab-runtime 1.8.3 all openHAB Distribution
ii openhab2 2.0.0-1 all openhab2

Actually, it is also writable by openhab, which is also bad security.

For a secure system, OpenHAB should not be the owner of that file and it should only be readable by openhab. So it should be something like:

$ chown root:openhab users.properties
$ chmod 640 users.properties

If openhab was the owner of the file it would be allowed to change its permissions. If openhab can write it, it can easily replace the password with something else. Of course it will not be able to replace the password with the encrypted version if the file is only readable, which is a problem with the current architecture. Overall, the way it is handled is poor security for an application with a web interface and a plugin infrastructure that supports installing quite a few plugins which potentially have a lot of security issues.
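An added shell example (not from the openHAB or Karaf projects) that audits the permissions discussed in this post and the earlier ones: it flags any file or directory under the Karaf etc folder that is readable or writable by "other" or writable by the group, so both the 640 root:openhab layout proposed above and the 600 openhab:openhab files reported earlier pass, while the 644 listing shown in the thread is flagged. It checks the three config files the thread names (users.properties, org.apache.karaf.jaas.cfg, org.apache.karaf.shell.cfg) and the directory itself. GNU `stat -c` is assumed (Linux); the directory used by the demo is a temporary one populated with empty files.

```shell
#!/bin/sh
# Added example, not from openHAB or Karaf: audit permissions of the Karaf
# config files named in this thread. Uses GNU stat (-c), so Linux-only as written.

# audit_path PATH
# Prints one line; returns 1 if "other" has any access or the group can write,
# 2 if PATH is missing, 0 otherwise.
audit_path() {
    p=$1
    [ -e "$p" ] || { echo "MISSING $p"; return 2; }
    mode=$(stat -c '%a' "$p")            # e.g. 644, 600 or 1777
    owner=$(stat -c '%U:%G' "$p")
    other=$(printf '%s' "$mode" | tail -c 1)              # last octal digit
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)  # second-to-last digit
    rc=0
    if [ "$other" -ne 0 ]; then
        echo "WORLD-ACCESSIBLE mode=$mode owner=$owner $p"; rc=1
    fi
    if [ $((group & 2)) -ne 0 ]; then
        echo "GROUP-WRITABLE   mode=$mode owner=$owner $p"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok               mode=$mode owner=$owner $p"
    return "$rc"
}

# audit_karaf_etc DIR
# Checks DIR itself (the parent directory is what protects the files, as noted
# above) plus the files this thread identified as security-relevant.
audit_karaf_etc() {
    dir=$1; failed=0
    audit_path "$dir" || failed=1
    for f in users.properties org.apache.karaf.jaas.cfg org.apache.karaf.shell.cfg; do
        audit_path "$dir/$f" || failed=1
    done
    return "$failed"
}

# Demonstration on a constructed temporary directory.
demo_audit() {
    d=$(mktemp -d)
    for f in users.properties org.apache.karaf.jaas.cfg org.apache.karaf.shell.cfg; do
        : > "$d/$f"
    done
    chmod 700 "$d"
    chmod 600 "$d/users.properties"                 # passes
    chmod 644 "$d/org.apache.karaf.jaas.cfg"        # world-readable: flagged
    chmod 660 "$d/org.apache.karaf.shell.cfg"       # group-writable: flagged
    audit_karaf_etc "$d" || echo "audit found issues in $d"
    rm -rf "$d"
}
demo_audit
```

On a real system call `audit_karaf_etc /var/lib/openhab2/etc` (or the userdata/etc path of a manual install) as root; a non-zero exit status means at least one of the named files or the directory is more permissive than the thread recommends.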

Good point.

And actually the config file of larger concern is org.apache.karaf.shell.cfg because that is where you can change the karaf ssh server to accept connections outside of 127.0.0.1. You can add users all day but if you can only connect to it through localhost you aren’t really buying anything. But if you can expose it to all interfaces and then figure out a way to break out of the console that might be more useful.

It is probably a good idea for an issue on the openhab2-distro github project.

Someone would need to spend the time to review all the configs, determine their security importance (we’ve identified two already) and set the permissions appropriately. openhab owns these files as it created them so it should be able to set the permissions and chown them to root.

Though if there are any updates OH needs to make to them after their initial creation (which does happen) it will require manual steps for users to change the permissions on these files so OH can update them as part of the upgrade process. Not a great solution from a usability perspective…

This shouldn’t be possible as long as oh does not run as root.
The folder should be created by the apt postinstall script (or similar for non apt)

I stand corrected. I thought if I owned the file I had that permission. Just proved myself wrong through a test.

In that case, the way OH works right now the best that could be done is to set the files as user read only.

These files and folders are not created during apt-get postinstall. They are created by the OH process itself on first run.

I wanted to say that it would be best to create those files during postinstall, because postinstall runs as root.

I’m sure there are strong and reasonable technical reasons not to create those files with postinstall.

One thing I can think of right now is that there is no post-install script if one is running on a non-apt-get OS (Fedora, Docker, Windows, OSX, etc.).

I just replaced my crypted password in the file /opt/openhab/userdata/etc/users.properties like this:

  • create a new hash for the secure password:
    echo -n SecurePassword | sha256sum
    c89bbbf01fa7840fdbf194a621ef899258e9210d6c77b6f033b6ebfa15f7230d  -
  • replace the crypt string in the file with the newly generated one
  • restart openhab

works for me!
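The fact that a plain `sha256sum` of the password matched what Karaf stores, as in the post above, also gives a defender a cheap check: whether a users.properties entry still holds a known password (the documented default `habopen`, for instance), whether it is stored in clear or in the `{CRYPT}<hex>{CRYPT}` form. The shell below is an added example, not code from openHAB or Karaf. It assumes what the post above observed, that org.apache.karaf.jaas.cfg is set to SHA-256 with hexadecimal encoding and no salt (the earlier post already flagged salting as an open question); if a deployment has changed those settings the hashed comparison will simply not match. The sample entries and the `_g_:admingroup` role are constructed.

```shell
#!/bin/sh
# Added example, not from openHAB or Karaf: check whether a users.properties
# entry still holds a given password, stored either in clear text or as the
# {CRYPT}<sha256 hex>{CRYPT} value produced in the post above.
# Assumption: SHA-256, hexadecimal encoding, no salt (default jaas.cfg settings
# as observed in the thread); coreutils sha256sum is available.

# karaf_crypt_entry PASSWORD
# Prints the {CRYPT}...{CRYPT} value for PASSWORD under the assumption above.
karaf_crypt_entry() {
    hex=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
    printf '{CRYPT}%s{CRYPT}\n' "$hex"
}

# get_karaf_value FILE USER
# Prints the stored password value (plain or hashed) for USER, without roles.
get_karaf_value() {
    sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^,]*)(,.*)?$|\1|p" "$1"
}

# password_in_use FILE USER PASSWORD
# Returns 0 if USER's stored value equals PASSWORD in clear or in hashed form,
# 1 if it does not, 2 if USER has no entry.
password_in_use() {
    stored=$(get_karaf_value "$1" "$2")
    [ -n "$stored" ] || return 2
    [ "$stored" = "$3" ] || [ "$stored" = "$(karaf_crypt_entry "$3")" ]
}

# check_default_credential FILE
# Reports whether the openhab user still has the documented default "habopen".
check_default_credential() {
    if password_in_use "$1" openhab habopen; then
        echo "WARNING: $1 still uses the default Karaf password for 'openhab'"
        return 1
    fi
    echo "ok: 'openhab' in $1 does not use the default password"
}

# Demonstration on a constructed file: one clear-text default, one hashed entry.
demo_check() {
    tmp=$(mktemp)
    {
        echo "openhab = habopen,_g_:admingroup"
        echo "karaf = $(karaf_crypt_entry SecurePassword),_g_:admingroup"
    } > "$tmp"
    check_default_credential "$tmp" || true
    password_in_use "$tmp" karaf SecurePassword && echo "karaf entry matches SecurePassword (hashed)"
    rm -f "$tmp"
}
demo_check
```

Running `check_default_credential /var/lib/openhab2/etc/users.properties` as root after an upgrade is a quick way to confirm the default credential is gone even when the stored value has already been replaced by its hash.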


I don’t think you have to hash the password yourself. My understanding from reading the Karaf docs and comments in that file is if you put in your plain-text password the first time you log in Karaf will replace it with a hashed version itself.
