Is OSGI Console a security risk?

Even if it is not likely that someone else is on my LAN, I encrypt as much as possible to avoid this problem. For the web interface everything is fine with AUTH. But I can connect to the OSGI console without any login and make ALL changes.

Questions:

  1. Can I disable OSGI console?
  2. Can I just run it on the adapter 127.0.0.1 (loopback)? == not reachable from outside of the machine
  3. Can I bring in user/password (ssh) authentication?

Thanks for your help

Are you speaking of openHAB 1.x or 2.x?

I’m using 1.8 still. If there is a difference we should discuss both because I plan to move soon because of Alexa :)

Using openHAB 2.0, Karaf console is secured with username and password and it is limited to local login.

No further changes are planned for the 1.x runtime, so I think upgrading to 2.0 (or a 2.1 snapshot) is probably your best course of action.
