Karaf access by SSH key - unable to get it to work on a new host, but the same approach is working on a few old openHAB instances

  • Platform information:
Model           : Raspberry Pi 3 Model B Rev 1.2
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
openjdk 21.0.5 2024-10-15 LTS
openhab Version:     4.3.2 (Build)

I am not able to recreate a Karaf console passwordless configuration with keys. I did it more than 8 times on different machines - it’s still working, but the exact configuration is not working on 2 new hosts.

Steps:
  1. sudo ssh-keygen -t rsa -f /etc/openhab/openhab.id_rsa
  2. sudo cat /etc/openhab/openhab.id_rsa.pub
     ssh-rsa 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 root@home
  3. keys.properties
     openhab=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,_g_\:admingroup
  4. ssh
     $ sudo ssh -p 8101 -i /etc/openhab/openhab.id_rsa.pub openhab@localhost
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     Permissions 0644 for '/etc/openhab/openhab.id_rsa.pub' are too open.
     It is required that your private key files are NOT accessible by others.
     This private key will be ignored.
     Load key "/etc/openhab/openhab.id_rsa.pub": bad permissions
  5. sudo chmod 400 /etc/openhab/openhab.id_rsa.pub
  6. pi@home:/opt/homekit $ sudo ssh -p 8101 -i /etc/openhab/openhab.id_rsa.pub openhab@localhost
     Load key "/etc/openhab/openhab.id_rsa.pub": error in libcrypto
     Password authentication

I always end up at “error in libcrypto”. Tested on 2 different hosts with a similar setup, but if I use the same key to ssh into another machine I don’t get the error; my key is just rejected (because it’s not added), but it’s working and loading correctly.

debug1: Will attempt key: /etc/openhab/openhab.id_rsa.pub RSA SHA256:yc1uo3/Jza4BK+PrbKSFD9SAbNSE39CtRj4HJ38nfno explicit
debug1: Will attempt key: /home/pi/.ssh/id_rsa RSA SHA256:NswIX0SqSTSImWC1A/4jSIRmtkVAHIO14SZlj0LXVJw explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
**debug1: Offering public key: /etc/openhab/openhab.id_rsa.pub RSA SHA256:yc1uo3/Jza4BK+PrbKSFD9SAbNSE39CtRj4HJ38nfno explicit**
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/pi/.ssh/id_rsa RSA SHA256:NswIX0SqSTSImWC1A/4jSIRmtkVAHIO14SZlj0LXVJw explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
xxxxxxx3@xxxxxxxxx Permission denied (publickey).

Please delete the last =, right before ,_g_\:admingroup

3. keys.properties
openhab=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,_g_\:admingroup

Already tried this, no change.

Ah, I see the real failure: you’ll have to use the private key for authentication, not the public key. The public key is copied to keys.properties, the private key is used in the ssh command.

ssh -p 8101 -i /etc/openhab/openhab.id_rsa openhab@localhost

The correct way to set this up:

  1. Log in as the user who shall be granted access via private/public key
  2. ssh-keygen -t rsa (set a password if you want to)
  3. Copy ~/.ssh/id_rsa.pub content (as already made) to keys.properties. The = is not part of the key.
  4. Log in to openHAB Karaf: ssh username@localhost -p8101 -i ~/.ssh/id_rsa where username will most likely be (but is not necessarily) openhab (i.e. you can use whatever username you want, you just have to write it down in keys.properties)

You don’t need sudo for either ssh or ssh-keygen.
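
A pre-flight check for the setup described above, as an added example that is not part of the thread: it refuses a public key, or a key file open to group/others, as the ssh -i identity, and builds the keys.properties line from the .pub file in the form posted in step 3. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# key_kind FILE: print "private", "public" or "unknown" from the first line.
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null) || { echo unknown; return; }
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# check_identity FILE: 0 if FILE is usable with ssh -i, 1 if it is not a
# private key, 2 if group/others have any permission bits on it.
check_identity() {
    kind=$(key_kind "$1")
    if [ "$kind" != private ]; then
        echo "$1 is a $kind key file; ssh -i needs the private key" >&2
        return 1
    fi
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits of the mode string
    if [ "$perms" != "------" ]; then
        echo "$1 is accessible by others; chmod 600 it" >&2
        return 2
    fi
    return 0
}

# keys_entry USER PUBFILE [GROUP]: print the keys.properties line in the form
# used in the thread. Only the second field of the .pub line is copied.
keys_entry() {
    [ "$(key_kind "$2")" = public ] || { echo "$2: not a public key" >&2; return 1; }
    blob=$(awk 'NR == 1 { print $2 }' "$2")
    [ -n "$blob" ] || return 1
    printf '%s=%s,_g_\\:%s\n' "$1" "$blob" "${3:-admingroup}"
}

# Demo on constructed files (placeholder contents, not real keys).
d=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$d/id_rsa"
printf 'ssh-rsa AAAAconstructedblob root@home\n' > "$d/id_rsa.pub"
chmod 600 "$d/id_rsa"; chmod 644 "$d/id_rsa.pub"
check_identity "$d/id_rsa.pub" || echo "refused: public key given as identity"
check_identity "$d/id_rsa" && keys_entry openhab "$d/id_rsa.pub"
```

The key type is read from the file's first line only, so a .pub file is still refused after chmod 400, which is the case that produced "error in libcrypto" in step 6.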

Thank you… don’t know what to say :slight_smile: you are right, it must be the private key in the ssh command.