Karaf console

You mean something like this? http://pastebin.com/yKE2jrLL

I simply logged in and then out again with debug turned on. Nothing really obvious to me :confused:

Indeed, nothing really fancy there. :slight_smile: Can you do a similar dump after restart - so we will see what happens with fresh start of ssh? Or was it already collected on fresh start?

Yep, that was more interesting
 http://pastebin.com/GVR3Yb7Q I guess the “Overwriting key (host.key) is disabled” is the key here? Don’t know why it would be disabled though


edit: My Google-Fu is strong today! https://github.com/openhab/openhab-linuxpkg/issues/15 If I understand this correctly, this was due to me installing a pre-2.0 package in which this was broken and then upgrading to 2.0. Generated a key and now I’m happy :smile:

Hi, I want to update my Synology OH2 #723.
I downloaded the latest snapshot and will use this tutorial.
I also downloaded openhab-addons-2.1.0-SNAPSHOT.kar.
How do I update add-ons using the kar file?
Thank you.

I usually uninstall and re-install the addon that I want to update via the PaperUI (you need to have “Access Remote Repository” enabled in Paper UI → Configuration → System → Add-On Management)

If you want to do this offline (using the kar file): place the new Snapshot addon kar file in your addons directory. It should unpack the bindings in OPENHAB_USERDATA\kar\openhab-addons-2.1.0-SNAPSHOT\org\openhab\binding and use the new ones (restart OH2). I haven’t tested this. Check the versions in the console with bundle:list.

@Dim Thank you, I’ll try to update from Paper UI first.

I did that but there is still an issue, when I try I get this in my log:

12:24:14.862 [WARN ] [vider.SimpleGeneratorHostKeyProvider] - Unable to read key /var/lib/openhab2/etc/host.key: java.io.StreamCorruptedException: invalid stream header: 2D2D2D2D
12:24:14.955 [ERROR] [vider.SimpleGeneratorHostKeyProvider] - Overwriting key (host.key) is disabled: using throwaway java.security.KeyPair@9112d6

Looking at the key it seems right:

-rw-r--r-- 1 openhab openhab 3247 Feb  1 23:14 host.key

Turning on SSH logging I get this:

12:29:39.672 [INFO ] [voicerss.internal.VoiceRSSTTSService] - Using VoiceRSS cache folder /var/lib/openhab2/voicerss/cache
12:29:42.067 [INFO ] [pache.sshd.common.util.SecurityUtils] - BouncyCastle not registered, using the default JCE provider
12:29:43.732 [DEBUG] [che.sshd.common.io.nio2.Nio2Acceptor] - Creating Nio2Acceptor
12:29:43.741 [DEBUG] [che.sshd.common.io.nio2.Nio2Acceptor] - Binding Nio2Acceptor to address /127.0.0.1:8101
12:29:47.473 [DEBUG] [ache.sshd.common.io.nio2.Nio2Session] - Creating IoSession on /127.0.0.1:8101 from /127.0.0.1:51412
12:29:47.533 [INFO ] [he.sshd.server.session.ServerSession] - Server session created from /127.0.0.1:51412
12:29:47.537 [DEBUG] [ache.sshd.common.io.nio2.Nio2Session] - Writing 26 bytes
12:29:47.546 [DEBUG] [ache.sshd.common.io.nio2.Nio2Session] - Finished writing
12:29:47.555 [DEBUG] [ache.sshd.common.io.nio2.Nio2Session] - Read 2009 bytes
12:29:47.561 [DEBUG] [he.sshd.server.session.ServerSession] - Client version string: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
12:29:47.586 [WARN ] [vider.SimpleGeneratorHostKeyProvider] - Unable to read key /var/lib/openhab2/etc/host.key: java.io.StreamCorruptedException: invalid stream header: 2D2D2D2D
12:29:47.594 [INFO ] [vider.SimpleGeneratorHostKeyProvider] - Generating host key...
12:29:47.650 [ERROR] [vider.SimpleGeneratorHostKeyProvider] - Overwriting key (host.key) is disabled: using throwaway java.security.KeyPair@75f20c
... and then a bunch of key generation crap

Looking at the inside of the key, it looks like a key:

-----BEGIN RSA PRIVATE KEY-----
MIIJKwIBAAKCAgEAvPvJ1P5m2c7Ed8NohGFbxQs7V9sVOpzko8OshhlPwsL4ptS0
.. bunch more lines of BS
-----END RSA PRIVATE KEY-----

What is the inside of the key file supposed to look like? It seems that the cause of the ‘invalid stream header: 2D2D2D2D’ is the ----- at the front. Maybe I didn’t follow the generation rules closely enough.
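A quick way to confirm that diagnosis, added here as an example and not part of the original thread: the exception in the log is thrown by java.io.ObjectInputStream, so SimpleGeneratorHostKeyProvider reads host.key as a Java-serialized KeyPair, and a valid file starts with the serialization magic AC ED 00 05, not with the "-----" (hex 2D 2D 2D 2D) of a PEM file. The script below classifies a key file by its first four bytes; the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Classify a Karaf/Mina SSHD host key file by its leading bytes.
# Java serialization streams (what ObjectInputStream expects) begin with
# AC ED 00 05; a PEM file begins with "-----", which is exactly the
# "invalid stream header: 2D2D2D2D" seen in the log.
classify_host_key() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        aced0005) echo "java-serialized" ;;   # readable by SimpleGeneratorHostKeyProvider
        2d2d2d2d) echo "pem" ;;               # ssh-keygen/openssl text format, rejected
        "")       echo "empty" ;;
        *)        echo "unknown" ;;
    esac
}

# Constructed sample files for the demonstration (not files from the thread).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIJ...constructed...' \
        '-----END RSA PRIVATE KEY-----' > "$dir/pem.key"
    printf '\254\355\000\005' > "$dir/serialized.key"   # AC ED 00 05 header only
    : > "$dir/empty.key"
    echo "$dir"
}

# Stand-alone run: report on each sample, then on the real file if present.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    d=$(make_samples)
    for k in "$d"/*.key; do
        echo "$k: $(classify_host_key "$k")"
    done
    [ -f /var/lib/openhab2/etc/host.key ] && \
        echo "/var/lib/openhab2/etc/host.key: $(classify_host_key /var/lib/openhab2/etc/host.key)"
fi
```

If the result for the real host.key is "pem", the fix is the one the thread arrives at: let the provider generate its own key (or remove the hand-made file so it can), rather than supplying an ssh-keygen output.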

I have a strange phenomenon:

I generated a key pair with

ssh-keygen -t dsa -f openhab.id_dsa 

as described in https://karaf.apache.org/manual/latest/security

After that, I copied the key part of openhab.id_dsa.pub to /var/lib/openhab2/etc/keys.properties, adding username and group (like the commented karaf key).

Did a restart of openhab.
Now, if using

/usr/share/openhab2/runtime/bin/client -u openhab -k openhab.id_dsa

I get instant access to the karaf console, where

ssh -p 8101 -i ~/openhab.id_dsa -o "HostKeyAlgorithms=+ssh-dss"  openhab@localhost

does not. Why doesn’t the login work through ssh? I want to use this to securely log in through VSCode, using ssh.exe from Git for Windows. Password works as expected.

The same happens to me with dsa keys, rsa keys work as expected. I’ll see if I can find out why.

Can I use rsa keys with karaf? I did not test this yet. Should be

ssh-keygen -t rsa -f openhab.id_rsa 

then?

I believe it’s rsa by default, so: ssh-keygen -f openhab.id_rsa

DSS keys are no longer accepted in most recent SSH packages. I guess Karaf now behaves the same, but I don’t know where it keeps its SSH config.

Are you running Pageant or something like that to make your private key available to ssh.exe?

userdata/etc/org.apache.karaf.shell.cfg

I do not see anywhere in this file where one might enable dsa keys though.

The thing is that in the manual dsa is explicitly mentioned, so I set up the key as dsa. To use it with ssh, I used the option "HostKeyAlgorithms=+ssh-dss", which should suffice (why would there be an option if it’s not possible to use it?). And there is no error message, just the key not working.

But meanwhile I solved the problem by generating an rsa key, no more problems :wink: and it’s the better option anyway.
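The keys.properties step from the setup post above, and the RSA-instead-of-DSA outcome of this exchange, as an added example that is not code from the thread or from Karaf: the script extracts the base64 key body from an OpenSSH .pub file and prints the `user=<key body>,<group>` line that Karaf's keys.properties uses, refusing ssh-dss keys outright. The default group `_g_:admingroup` is an assumption taken from the commented karaf entry shipped in that file; check the entry in your own installation. Only ssh-rsa is accepted, because RSA is the type this thread confirms working; the sample .pub files are constructed and are not real keys.

```shell
#!/bin/sh
# Build a Karaf keys.properties entry from an OpenSSH public key file.
# Entry layout (matches the commented karaf example in keys.properties):
#   user=<base64 key body>,<group or role>
# The group default "_g_:admingroup" is assumed from that example.
keys_properties_entry() {
    user="$1"; pub="$2"; group="${3:-_g_:admingroup}"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # A .pub file is one line: "<type> <base64> [comment]"
    read -r ktype kbody _comment < "$pub" || true
    case "$ktype" in
        ssh-dss)
            # DSA keys did not log in via ssh in this thread and current
            # OpenSSH disables ssh-dss by default; do not even write the entry.
            echo "refusing DSA key in $pub: generate an RSA key (ssh-keygen -t rsa) instead" >&2
            return 1 ;;
        ssh-rsa) ;;
        *)
            echo "key type '$ktype' in $pub not covered here (only ssh-rsa is verified)" >&2
            return 1 ;;
    esac
    # The key body must be plain base64; anything else is a mangled .pub file
    case "$kbody" in
        ""|*[!A-Za-z0-9+/=]*) echo "malformed key body in $pub" >&2; return 1 ;;
    esac
    printf '%s=%s,%s\n' "$user" "$kbody" "$group"
}

# Constructed sample public keys for the demonstration (not real keys).
make_pub_samples() {
    dir=$(mktemp -d)
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedRsaKeyBody== openhab@host' > "$dir/rsa.pub"
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructedDsaKeyBody== openhab@host' > "$dir/dsa.pub"
    echo "$dir"
}

# Stand-alone run: print the entry for the RSA sample, show the DSA refusal.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    d=$(make_pub_samples)
    keys_properties_entry openhab "$d/rsa.pub"
    keys_properties_entry openhab "$d/dsa.pub" || echo "(DSA sample refused as expected)"
fi
```

Usage on a real installation would be `keys_properties_entry openhab ~/openhab.id_rsa.pub >> /var/lib/openhab2/etc/keys.properties` followed by a restart of openHAB, as the thread describes; appending rather than editing keeps the existing commented karaf line untouched.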

So passwordless login is fairly straightforward. I wonder if the user openhab (for login to the karaf console with password) is necessary at all.
I would like to remove it completely to restrict login to the key file.

You can change the default user in system.properties, but it might be easier to just add a user of your choice and give that user the same permissions that openhab has.

I think you can do this by just editing users.properties and adding a line that looks just like the one for openhab and then add a line to keys.properties to enable your cert login. I did this a long time ago but lost the config during an update along the way and never went back to re-add it.

Anyway, I’ve looked through the docs and I can’t tell if there is a way to turn off the password based login so it appears you do have to provide a password.

I thought about deleting the user openhab in users.properties.
I have indeed defined an additional user which works flawlessly as far as I can see.
The worst case would be that I can’t log in to karaf anymore, but as I can ssh to the machine, it’s easy to reactivate (which comes with a restart of openhab for sure).

Hi Lukasz,

do you know where I can set the remaining SSH config options such as PubkeyAcceptedKeyTypes?
etc/org.apache.karaf.shell.cfg does not seem to support all the options known in OpenSSHd.

Hey,
I don’t think this option is supported. Mina-sshd used under the hood is not even aiming to offer all *nix ssh options.

Please take a look at the package below for the server side:

And parsing logic too:

Feel free to check library bug tracker: https://issues.apache.org/jira/browse/SSHD

Cheers,
Lukasz

So I finally had to bite the bullet and generated a new key (using the old one would have required overriding that server-side option). Then again, I think that was overdue.
Thanks for your help.