Openhabian console login fails

Continuing the discussion from Ssh connection to karaf no longer possible:

I just got this same issue today on openHAB 2.5.0-1 (Release Build). I had just changed permissions to establish setup of ssh using a key for auto-logging into openhabian:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

After that (and it may not have been the triggering event), the password habopen stopped working for logging into console:

[11:24:38] openhabian@openhab:~$ openhab-cli console

Logging in as openhab
Password:  
Password:  
No more authentication methods available

Next, I changed the console password (using openhabian-config) and tried again to login to the console. That did not work.

Next, I stopped openhab (sudo systemctl stop openhab2.service), cleared the cache (sudo openhab-cli clean-cache), then did a reboot.

After reboot, I tried again to login to the console, and now there is a different result, but still no success:

11:33:53] openhabian@openhab:~$ openhab-cli console

Logging in as openhab
Password:  
Session is being closed

After waiting a minute, I tried again, and got the first result (No more authentication methods available) again.

With the newer Karaf the password habopen is required.

The default habopen used to work, but after the ssh actions I described, it stopped working as a password, so I changed it. openhabian requires a 10-character password, so it cannot be “reestablished” as habopen.

What worked was using this instruction to reset the password for the openhab user from the command line:

sudo sed -i -e "s/openhab = .*,/openhab = securePassword,/g" /var/lib/openhab2/etc/users.properties

Substitute securePassword with your desired password.

Then, stop openhab and reboot.

Even though openhabian has a password reset, it apparently does not work, so you have to do it this way.

It’s not at all clear what is going on. ~/.ssh/authorized_keys is completely unrelated to the Karaf console so the change made to that is not relevant. However, the ~/.ssh chmod may have messed up something. As a general rule, nothing inside ~/.ssh should have the execute permission set.

The password/ssh certificate for the Karaf console is managed by $OH_USERDATA/etc/users.properties and $OH_USERDATA/etc/keys.properties. To manually change the password (in case openhabian-config is causing problems) edit $OH_USERDATA/etc/users.properties and replace {CRYPT}blahblahblah....blah{CRYPT} with the new password. Then try to log in again. Karaf will encrypt the password as soon as you successfully log in.

If you want to cofigure certificate logins, exit $OH_USERDATA/etc/keys.properties and copy your SSH public key (in ~/.ssh/id_rsa.pub usually) for the openhab user following the example for the karaf user in that file.

OK, that did just what I described above, it replaced the stuff between the {CRYPT} tags for the openhab user.

Please file an issue. See How to file an Issue.

Thanks Rich. Issue filed here.

Resurrecting this for OH3

I’m trying to get logged in to a fresh install of openhabian OH3 and getting the same issue described above:

openhabian@openhabian:~ $ openhab-cli console

Logging in as openhab
Password:
Password:
No more authentication methods available

I’ve attempted to reset the password using openhabian-config as well as the method described here (modifying /srv/openhab-userdata/etc/users.properties) but neither seems to be working. Any further suggestions for this new version?

What is the output of
ssh -vvv -p 8101 openhab@127.0.0.1

openhabian@openhabian:/srv/openhab-userdata/etc $ ssh -vvv -p 8101 openhab@127.0.0.1
OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 127.0.0.1 is address
debug2: ssh_connect_direct
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 8101.
debug1: Connection established.
debug1: identity file /home/openhabian/.ssh/id_rsa type -1
debug1: identity file /home/openhabian/.ssh/id_rsa-cert type -1
debug1: identity file /home/openhabian/.ssh/id_dsa type -1
debug1: identity file /home/openhabian/.ssh/id_dsa-cert type -1
debug1: identity file /home/openhabian/.ssh/id_ecdsa type -1
debug1: identity file /home/openhabian/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/openhabian/.ssh/id_ed25519 type -1
debug1: identity file /home/openhabian/.ssh/id_ed25519-cert type -1
debug1: identity file /home/openhabian/.ssh/id_xmss type -1
debug1: identity file /home/openhabian/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1
debug1: Remote protocol version 2.0, remote software version APACHE-SSHD-2.5.1
debug1: no match: APACHE-SSHD-2.5.1
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:8101 as 'openhab'
debug3: put_host_port: [127.0.0.1]:8101
debug3: hostkeys_foreach: reading file "/home/openhabian/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,zlib,zlib@openssh.com
debug2: compression stoc: none,zlib,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:raldcxqUtXgSUEth0cCrTfV0V47Ovb0FLtieJAMvp+c
debug3: put_host_port: [127.0.0.1]:8101
debug3: put_host_port: [127.0.0.1]:8101
debug3: hostkeys_foreach: reading file "/home/openhabian/.ssh/known_hosts"
debug1: checking without port identifier
debug3: hostkeys_foreach: reading file "/home/openhabian/.ssh/known_hosts"
The authenticity of host '[127.0.0.1]:8101 ([127.0.0.1]:8101)' can't be established.
RSA key fingerprint is SHA256:raldcxqUtXgSUEth0cCrTfV0V47Ovb0FLtieJAMvp+c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:8101' (RSA) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: /home/openhabian/.ssh/id_rsa
debug1: Will attempt key: /home/openhabian/.ssh/id_dsa
debug1: Will attempt key: /home/openhabian/.ssh/id_ecdsa
debug1: Will attempt key: /home/openhabian/.ssh/id_ed25519
debug1: Will attempt key: /home/openhabian/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,password,publickey
debug3: start over, passed a different list keyboard-interactive,password,publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/openhabian/.ssh/id_rsa
debug3: no such identity: /home/openhabian/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/openhabian/.ssh/id_dsa
debug3: no such identity: /home/openhabian/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/openhabian/.ssh/id_ecdsa
debug3: no such identity: /home/openhabian/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/openhabian/.ssh/id_ed25519
debug3: no such identity: /home/openhabian/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/openhabian/.ssh/id_xmss
debug3: no such identity: /home/openhabian/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
Password authentication
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,password,publickey
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
Password authentication
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,password,publickey
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
Password authentication
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive,password,publickey
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

try editing keys.properties add a line
openhab=<key>,_g_:admingroup with your pubkey

Generated and added a key, as suggested, and it’s still asking for a password. Should I also add that key as part of the openhabian ssh login process?

The console has the default password of habopen There is no longer nany way of bypassing that password prompt for the Karaf console

under which account did you generate the key ?
ssh -vvv debugging showed that you run login to openhab console with account openhabian and while trying to login to the console no private key was found under /home/openhabian/.ssh/.
In case the private key is stored in that folder it should be found now.
In case you generated the private, public key pair on an other account you also may try to login running the login process from that account.
To analyze the login process you may again run ssh -vvv and provide the debug output.
Best would be until the process aborts the previous log did not contain all output lines until ssh aborts the trials to login.

Is there anything that can be done of that password never worked in the first place?

• the password is stored in one of the karaf configuration files; it is the same for all users
• the only way to bypass using a password is to use a private/public key pair
• it needs to be set as described by @mstormi
• either use ssh -i /path/to/private/keyfile -p 8101 openhab@localhost while being on OH host
• or use /usr/share/openhab/runtime/bin/client -a 8101 -k /path/to/private/keyfile -p 8101 -u openhab -h localhost while being on OH host

I just added my key back to openHAB (I never added it when I upgraded to OH 3) just like Marcus described and it worked as expected. No prompt for a password.

To change the password for a user you need to edit the users.properties file (not keys.properties). Replace everything between the {CRYPT} tags (including the tags) with your new password. Karaf should automatically places that password with the hashed version of the password when it loads the file again.

Replace everything between the {CRYPT} tags (including the tags) with your new password

THIS was the piece I was missing. Gosh, how embarrassing… I’m able to log in with the original, default password now.