Remove openhab password

Senseh_B · June 2, 2020, 5:15pm

Hello,

I have just upgraded to the newest version of openhab and now it asks me to input a password “habopen” every time I try to access the command-line.

i would like to remove that so I don’t have to enter the password every time. anyone here can advise how i can do that?

Julian_Knocke · June 2, 2020, 7:05pm

I worked around this using sshpass:

ssh raspberrypi -t "sshpass -p 'habopen' ssh openhab@127.0.0.1 -p 8101"

Probably not the most elegant solution, but works.

Bruce_Osborne · June 2, 2020, 7:48pm

That was due to an upstream change in Karaf.

Kim_Andersen · June 2, 2020, 7:51pm

Karaf has always asked for pw on all my systems. I keep it for safeness.

Bruce_Osborne · June 2, 2020, 8:06pm

OpenHAB had the default password saved and automatically applied but security changes in Karaf removed that option.

rlkoshak · June 2, 2020, 8:11pm

I strongly recommend not using sshpass unless there is absolutely no other way. Luckily there is a way and it’s not all that difficult. See:

The key is stored in a file at /var/lib/openhab2/etc/. Technically we are not supposed to be editing the files in this folder and they are considered system files, not user-space files. But there are some things we just can’t do without changing these files, like changing the Karaf console password. I know that when using Docker, changes to these files are preserved. I’m reasonably sure that when using apt or openHABian to update these files get overwritten and therefore returned to the default.

Note that this is a double edged sword. For example, I had changes made to my logging config that I kept for a long time and more and more junk kept showing up in my openhab.log as new versions came out. Eventually I compared my version with the version in github and there were about 50 new lines added that I was missing.

I don’t think there is a good answer for this except to remember to reapply the changes to the files in /var/lib/openhab/etc after an upgrade.

Kim_Andersen · June 2, 2020, 10:52pm

Not on my systems. I have always been promted to enter password (habopen) when I ssh to Karaf from putty.

Senseh_B · June 3, 2020, 1:14am

I tried that but it didn’t work. I also read the other thread.

if I understand things correctly all I need to do is add my ssh public key to var/lib/openhab2/etc/keys.properties with my ssh key
something like this

openhab=AAAAB3NzBAAK3AQABAQDzp2EARaC1ycPADAknbqMAAnG2b/84Ziass9z+FSntPXsLR7useXRNKR18JRLZaoVuWvsah/Qj2fcIebyN9sQ+lfaeyNSBWRhBIfrOamDTJ65NEuJLkIsu+PDwymxp0SbQdwVfXeykKK4HcUN4wt0P/W/99k3onOBejkcjzxSNybHL10wAck/9+Vm+6QZDOra6nf+A/Y4dsOQ7i7bfuGQmfXVkJfFWnpD3woeqDwzY54dle76aR+z4ilgyEX9dX8NL1PtPd8D3rSOXmyt9PZdb6ulYbsC1B7LGzS1vWlCkS8EurhbikSBZf+J7vpDFgU1SXTxmlqHBLrD+PIGFazP5PikvXyQ1QVJ,_g_:admingroup

Wolfgang_S · June 3, 2020, 5:31am

I can confirm that the login to karaf console with ssh key works in that way.
Hven’t checked the behavior with 2.5.5-1.

Senseh_B · June 3, 2020, 2:32pm

@rlkoshak can you please advise if I am doing something wrong?

rlkoshak · June 3, 2020, 2:52pm

All I really know is documented on those pages better than I can write here. I can also confirm that it works for me. hat command are you using to access the console? Are you logging in as user openhab?

ssh -p 8101 openhab@localhost

Bruce_Osborne · June 3, 2020, 2:59pm

I personally use openhab-cli console.

Kim_Andersen · June 3, 2020, 5:12pm

rlkoshak:

All I really know is documented on those pages better than I can write here. I can also confirm that it works for me. hat command are you using to access the console? Are you logging in as user openhab?
ssh -p 8101 openhab@localhost

This is how I log in. And it has always asked for password.

rlkoshak · June 3, 2020, 6:01pm

Unless you configure ssh keys per the instructions linked to above it will always ask for a password. The point of ssh certificates is to authenticate with “something you have” (i.e. the certificate) as opposed to “something you know” (i.e. password). For completeness, bio-metrics like fingerprints would be “something you are”. Multi-factor authentication would be using two or more of the three.

Senseh_B · June 3, 2020, 7:43pm

I am not logged as user openhab.
I am using pi@localhost instead.

mstormi · June 3, 2020, 8:02pm

Correct. Check admingroup is defined in users.properties, too.

rlkoshak · June 3, 2020, 9:25pm

You can’t log into the openHAB Karaf console using user pi. You’ve never be able to log into the Karaf console using the user pi.

Kim_Andersen · June 3, 2020, 9:44pm

I dont mind the password. Setting up a certificate is far more difficult, than just write the damn password

Udo_Hartmann · June 3, 2020, 10:20pm

In fact, you could use whichever user you want, if first setting up the user to be allowed to login to karaf

For simple login, just add a line to $OPENHAB_USERDATA/etc/users.properties (like the one for user openhab), write down the password, openHAB will encrypt the password while startup.

For passwordless login, use private/public key. Create the key with ssh-keygen and copy the key to
$OPENHAB_USERDATA/etc/keys.properties. Format is

username=your-public-key-here,_g_:admingroup

Now use

ssh username@localhost -i private.key -p8101

No need to say, don’t set a password when creating the key.

Benjy · June 4, 2020, 12:33am

They shouldn’t do. /var/lib/openhab2/etc is a configuration folder, where only a specific set of files are replaced on an update, the files @Udo_Hartmann mentioned above should be left untouched by the update and won’t be overwritten.