Remove openhab password

I strongly recommend not using sshpass unless there is absolutely no other way. Luckily there is a way and it’s not all that difficult. See:

The key is stored in a file at /var/lib/openhab2/etc/. Technically we are not supposed to be editing the files in this folder and they are considered system files, not user-space files. But there are some things we just can’t do without changing these files, like changing the Karaf console password. I know that when using Docker, changes to these files are preserved. I’m reasonably sure that when using apt or openHABian to update, these files get overwritten and therefore returned to the default.

Note that this is a double-edged sword. For example, I had changes made to my logging config that I kept for a long time and more and more junk kept showing up in my openhab.log as new versions came out. Eventually I compared my version with the version in GitHub and there were about 50 new lines added that I was missing.

I don’t think there is a good answer for this except to remember to reapply the changes to the files in /var/lib/openhab/etc after an upgrade.

2 Likes

Not on my systems. I have always been prompted to enter the password (habopen) when I ssh to Karaf from PuTTY.

I tried that but it didn’t work. I also read the other thread.

If I understand things correctly, all I need to do is add my ssh public key to var/lib/openhab2/etc/keys.properties with my ssh key,
something like this:

openhab=AAAAB3NzBAAK3AQABAQDzp2EARaC1ycPADAknbqMAAnG2b/84Ziass9z+FSntPXsLR7useXRNKR18JRLZaoVuWvsah/Qj2fcIebyN9sQ+lfaeyNSBWRhBIfrOamDTJ65NEuJLkIsu+PDwymxp0SbQdwVfXeykKK4HcUN4wt0P/W/99k3onOBejkcjzxSNybHL10wAck/9+Vm+6QZDOra6nf+A/Y4dsOQ7i7bfuGQmfXVkJfFWnpD3woeqDwzY54dle76aR+z4ilgyEX9dX8NL1PtPd8D3rSOXmyt9PZdb6ulYbsC1B7LGzS1vWlCkS8EurhbikSBZf+J7vpDFgU1SXTxmlqHBLrD+PIGFazP5PikvXyQ1QVJ,_g_:admingroup

I can confirm that the login to the Karaf console with an ssh key works that way.
Haven’t checked the behavior with 2.5.5-1.

@rlkoshak can you please advise if I am doing something wrong?

All I really know is documented on those pages better than I can write here. I can also confirm that it works for me. What command are you using to access the console? Are you logging in as user openhab?

ssh -p 8101 openhab@localhost

I personally use openhab-cli console.

This is how I log in. And it has always asked for password.

1 Like

Unless you configure ssh keys per the instructions linked to above it will always ask for a password. The point of ssh certificates is to authenticate with “something you have” (i.e. the certificate) as opposed to “something you know” (i.e. password). For completeness, bio-metrics like fingerprints would be “something you are”. Multi-factor authentication would be using two or more of the three.

I am not logged as user openhab.
I am using pi@localhost instead.

Correct. Check admingroup is defined in users.properties, too.

You can’t log into the openHAB Karaf console using user pi. You’ve never been able to log into the Karaf console using the user pi.

I don’t mind the password. Setting up a certificate is far more difficult than just writing the damn password :smiley:

In fact, you could use whichever user you want, if first setting up the user to be allowed to login to karaf :slight_smile:

For simple login, just add a line to $OPENHAB_USERDATA/etc/users.properties (like the one for user openhab) and write down the password; openHAB will encrypt the password at startup.

For passwordless login, use private/public key. Create the key with ssh-keygen and copy the key to
$OPENHAB_USERDATA/etc/keys.properties. Format is

username=your-public-key-here,_g_:admingroup

Now use

ssh username@localhost -i private.key -p8101 

No need to say, don’t set a password when creating the key.

2 Likes
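A check for the keys.properties format described in the post above, written as an added example that is not part of the thread or of openHAB itself. It flags entries where the whole .pub line was pasted instead of only its base64 field (the form shown in the thread), and entries whose `_g_:` group is not defined in users.properties; the function names and the sample data are constructed for illustration.

```python
import base64
import struct

def ssh_key_type(b64):
    """Key type named inside a base64 SSH public-key blob, or None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])  # blob starts with a length-prefixed type string
        return raw[4:4 + n].decode("ascii") if 0 < n <= len(raw) - 4 else None
    except (ValueError, struct.error):
        return None

def defined_groups(users_text):
    """Group names from users.properties lines such as '_g_\\:admingroup = group,admin'."""
    groups = set()
    for line in users_text.splitlines():
        name = line.split("=", 1)[0].strip().replace("\\:", ":")
        if "=" in line and name.startswith("_g_:"):
            groups.add(name[4:])
    return groups

def check_keys(keys_text, users_text):
    """Return a list of (username, problem) for entries in keys.properties."""
    groups = defined_groups(users_text)
    problems = []
    for line in keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, value = (p.strip() for p in line.split("=", 1))
        key, *roles = [p.strip() for p in value.split(",")]
        if " " in key or key.startswith("ssh-"):
            problems.append((user, "value must be only the base64 field of the .pub file"))
        elif ssh_key_type(key) is None:
            problems.append((user, "key is not a valid SSH public-key blob"))
        for role in roles:
            if role.startswith("_g_:") and role[4:] not in groups:
                problems.append((user, "group %s not defined in users.properties" % role[4:]))
    return problems

# Constructed sample data (not a real key): a blob with only the type string plus filler.
SAMPLE_BLOB = base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 16).decode()
SAMPLE_USERS = "_g_\\:admingroup = group,admin,manager,viewer,systembundles\n"
SAMPLE_KEYS = "\n".join([
    "openhab=%s,_g_:admingroup" % SAMPLE_BLOB,
    "alice=ssh-rsa %s alice@laptop,_g_:admingroup" % SAMPLE_BLOB,
    "bob=%s,_g_:operators" % SAMPLE_BLOB,
])
```

Calling `check_keys(SAMPLE_KEYS, SAMPLE_USERS)` reports the `alice` and `bob` entries and accepts the `openhab` one; to check a real installation, pass the contents of the two files under $OPENHAB_USERDATA/etc instead.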

They shouldn’t do. /var/lib/openhab2/etc is a configuration folder, where only a specific set of files are replaced on an update, the files @Udo_Hartmann mentioned above should be left untouched by the update and won’t be overwritten.

It’s common practice in Linux distributions that, during an update, edited/changed configuration files are detected and the user is asked which action needs to be taken (keep the edited file; overwrite the edited file in case a newer maintainer version is available; do a diff and edit the file manually).

I’ve had files replaced in that folder before I think. But maybe I’m mistaken. I’ve only one apt based installation and I almost never update it because it’s 100 miles away and fixing problems is a bit challenging.

That’s correct and this is what it will do (if it’s not one of the specific files listed). It only comes up with these warnings and prompts if the file has changed on the maintainer’s side.

I had to test because that’s certainly something that should be fixed asap, it was our goal to have the update of all types of installation exhibit the same behaviour:

ben@server:~ $ echo "ben = testpass,_g_:admingroup" | sudo tee -a /var/lib/openhab2/etc/users.properties
  ben = testpass,_g_:admingroup
ben@server:~ $ tail -n2 /var/lib/openhab2/etc/users.properties
  _g_\:admingroup = group,admin,manager,viewer,systembundles
  ben = {CRYPT}13D249F2CB4127B40CFA757866850278793F814DED3C587FE5889E889A7A9F6C{CRYPT},_g_:admingroup
ben@server:~ $ sudo apt upgrade
  [...]
  The following packages will be upgraded:
    openhab2
  1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  [...]
  Unpacking openhab2 (2.5.6~S139-1) over (2.5.5~S108-1) ...
  Setting up openhab2 (2.5.6~S139-1) ...
  [...]
ben@server:~ $ tail -n2 /var/lib/openhab2/etc/users.properties
  _g_\:admingroup = group,admin,manager,viewer,systembundles
  ben = {CRYPT}13D249F2CB4127B40CFA757866850278793F814DED3C587FE5889E889A7A9F6C{CRYPT},_g_:admingroup

Phew :sweat_smile:

1 Like

It’s been a long time and my memory may be from OH 1.6 for all I know. Or I’m thinking of /etc/defaults or something like that. Or it might be something openHABian did. I just can’t remember any specifics.

1 Like
