- Platform information:
  - Hardware: Raspberry Pi 4 Model B Rev 1.1 w/ 4GB w/ 64GB Samsung PRO Endurance SD card
  - OS: openHABian v1.7.1 (Raspbian GNU/Linux 11 (bullseye))
  - Java Runtime Environment: OpenJDK Runtime Environment Zulu11.52+13-CA (build 11.0.13+8-LTS)
  - openHAB version: 3.2.0 Release
- Issue of the topic: Insecure defaults for default Karaf console network interface
The default network interface for the Karaf console appears to be 0.0.0.0 (all interfaces) rather than the expected 127.0.0.1. My etc/org.apache.karaf.shell.cfg had sshHost = 0.0.0.0 without any explicit changes from me. I guess I can’t rule out something changing this automatically (such as through openhabian-config) but I had no indication this was changed from the default. I also noticed in services/runtime.cfg that org.apache.karaf.shell:sshHost = 0.0.0.0 was already uncommented, again without any explicit changes from me.
This is counter to what is stated in the documentation (The Console | openHAB) and represents a security risk, since there is much less awareness of this or the need to change the password there.
I noticed this while using the Karaf console to make some changes to the log level while troubleshooting something unrelated. Out of curiosity, I tried connecting to that port directly from my desktop and, to my surprise, it worked.
I see from posts like this (Change of org.apache.karaf.shell.cfg by OH3 update?) that making changes to the org.apache.karaf.shell.cfg itself isn’t a good solution since these can be overwritten by updates and that changes should go in services/runtime.cfg. Not sure where this change was introduced but if the openhab project doesn’t control what goes in org.apache.karaf.shell.cfg, maybe the expected default of 127.0.0.1 should be set from runtime.cfg automatically, out of the box, to avoid unexpected changes.
I went ahead and changed it to 127.0.0.1 in both places on my system just to be extra sure, and that did the trick. I can no longer reach the karaf console from outside localhost.
Like I said above, I did not make any explicit changes to these files before finding this, but I did run various routines within openhabian-config, such as updates (don’t remember everything there). If these settings truly aren’t the default, then something there was likely the culprit but this was not at all clear when I ran them.
For whatever it’s worth, runtime.cfg in the openhab-distro repo does appear to have this line commented out (openhab-distro/runtime.cfg at main · openhab/openhab-distro · GitHub). Not sure if that’s the correct place to be looking though.
I’m not sure if this is the correct category for this post but since this appears to be an issue with the defaults, the installation category seemed like the closest fit. (Feel free to move this if you think it should go somewhere else) I would have reported this on github but it wasn’t clear to me what repo it would belong under.
The purpose of this post is to alert people to check this on their install and hopefully get this changed so that people aren’t unknowingly leaving their Karaf console SSH port open on their network with default credentials.
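As an added example (not from the original post or the openHAB project), here is a small script that reports the console bind address configured in the two files discussed above and, on a live host, the socket actually listening on the console port. The default file locations, the console port 8101 and the rule that an uncommented value in runtime.cfg wins over org.apache.karaf.shell.cfg are assumptions.

```bash
#!/usr/bin/env bash
# Added example: report which address the Karaf console SSH service is configured to bind to.
# Assumed file locations for an openHABian/apt install (pass other paths as arguments 1 and 2):
#   /var/lib/openhab/etc/org.apache.karaf.shell.cfg   and   /etc/openhab/services/runtime.cfg
# Assumption: an uncommented org.apache.karaf.shell:sshHost in runtime.cfg takes precedence over
# sshHost in org.apache.karaf.shell.cfg (which updates may overwrite).

# Print the value of KEY in FILE, skipping commented-out lines; prints nothing if absent.
cfg_value() {                        # cfg_value FILE KEY_REGEX
  [ -r "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Effective bind address: runtime.cfg, then org.apache.karaf.shell.cfg, then the documented default.
effective_ssh_host() {               # effective_ssh_host SHELL_CFG RUNTIME_CFG
  local host
  host=$(cfg_value "$2" 'org\.apache\.karaf\.shell:sshHost')
  [ -n "$host" ] || host=$(cfg_value "$1" 'sshHost')
  [ -n "$host" ] || host=127.0.0.1
  printf '%s\n' "$host"
}

# "loopback" matches the documented behaviour; anything else is reachable from the network.
classify_host() {
  case "$1" in
    127.*|::1|localhost) echo loopback ;;
    *)                   echo exposed ;;
  esac
}

# On a live host, show the local address actually bound for the console port (needs iproute2 ss).
console_socket() {                   # console_socket PORT
  command -v ss >/dev/null 2>&1 || { echo "ss not available"; return 0; }
  ss -ltn 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$") { print $4 }'
}

# Constructed sample files reproducing the state described in the post (used when no paths are given).
demo_dir=$(mktemp -d)
printf 'sshPort = 8101\nsshHost = 0.0.0.0\n' > "$demo_dir/org.apache.karaf.shell.cfg"
printf '# org.apache.karaf.shell:sshHost = 127.0.0.1\norg.apache.karaf.shell:sshHost = 0.0.0.0\n' \
  > "$demo_dir/runtime.cfg"

shell_cfg="${1:-$demo_dir/org.apache.karaf.shell.cfg}"
runtime_cfg="${2:-$demo_dir/runtime.cfg}"
host=$(effective_ssh_host "$shell_cfg" "$runtime_cfg")
port=$(cfg_value "$shell_cfg" 'sshPort'); port="${port:-8101}"
echo "configured sshHost = $host ($(classify_host "$host")), port $port"
[ $# -gt 0 ] && echo "listening: $(console_socket "$port")"
rm -rf "$demo_dir"
```

Run it with the two real file paths on your own install to see both the configured value and the socket that is actually bound; with no arguments it runs against the constructed sample files.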