Security of Karaf console

No problem, I assume you’re on a Debian variant (openHABian etc):

1. Generate the key

Start by generating the private and public key for the client you use to connect:

ssh-keygen

This will ask you a set of questions, and output a private and a public key file (by default this is /home/<username>/.ssh/id_rsa.pub, where <username> is probably openhabian).

2. Copy the public key

Read in the public key string and copy it, for example if you use the command:

cat /home/<username>/.ssh/id_rsa.pub

You get the output:

ssh-rsa AAAABcdefghAAAA <username>@<server>

Copy all of the AAAABcdefghAAAA bit, as we’ll use that later.

3. Use the copied key in the Karaf keylist.

Simply edit ${OPENHAB_USERDATA}/etc/keys.properties to contain the following line above the _g_\:admingroup line:

openhab=AAAABcdefghAAAA,_g_:admingroup

No need to restart openHAB.

4. Use the ssh client to connect to openHAB console

The command will be:

ssh -p 8101 openhab@localhost

and will not ask for a password. If you’re connecting externally, then replace localhost with the server address.

5. (Optional) use openhab-cli to connect to openHAB console

The command follows the same syntax that Karaf uses:

openhab-cli console -k <privatekey>

where <privatekey> is the private key generated in step 1.

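Steps 2 and 3 of the post above as a script, with the checks worth making before touching keys.properties. This is an added example, not part of the original post or of openHAB's tooling; the function name add_karaf_key and the sample file contents are constructed, and it accepts only ssh-rsa keys, the type the post shows.

```shell
#!/bin/sh
# Added example, not openHAB's own tooling. Function name is hypothetical.
# Usage: add_karaf_key PUBFILE KEYSFILE [USER]
add_karaf_key() {
    pub=$1 keys=$2 user=${3:-openhab}
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    # A .pub line is "<type> <base64> [comment]"; Karaf gets only the base64 field.
    type='' blob='' rest=''
    read -r type blob rest < "$pub" || true
    [ "$type" = ssh-rsa ] || { echo "expected an ssh-rsa key in $pub" >&2; return 1; }
    # Accept plain base64 only, so nothing else can end up in the properties file.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data in $pub" >&2; return 1 ;;
    esac
    # Never create a second entry for a user that already has one.
    if grep -q "^${user}[ =]" "$keys"; then
        echo "$user already present in $keys" >&2; return 1
    fi
    # The user line must go above the escaped group line (_g_ backslash :admingroup).
    grep -q '^_g_\\:admingroup' "$keys" ||
        { echo "no admingroup line in $keys" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v line="$user=$blob,_g_:admingroup" '
        /^_g_\\:admingroup/ && !done { print line; done = 1 }
        { print }' "$keys" > "$tmp"
    # Write back through the existing file to keep its owner and mode.
    cat "$tmp" > "$keys"
    rm -f "$tmp"
}

# Demo on constructed files (sample values only, not real key material).
demo() {
    d=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAABcdefghAAAA openhabian@server\n' > "$d/id_rsa.pub"
    printf '%s\n' '# constructed sample keys.properties' \
        '_g_\:admingroup = group,admin,manager,viewer' > "$d/keys.properties"
    add_karaf_key "$d/id_rsa.pub" "$d/keys.properties" openhab &&
        cat "$d/keys.properties"
    rm -rf "$d"
}
demo
```

Only the public key's base64 field is written to keys.properties; the private key stays on the client and is what openhab-cli console -k points at.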