[SOLVED] Access karaf from machine other than localhost

Can I open karaf up to my network?

I run on windows, and it’d be useful if I could access karaf from one of my linux machines. But I don’t know where the restriction is set.

Yes, but it’s a security risk :slight_smile:
https://karaf.apache.org/manual/latest-2.x/users-guide/remote-console.html
In OH2: /var/lib/openhab2/etc/org.apache.karaf.shell.cfg

set sshHost = 0.0.0.0

Useful information might be found in the official openHAB docs: http://docs.openhab.org/administration/console.html#bind-console-to-all-interfaces

Yeah I found it. Only a security risk inside my network right? (I don’t use cloud connector by a VPN)

Correct :slight_smile: (not a big security hole, but I wanted to mention it :stuck_out_tongue:)
I didn’t know that we had a doc entry for that! Thanx @splatch

The risk posed by the SSH port in OpenHAB isn’t really because it’s an SSH port, it’s because it uses a well-known username/password that is difficult to change. Personally I wish that the SSH implementation would accept SSH key-based authentication and allow me to turn off password authentication completely. There’s nothing in the config files that appears to allow that - I have no idea if the underlying implementation allows that.

It’d also be good if there was something in the web UI that allowed changing the password. I think that it would also be a good idea if the SSH console was disabled until the password was changed as well.

Yeah, key-based authentication would be cool.

It does.
Create a DSA 1024bit key, enable it in /var/lib/openhab2/etc/keys.properties for user openhab:
Example using the default and disabled key (don’t use this one! :slight_smile:) for the karaf user

openhab=<base64-encoded public key>,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles

and you are ready to go.

I don’t think that you can turn off passwd auth entirely on the other hand.

Sources:
https://karaf.apache.org/manual/latest/security
https://karaf.apache.org/manual/latest/remote


Warning: If you are on Snapshot releases and you upgrade, this file will be overwritten and you will have to change it back again (from 127.0.0.1 to 0.0.0.0)
The keys.properties and/or user.properties files will remain the same, so no need to re-apply your ssh key or re-adjust your openhab user password.
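
The check below is an added example, not part of the thread or of openHAB: it parses the text of org.apache.karaf.shell.cfg and keys.properties and reports whether sshHost binds beyond loopback and which users have a public key enabled, which is handy after an upgrade rewrites the file. The function names are illustrative, and the sample file contents (including the placeholder key) are constructed.

```python
import ipaddress

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators,
    and backslash-escaped characters in keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = "", 0
        while i < len(line) and not (line[i] in "=:" or line[i].isspace()):
            if line[i] == "\\" and i + 1 < len(line):
                i += 1                      # keep the escaped character literally
            key += line[i]
            i += 1
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[key] = rest
    return props

def console_exposed(shell_cfg_text):
    """True unless sshHost is a loopback address (a missing value or a
    hostname counts as exposed so that it gets reviewed)."""
    host = parse_properties(shell_cfg_text).get("sshHost", "")
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() != "localhost"

def users_with_keys(keys_text):
    """User names in keys.properties with a non-empty public key; group
    definitions (keys starting with _g_:) are skipped."""
    props = parse_properties(keys_text)
    return sorted(u for u, v in props.items()
                  if not u.startswith("_g_:") and v.split(",")[0].strip())

# Constructed sample contents; the key is a placeholder, not a real key.
SAMPLE_SHELL_CFG = "sshHost = 0.0.0.0\n"
SAMPLE_KEYS = (
    "#karaf = PLACEHOLDER_PUBLIC_KEY,_g_:admingroup\n"
    "openhab=PLACEHOLDER_PUBLIC_KEY,_g_:admingroup\n"
    "_g_\\:admingroup = group,admin,manager,viewer,systembundles\n"
)

if __name__ == "__main__":
    print("console reachable beyond localhost:", console_exposed(SAMPLE_SHELL_CFG))
    print("users with a public key enabled:", users_with_keys(SAMPLE_KEYS))
```

To check a real install, read the two files from /var/lib/openhab2/etc/ and pass their contents to the same functions.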