Unable to access karaf console on RPi with openHABian

I am running OH2 on an RPi3, which is running openHABian. Yesterday, after I updated to openHAB 2.0.0~20170108034429 (Build #736), I needed to adjust some log levels for debugging, but I found I was unable to access the karaf console as I have in the past. I enter


and I am prompted for a an openhab password. I don’t recall having ever seen that behavior in the past. I tried my password (my account is authorized to use sudo) as well as the root password on my system. Nothing works.

I searched and found a section of the openHABian hassle-free RPi image thread where a similar issue is discussed. I went through the process recommended there with no success. I also tried deleting /var/lib/openhab2/etc/host.key and restarting OH2 as recommended by @ThomDietrich, still no joy.

I verified my OH2 installation with:

dpkg --verify openhab2-offline

The verification indicated that no files are missing or modified.

Is there anything else I should try?

Asking for the password is not an expected change, we’ll have to look into this. However the real issue here is, that you are simply using the wrong password :slight_smile: http://docs.openhab.org/administration/console.html

Well, I tried that as follows:

[07:04:39] root@rpi3:~# ssh openhab@localhost -p 8101
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the DSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:2
  remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R [localhost]:8101
DSA host key for [localhost]:8101 has changed and you have requested strict checking.
Host key verification failed.
[07:06:00] root@rpi3:~# sed -i 2d ~/.ssh/known_hosts 
[07:06:34] root@rpi3:~# ssh openhab@localhost -p 8101
The authenticity of host '[localhost]:8101 ([]:8101)' can't be established.
DSA key fingerprint is 84:cb:b5:5a:1f:b5:17:e6:98:1b:36:d8:59:51:a0:26.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:8101' (DSA) to the list of known hosts.
Password authentication
Password authentication
Password authentication

[07:07:16] root@rpi3:~# passwd openhab
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
[07:07:53] root@rpi3:~# ssh openhab@localhost -p 8101
Password authentication
Password authentication

Still no joy. Note that, just be sure, I set the openhab password to the default per the doc you brought to my attention.

I’ve just tested both paths. After supplying the habopen password I was able to login.

The first SSH/fingerprint error is related to you deleting the host.key, that’s to be expected. Please also note, that passwd openhab will not have any effect, as the password for the karaf console is configured here: /var/lib/openhab2/etc/users.properties

@ThomDietrich, thanks for helping out – success!

The info about the habopen password helps me better understand what’s going on here. I’m an old hand with linux, but not necessarily with OH.

Yours and other reported problems brought forth the idea to revert that change for openHAB 2.0 final.
Please check this issue for further developments: https://github.com/openhab/openhab-docs/issues/168

It’s reverted. You may see some transitioning effects but everything should work as before now.

Thanks again for your help, Thom.

I always learn a bit more about OH2 whenever something changes that affects me and my use of OH2 :wink:

1 Like

Hi all,

I guess I’m doing something dumb, but this doesn’t seem to work for me (on a recent openhabian install).

[20:26:06] pi@openHABianPi:~$ ssh openhab@localhost -p 8101 Password authentication Password: Password authentication Password: Password authentication Password:

(I’m using the ‘habopen’ password).

Hi @Edward_Moyse,

have you tried to reset the password to something else using the openhabian-config command?
You can do this when you bind the karaf console to all interfaces.

More info here.

1 Like

Awesome! That worked - I think I accidentally changed the password, not reading that prompt properly. Anyway it works now. Thanks again!

I just updated from the last available openhab2-offline package (I guess it was from January, 4th) to the final stable release and ran into the problem, that the karaf client now asks for a password. With the habopen password it works but I don’t want to enter it every time. Connecting to karaf via ssh works without having to enter a password, so the key configuration should be fine I guess.
While searching for a solution I stumbled upon this thread, which exaclty describes my problem. But if I understand things right the change that led to this issue was reverted, right? Or didn’t this make it into the final package but only to the current snapshot package?

No that change back was part of the 2.0.0 GA stable.

Hm, any Idea why it doesn’t work for me though? Here is how it looks like.

root@vdr:~# ssh openhab@localhost -p 8101

                          __  _____    ____
  ____  ____  ___  ____  / / / /   |  / __ )
 / __ \/ __ \/ _ \/ __ \/ /_/ / /| | / __  |
/ /_/ / /_/ /  __/ / / / __  / ___ |/ /_/ /
\____/ .___/\___/_/ /_/_/ /_/_/  |_/_____/
    /_/                        2.0.0
                               Release Build

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown openHAB.

root@vdr:~# /usr/share/openhab2/runtime/bin/client
client: Ignoring predefined value for KARAF_HOME
Logging in as openhab
root@vdr:~# /usr/share/openhab2/runtime/bin/client -k ~/.ssh/id_rsa
client: Ignoring predefined value for KARAF_HOME
Error starting ssh agent for: org/bouncycastle/openssl/PEMParser
Logging in as openhab
Authentication failed

/var/lib/openhab2/etc/keys.properties is populated with the key of ~/.ssh/id_rsa.pub for both root and openhab

…and to prove that the keys inside the keys.properties files are exactly the same as in id_rsa.pub:

root@vdr:~# grep openhab= /var/lib/openhab2/etc/keys.properties| sed 's/openhab=//' | sed 's/,_g_.*//' | md5sum
a24d2cbcc5be43e9ff049c44ed68f361  -
root@vdr:~# grep root /var/lib/openhab2/etc/keys.properties  | sed 's/root=//' | sed 's/,_g_.*//' | md5sum
a24d2cbcc5be43e9ff049c44ed68f361  -
root@vdr:~# cat ~/.ssh/id_rsa.pub | sed 's/ssh-rsa //' | sed 's/ root@.*//'  | md5sum
a24d2cbcc5be43e9ff049c44ed68f361  -

May be that points towards the root cause:

root@vdr:~# /usr/share/openhab2/runtime/bin/client -k ~/.ssh/id_rsa -v
client: Ignoring predefined value for KARAF_HOME
Error starting ssh agent for: org/bouncycastle/openssl/PEMParser
Logging in as openhab
616 [sshd-SshClient[6b26e945]-nio2-thread-2] WARN org.apache.sshd.client.keyverifier.AcceptAllServerKeyVerifier - Server at / presented unverified RSA key: a6:af:a6:6a:04:95:a9:17:69:63:a8:0e:c2:fc:a6:e7
660 [sshd-SshClient[6b26e945]-nio2-thread-3] WARN org.apache.sshd.client.session.ClientSessionImpl - Exception caught
	at org.apache.sshd.agent.common.AgentDelegate.getIdentities(AgentDelegate.java:40)
	at org.apache.sshd.client.auth.UserAuthPublicKey.init(UserAuthPublicKey.java:79)
	at org.apache.sshd.client.session.ClientUserAuthServiceNew.tryNext(ClientUserAuthServiceNew.java:212)
	at org.apache.sshd.client.session.ClientUserAuthServiceNew.processUserAuth(ClientUserAuthServiceNew.java:178)
	at org.apache.sshd.client.session.ClientUserAuthServiceNew.process(ClientUserAuthServiceNew.java:131)
	at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:80)
	at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:431)
	at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)
	at org.apache.sshd.client.session.ClientSessionImpl.handleMessage(ClientSessionImpl.java:306)
	at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)
	at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)
	at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)
	at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)
	at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
	at sun.nio.ch.Invoker$2.run(Invoker.java:218)
	at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Authentication failed

I mean these seem to be just WARNINGs, but I suppose this may lead to the abortion of the public key login…

This Jboss-Fuse bug description is about the same error message: https://issues.jboss.org/browse/ENTESB-5157?_sscc=t

This apache bug report here as well:

I am having this same problem. I reset the password and still can’t log in, Anyone have any ideas??

You need to post more details than “same”. How old is your setup? What did you do that could have caused the issue? What did you try?

1 Like