either way I'm fine
2014-07-18 9:04 GMT+02:00 Jean-Baptiste Onofré <j...@nanthrax.net>:

> More than a script, I propose:
>
> karaf@root()> ssh:key-gen
> karaf@root()> ssh:key-add
>
> And in the same area:
>
> karaf@root()> shell:passwd
>
> to change the password.
>
> WDYT ?
>
> Regards
> JB
>
> On 07/18/2014 08:40 AM, Achim Nierbeck wrote:
>
>> +1 for removing
>>
>> and also +1 for the idea of Matt Sicker, a script for easy generating of
>> keys.
>>
>> regards, Achim
>>
>> 2014-07-18 6:58 GMT+02:00 Jean-Baptiste Onofré <j...@nanthrax.net>:
>>
>>> Hi Freeman,
>>>
>>> thanks for the update ;)
>>>
>>> Regards
>>> JB
>>>
>>> On 07/18/2014 02:38 AM, Freeman Fang wrote:
>>>
>>>> +1 to comment out the default public key in keys.properties, it's really
>>>> a security hole.
>>>>
>>>> And about specifying the key to bin/client, I just added it weeks ago,
>>>> please see KARAF-3059[1]
>>>>
>>>> [1] https://issues.apache.org/jira/browse/KARAF-3059
>>>>
>>>> -------------
>>>> Freeman(Yue) Fang
>>>>
>>>> Red Hat, Inc.
>>>> FuseSource is now part of Red Hat
>>>>
>>>> On 2014-7-18, at 3:44 AM, Jean-Baptiste Onofré wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Following a discussion that we had with Christian, I would like to
>>>>> raise a concern.
>>>>>
>>>>> Now, on Karaf 2.x/3.x/4.x, the JMX layer is secured using RBAC. The
>>>>> MBeanServerBuilder is enabled by default, meaning that it's not
>>>>> possible to locally connect to the MBean server.
>>>>> I think it's good and secure.
>>>>>
>>>>> However, on the other hand, we have a key enabled by default (in
>>>>> etc/keys.properties) and used by default by bin/client.
>>>>> So it means that any user that downloads a Karaf distribution can
>>>>> connect to any Karaf runtime by default.
>>>>> On one hand we have a very secure JMX layer (even for local
>>>>> connection), but on the other hand, bin/client can connect to any
>>>>> Karaf running instance (so not very secure).
>>>>>
>>>>> I would like to propose the following:
>>>>> - in etc/keys.properties, we should comment out the default key. We can
>>>>>   document how to enable it and how to change the keys.
>>>>> - in bin/client, we should be able to specify a key that we want to
>>>>>   use.
>>>>>
>>>>> WDYT ?
>>>>>
>>>>> I already created some Jira about the keys:
>>>>> - KARAF-2786: I would change this one by commenting out the default key
>>>>> - KARAF-2836 to allow to specify multiple keys for a user in
>>>>>   etc/keys.properties
>>>>> - KARAF-2787 to allow to specify the key to bin/client
>>>>>
>>>>> Thanks,
>>>>> Regards
>>>>> JB
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbono...@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>
>>> --
>>> Jean-Baptiste Onofré
>>> jbono...@apache.org
>>> http://blog.nanthrax.net
>>> Talend - http://www.talend.com
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com

--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>

Software Architect / Project Manager / Scrum Master