Reconfiguring SSH access to Apache Karaf
Using Apache Karaf via its local console provides the user with superb command and control capabilities over their OSGi container. Apache Karaf's remote console extends this experience to remote connections, and as such, presents system builders with an opportunity to further harden their systems. In this recipe, we'll change Karaf's default remote connection parameters.
Getting ready
The ingredients of this recipe include the Apache Karaf distribution kit, access to a JDK, and a source code editor. The sample configuration for this recipe is available at https://github.com/jgoodyear/ApacheKarafCookbook/tree/master/chapter1/chapter1-recipe6.
How to do it…
- The first step is editing the shell configuration. Apache Karaf ships with a default shell configuration file. It's a good practice to edit entries in the etc/org.apache.karaf.shell.cfg file to point to non-default ports as a security precaution. Consider the following code:

    #
    # Via sshPort and sshHost you define the address you can login into Karaf.
    #
    sshPort = 8102
    sshHost = 192.168.1.110

  In the preceding sample configuration, we set the port for SSH access to 8102 and set sshHost to an IP address of the host machine (the default value, 0.0.0.0, means the SSHD service is bound to all network interfaces). Restricting access to particular network interfaces can help reduce unwanted access.
- The next step is restarting Karaf. After editing the configuration, we must restart Karaf. Once restarted, you'll be able to connect to Karaf using an SSH client command as follows:

    ssh -p 8102 karaf@192.168.1.110

Upon connection, you'll be prompted for your password.
There's more…
Changing the default remote access configuration is a good start. However, system builders should also consider changing the default karaf user/password combination found in the users.properties file.
You might also decide to generate a server SSH key file to simplify remote access. Information regarding this configuration can be found at http://karaf.apache.org/manual/latest/users-guide/remote.html.
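
The defaults this recipe changes (the SSH port, the bind address, and the karaf account) can be checked mechanically before a container goes live. The script below is an added example, not part of the recipe's sample configuration; it assumes the stock values are sshPort 8101 and a karaf user whose password is karaf, and the function names prop and audit_karaf_ssh are made up here.

```shell
#!/bin/sh
# Added example (not from the recipe): flag Karaf remote-access defaults.

# Print the value assigned to key $2 in properties file $1 (last one wins).
prop() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per finding for Karaf etc/ directory $1; return 1 if any.
audit_karaf_ssh() {
    shell_cfg=$1/org.apache.karaf.shell.cfg
    port=$(prop "$shell_cfg" sshPort)
    host=$(prop "$shell_cfg" sshHost)
    entry=$(prop "$1/users.properties" karaf)   # format: password,role,...
    findings=0
    # Assumption: stock sshPort is 8101; a missing key means the default applies.
    if [ "${port:-8101}" = 8101 ]; then
        echo "sshPort: default 8101"; findings=$((findings + 1))
    fi
    # 0.0.0.0 binds the SSHD service to every network interface.
    if [ "${host:-0.0.0.0}" = 0.0.0.0 ]; then
        echo "sshHost: bound to all interfaces"; findings=$((findings + 1))
    fi
    # Assumption: the stock account is karaf with password karaf.
    if [ "${entry%%,*}" = karaf ]; then
        echo "users.properties: karaf has the default password"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a stock-looking etc/ directory, then the recipe's values.
demo=$(mktemp -d)
printf 'sshPort = 8101\nsshHost = 0.0.0.0\n' > "$demo/org.apache.karaf.shell.cfg"
printf 'karaf = karaf,_g_:admingroup\n' > "$demo/users.properties"
audit_karaf_ssh "$demo" || echo "-> defaults still in place"
printf 'sshPort = 8102\nsshHost = 192.168.1.110\n' > "$demo/org.apache.karaf.shell.cfg"
printf 'karaf = S3t-at-install,_g_:admingroup\n' > "$demo/users.properties"
audit_karaf_ssh "$demo" && echo "-> no default remote-access settings found"
rm -rf "$demo"
```

Against a real installation, call audit_karaf_ssh with the path to the container's etc directory; the non-zero return on any finding lets a deployment script stop before the container is exposed.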