openhab / openhab-linuxpkg

Repo for Linux packages
Eclipse Public License 2.0

Generate karaf ssh key during installation #15

Closed ThomDietrich closed 7 years ago

ThomDietrich commented 7 years ago

Discussed with @BClark09 here: https://community.openhab.org/t/openhabian-hassle-free-rpi-image/13379/408

The apt installation (and an upgrade conditionally) should generate the karaf key in advance.

BClark09 commented 7 years ago

Post install (but not upgrade), we might be able to background run a single command connection to Karaf, but where the key is stored I have no idea (yet).

watou commented 7 years ago

Another option is to fix it in documentation; in other words, make sure no one is legitimately surprised by it. People could be just as surprised by a pegged CPU at an unexpected time as they would be by the long delay/timeout on first use.

ThomDietrich commented 7 years ago

> fix it in documentation

I don't think that's a valid option. Of course we could do that, but it would feel like making users aware of a bug; it's not a fix. Preparing the system for usage is really something that should be done by the system before the actual usage. The post installation routine of apt would be the right place for that. I've seen this with other packages like gitlab. Regarding the Karaf question, maybe @kaikreuzer or @EliasGabrielsson have an idea?

watou commented 7 years ago

@ThomDietrich I think it's perfectly valid to document that time must be spent computing a cryptographic key before it's first used, and for users that never ssh into their Karaf instance, why force them to wait minutes on every fresh install for something they never need? I don't see it as being like a bug at all, just lacking sufficient explanation in the documentation. Is openHAB doing something different than what other products distributed with Karaf do? There is certainly good guidance out there. And we are all definitely entitled to share our suggestions without being told they're invalid.

ThomDietrich commented 7 years ago

I for sure didn't want to insult you, I'm very sorry if my concerns came out wrong.

It is my humble opinion, that the moment when the first ssh connection doesn't do anything for minutes or throws a timeout error at you feels like a bug of openHAB and I've discussed this problem with users on the forum more than once. Hence my argument that this should be improved on the system side. The installation to take a few minutes longer to prepare openHAB for the user to be used doesn't sound like a problem to me, but yet again, that's just my personal opinion.

watou commented 7 years ago

Thank you for clarifying, @ThomDietrich. It's great we're all passionate about getting things right. 😄

kaikreuzer commented 7 years ago

> Regarding the Karaf question, maybe @kaikreuzer or @EliasGabrielsson have an idea?

You mean where the key might be stored? No sorry, I would have to investigate this myself...

theoweiss commented 7 years ago

A possible way to go (assumed we have a script for generating the key) is to interactively ask the user in postinst if he wants to create the ssh server key. It seems like debconf is the tool to use.

ThomDietrich commented 7 years ago

I've solved the "How?".

The file in question is /var/lib/openhab2/etc/host.key. Annoyingly, this file is in a Karaf-internal format, but that can be changed, thanks to this issue / this PR.

The first thing that needs to be done over at openhab-distro is switching from the internal key format to a PEM format. I've tested this step independently. openHAB will automatically create and use the host.key file just as before.

sed -i "s/hostKeyFormat = simple/hostKeyFormat = PEM/" /var/lib/openhab2/etc/org.apache.karaf.shell.cfg

After this is settled, key creation in postinst would simply need to call:

openssl genrsa -out /var/lib/openhab2/etc/host.key 4096

I've tested the whole process and everything seems to behave as expected. The only thing missing is hardening permissions for this file.

Btw. The key generation needed 44 seconds, 10 seconds and 14 seconds while testing on my RPi3.


Testing:

openssl genrsa -out /var/lib/openhab2/etc/host.key 4096
ssh-keygen -yf host.key > host.pub  # only for testing
ssh-keygen -lf host.pub             # --> 46:f1:2e:35:3a:60:92:bf:dc:36:14:f7:cf:fb:fa:f2
systemctl restart openhab2.service  # the key is getting cached
ssh openhab@localhost -p 8101       # --> RSA key fingerprint is 46:f1:2e:35:3a:60:92:bf:dc:36:14:f7:cf:fb:fa:f2

BClark09 commented 7 years ago

Excellent, what happens if you try to ssh into a new instance of openHAB without generating the host.pub key first? Does Karaf generate it for you still?

ThomDietrich commented 7 years ago

Yep ;)

$ ssh openhab@localhost -p 8101
RSA key fingerprint is 46:f1:2e:35:3a:60:92:bf:dc:36:14:f7:cf:fb:fa:f2.

$ sudo rm /var/lib/openhab2/etc/host.key

$ sudo systemctl restart openhab2.service

$ ssh openhab@localhost -p 8101
... waiting ...
RSA key fingerprint is 43:5a:6e:0c:3d:42:1b:d0:2d:56:6d:af:3c:e4:8d:2f.

ThomDietrich commented 7 years ago

One more test case: Switching hostKeyFormat back and forth between simple and PEM also triggers a recreation of the key.

BClark09 commented 7 years ago

More Excellent! Now in our opinions what would be the best choice, to have this prompt at first install as @theoweiss has suggested (which can be force "yes"ed by openHABian) or to make this part of everyone's install routine. Personally, I'm for the former.

ThomDietrich commented 7 years ago

I have no strong notion here. I would leave that to whoever is so kind to implement it ;) As a non-technical end user I wouldn't know if I want a Karaf ssh key generated and wouldn't mind waiting 10-30 seconds longer. @watou How fast is the above command on your machine?

EliasGabrielsson commented 7 years ago

Good research on the ssh key.

About the key-generation time consumption, a guess is that this is connected to available entropy. E.g. when the entropy is low the system needs to generate more before the whole key can be generated.

More entropy is generated when things change on a system, check it with cat /proc/sys/kernel/random/entropy_avail. If one minute is a problem I guess we could generate the key in a background process while the rest of the system installs as it then generates more entropy per second.

But I don't think this is a problem. 30 or 31 minutes doesn't make any difference when installing.

watou commented 7 years ago

> openssl genrsa -out /var/lib/openhab2/etc/host.key 4096

Is the openssl package a prerequisite to the openhab2 package? The install should not assume the openssl command is available.

> How fast is the above command on your machine?

Three runs took either 45, 35, or 53 seconds on my Raspberry Pi 2 Model B. There are slower processors out there that are still candidates to run openHAB. I remain concerned that these seconds will be spent by users who will never ssh into their Karaf consoles.

pi@habpi2:~ $ time openssl genrsa -out /tmp/host.key 4096
Generating RSA private key, 4096 bit long modulus
....................................................++
..................................................................................................................................................++
e is 65537 (0x10001)

real    0m44.629s
user    0m44.370s
sys     0m0.040s
pi@habpi2:~ $ time openssl genrsa -out /tmp/host.key 4096
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................++
...........................++
e is 65537 (0x10001)

real    0m34.908s
user    0m34.810s
sys     0m0.000s
pi@habpi2:~ $ time openssl genrsa -out /tmp/host.key 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................................................................................................................++
..........++
e is 65537 (0x10001)

real    0m53.269s
user    0m53.040s
sys     0m0.050s

theoweiss commented 7 years ago

Great work @ThomDietrich! I'm with @watou and think we should not bother non-ssh users with the key generation. I suggest to go for debconf and ask the user (the answer could be preseeded for openHABian). Furthermore we should check if openssl or ssh-keygen is available for the key generation and skip the generation step if neither of them exists (possibly we could also use Karaf itself but I found no quick solution without the need for coding).
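
A postinst-style helper for the approach discussed in this thread, as an added example (not code from openhab-linuxpkg or from any commenter): it generates the key only when none exists, skips the step when openssl is not installed, and writes the key with owner-only permissions. The function name, the `openhab` account name, the optional bit-size argument and the return codes are assumptions.

```shell
#!/bin/sh
# Added example, not openhab-linuxpkg code. The key path and the openssl
# command follow the thread; everything else here is an assumption.

KEY_FILE="${KEY_FILE:-/var/lib/openhab2/etc/host.key}"
OH_USER="${OH_USER:-openhab}"     # assumed service account name
KEY_BITS="${KEY_BITS:-4096}"

# Return codes (assumed convention):
#   0 = key created          1 = generation failed
#   2 = key already present  3 = openssl not installed, step skipped
generate_karaf_host_key() {
    key="${1:-$KEY_FILE}"
    bits="${2:-$KEY_BITS}"

    # Never replace an existing key: clients have already pinned its
    # fingerprint and would see a host-key-changed warning.
    [ -e "$key" ] && return 2

    # openssl is not guaranteed to be installed; skip rather than fail.
    command -v openssl >/dev/null 2>&1 || return 3

    # Create the temp file with a 077 umask so the private key is never
    # group- or world-readable, not even while it is being written.
    tmp=$(umask 077; mktemp "$(dirname "$key")/host.key.XXXXXX") || return 1

    if ! openssl genrsa -out "$tmp" "$bits" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"

    # Hand the key to the service account when running as root and the
    # account exists (as it would in a package postinst).
    if [ "$(id -u)" -eq 0 ] && id "$OH_USER" >/dev/null 2>&1; then
        chown "$OH_USER" "$tmp"
    fi

    # Rename into place so a reader never sees a half-written key.
    mv -f "$tmp" "$key"
}
```

A caller treats return codes 2 and 3 as non-fatal, so the package installation continues either way.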

ThomDietrich commented 7 years ago

Sounds good to me. Especially in light of @watou's argument that openssl might not be available on every system. Thanks for considering openHABian in your use cases ;)

BClark09 commented 7 years ago

Since we are unable to use the generated key, I couldn't find a way of getting Karaf console to generate a key without starting up and closing an instance of it. @ThomDietrich, are we okay to close this issue for now?

ThomDietrich commented 7 years ago

Would have been nice to solve this issue... We will have to stay with the documentation solution for now. Thanks everyone for your efforts. Closing the ticket.

BClark09 commented 7 years ago

If I find anything that will allow us to do this smoothly post-install I'll let you know for sure!