Following Christian Schneider's blog post, How to hack into any default apache karaf installation, I checked to see if my default Karaf installation (4.0.5) is insecure:
Some simple steps to check if your karaf installation is open.
- Check the "etc/org.apache.karaf.shell.cfg" for the attribute sshPort. Note this port number. By default it is 8101
- Do "ssh -p 8101 karaf@localhost". As expected, it will ask for a password. This may also be dangerous if you do not change the default password, but that is quite obvious.
- Now just do bin/client -a 8101. You will get a shell without supplying a password. If this works, then your server is vulnerable.
As expected, it is vulnerable. So I tried to secure it following the instructions as described:
How to secure your server?
- Simply remove the public key of the karaf user in the "etc/keys.properties". Unfortunately this will stop the bin/client command from working.
- Also make sure you change the password of the karaf user in "etc/users.properties".
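The check and the hardening steps above can be verified against the three etc/ files they mention without starting Karaf. The script below is an added example, not code from the blog post or from the Karaf project; it assumes the `key = value` layout of etc/org.apache.karaf.shell.cfg, the `user=publickey,group` layout of etc/keys.properties and the `user = password,group` layout of etc/users.properties, and the sample files it writes are constructed (the public key is a placeholder).

```shell
#!/bin/sh
# Added audit helper for the checks in the post (not from the blog or Karaf).
# Reads the configured SSH console port and reports whether the two default
# access paths are still open: a key for user "karaf" in etc/keys.properties
# (passwordless bin/client login) and the default password in etc/users.properties.

karaf_ssh_port() {
  # Print the sshPort value from org.apache.karaf.shell.cfg (Karaf default: 8101).
  sed -n 's/^[[:space:]]*sshPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

karaf_key_auth_enabled() {
  # True when keys.properties exists and has an uncommented entry for user karaf.
  [ -f "$1" ] && grep -q '^[[:space:]]*karaf[[:space:]]*=' "$1"
}

karaf_default_password() {
  # True when users.properties still maps user karaf to the password "karaf".
  [ -f "$1" ] && grep -Eq '^[[:space:]]*karaf[[:space:]]*=[[:space:]]*karaf([[:space:],]|$)' "$1"
}

karaf_audit() {
  # Audit one etc/ directory; returns 0 when both default paths are closed, 1 otherwise.
  etc_dir="$1"; audit_status=0
  port=$(karaf_ssh_port "$etc_dir/org.apache.karaf.shell.cfg")
  echo "ssh console port: ${port:-8101 (not set, Karaf default)}"
  if karaf_key_auth_enabled "$etc_dir/keys.properties"; then
    echo "OPEN: etc/keys.properties still has a public key for user karaf (bin/client needs no password)"
    audit_status=1
  fi
  if karaf_default_password "$etc_dir/users.properties"; then
    echo "OPEN: etc/users.properties still has the default karaf/karaf password"
    audit_status=1
  fi
  return $audit_status
}

# Constructed sample: what a default Karaf 4.0.x etc/ directory looks like (key is a placeholder).
DEFAULT_ETC=$(mktemp -d)
printf 'sshPort = 8101\nsshHost = 0.0.0.0\n' > "$DEFAULT_ETC/org.apache.karaf.shell.cfg"
printf 'karaf=PLACEHOLDER-PUBLIC-KEY,_g_:admingroup\n' > "$DEFAULT_ETC/keys.properties"
printf 'karaf = karaf,_g_:admingroup\n' > "$DEFAULT_ETC/users.properties"

# Constructed sample: the same directory after the two hardening steps from the post.
HARDENED_ETC=$(mktemp -d)
cp "$DEFAULT_ETC/org.apache.karaf.shell.cfg" "$HARDENED_ETC/"
printf 'karaf = CHANGED-PASSWORD-PLACEHOLDER,_g_:admingroup\n' > "$HARDENED_ETC/users.properties"
# keys.properties deliberately not copied: the karaf public key was removed.

echo "== default install =="
karaf_audit "$DEFAULT_ETC" || echo "-> vulnerable"
echo "== hardened install =="
karaf_audit "$HARDENED_ETC" && echo "-> default access paths closed"
```

Point `karaf_audit` at a real Karaf etc/ directory to run the same checks on a live installation; a non-zero return means one of the two defaults from the post is still in place.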
I shut down the Karaf server using the halt command. Then I changed the karaf password in etc/users.properties and deleted the file etc/keys.properties. Then I started the server again with bin/karaf. Then in a new terminal I tested to see if the installation was secure by trying to ssh into the server. I validated that ssh login now requires the newly configured password. Finally, I tried using the bin/client -a 8101 command.
At this point, as explained in the blog post, I expected the command to fail:
Unfortunately this will stop the bin/client command from working.
I noticed that after running bin/client -a 8101 there is a new file, etc/host.key, that either bin/client or the container itself auto-generated. Rather than failing, the command succeeded and I was presented with the Karaf console.
Does this mean the container is still vulnerable to this attack vector?