1 files changed, 38 insertions, 0 deletions

diff --git a/framework/src/onos/tools/package/bin/onos-secure-ssh b/framework/src/onos/tools/package/bin/onos-secure-ssh
new file mode 100755
index 00000000..3f541dbe
--- /dev/null
+++ b/framework/src/onos/tools/package/bin/onos-secure-ssh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# -----------------------------------------------------------------------------
+# Enables secure access to ONOS console by removing default users & keys.
+# -----------------------------------------------------------------------------
+
+rm -f $(dirname $0)/onos
+
+set -e
+
+# Scan arguments for user/password or other options...
+while getopts u:p: o; do
+    case "$o" in
+        u) user=$OPTARG;;
+        p) password=$OPTARG;;
+    esac
+done
+password=${password:-$user} # password defaults to the user if not specified
+let OPC=$OPTIND-1
+shift $OPC
+
+cd $(dirname $0)/../apache-karaf-*/etc
+USERS=users.properties
+KEYS=keys.properties
+
+# Remove the built-in users and keys to secure the access implicitly.
+egrep -v "^(karaf|onos)[ ]*=" $USERS > $USERS.new && mv $USERS.new $USERS
+egrep -v "^(#karaf|onos)[ ]*=" $KEYS > $KEYS.new && mv $KEYS.new $KEYS
+
+# Remove any previous known keys for the local host.
+ssh-keygen -f "$HOME/.ssh/known_hosts" -R [localhost]:8101
+
+# Swap the onos client to use the SSH variant.
+ln -s $(dirname $0)/onos-ssh $(dirname $0)/onos
+
+# If user and password options were given, setup the user/password.
+if [ -n "$user" -a -n "$password" ]; then
+    echo "$user = $password,_g_:admingroup" >> $USERS
+fi
\ No newline at end of file