Bug #853

If used with the proxy, the dhcpd server is open for connections from any server

Added by Marcello de Sousa over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: DHCP
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

When using:

omapi-port 7911;

The dhcpd api server will listen to any host. You might need to add something like this to provide basic security:

key omapi_key {
  algorithm HMAC-MD5;
  secret "XXXXXXXXX";
};
omapi-key omapi_key;

At first sight, it looks logical to me that the foreman's "subnet" settings should get an extra field "omapi_key".
If that field is not empty, "foreman-proxy/lib/proxy/dhcp/server/isc.rb" should issue an extra command ("OMSHELL key omapi_key XXXXXXXXX") when connecting to the dhcpd server.


Related issues

Related to Smart Proxy - Bug #947: Foreman UI doesn't report omapi_key error properly (New, 2011-05-26)

Associated revisions

Revision bf8dfda6 (diff)
Added by Ohad Levy over 9 years ago

fixes #853 - If used with the proxy, the dhcpd server is open for connections from any server

Revision 3e042b2c (diff)
Added by Ohad Levy over 9 years ago

refs #853 - fixes typo

Revision 025b5ad0 (diff)
Added by Ohad Levy over 9 years ago

partial fix - refs #853

History

#1 Updated by Ohad Levy over 9 years ago

You are correct.

At the moment it's best to protect it via iptables, as it's not possible to define which interfaces to bind to (ideally lo).

I guess we should add both the secret key (as a configuration option on the proxy, similar to the DNS setup), and potentially allow the use of a remote ISC server as well.

#2 Updated by Ohad Levy over 9 years ago

  • Status changed from New to Ready For Testing
  • % Done changed from 0 to 100

#3 Updated by Marcello de Sousa over 9 years ago

I don't think this code is working 100%.
I've changed it to:

def omcmd cmd, msg=nil
  if cmd == "connect"
    @om = IO.popen("/bin/sh -c '/usr/bin/omshell 2>&1'", "r+")
    if SETTINGS.dhcp_key_name and SETTINGS.dhcp_key_secret
      @om.puts "key #{SETTINGS.dhcp_key_name} \"#{SETTINGS.dhcp_key_secret}\""
    end
    @om.puts "server #{name}"
    @om.puts "connect"
    @om.puts "new host"
(...)

And a typo ("gsub" instead of "sub"):
logger.debug "omshell: executed - #{SETTINGS.dhcp_key_secret.nil? ? cmd : cmd.gsub(SETTINGS.dhcp_key_secret,"[filtered]")}" 

then it seems to work.

There's one problem, if the key is incorrect (I forced an incorrect key) Foreman's interface is not reporting the error. In the proxy.log (in debug mode) I can see the error:

(...)
E, [2011-05-03T17:51:57.835019 #10819] ERROR -- : Omshell failed:
> > > obj: <null>
, > obj: host
, > obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't open object: connection reset by peer
, obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't destroy object: not connected
, obj: host
, hardware-address = 00:0c:29:38:71:62
, >
E, [2011-05-03T17:51:57.835393 #10819] ERROR -- : Failed to remove DHCP reservation for  => 192.168.115.156 / 00:0c:29:38:71:62: No response from DHCP server
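The three points raised in comment #3 (sending the key before "connect", filtering every occurrence of the secret from the debug log, and noticing omshell failures in its output) can be sketched as follows. This is an added example, not part of the original thread and not foreman-proxy code; the function names are hypothetical and the sample output is constructed from the log excerpt above.

```ruby
# Added example (not foreman-proxy code). All method names are hypothetical.

# Lines to write to omshell's stdin before any object command.
# The key line goes first so that the following "connect" is authenticated.
def omshell_preamble(server, key_name = nil, key_secret = nil)
  [server, key_name, key_secret].compact.each do |value|
    # A quote or newline in a setting would end the quoted string or the
    # line, so the rest of the value would be read as extra omshell input.
    raise ArgumentError, "illegal character in omshell setting" if value =~ /["\r\n]/
  end
  lines = []
  lines << %(key #{key_name} "#{key_secret}") if key_name && key_secret
  lines << "server #{server}" << "connect"
  lines
end

# Replace every occurrence of the secret before logging (gsub, not sub:
# sub would leave a second occurrence in the log in clear text).
def redact(text, secret)
  return text if secret.nil? || secret.empty?
  text.gsub(secret, "[filtered]")
end

# Collect the "can't ... object: reason" messages from omshell output,
# so the caller can report them instead of a generic "no response".
def omshell_errors(output)
  output.lines.map { |line| line[/can't \w+ object: .*/] }.compact.map(&:strip)
end

# Constructed sample, modelled on the proxy.log excerpt in comment #3.
SAMPLE_OUTPUT = <<~OUT
  > > > obj: <null>
  > obj: host
  hardware-address = 00:0c:29:38:71:62
  > can't open object: connection reset by peer
  obj: host
  > can't destroy object: not connected
OUT

if __FILE__ == $PROGRAM_NAME
  puts redact(omshell_preamble("127.0.0.1", "omapi_key", "c2VjcmV0").join("\n"), "c2VjcmV0")
  puts omshell_errors(SAMPLE_OUTPUT).inspect
end
```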

#4 Updated by Ohad Levy over 9 years ago

  • Status changed from Ready For Testing to Closed
  • Assignee set to Ohad Levy

Marcello, I'm closing this ticket, if you want to follow up on the error, please create a new ticket.

It would be great if you could update the wiki with the new settings as well.