Bug #853: If used with the proxy, the dhcpd server is open for connections from any server
Status: closed
Description
When using:
omapi-port 7911;
The dhcpd api server will listen to any host. You might need to add something like this to provide basic security:
key omapi_key { algorithm HMAC-MD5; secret "XXXXXXXXX"; }; omapi-key omapi_key;
At first sight, it looks logical to me that the foreman's "subnet" settings should get an extra field "omapi_key".
If that field is not empty, "foreman-proxy/lib/proxy/dhcp/server/isc.rb" should issue an extra command ("OMSHELL key omapi_key XXXXXXXXX") when connecting to the dhcpd server.
Updated by Ohad Levy over 13 years ago
You are correct.
At the moment it's best to protect it via iptables, as it's not possible to define which interfaces to bind to (ideally lo).
I guess we should add both the secret key (as a configuration option on the proxy, similar to the dns setup), and potentially allow the use of a remote isc server as well.
Updated by Ohad Levy over 13 years ago
- Status changed from New to Ready For Testing
- % Done changed from 0 to 100
Applied in changeset bf8dfda678ec7e59053585c357a79df3b9d340cb.
Updated by Marcello de Sousa over 13 years ago
I don't think this code is working 100%.
I've changed it to:
def omcmd cmd, msg=nil
  if cmd == "connect"
    @om = IO.popen("/bin/sh -c '/usr/bin/omshell 2>&1'", "r+")
    # send the OMAPI key statement before connecting, if one is configured
    if SETTINGS.dhcp_key_name and SETTINGS.dhcp_key_secret
      @om.puts "key #{SETTINGS.dhcp_key_name} \"#{SETTINGS.dhcp_key_secret}\""
    end
    @om.puts "server #{name}"
    @om.puts "connect"
    @om.puts "new host"
    (...)
And a typo ("gsub" instead of "sub"):
logger.debug "omshell: executed - #{SETTINGS.dhcp_key_secret.nil? ? cmd : cmd.gsub(SETTINGS.dhcp_key_secret,"[filtered]")}"
Then it seems to work.
There's one problem: if the key is incorrect (I forced an incorrect key), Foreman's interface is not reporting the error. In the proxy.log (in debug mode) I can see the error:
(...)
E, [2011-05-03T17:51:57.835019 #10819] ERROR -- : Omshell failed: > > > obj: <null>
> obj: host
> obj: host
hardware-address = 00:0c:29:38:71:62
> can't open object: connection reset by peer
obj: host
hardware-address = 00:0c:29:38:71:62
> can't destroy object: not connected
obj: host
hardware-address = 00:0c:29:38:71:62
>
E, [2011-05-03T17:51:57.835393 #10819] ERROR -- : Failed to remove DHCP reservation for => 192.168.115.156 / 00:0c:29:38:71:62: No response from DHCP server
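The following is an added example and not smart-proxy's or Foreman's own code. It pulls together the two points raised in this ticket: the reporter's proposal that the proxy send an OMAPI "key" statement before "connect", and Marcello's findings that the secret must be scrubbed from debug logs with gsub and that an omshell failure (wrong key, connection reset) should be surfaced rather than ending in an unexplained "No response". The class names OmshellSession and FakeOmshell, the error-pattern list and the sample omshell replies are assumptions constructed for this example; in a real proxy the io argument would be IO.popen("/usr/bin/omshell 2>&1", "r+").

```ruby
# Added example (not the project's code): drive an omshell session with an
# OMAPI key, filter the secret from logs, and fail loudly on omshell errors.
require 'logger'

class OmshellSession
  # Phrases omshell prints when an operation fails. Constructed from the log
  # excerpt in this ticket; extend for other omshell messages as needed.
  ERROR_PATTERNS = [
    /can't open object/,
    /can't destroy object/,
    /not connected/,
    /connection reset/
  ].freeze

  # io must respond to puts, close_write and read (an IO.popen handle in
  # production, a FakeOmshell below for offline runs).
  def initialize(io, server:, key_name: nil, key_secret: nil, logger: Logger.new($stderr))
    @io, @server, @key_name, @key_secret, @logger = io, server, key_name, key_secret, logger
  end

  # One omshell session: key (only if configured), server, connect, then the
  # caller's commands. Returns omshell's output lines, or raises if any of
  # them matches an error pattern so the caller sees the real failure.
  def run(*commands)
    send_cmd(%(key #{@key_name} "#{@key_secret}")) if @key_name && @key_secret
    send_cmd("server #{@server}")
    send_cmd("connect")
    commands.each { |c| send_cmd(c) }
    @io.close_write
    check_response!(@io.read.to_s.lines.map(&:chomp))
  end

  # Replace every occurrence of the secret before the line reaches a log.
  # gsub rather than sub: sub would leave a second occurrence unfiltered.
  def filter(text)
    @key_secret.nil? ? text : text.gsub(@key_secret, "[filtered]")
  end

  private

  def send_cmd(cmd)
    @io.puts cmd
    @logger.debug "omshell: executed - #{filter(cmd)}"
  end

  def check_response!(lines)
    failed = lines.grep(Regexp.union(ERROR_PATTERNS))
    raise "Omshell failed: #{failed.join(' | ')}" unless failed.empty?
    lines
  end
end

# Constructed stand-in for the omshell process: records what was written to
# it and replays a canned reply, so the example runs without dhcpd.
class FakeOmshell
  attr_reader :sent
  def initialize(reply)
    @sent = []
    @reply = reply
  end
  def puts(line)
    @sent << line
  end
  def close_write; end
  def read
    @reply
  end
end

if __FILE__ == $0
  ok = FakeOmshell.new("> obj: host\nhardware-address = 00:0c:29:38:71:62\n")
  OmshellSession.new(ok, server: "127.0.0.1", key_name: "omapi_key", key_secret: "s3cret").run("new host")
  p ok.sent  # the key statement goes out first, before "server" and "connect"

  bad = FakeOmshell.new("> can't open object: connection reset by peer\n")
  begin
    OmshellSession.new(bad, server: "127.0.0.1", key_name: "omapi_key", key_secret: "wrong").run("new host")
  rescue RuntimeError => e
    puts e.message  # surfaced to the caller instead of a silent failure
  end
end
```

The debug line printed by send_cmd is the one place the secret could leak, which is why filter runs on every command rather than only on the key statement.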
Updated by Ohad Levy over 13 years ago
- Status changed from Ready For Testing to Closed
- Assignee set to Ohad Levy
Marcello, I'm closing this ticket; if you want to follow up on the error, please create a new ticket.
It would be great if you could update the wiki with the new settings as well.