[kea-dev] kea-ctrl-agent on unix socket

Andreas Hasenack andreas at canonical.com
Tue Mar 14 12:57:20 UTC 2023


Hi,

together with my colleagues I'm packaging isc-kea for Ubuntu, and
Debian as a consequence.

After using the software for a while, and writing tests for it, we
realized that once you install the kea-ctrl-agent, any unprivileged
local user has unrestricted API access and can do naughty things like
kill the service, read the config file (which might have passwords for
database backends), manage leases, etc.

I know one can add http basic auth to the service, or even not install
it of course. But I think it should be a bit more secure by default
out of the box, and still be usable.

We can create a random user/password at install time, but I was
wondering if you ever considered having kea-ctrl-agent listen on its
own unix socket, and have kea-shell use that? Controlling localhost
access would be much simpler: one could just chmod/chown the socket
appropriately and then the local admin of the system can decide who to
add to the group that can use the api locally.

What we are considering for now is to either not start the service by
default (kind of against the policy of debian packaging), or create a
user with a random password in postinst, use `password-file` and
`user-file` under authentication.clients, and document that behavior,
but maybe there is another simpler way that is being used out there?


More information about the kea-dev mailing list