[kea-dev] kea-ctrl-agent on unix socket

Francis Dupont fdupont at isc.org
Wed Mar 15 13:59:26 UTC 2023 

Andreas Hasenack writes:
> After using the software for a while, and writing tests for it, we
> realized that once you install the kea-ctrl-agent, any unprivileged
> local user has unrestricted API access and can do naughty things like
> kill the service, read the config file (which might have passwords for
> database backends), manage leases, etc.

=> there are 3 answers to this issue (BTW if you have local users I am
afraid that when you can't trust them you are already in trouble but
as I am old enough to know the "department server" period I understand
you'd like to have this case securely handled:
 - the first feature which is dedicated to this particular case is
   the HTTP simple authentication
 - you can too use HTTPS aka HTTP over TLS. It moves the issue to the
   PKI configuration but covers larger cases
 - you can use the RBAC hook library: it provides fine grain access control,
   for instance you can allow only read operations to an user group.

> I know one can add http basic auth to the service, or even not install
> it of course. But I think it should be a bit more secure by default
> out of the box, and still be usable.

=> I propose to not enable the service by default.

> We can create a random user/password at install time, but I was
> wondering if you ever considered having kea-ctrl-agent listen on its
> own unix socket,

=> this does not make sense: if you want to use an UNIX socket you do not
need the control agent at all.

> and have kea-shell use that? Controlling localhost
> access would be much simpler: one could just chmod/chown the socket
> appropriately and then the local admin of the system can decide who to
> add to the group that can use the api locally.

=> yes, the access control for UNIX sockets is something both easy
and well understood by admins.

> What we are considering for now is to either not start the service by
> default (kind of against the policy of debian packaging),

=> IMHO it is the best: in most cases it is not required. You can also
use a configuration which makes it not usable e.g. not set the DHCP
server UNIX socket paths.

> or create a
> user with a random password in postinst, use `password-file` and
> `user-file` under authentication.clients, and document that behavior,
> but maybe there is another simpler way that is being used out there?

Regards

Francis Dupont <fdupont at isc.org>

PS: these are personal ideas. Perhaps my colleagues will have better proposals.

More information about the kea-dev mailing list