[Kea-users] [External] Re: Kea HA Basic HTTP Authentication seems to accept any credentials
Richard Sent (TCNA)
richard.sent at toyotaconnected.com
Tue Jan 20 17:39:02 UTC 2026
Understood, thanks. To confirm, this means the basic-auth-{user|password} only control the credentials presented by one HA peer to another but are not used by the second peer for authentication, correct?
Does this mean that when HTTP authentication is required we have to disable the dedicated HA listener and open another control socket? The docs still refer to kea-ctrl-agent (https://kea.readthedocs.io/en/stable/arm/hooks.html#multi-threaded-configuration-ha-mt) which was deprecated so I don't fully understand the implications / downsides compared to when the DHCP4 server opens the socket itself.
Or perhaps having a dedicated control socket for HA traffic is unnecessary.
Something like:
--8<---------------cut here---------------start------------->8---
{
  "Dhcp4": {
    "hooks-libraries": [{
      "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_lease_cmds.so",
      "parameters": { }
    }, {
      "library": "/opt/homebrew/Cellar/kea/3.0.2/lib/kea/hooks/libdhcp_ha.so",
      "parameters": {
        "high-availability": [{
          // ...
          "multi-threading": {
            "http-dedicated-listener": false
          }
        }]
      }
    }],
    "control-sockets": [
      {
        "socket-type": "http",
        "socket-address": "127.0.0.1",
        "socket-port": 8004, // general use
        "authentication": {
          "type": "basic",
          "realm": "kea-dhcpv4-server",
          "clients": [
            {
              "user": "admin",
              "password": "12345678"
            } ]
        }
      },
      {
        "socket-type": "http",
        "socket-address": "127.0.0.1",
        "socket-port": 8005, // Specific to HA
        "authentication": {
          "type": "basic",
          "realm": "kea-dhcpv4-server",
          "clients": [
            {
              "user": "ha-admin",
              "password": "foobar"
            } ]
        }
      }
    ]
  }
}
--8<---------------cut here---------------end--------------->8---
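
A check for whether each listener in a setup like the one sketched above really rejects missing or wrong credentials, as an added example that is not part of the original message or of Kea's own tooling. The function names are hypothetical; it assumes the ports and accounts from the sketch, `list-commands` as a harmless probe command, and that a rejected request is answered with HTTP 401.

```python
import base64
import json
import urllib.error
import urllib.request

# Bypass any proxy from the environment: the probe must hit the listener directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def post_command(url, creds=None, command="list-commands", timeout=5):
    """POST a Kea JSON command and return the HTTP status code."""
    req = urllib.request.Request(
        url, data=json.dumps({"command": command}).encode(),
        headers={"Content-Type": "application/json"})
    if creds is not None:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other error statuses arrive as exceptions


def verdict(codes):
    """Classify the status codes seen for no, wrong and valid credentials."""
    if 200 in (codes["none"], codes["wrong"]):
        return "accepts-any"       # request succeeded without valid credentials
    if codes["none"] == codes["wrong"] == 401:
        return "enforced" if codes["valid"] == 200 else "valid-rejected"
    return "inconclusive"


def audit_listener(url, valid_creds):
    """Probe one listener three ways; return (verdict, status codes)."""
    wrong = (valid_creds[0], valid_creds[1] + "-wrong")  # constructed bad password
    codes = {"none": post_command(url),
             "wrong": post_command(url, wrong),
             "valid": post_command(url, valid_creds)}
    return verdict(codes), codes


if __name__ == "__main__":
    # Ports and accounts are taken from the configuration sketch above.
    for port, creds in ((8004, ("admin", "12345678")), (8005, ("ha-admin", "foobar"))):
        url = "http://127.0.0.1:%d/" % port
        try:
            print(url, *audit_listener(url, creds))
        except OSError as exc:  # URLError: nothing listening, timeout, ...
            print(url, "unreachable:", exc)
```

A result of `accepts-any` on a port means that listener answered the command without valid credentials; `valid-rejected` means the account being tested is not one the listener accepts.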