... | ... | @@ -28,19 +28,17 @@ Kea uses the DHCPv4 and DHCPv6 protocols, which assume the server will open priv |
|
|
|
|
|
The three primary Kea deamons (`kea-dhcp4`, `kea-dhcp6` and `kea-dhcp-ddns`) all support a control channel, which is implemented as UNIX socket. The control channel is disabled by default, but most configuration examples have it enabled as it's a very popular feature. It opens a UNIX socket. To read from or write to this socket, generally root access is required, although if Kea is configured to run as non-root, the owner of the process can write to it. Access can be controlled using normal file access control on POSIX systems (owner, group, others, read/write).
|
|
|
|
|
|
?? Kea configuration is controlled by a JSON file on the Kea server. This file can be viewed or edited by anyone with file permissions (permissions controlled by the operating system).
|
|
|
Kea configuration is controlled by a JSON file on the Kea server. This file can be viewed or edited by anyone with file permissions (permissions controlled by the operating system). Note that passwords are stored in clear text in the configuration file, so anyone with access to read the configuration file can find this information. As a practical matter, anyone with permissions to edit the configuration file has control over Kea.
|
|
|
|
|
|
## Database connections
|
|
|
|
|
|
Kea can optionally use an external MySQL, PostgreSQL or Cassandra database to store configuration, host reservations or leases. The use of databases is a popular feature, but it is optional. It's also possible to store this data in a flat file on disk.
|
|
|
|
|
|
When using a database, Kea will store and use credentials in the form of username, password, host, port and database name in order to authenticate with the database. **These are stored (how? in clear text in the config file? or where?)** yes, clear text in the config file
|
|
|
When using a database, Kea will store and use credentials in the form of username, password, host, port and database name in order to authenticate with the database. **These are stored in clear text in the configuration file.**
|
|
|
|
|
|
Depending on the database configuration, it's also possible to check if the system user matches the database username. Consult MySQL or PostgreSQL manuals for details.
|
|
|
|
|
|
[how is the username and password stored/protected in Kea?]
|
|
|
|
|
|
As of today, Kea does not support SSL/TLS connection to databases. There is a community contributed patch available for [SSL support for MySQL](https://github.com/isc-projects/kea/pull/15) and [SSL support for Cassandra](https://github.com/isc-projects/kea/pull/118). If the communication channel to the database is a concern, the database can be run locally on the Kea server.
|
|
|
Kea does not support SSL/TLS connection to databases. There is a community contributed patch available for [SSL support for MySQL](https://github.com/isc-projects/kea/pull/15) and [SSL support for Cassandra](https://github.com/isc-projects/kea/pull/118). If the communication channel to the database is a concern, the database can be run locally on the Kea server.
|
|
|
|
|
|
## Kea Logging
|
|
|
|
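Review bot: the new text states the same fact twice, once in the configuration paragraph ("Note that passwords are stored in clear text in the configuration file, so anyone with access to read the configuration file can find this information") and again, in bold, in the database paragraph ("**These are stored in clear text in the configuration file.**"); keep one statement and have the other refer to it, and drop the bold, which reads as a leftover editing marker now that the "(how? in clear text in the config file? or where?)" question it replaced is resolved. Since the document itself concludes that anyone who can read the file obtains the database credentials and anyone who can edit it controls Kea, the database section would also benefit from one sentence telling the operator the consequence for deployment: keep the configuration file readable and writable only by the account Kea runs as, which is the "normal file access control" the control-channel paragraph already relies on. Removing the "[how is the username and password stored/protected in Kea?]" placeholder is correct now that the answer is in the text; removing "As of today," from the SSL/TLS sentence is fine, but consider stating the Kea version the statement applies to, since the linked pull requests may change it.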
... | ... | |