Securing dhcpd against unauthorised OMAPI control connections
Author: Cathy Almond   Reference Number: AA-01355   Created: 2016-03-04 18:16   Last Updated: 2017-06-22 16:15

ISC DHCP has support for OMAPI, the Object Management API.  OMAPI is an API that can be used for limited control over ISC DHCP server operations.  ISC DHCP also includes omshell, a utility which communicates with the server on the server's control port (if the server is configured to accept OMAPI connections).

If an OMAPI port is defined in dhcpd.conf (the omapi-port statement), then dhcpd will open a listening TCP socket on that port and will accept inbound connections from any source.

The DHCP server does not provide a mechanism to reject incoming OMAPI connections based on source address.

It is therefore recommended that operators who choose to enable OMAPI protect their servers by another mechanism (such as a network firewall) that restricts access to the OMAPI port to connections from trusted hosts only.

If you do not intend to use the OMAPI control port, then we recommend that you ensure that you have not enabled it on your ISC DHCP servers.

OMAPI is not enabled by default, but many sample configurations contain syntax that enables it:

# dhcpd.conf
# Sample configuration file for ISC dhcpd

# Listen for OMAPI control connections on TCP port 7911
omapi-port 7911;
# Require clients to authenticate with this key
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     # Placeholder value from the sample; replace it with a freshly generated secret
     secret Ofakekeyfakekeyfakekey==;
}

Note that in the example above, a secret key has also been specified.  It is important to use a key so that dhcpd can only be controlled by someone running omshell, or another OMAPI client program, with that same secret key.  Do not leave the placeholder secret from a sample configuration in place: it is public, so it offers no protection at all.
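The checks a practitioner would want to run over an estate of dhcpd.conf files follow from the two points above: is omapi-port set at all, and if so, does it reference a defined key whose secret is not a copied sample value. The script below is an added example, not ISC code; it is a lightweight lexical scan of the three relevant statements, not a full dhcpd.conf parser, and the sample configuration embedded in it is constructed from the snippet above. The generate_key_stanza helper produces a replacement key block with a random 128-bit secret in the same hmac-md5 form the sample uses; the ISC tooling normally used for this (for example dnssec-keygen or tsig-keygen) is not required for the example to run.

```python
#!/usr/bin/env python3
"""Audit a dhcpd.conf for OMAPI exposure (added example, not ISC code).

Finding codes returned by audit():
  omapi-port-no-key         omapi-port is set but there is no omapi-key statement
  omapi-key-undefined       omapi-key names a key with no matching key {} block
  omapi-placeholder-secret  the secret is a publicly known sample value
  omapi-secret-not-base64   the secret does not decode as base64
An empty list means OMAPI is off, or on with a defined, non-placeholder key.
"""
import base64
import binascii
import re
import secrets

# Secrets seen verbatim in widely copied sample configurations.  This is a
# constructed starting set (the entry is ISC's own sample placeholder);
# extend it with anything found in your own estate.
PLACEHOLDER_SECRETS = {"Ofakekeyfakekeyfakekey=="}

# Lexical patterns for the statements we care about, applied after comments
# are stripped.  The lookbehind on "key" keeps "omapi-key" from matching.
_PORT_RE = re.compile(r"\bomapi-port\s+(\d+)\s*;")
_KEYREF_RE = re.compile(r"\bomapi-key\s+\"?([^\s\";]+)\"?\s*;")
_KEYDEF_RE = re.compile(r"(?<![\w-])key\s+\"?([^\s\"{]+)\"?\s*\{([^}]*)\}")
_ALG_RE = re.compile(r"\balgorithm\s+\"?([\w-]+)\"?\s*;", re.I)
_SECRET_RE = re.compile(r"\bsecret\s+\"?([^\s\";]+)\"?\s*;")


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out omapi-port does not count."""
    return re.sub(r"#[^\n]*", "", text)


def parse_omapi(conf_text: str) -> dict:
    """Return the OMAPI-relevant pieces: port, key reference, key definitions."""
    text = strip_comments(conf_text)
    port = _PORT_RE.search(text)
    keyref = _KEYREF_RE.search(text)
    keys = {}
    for m in _KEYDEF_RE.finditer(text):
        body = m.group(2)
        alg = _ALG_RE.search(body)
        sec = _SECRET_RE.search(body)
        keys[m.group(1)] = {
            "algorithm": alg.group(1).lower() if alg else None,
            "secret": sec.group(1) if sec else None,
        }
    return {
        "port": int(port.group(1)) if port else None,
        "key_name": keyref.group(1) if keyref else None,
        "keys": keys,
    }


def audit(conf_text: str) -> list:
    """Return the list of finding codes for the OMAPI configuration."""
    cfg = parse_omapi(conf_text)
    if cfg["port"] is None:
        return []  # OMAPI is not enabled, so nothing is listening.
    if cfg["key_name"] is None:
        return ["omapi-port-no-key"]
    key = cfg["keys"].get(cfg["key_name"])
    if key is None or key["secret"] is None:
        return ["omapi-key-undefined"]
    findings = []
    if key["secret"] in PLACEHOLDER_SECRETS:
        findings.append("omapi-placeholder-secret")
    try:
        base64.b64decode(key["secret"], validate=True)
    except (binascii.Error, ValueError):
        findings.append("omapi-secret-not-base64")
    return findings


def generate_key_stanza(name: str = "omapi_key", nbytes: int = 16) -> str:
    """Emit a key {} block with a fresh random secret (hmac-md5, 16 bytes,
    matching the shape of the sample's placeholder)."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return (
        f"key {name} {{\n"
        f"     algorithm hmac-md5;\n"
        f"     secret {secret};\n"
        f"}}\n"
    )


# Constructed sample: the page's snippet, with its missing closing brace.
SAMPLE_CONF = """\
# dhcpd.conf
omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret Ofakekeyfakekeyfakekey==;
}
"""

if __name__ == "__main__":
    print("sample config:", audit(SAMPLE_CONF) or "no findings")
    fixed = "omapi-port 7911;\nomapi-key omapi_key;\n" + generate_key_stanza()
    print("regenerated key:", audit(fixed) or "no findings")
    print(fixed)
```

The audit says nothing about who can reach the port; a clean result still has to be paired with the firewall restriction recommended above, because dhcpd itself will accept the TCP connection from anywhere and only then reject unauthenticated requests.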

OMAPI allows control over server state, including the ability to shut the server down remotely.

Shared keys are the mechanism that the DHCP server uses to verify incoming OMAPI requests from omshell or an OMAPI client program.  If you are running a public-facing ISC DHCP server, you are strongly advised to use both a network firewall (to control which source addresses can connect to the OMAPI control channel) and a shared key (to ensure that only authorized clients can issue commands on the OMAPI channel).

© 2001-2018 Internet Systems Consortium
