Securing dhcpd against unauthorised OMAPI control connections

AA-01355

ISC DHCP has support for OMAPI, the Object Mapping Application Protocol Interface.  OMAPI is an API that can be used for limited control over ISC DHCP server operations.  ISC DHCP also includes omshell, a utility which will communicate with the server (if the server is configured to accept OMAPI connections) on the server's control port.

If an OMAPI port is defined in dhcpd.conf, then dhcpd will open a listening socket on that port and will accept inbound connections.

The DHCP server does not provide a mechanism to reject incoming OMAPI connections based on source address

It is therefore recommended that if operators choose to enable OMAPI that they protect their servers by using another mechanism (such as a network firewall) to restrict access to the OMAPI port to connections only from trusted hosts.

If you do not intend to use the OMAPI control port, then we recommend that you ensure that you have not enabled it on your ISC DHCP servers.

OMAPI is not enabled by default, but many sample configurations contain syntax that enables it :

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret Ofakekeyfakekeyfakekey==;
}

Note that in the example above, a secret key has also been specified.  It is important to use a key so that dhcpd can only be controlled by someone running omshell or other client program using that same secret key.

OMAPI allows control over server state, including the ability to shut the server down remotely

Shared keys are the mechanism that the DHCP server uses to verify incoming OMAPI requests from omshell or an OMAPI client program. If you are running a public-facing ISC DHCP server, you are strongly advised to use both network firewalls (to control which source addresses can connect to the OMAPI control channel) and shared keys (to ensure that only authorized clients can give commands on the OMAPI channel.)