Bug #11630
Check what to do wrt. NetworkManager's internal DHCP client vs. isc-dhcp-client
100%
Description
network-manager (1.2.4-2) unstable; urgency=medium
* Demote isc-dhcp-client from Depends to Recommends.
NetworkManager will automatically fall back to the internal dhcp client if
dhclient is not available. (Closes: #826680)
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826680 for details.
It seems to me that if the internal dhcp client has the features we want (e.g. wrt. not sending the hostname on the network), then we should go for it: isc-dhcp-client is lots of old code, and has a history of security issues.
At the very least, we should make sure that whatever happens, without us changing our Git tree, works and is safe.
Subtasks
Related issues
Related to Tails - | Resolved | 2016-08-25 |
Related to Tails - Bug #16948: Deal with NetworkManager 1.20+ defaulting to its internal DHCP client | Confirmed |
History
#1 Updated by intrigeri 2016-08-25 07:20:18
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
According to our test suite, current feature/stretch (with isc-dhcp-client) does leak the hostname on the network: dhcp-send-hostname=false seems to be ignored. The internal DHCP client can’t do much worse => I’ll give it a try.
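A hostname leak of the kind comment #1 reports can be checked on a captured DHCP client message by looking for the options that carry a name: option 12 (host name) and option 81 (client FQDN). This is an added example, not code from the Tails test suite or from this ticket; the function names and the sample packets are constructed for illustration. Option overload (option 52) is not handled.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236                   # fixed BOOTP fields before the cookie
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_CLIENT_FQDN = 12, 81   # RFC 2132 host name, RFC 4702 FQDN


def parse_dhcp_options(payload):
    """Return {option code: value bytes} for a DHCP message (UDP payload)."""
    start = BOOTP_HEADER_LEN + 4
    if len(payload) < start or payload[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # pad is a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        # RFC 3396: a repeated option code is the continuation of one value
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def hostname_leaks(payload):
    """Return [(option name, leaked bytes)] for name options the client sent."""
    opts = parse_dhcp_options(payload)
    leaks = []
    if OPT_HOSTNAME in opts:
        leaks.append(("host-name", opts[OPT_HOSTNAME]))
    if OPT_CLIENT_FQDN in opts:          # skip flags and the two rcode bytes
        leaks.append(("client-fqdn", opts[OPT_CLIENT_FQDN][3:]))
    return leaks


def build_discover(extra_options=b""):
    """Constructed sample: minimal DHCPDISCOVER from a made-up MAC address."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0, b"", b"", b"", b"",
                         bytes.fromhex("020000000001"), b"", b"")
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + extra_options + b"\xff"

CLEAN = build_discover()                                          # constructed
LEAKY = build_discover(bytes([OPT_HOSTNAME, 9]) + b"examplepc")   # constructed
```

An empty list from `hostname_leaks` on every DHCPDISCOVER and DHCPREQUEST in a capture is the pass condition; this holds whichever DHCP client produced the traffic.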
#2 Updated by intrigeri 2016-08-25 08:04:03
Just switching to the internal DHCP client does not fix the hostname leak. I’ll try other things such as:
- set dhcp-send-hostname=false in config/chroot_local-includes/etc/NetworkManager/system-connections/Wired connection (in case the fact that it exists already makes it ignore the defaults we set in config/chroot_local-includes/etc/NetworkManager/conf.d/dhcp-hostname.conf)
- drop customization of the list of plugins
- set dhcp-send-hostname=false directly in NetworkManager.conf
- set dhcp-send-hostname=false in a [ip] block
- set dhcp-send-hostname=false in a [ip4] block
#3 Updated by intrigeri 2016-08-25 08:31:04
Once this is fixed, somehow: make sure that we forbid setting the hostname to a value controlled by the DHCP server.
#4 Updated by intrigeri 2016-08-25 09:07:31
- Status changed from In Progress to Resolved
- % Done changed from 10 to 100
Fixing the DHCP hostname leak seems to be orthogonal to this issue, so I’m going to move this topic to the backburner for a while: as long as Debian does not change the default we’ll stick to isc-dhclient. It certainly has a not-so-good security history, but at least it’s a separate process (that we confine with AppArmor), and it has been attacked for a while, contrary to the brand new code in NM => it’s not obvious which one is safest, so the status quo wins for now since it’s less work and risk of breakage for us.
#5 Updated by intrigeri 2016-08-25 09:07:40
- related to Bug #11720: DHCP requests leak hostname on Stretch added
#6 Updated by intrigeri 2019-08-18 11:29:57
- related to Bug #16948: Deal with NetworkManager 1.20+ defaulting to its internal DHCP client added