Installing isc-dhcp-client-noddns on Trusty and then upgrade to Xenial
with a local archive of a modified Xenial's isc-dhcp-client to replace
isc-dhcp-client-noddns package to isc-dhcp-client during release upgrade
from Trusty to Xenial work as expected with a completed successful
release upgrade.
+Replaces:
+ isc-dhcp-client-noddns (<< 4.2.4-7ubuntu12.8+noddnsbuild1),
Capture after upgrade :
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
# dpkg -l | grep -i dhcp
ii isc-dhcp-client 4.3.3-5ubuntu12.7 amd64
DHCP client for automatically obtaining an IP address
rc isc-dhcp-client-noddns 4.2.4-7ubuntu12.8+noddnsbuild1 amd64
Dynamic DNS (DDNS) enabled DHCP client
ii isc-dhcp-common 4.3.3-5ubuntu12.6 amd64
common files used by all of the isc-dhcp packages
# lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 707 root 6u IPv4 16437 0t0 UDP *:bootpc
# ls -altr /sbin/dhclient*
-rwxr-xr-x 1 root root 15219 Jan 11 09:12 /sbin/dhclient-script
-rwxr-xr-x 1 root root 487248 Jan 11 09:12 /sbin/dhclient
The only thing that could be improve that I can't think of right now, is
to not make isc-dhcp-client-noddns not turn into "rc" state by making
sure its configuration files doesn't remain.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1176046
Title:
isc-dhcp dhclient listens on extra random ports
Status in isc-dhcp package in Ubuntu:
Fix Released
Status in isc-dhcp source package in Trusty:
In Progress
Status in isc-dhcp source package in Xenial:
Fix Released
Status in isc-dhcp source package in Yakkety:
Fix Released
Bug description:
[Impact]
In trusty, there is only 1 version of dhclient, including #define NSUPDATE,
which introduce DDNS functionnality.
The DDNS functionnality, generate 2 random extra ports between 1024-65535.
Impact reported by users :
"One impact of these random ports is that security hardening becomes more
difficult. The purpose of these random ports and security implications are
unknown."
"We have software that was using one of the lower udp ports but it happened
to collide with dhclient which seems to allocate 2 random ports."
There is a randomization mechanism in libdns that prevent dhclient to take
the sysctl values into account (net.ipv4.ip_local_port_range &
net.ipv4.ip_local_reserved_ports) to workaround this, and after discussion
isc-dhcp upstream doesn't want to rely on kernel for randomization.
There is no realtime configuration to disable the feature or workaround this.
The only possible way is at compile time.
I also talk with upstream maintainers, and there is no way they will
accept to reduce the range (1024-65535) for security reason. Reducing
the port range may facilitate the spoofing.
Xenial has separated dhclient in two packages :
isc-dhcp-client pkg : dhclient with DDNS functionality disabled (no random
extra ports)
isc-dhcp-client-ddns : dhclient with DDNS functionality enabled (with random
extra ports)
The goal here is to reproduce the same situation in Trusty, for this
bug to be less painful for at least users that doesn't require DDNS
functionnality.
[Test Case]
Run a Trusty image with following package :
isc-dhcp-client
isc-dhcp-common
```
dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc
dhclient 1110 root 20u IPv4 11516 0t0 UDP *:64589 # <----------- extra random
port
dhclient 1110 root 21u IPv6 11517 0t0 UDP *:7749 # <----------- extra random
port
```
[Regression Potential]
* none expected
I did the split such that users will automatically get isc-dhcp-client-ddns
installed but users bothered by this bug then will have the option to switch to
the one without it by uninstalling (isc-dhcp-client-ddns),
so existing Trusty users can continue to use this DDNS functionality after
the SRU without any necessary intervention.
With isc-dhcp-client-ddns :
dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc
dhclient 1110 root 20u IPv4 11516 0t0 UDP *:64589 # <----------- extra random
port
dhclient 1110 root 21u IPv6 11517 0t0 UDP *:7749 # <----------- extra random
port
Without isc-dhcp-client-ddns :
dhclient 1110 root 6u IPv4 11535 0t0 UDP *:bootpc
Note that this is how Xenial does it.
[Other Info]
* See :
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046/comments/19 to
look at my discussion with rbasak on if that approach would be acceptable for
SRU.
[Original Description]
Ubuntu 13.04 Server 64-bit. Fresh install. Only one network adapter.
dhclient process is listening on two randomly chosen udp ports in
addition to the usual port 68. This appears to be a bug in the
discovery code for probing information on interfaces in the system.
Initial research of the code also suggested omapi, but adding omapi
port 9999 to /etc/dhcp/dhclient.conf only opened a forth port with the
two random udp ports still enabled.
Version of included distro dhclient was 4.2.4. I also tested with the
latest isc-dhclient-4.2.5-P1 and got the same results.
Debian has the same bug:
http://forums.debian.net/viewtopic.php?f=10&t=95273&p=495605#p495605
One impact of these random ports is that security hardening becomes
more difficult. The purpose of these random ports and security
implications are unknown.
Example netstat -lnp output:
udp 0 0 0.0.0.0:21117 0.0.0.0:*
2659/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:*
2659/dhclient
udp6 0 0 :::45664 :::*
2659/dhclient
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1176046/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
