On Tue, 08.11.16 16:49, Stephen Gallagher (sgallagh(a)redhat.com) wrote:
For as long as I can recall, Fedora has shipped with a default hostname of
"localhost.localdomain"[1]. This default was "safe" for a very long time because
we also shipped an /etc/hosts entry that routed this hostname to the loopback
device for the benefit of some older system services (like sendmail).
However, having the default be the same on all systems introduces other
problems, notably with regards to acting as a client to FreeIPA or Active
Directory domain controllers.
When enrolling with one of these DCs, the machine's current hostname (up to the
first dot) is used to uniquely identify the machine into the domain. If the
machine's hostname is not unique in that domain, the enrollment will either fail
or the machine will take over that name (depending on the server-side
implementation). Neither case is likely to be what the user intended.
Some information on competing platforms:
Windows deals with this for its systems by assigning all new machines a
random hostname of the form WIN-XXXXXXXXXXX (that's a strict count of 11 random
characters of either capital letters or decimal numerals after the WIN- prefix).
This is because there is a 15-character maximum limit on the machine-name in
Active Directory, after which it is simply truncated (which is a bad behavior,
but one we have to deal with).
Mac OS X and Ubuntu both require the user to pick a machine name at install time
explicitly. They do not autogenerate one at all.
SUSE generates a random name of the format linux-XXXXXX (I'm not sure how many
random characters).
My proposal is that we should consider changing the default hostname for Fedora
26 to be either FED-XXXXXXXXXXX or FEDORA-XXXXXXXX. The former allows for a
longer random string and therefore lower risk of collision in large
environments, while the latter would also provide improved branding for
Fedora[2]. Our default BASH shell prompt includes the current machine's hostname.
Thoughts on how to generate these random strings are of course up for
discussion. Given that initial machine creation may have limited available
entropy, we may want to avoid just calling out to /dev/random. Dusty Mabe
suggested on IRC that one option might be to use either the first or last
8/11 characters from /etc/machine-id, since presumably those would be
sufficiently random.
Other operating systems, notably security-focussed ones like ChromeOS,
go the other way, and try to remove as many identifiers as possible
that could be used to track users. In fact, at LPC we discussed even
making /etc/machine-id an optional concept in that context, so that
there really would not be any useful local ID that could leak to
external systems.
I must say I sympathise with the ChromeOS approach there, I think it would
make sense to default to a more secure default in this regard, rather
than opening this all up.
Now, I can see that it is useful for systems that install the IPA
client to behave differently here, and use some better hostname for
them, but I think this should only happen on those systems: I think a
good solution would be to continue to use "localhost" as the Fedora
default hostname, but make the IPA enrollment code smart enough, so
that it recognizes that "localhost" is not useful as a public hostname
(it really should know this anyway!), and if it sees that, it
automatically changes the hostname to something more useful for IPA
clients. (changing the hostname in this case is easy, there's a
friendly bus API for that in hostnamed)
Hence, please keep this specific to IPA clients, don't let this leak
into the Fedora defaults.
(Also, please do not leak /etc/machine-id as it is — or any parts of
it — into identifiers that are passed onto the untrusted networks, in
particular as suffixes of hostnames. Instead, hash it with some
cryptographic, keyed hash function, and use a fixed, application-specific
key. That way the ID will be properly unique, and is derived in a
constant way from the machine ID but there's no way to derive the
original machine ID from the app-specific one. I figure this
recommendation should be added to the man page.)
Lennart
--
Lennart Poettering, Red Hat
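
The keyed-hash derivation recommended in the message above, sketched as an added example that is not part of the original thread or of any project's code: it turns a machine ID into a 15-character hostname without exposing the ID itself. `APP_KEY`, the function names and the sample machine ID are constructed assumptions; the `FED-` prefix, the capital-letters-and-digits alphabet and the 15-character limit come from the quoted proposal.

```python
import hashlib
import hmac

# Hypothetical fixed, application-specific key (constructed for this example).
# Every application deriving IDs from the machine ID would use its own key.
APP_KEY = bytes.fromhex("6f1d2c3b4a5968778695a4b3c2d1e0ff")

# Capital letters and decimal digits, as in the WIN-XXXXXXXXXXX scheme.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def app_specific_id(machine_id: str, app_key: bytes = APP_KEY) -> bytes:
    """Return HMAC-SHA256(app_key, machine_id): stable, but not reversible."""
    mid = machine_id.strip().lower()
    # /etc/machine-id holds 32 hexadecimal characters (128 bits).
    if len(mid) != 32 or any(c not in "0123456789abcdef" for c in mid):
        raise ValueError("machine ID must be 32 hexadecimal characters")
    return hmac.new(app_key, bytes.fromhex(mid), hashlib.sha256).digest()


def hostname_from_machine_id(machine_id: str, prefix: str = "FED-",
                             total_len: int = 15,
                             app_key: bytes = APP_KEY) -> str:
    """Derive a hostname of exactly total_len characters from the machine ID."""
    n = total_len - len(prefix)
    if n < 1:
        raise ValueError("prefix leaves no room for a random-looking suffix")
    # Treat the 256-bit digest as an integer and peel off base-36 digits.
    # The digest is far larger than 36**n, so modulo bias is negligible.
    value = int.from_bytes(app_specific_id(machine_id, app_key), "big")
    suffix = []
    for _ in range(n):
        value, digit = divmod(value, len(ALPHABET))
        suffix.append(ALPHABET[digit])
    return prefix + "".join(suffix)


if __name__ == "__main__":
    sample = "0123456789abcdef0123456789abcdef"  # constructed sample machine ID
    print(hostname_from_machine_id(sample))
    print(hostname_from_machine_id(sample, prefix="FEDORA-"))
```
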