Niklas Hambüchen
2017-May-27 15:46 UTC
Replacing of non-alphanumeric chars in Name can be confusing
Tinc replaces non-alphanumeric characters in the `Name` field of tinc.conf by '_' (see [1] and [2]). This includes hyphens ('-'), which are often used in host names.

That is quite surprising, and can easily lead to misconfigurations, especially because there doesn't seem to be a warning if you configure `Name = node-1`, and on the other machines the host file /etc/tinc/myvpn/hosts/node-1, as no such replacement is done on the files in the file system.

It's especially troublesome because the way that tinc replaces chars in the host name is an undocumented implementation detail, so when configuring tinc, you can't really know how you have to call your .../hosts/... files because you don't know guaranteed what replacements tinc will perform.

The man page https://www.tinc-vpn.org/documentation-1.1/tinc.conf.5 says

"If Name is $HOST, but no such environment variable exist, the hostname will be read using the gethostname() system call."

Now of course one can say "well, it doesn't say that the gethostname() is *used*, just that it is *read*, so technically that's right", but a sysadmin who just got really confused wouldn't appreciate that fact.

Thus, I would like to request one of the following changes:

1) The tinc man page makes explicit which characters are allowed in the `Name`, and tinc bails out if that is not honoured.

or

2) The tinc man page makes explicit which characters are allowed in the `Name`, and details what replacements are done, so that the administrator can place correctly substituted .../hosts/... files.

or

3) Tinc performs the same replacements it does to `Name` fields with non-alphanumeric .../hosts/... files, and mentions this in the man page.

Of those, (3) seems ugly and requires a directory scan. I prefer (1), as administrators are still very likely to get it accidentally wrong, especially when setting up tinc in automated deployments.

Thank you!
Niklas

[1] https://github.com/gsliepen/tinc/blob/5c344f297682cf11793407fca4547968aee22d95/src/net_setup.c#L341
[2] https://github.com/gsliepen/tinc/blob/1.1/src/net_setup.c#L389
Guus Sliepen
2017-May-27 16:56 UTC
Replacing of non-alphanumeric chars in Name can be confusing
On Sat, May 27, 2017 at 05:46:17PM +0200, Niklas Hambüchen wrote:

> Tinc replaces non-alphanumeric characters in the `Name` field of
> tinc.conf by '_' (see [1] and [2]).

Only if you use Name = $something. This is clearly mentioned in the manpage. In particular, it says:

    Name may only consist of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _), and is case sensitive.

So it's clear about what names are normally allowed. It then goes on to mention:

    If Name starts with a $, then the contents of the environment variable that follows will be used. In that case, invalid characters will be converted to underscores.

This was done specifically to make it easy to use Name = $HOST, and still work when the hostname contains hyphens. However, since some operating systems don't provide the equivalent of $HOST, or when tinc is run in a restricted environment where $HOST is not set, tinc will use gethostname() as a convenience. But there is no reason to expect that this would suddenly allow hyphens.

So I believe your suggestions 1) and 2) are already implemented!

I know it was not perhaps the best choice for tinc to prevent the use of the hyphen in Names, however it would be problematic to allow it for two backwards-compatibility reasons: all versions of tinc up to now will disconnect from any nodes that send any information about nodes with hyphens in their name, and the possible ambiguity when you have node names ending in -up or -down.

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus at tinc-vpn.org>
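
A pre-deployment check for the Name/hosts-file mismatch discussed in this thread, added here as an example (it is not code from tinc or from either poster). It models only the behaviour described in the messages above: literal names limited to a-z, A-Z, 0-9 and _, `$VAR` names with invalid characters converted to underscores, and the gethostname() fallback for `$HOST`. The function names, the `Name = value` line parsing and the sample directory are assumptions made for the example.

```python
import os
import re
import socket
import tempfile

VALID = re.compile(r"[A-Za-z0-9_]+")  # allowed Name characters per the man page

def effective_name(raw, env, hostname=socket.gethostname):
    """Name tinc ends up with for `Name = raw`, as described in the thread."""
    if not raw.startswith("$"):
        if not VALID.fullmatch(raw):
            raise ValueError(f"invalid literal Name {raw!r}")  # no substitution here
        return raw
    value = env.get(raw[1:])
    if value is None:
        if raw != "$HOST":
            raise ValueError(f"environment variable {raw[1:]} is not set")
        value = hostname()  # gethostname() fallback, only for $HOST
    return re.sub(r"[^A-Za-z0-9]", "_", value)  # invalid characters become '_'

def check_netdir(netdir, env=os.environ):
    """Return a list of problems found in one tinc network directory."""
    with open(os.path.join(netdir, "tinc.conf")) as conf:
        match = re.search(r"^\s*Name\s*=\s*(\S+)", conf.read(), re.M | re.I)
    if not match:
        return ["tinc.conf has no Name line"]
    try:
        name = effective_name(match.group(1), env)
    except ValueError as exc:
        return [str(exc)]
    hosts = sorted(os.listdir(os.path.join(netdir, "hosts")))
    problems = []
    if name not in hosts:
        problems.append(f"hosts/{name} is missing (Name resolves to {name!r})")
    problems += [f"hosts/{h} is not a valid node name" for h in hosts
                 if not VALID.fullmatch(h)]
    return problems

def demo():
    """Constructed layout: Name = $HOST on a machine whose HOST is node-1."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "hosts"))
        with open(os.path.join(d, "tinc.conf"), "w") as f:
            f.write("Name = $HOST\n")
        open(os.path.join(d, "hosts", "node-1"), "w").close()
        return check_netdir(d, env={"HOST": "node-1"})

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run against each node's network directory before rollout; an empty list means the resolved Name has a matching hosts file and no hosts file carries a name tinc would reject.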