[ntp:questions] What to do for clients less than 4.2.8?

Rob nomail at example.com
Mon Dec 22 10:32:00 UTC 2014

Martin Burnicki <martin.burnicki at meinberg.de> wrote:
> Rob schrieb:
>> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>>> On 21/12/14 10:48, Rob wrote:
>>>> People say "disable crypto" but there is no clear direction in the docs
>>>> on how to do that.  There is no "crypto off" or "disable crypto" config
>>>> directive at first glance.  So how is this done?
>>> I would assume by not enabling it.
>> Ok, but in that case why the worry about the "millions of vulnerable
>> servers" on the internet, I think most users who just want to get and
>> serve time don't spend the week of time needed to get the crypto working
>> and to coordinate with other servers doing the same.
> I think this is because they just didn't understand in which cases these 
> vulnerabilities can be exploited.
> And of course, the information flow was really bad here, so that it is 
> very hard to figure out which systems are affected.

Indeed.  Only after 3 days there was a statement on the pool mailing list
that the problem only affected servers that can be queried.  Well, that
had better be stated in the original release, so that 99.9% of the users
of ntpd could immediately move it to "not for me" and not be worried.

>> So for now I presume it is on by default...  also because of what I saw
>> in the OpenSUSE example config.  (or would the "keys" config directive
>> be the magic enable crypto directive?)
> Unfortunately openSUSE has (symmetric keys) crypto enabled to be able to 
> change ntpd's configuration at runtime via ntpq and/or ntpdc commands. 
> E.g. if the dhcp client receives a DHCP option with the IP of an an NTP 
> server it configures ntpd dynamically to use this server.

Ok, I always immediately cut out such behaviour after installing a system.
I don't want DHCP to modify my NTP settings, or to restart ntpd.
(of course the neat thing about the above solution is that it is not
required to restart ntpd.  in Debian, for example, ntpd is restarted when
a DHCP lease with changed ntp option is received)

I was amazed to see that when updating ntpd from the OpenSUSE update,
the last part of ntp.conf which I commented-out was appended again by
the update script.  So I removed it again.

More information about the questions mailing list