[ntp:questions] What to do for clients less than 4.2.8?

Martin Burnicki martin.burnicki at meinberg.de
Mon Dec 22 10:16:07 UTC 2014


Rob wrote:
> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>> On 21/12/14 10:48, Rob wrote:
>>> People say "disable crypto" but there is no clear direction in the docs
>>> on how to do that.  There is no "crypto off" or "disable crypto" config
>>> directive at first glance.  So how is this done?
>>
>> I would assume by not enabling it.
>
> Ok, but in that case why the worry about the "millions of vulnerable
> servers" on the internet, I think most users who just want to get and
> serve time don't spend the week of time needed to get the crypto working
> and to coordinate with other servers doing the same.

I think this is because they just didn't understand in which cases these 
vulnerabilities can be exploited.

And of course, the information flow was really bad here, so that it is 
very hard to figure out which systems are affected.

> So for now I presume it is on by default...  also because of what I saw
> in the OpenSUSE example config.  (or would the "keys" config directive
> be the magic enable crypto directive?)

Unfortunately openSUSE has (symmetric keys) crypto enabled to be able to 
change ntpd's configuration at runtime via ntpq and/or ntpdc commands. 
E.g. if the DHCP client receives a DHCP option with the IP of an NTP 
server it configures ntpd dynamically to use this server.

Martin
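
Added example, not part of the original message: a small audit that reports which authentication-related directives an ntp.conf contains (`keys`/`trustedkey` for symmetric keys, `controlkey`/`requestkey` for ntpq/ntpdc runtime configuration, `crypto`/`autokey` for Autokey). The sample configuration is constructed, not the actual openSUSE file, and the function name `audit_ntp_conf` is hypothetical.

```python
# Constructed sample configuration (not the real openSUSE default).
SAMPLE_CONF = """\
server 0.pool.example.org iburst
driftfile /var/lib/ntp/drift/ntp.drift
keys /etc/ntp.keys      # symmetric key file
trustedkey 1
requestkey 1
controlkey 1
"""

# Directives that create an association and may carry the "autokey" option.
ASSOC = {"server", "peer", "pool", "broadcast", "manycastclient"}


def audit_ntp_conf(text):
    """Report which authentication-related directives are present."""
    keys_file, trusted = None, []
    requestkey = controlkey = None
    crypto, autokey_lines = False, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        word, args = tokens[0].lower(), tokens[1:]
        if word == "keys" and args:
            keys_file = args[0]
        elif word == "trustedkey":
            trusted += args
        elif word == "requestkey" and args:
            requestkey = args[0]
        elif word == "controlkey" and args:
            controlkey = args[0]
        elif word == "crypto":
            crypto = True
        elif word in ASSOC and "autokey" in (a.lower() for a in args):
            autokey_lines.append(" ".join(tokens))
    return {
        # A key file plus at least one trusted key id: symmetric keys in use.
        "symmetric_keys": keys_file is not None and bool(trusted),
        "ntpq_controlkey": controlkey is not None,    # key id used by ntpq
        "ntpdc_requestkey": requestkey is not None,   # key id used by ntpdc
        "autokey": crypto or bool(autokey_lines),
    }


if __name__ == "__main__":
    for name, value in audit_ntp_conf(SAMPLE_CONF).items():
        print(f"{name}: {value}")
```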


