Config file format - (Was: [ntp:hackers] FreeBSD serial ports)
jpp at cloudview.com
Sat Feb 19 21:08:07 PST 2005
Harlan Stenn wrote:
>I'm all for all the security we can reasonably provide.
>If somebody wants -c http://... that's fine with me.
>If they want -c https://... that's find with me to.
>Security is a good thing, and we all know that one needs to be root
>(at least under Unix) to start ntpd. This will only be an issue when
>ntpd gets started, and again, if somebody doesn't want to use it they
>don't have to.
>I have seen way too many internal networks with broken ntp.conf files
>that could be very easily solved by using this mechanism, as it would allow
>an internal server (protected networks) to feed clients an ntp.conf file that
>is tailored for their particular subnet.
I tend to agree particularly if in the https option it actually checks
the cert it gets back to see that it's not be revoked or if it is self
signed that it's fingerprint matches a local copy.
I tend to agree with Dave on the security thing - there is a lot to be
said for not inventing new security mechanisms - using https (openssl)
is fine because a lot of people are testing it.
I know ntpd maintains a lot of state - clearly the back end supports
dynamic updates because the current config mechanism supports it so why
can't a new config parse the file and only update what's changed? That
way remote config method becomes "change the file and ping the server to
reload it" - the server gets it from the known secure place using https
and all is right in the world of security.
The other nice thing about an http(s) based config option is that
embedded systems can use it in a way that can be fixed later - load the
config from the manufacturers site unless the user overrides. This
means that problems like the hard coded servers going away can be fixed.
As for dumping state - that's a different issue - I have no problem with
having a way of telling the server to dump state - *if* the config file
specifies that it's allowed and where. As long a there is no way to
overwrite the config (ie a hard coded test that state file != config file)
More information about the hackers