[ntp:hackers] UDel security

mayer mayer at gis.net
Thu May 12 09:57:18 PDT 2005


----- Original Message Follows -----
> Guys,
> 
> The department staff has closed all access from outside 128.4 to only
> a few carefully watched public machines and closed off all RPC ports 
> except NTP and a couple of others. The 128.4 NTP test machines on the 
> campus and backroom subnets are currently open to ssh (only). I should
> probably change that to require login to pogo first before allowing 
> access to other machines. Will this be a problem for the legitimate 
> testers and hackers?

From my point of view as a developer, as long as I can SSH into pogo
as necessary that's fine. I usually SSH to pogo before I go anywhere
else anyway. This sounds like a good choice.

> 
> Most of our machines are now closed access via NTP unless 
> cryptographically authenticated. I intend to do that for all campus 
> servers, including those that are now open access. UDel will thus turn
> into a black hole for everything except the web and a few portholes
> like our campus, department public servers.

I'm not sure I understand how you are closing access via NTP unless
cryptographically authenticated since the Autokey scheme authenticates
the server to the client rather than the other way round. We've
had a number of discussions on this issue. Or did I misunderstand
what you are saying?

> 
> I am asking the ISC to regularize the Autokey group key provision via 
> the web. Can we set up a scheme that allows registration and retrieval
> of a group key for designated machines? I am open to any scheme that 
> provides cryptographically secure storage and retrieval of a group key
> for any specific registered group.
> 

Are you talking about the autokey key distribution scheme that Steve
set up? Or is this something else? What keys would be distributed and
for what machines?

Danny

> Dave
> 
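[Added illustration, not part of the exchange above: an ntp.conf fragment showing what "closed access via NTP unless cryptographically authenticated" looks like in ntpd's restrict syntax, with the open-access line beside the authenticated-only one. Host names, paths and key ids are assumed placeholders; 128.4 is the campus net mentioned in the thread.]

```conf
# --- Before: open access. Anyone may read time, but nobody may modify
# --- runtime state, set traps, or become a peer.
#restrict default nomodify notrap nopeer noquery

# --- After: "closed unless cryptographically authenticated".
# notrust makes ntpd drop any packet that does not carry a valid
# symmetric-key MAC or Autokey credentials.
restrict default notrust nomodify notrap nopeer noquery

# Exempt the local host and (assumed) the campus net 128.4/16 so
# monitoring from inside still works without a key.
restrict 127.0.0.1
restrict 128.4.0.0 mask 255.255.0.0 nomodify notrap

# Symmetric-key authentication: both sides share the secret, so this
# authenticates the client to the server as well as the reverse.
keys /etc/ntp.keys          # assumed path; each line is: <id> MD5 <secret>
trustedkey 1
server ntp1.example.invalid key 1     # placeholder host name

# Autokey (public-key) authentication, server side:
crypto pw HOST_PASSWORD_PLACEHOLDER   # protects the ntpkey_* private files
keysdir /etc/ntp                      # assumed; files come from ntp-keygen

# ...and on an Autokey client:
#server ntp1.example.invalid autokey  # placeholder host name
```

Note that with notrust and Autokey the server still only validates the Autokey exchange for the client's association; whether that counts as authenticating the client is exactly the point Danny raises above.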