[ntp:hackers] UDel security
mayer at gis.net
Thu May 12 09:57:18 PDT 2005
----- Original Message Follows -----
> The department staff has closed all access from outside 128.4 to only
> a few carefully watched public machines and closed off all RPC ports
> except NTP and a couple of others. The 128.4 NTP test machines on the
> campus and backroom subnets are currently open to ssh (only). I should
> probably change that to require login to pogo first before allowing
> access to other machines. Will this be a problem for the legitimate
> testers and hackers?
From my point of view as a developer, as long as I can SSH into pogo
as necessary that's fine. I usually SSH to pogo before I go anywhere
else anyway. This sounds like a good choice.
> Most of our machines are now closed access via NTP unless
> cryptographically authenticated. I intend to do that for all campus
> servers, including those that are now open access. UDel will thus turn
> into a black hole for everything except the web and a few portholes
> like our campus, department public servers.
I'm not sure I understand how you are closing access via NTP unless
cryptographically authenticated since the Autokey scheme authenticates
the server to the client rather than the other way round. We've
had a number of discussions on this issue. Or did I misunderstand
what you are saying?
> I am asking the ISC to regularize the Autokey group key provision via
> the web. Can we set up a scheme that allows registration and retrieval
> of a group key for designated machines? I am open to any scheme that
> provides cryptographically secure storage and retrieval of a group key
> for any specific registered group.
Are you talking about the autokey key distribution scheme that Steve
set up? Or is this something else? What keys would be distributed and
for what machines?
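As an added illustration, not taken from this thread or from the NTP project's own configuration, the "closed access via NTP unless cryptographically authenticated" policy quoted above maps in ntpd (4.2-era semantics) to the `notrust` restriction flag combined with symmetric-key authentication. The open-access and locked-down ntp.conf fragments below are constructed; the key number, key-file contents and the upstream server name are placeholders.

```conf
# --- Before: open access (constructed example) ---
# Any host may query time, and unauthenticated packets are accepted.
restrict default kod nomodify notrap nopeer noquery
server upstream.example.net

# --- After: deny service unless the packet is authenticated ---
# Symmetric keys live in a root-only file, one per line: "<keyno> MD5 <secret>"
# e.g. "1 MD5 CHANGE-ME-PLACEHOLDER" (placeholder, not a real key)
keys /etc/ntp.keys
trustedkey 1

# notrust: discard any packet that is not cryptographically authenticated.
restrict default kod nomodify notrap nopeer noquery notrust
restrict 127.0.0.1
restrict -6 ::1

# The campus subnet (128.4/16, mentioned above) may query but must still
# authenticate; only the peering/query-related flags are relaxed for it.
restrict 128.4.0.0 mask 255.255.0.0 kod nomodify notrap notrust

# With notrust in force the upstream server must be keyed as well, or its
# replies are dropped as unauthenticated.
server upstream.example.net key 1
```

Clients need the same key number and secret in their own keys file and `key 1` on their server line; a client that lacks the key simply gets no reply, which is the observable symptom to look for when rolling this out.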