[ntp:hackers] UDel security
David L. Mills
mills at udel.edu
Thu May 12 12:20:34 PDT 2005
Danny, Steve, et al,

For some time now access to our department NTP server pogo.udel.edu has
required cryptographic authentication. Read my message as extending this
model to our public NTP server rackety.udel.edu. The other sandbox
machines here have flavor of the moment configurations for testing
purposes that sometimes do and sometimes don't require authentication.

Perhaps my meaning can be clarified by saying the notrust bit is set for
pogo and that I plan to set it on rackety (with due advance notice).

Recent experience at USNO and NIST strongly suggests some form of
mandatory access control is necessary for at least some public servers.
Case in point is at USNO, where the operators want to screen out all
except military customers. Autokey and notrust would seem the natural
defense. To make this work in practice, there needs to be a convenient
way to get the group key. At the moment, I can't find the magic secure
web page that serves as a way to get the group key wrapped in a shell
script that installs the key and links.

What I would like to see at ISC is a secure web page which does this
where the user supplies the server name and password to encrypt the
reply. The group key could be supplied at the time the public list is
updated. I would assume some way would be required to upload the group
key. Is this possible?

Of course, this issue in and of itself has nothing to do with whether or
not the notrust bit is set.

>----- Original Message Follows -----

>>The department staff has closed all access from outside 128.4 to only
>>a few carefully watched public machines and closed off all RPC ports
>>except NTP and a couple of others. The 128.4 NTP test machines on the
>>campus and backroom subnets are currently open to ssh (only). I should
>>probably change that to require login to pogo first before allowing
>>access to other machines. Will this be a problem for the legitimate
>>testers and hackers?

>From my point of view as a developer, as long as I can SSH into pogo
>as necessary that's fine. I usually SSH to pogo before I go anywhere
>else anyway. This sounds like a good choice.

>>Most of our machines are now closed access via NTP unless
>>cryptographically authenticated. I intend to do that for all campus
>>servers, including those that are now open access. UDel will thus turn
>>into a black hole for everything except the web and a few portholes
>>like our campus, department public servers.

>I'm not sure I understand how you are closing access via NTP unless
>cryptographically authenticated since the Autokey scheme authenticates
>the server to the client rather than the other way round. We've
>had a number of discussions on this issue. Or did I misunderstand
>what you are saying?

>>I am asking the ISC to regularize the Autokey group key provision via
>>the web. Can we set up a scheme that allows registration and retrieval
>>of a group key for designated machines? I am open to any scheme that
>>provides cryptographically secure storage and retrieval of a group key
>>for any specific registered group.

>Are you talking about the autokey key distribution scheme that Steve
>set up? Or is this something else? What keys would be distributed and
>for what machines?