[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command
hmurray at megapathdsl.net
Mon Aug 17 22:24:34 UTC 2009
> Definitely a SMP. Since it is currently available to anyone without
> authentication, restricting to a single directory seemed wise. Once
> it requires authentication, both the pathname and the
> non-existent-target restrictions can be removed as far as I know.
"currently available to anyone" seems pretty exciting.
Am running a trojan horse?
Does it at least get caught by a nomodify restrict filter?
Perhaps I'm confused about what the dumpcfg command does. I was expecting
ntpq to extract the current config tree over the net and write it to a file
on the system running ntpq. It sounds as though ntpd is writing it on the
system running ntpd.
> The file permission allows only owner to read because ntp.conf can
> contain a password (crypto pw).
I don't use any passwords so I haven't thought about this area yet. Security
is important, very important. My head hurts thinking about having to hide my
Is there any overview documentation covering security issues in ntpd and/or
I assume it's reasonable to setup a system that uses only public keys so I
don't have to hide anything but the private keys (which are off in a separate
sshd is pretty paranoid about checking file and directory permissions when
looking for private keys. Does ntpd do anything like that?
Has anybody written a simple script to sanity check things like file
These are my opinions, not necessarily my employer's. I hate spam.
More information about the hackers