[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Hal Murray hmurray at megapathdsl.net
Mon Aug 17 22:24:34 UTC 2009


> Definitely a SMP.  Since it is currently available to anyone without
> authentication, restricting to a single directory seemed wise.  Once
> it requires authentication, both the pathname and the
> non-existent-target restrictions can be removed as far as I know. 

"currently available to anyone" seems pretty exciting.

Am running a trojan horse?

Does it at least get caught by a nomodify restrict filter?


Perhaps I'm confused about what the dumpcfg command does.  I was expecting 
ntpq to extract the current config tree over the net and write it to a file 
on the system running ntpq.  It sounds as though ntpd is writing it on the 
system running ntpd.


> The file permission allows only owner to read because ntp.conf can
> contain a password (crypto pw).

I don't use any passwords so I haven't thought about this area yet.  Security 
is important, very important.  My head hurts thinking about having to hide my 
config files.

Is there any overview documentation covering security issues in ntpd and/or 
friends?

I assume it's reasonable to setup a system that uses only public keys so I 
don't have to hide anything but the private keys (which are off in a separate 
file).

sshd is pretty paranoid about checking file and directory permissions when 
looking for private keys.  Does ntpd do anything like that?

Has anybody written a simple script to sanity check things like file 
protections?





-- 
These are my opinions, not necessarily my employer's.  I hate spam.





More information about the hackers mailing list