[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command
Dave Hart
davehart at gmail.com
Tue Aug 18 06:55:28 UTC 2009
On Mon, Aug 17, 2009 at 10:24 PM, Hal Murray wrote:
>
> "currently available to anyone" seems pretty exciting.
>
> Am I running a trojan horse?
I don't believe so.
> Does it at least get caught by a nomodify restrict filter?
I haven't tested it. Undoubtedly before long "dumpcfg" (or
"saveconfig"?) will require authentication like ntpq :config, meaning
you need a passphrase in a key file pointed to by ntp.conf, containing
a key whose ID is listed after trustedkey and given as the requestkey
or controlkey (I use the same key ID for both, but only one controls I
believe).
> Perhaps I'm confused about what the dumpcfg command does. I was expecting
> ntpq to extract the current config tree over the net and write it to a file
> on the system running ntpq. It sounds as though ntpd is writing it on the
> system running ntpd.
That's right. Returning the output to ntpq might be useful, but it's
challenging since you're dealing with small packets and a datagram
protocol with no guarantees of delivery or order.
>> The file permission allows only owner to read because ntp.conf can
>> contain a password (crypto pw).
>
> I don't use any passwords so I haven't thought about this area yet. Security
> is important, very important. My head hurts thinking about having to hide my
> config files.
Most people don't have anything to hide in ntp.conf. The passphrases
used for authenticated ntpq are stored in a separate file. "crypto
pw" is used with autokey to decrypt identity files encrypted with
ntp-keygen -p.
> Is there any overview documentation covering security issues in ntpd and/or
> friends?
Not that I'm aware of.
> I assume it's reasonable to set up a system that uses only public keys so I
> don't have to hide anything but the private keys (which are off in a separate
> file).
>
> sshd is pretty paranoid about checking file and directory permissions when
> looking for private keys. Does ntpd do anything like that?
>
> Has anybody written a simple script to sanity check things like file
> protections?
Not as far as I know on both counts.
Cheers,
Dave Hart
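
One way to write the sanity check asked about in this thread, as an added example that is not part of the original message or of the NTP distribution: it verifies that the requestkey and controlkey IDs are listed after trustedkey, that the keys file is owner-only, and that ntp.conf is owner-only when it contains "crypto pw". It assumes plain integer key IDs and treats any group/other access as too loose; `loose`, `audit` and `demo` are names made up for this example, and the sample config and keys file are constructed.

```python
import os
import tempfile
from pathlib import Path

def loose(path):
    """True if group or other have any access to path."""
    return bool(os.stat(path).st_mode & 0o077)

def audit(conf_path):
    """Return findings for one ntp.conf (assumes plain integer key IDs)."""
    findings, trusted, ctl, keys_file, has_pw = [], set(), {}, None, False
    with open(conf_path) as fh:
        for raw in fh:
            words = raw.split("#", 1)[0].split()  # drop comments, tokenize
            if not words:
                continue
            name, args = words[0].lower(), words[1:]
            if name == "keys" and args:
                keys_file = args[0]
            elif name == "trustedkey":
                trusted.update(int(a) for a in args if a.isdigit())
            elif name in ("requestkey", "controlkey") and args and args[0].isdigit():
                ctl[name] = int(args[0])
            elif name == "crypto" and "pw" in args:
                has_pw = True
    if keys_file is None or not os.path.exists(keys_file):
        if ctl:
            findings.append("requestkey/controlkey set but keys file is missing")
    elif loose(keys_file):
        findings.append(f"keys file {keys_file} is accessible by group/other")
    for name, kid in sorted(ctl.items()):
        if kid not in trusted:
            findings.append(f"{name} {kid} is not listed after trustedkey")
    if has_pw and loose(conf_path):
        findings.append(f"{conf_path} has 'crypto pw' but is accessible by group/other")
    return findings

def demo():
    """Audit a constructed ntp.conf and keys file at mode 644, then at mode 600."""
    with tempfile.TemporaryDirectory() as d:
        keys, conf = Path(d, "ntp.keys"), Path(d, "ntp.conf")
        keys.write_text("1 M constructed-passphrase\n")
        conf.write_text(f"keys {keys}\ntrustedkey 1\nrequestkey 1\n"
                        "controlkey 2\ncrypto pw constructed-pw\n")
        results = []
        for mode in (0o644, 0o600):
            keys.chmod(mode)
            conf.chmod(mode)
            results.append(audit(conf))
        return results
```

`demo()` returns the findings at mode 644 and then at mode 600; `audit()` takes the path of a real ntp.conf.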