[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Danny Mayer mayer at ntp.org
Sat Aug 22 18:09:53 UTC 2009


Dave Hart wrote:
> On Mon, Aug 17, 2009 at 10:24 PM, Hal Murray wrote:
> 
>> Perhaps I'm confused about what the dumpcfg command does. I was expecting
>> ntpq to extract the current config tree over the net and write it to a file
>> on the system running ntpq. It sounds as though ntpd is writing it on the
>> system running ntpd.
> 
> That's right.  Returning the output to ntpq might be useful, but it's
> challenging since you're dealing with small packets and a datagram
> protocol with no guarantees of delivery or order.

I don't see that at all. We do this with ntpq -p and there are no
problems doing so and it gets one packet (equal to one row of the list)
at a time. While UDP does not guarantee delivery, the order is kept by
sending one line at a time as we currently do with peers. The order IS
important here since subsequent lines in the config file act as
modifiers to prior lines (restrict is a good example of this).
> 
>>> The file permission allows only owner to read because ntp.conf can
>>> contain a password (crypto pw).
>> I don't use any passwords so I haven't thought about this area yet. Security
>> is important, very important. My head hurts thinking about having to hide my
>> config files.
> 
> Most people don't have anything to hide in ntp.conf.  The passphrases
> used for authenticated ntpq are stored in a separate file.  "crypto
> pw" is used with autokey to decrypt identity files encrypted with
> ntp-keygen -p.
> 

This needs to be secured by some sort of restriction to allow operators
to restrict access to the file. Some people need it and it should not be
enabled by default.

>> Is there any overview documentation covering security issues in ntpd and/or
>> friends?
> 
> Not that I'm aware of.
> 

We need one. Most of the documentation on security (apart from what we
have on the support wiki concerning restrict options) doesn't really
address any of these issues.

Danny
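To make the two points in this exchange concrete (one config line per datagram so the receiver can rebuild the file in order and notice gaps, and the fact that a dumped config can carry a "crypto pw" secret), here is a small simulation. It is an added example written for this archive page, not code from ntpq or ntpd; the config lines, the sequence-number framing and the helper names are all constructed.

```python
import random

# Constructed ntp.conf-style lines (not from the thread). Order matters:
# later lines act as modifiers to earlier ones, as Danny notes for restrict.
CONFIG_LINES = [
    "restrict default nomodify noquery",
    "restrict 127.0.0.1",
    "server 192.0.2.10 iburst",
    "crypto pw example-passphrase randfile /dev/urandom",
]

def redact(line):
    """Mask the passphrase that follows 'pw' on a crypto line before it
    is written or transmitted; other lines pass through unchanged."""
    words = line.split()
    if words and words[0] == "crypto" and "pw" in words[1:-1]:
        i = words.index("pw") + 1
        words[i] = "********"
    return " ".join(words)

def send_lines(lines):
    """ntpd side (simulated): one datagram per line, tagged with its
    sequence number and the total count so gaps are detectable."""
    total = len(lines)
    return [(seq, total, redact(line)) for seq, line in enumerate(lines)]

def deliver(datagrams, drop=(), seed=1):
    """Simulated UDP path: datagrams may arrive out of order or be lost."""
    out = [d for d in datagrams if d[0] not in drop]
    random.Random(seed).shuffle(out)
    return out

def receive_lines(datagrams):
    """ntpq side (simulated): reassemble by sequence number.
    Returns (lines_in_order, missing_sequence_numbers)."""
    by_seq, total = {}, None
    for seq, n, line in datagrams:
        total = n
        by_seq[seq] = line  # a duplicate simply overwrites the same text
    if total is None:
        return [], []
    missing = [i for i in range(total) if i not in by_seq]
    lines = [by_seq[i] for i in range(total) if i in by_seq]
    return lines, missing

if __name__ == "__main__":
    got, gaps = receive_lines(deliver(send_lines(CONFIG_LINES), drop={1}))
    print("\n".join(got), "\nmissing:", gaps)
```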
