[ntp:hackers] ntp-dev ntp_proto.c receive AM_NEWPASS
mayer at ntp.org
Sun Jul 5 01:42:34 UTC 2009
Ronan Flood wrote:
> I've just noticed a code change in ntp-dev ntp_proto.c which I think
> has slightly wider applicability than is stated. In receive(), case
> AM_NEWPASS, there is now a conditional around the code to respond to
> a symmetric active request from an unauthenticated/unpeered client:
> #ifdef WINTIME
> /*
>  * If authenticated but cannot mobilize an
>  * association, send a symmetric passive
>  * response without mobilizing an association.
>  * This is for drat broken Windows clients. See
>  * Microsoft KB 875424 for preferred workaround.
>  */
> fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL, flags);
> #else /* WINTIME */
> #endif /* WINTIME */
> I think that also affects ntpd clients which use "peer xxx" instead
> of "server xxx" in ntp.conf, as the server does not respond to the
> queries, so will likely break some existing client configs if the
> server is upgraded. Is that the intent? Is WINTIME on or off by
> I have just experienced this when restoring ntp2.usno.navy.mil
> to a config I had pared down during the false leap second situation.
> With "peer ..." I get no response, changing to "server ..." works.
> I suspect the code above is responsible.
You cannot peer with another server unless it also peers with you. You
need to use server for this. I'm not even sure that you should be using
this server in the first place, not just because you are not in the US
military but because you are in London and it's not the best NTP server
for your use. This is not just because of the above code.