[ntp:hackers] Protocol specification modification for MS-SNTP

Andrew Bartlett abartlet at samba.org
Mon Jul 6 21:53:33 UTC 2009


On Mon, 2009-07-06 at 21:28 +0000, David Mills wrote:
> Folks,
> 
> The Samba folks have modified ntpd to support Microsoft authentication, 
> which requies some bending of the protocol specification and 
> implementation. I'd like to make it much simpler, reduce the code 
> clutter and support alternative digest algorithms. The present protocol 
> specification requires a nonzero key ID and MD5 digest algorithm by 
> default. The ntpd never generates a MAC with a zero key ID. 

The Key ID is not zero in MS-SNTP authentication.  It is the little
endian RID of the machine account. 

What is zero is the MAC (16 bytes).  (How could the key ID be zero?
What otherwise would determine what key to use to sign the reply?)

> The current 
> MS-SNTP code uses a 20-octet all-zero MAC, causing ntpd to hand the 
> packet off to another program which fills in the MAC. This makes
> MS-SNTP 
> "legal" and much more likely to be supported by "official" servers. I 
> propose to add something like this, either to the protocol
> specification 
> or as an addendum:
> 
> "A received MAC with a zero key ID is a special case. By default, the 
> packet is treated as if the MAC were not present, so is not 
> authenticated. On output the MAC is returned exactly as received and
> the 
> packet is not authenticated. As a configurable option, an output
> packet 
> with zero key ID can be passed to another program that fills in the
> MAC."

This simply needs to be reworded to be 'an all Zero MAC (with a non-zero
key id) is a special case...'

Thanks,


Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.ntp.org/pipermail/hackers/attachments/20090707/da03398a/attachment.bin 


More information about the hackers mailing list