[ntp:hackers] Protocol specification modification for MS-SNTP
tglassey at earthlink.net
Thu Jul 9 15:46:49 UTC 2009
Martin Burnicki wrote:
> Dave Mills wrote:
>> I might not have been clear. The response to a symmetric active request
>> is unconditionally a symmetric passive packet. If authenticated, an
>> association is mobilized. There is no way a symmetric active peer can
>> tell if an association has been mobilized or not. This is all consistent
>> with the spec and no enable bit is necessary.
> That's IMHO a good solution and I appreciate this.
>> I continue to be uncomfortable with an agenda that says compile the code
>> whether or not it might be used. Is there some way you can tell from the
>> environment that Samba is active? The Autokey code is compiled only if
>> OpenSSL is present by default. This puppy is getting downright huge and
>> needs to be potty trained.
> In my opinion the problem is that nowadays only few people build the NTP
> package on their final target systems.
Martin - I totally understand this point but I have to also paint the
other side of the coin. We rebuild NTP on each machine it's to run on and
do not use binaries. The reason is that the general case compilers may
or may not have our special extensions to GLIB2.0 and other tool suites.
> Not only the Windows port is shipped as a set of binaries, also Linux,
> Solaris, and (AFAIK) FreeBSD provide binary packages which are precompiled by
> the maintainers of the OS or distribution.
Yes but the users of those will have no idea about their compilation or
working operations and since there is no 'reliability guarantee' none of
this code can be used in commercial production in audited environments.
All LINUX kits install NTP from some form of container - whether it's a
binary one or a source one. FreeBSD is different and NTP for it is
supplied through the /usr/ports collection of applications and their
FreeBSD specific patches.
> So, for example, only the
> maintainers need to have the OpenSSL headers installed. On the end user's
> target system it is sufficient to have the OpenSSL libs installed.
Except again if the users are also not sticking with distributions of
OpenSSH or OpenSSL that are supplied with their systems they also need
the headers to enable recompiling.
> Similarly, the end user can decide whether he wants to have the Samba daemon
> running or not, and I don't believe he would be happy to recompile the NTP
> daemon just because Samba shall be running but the NTP installation package
> comes with support for Samba authentication disabled.
I understand the point but there are in fact many who still build from
source and this group will actually grow I think.