[ntp:hackers] SHA1 for symmetric keys?

Hal Murray hmurray at megapathdsl.net
Fri Dec 11 03:16:28 UTC 2015

brian.utterback at oracle.com said:
> So, here is a question, how difficult would it be to disable MD5 auth? How
> about not building with MD5 but still use SHA-1? I have a mandate to not use
> or even build with MD5 if feasible. If MD5 isn't used, would ntpq still be
> usable? 

I poked around a bit, but only a little bit.

I don't think there is any convenient option to configure to make it not 
build with MD5 support.  It's the other way around - ntp includes MD5 support 
even without the OpenSSL library.

It probably wouldn't be hard to patch the code to ignore (or complain about) 
MD5 keys.  The key file gets read by libntp/authreadkeys.c.  If you can't read 
them you can't use them.

I expect ntpq would be happy to use SHA1 keys, but I haven't tried it.  
ntpq.html says ntpq has commands to set the keyid and keytype.

These are my opinions.  I hate spam.
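
The "ignore (or complain about) MD5 keys" idea from the message above, shown as a stand-alone Python check of a keys file. This is an added example, not part of the original post and not ntp's own code. It assumes each entry has the form "keyid type key", that "#" starts a comment, and that the type "M" or "MD5" marks an MD5 key; the sample file and its key material are constructed.

```python
# Added example: stand-alone audit of an ntp.keys-style file (not ntp source).
# Assumed entry format: "<keyid> <type> <key> [extra fields]"; '#' starts a
# comment; type "M" or "MD5" (case-insensitive) denotes an MD5 key.

MD5_TYPES = {"M", "MD5"}

# Constructed sample input; the key material is made up.
SAMPLE_KEYS = """\
# ntp.keys (constructed sample)
1 MD5 examplesecret1        # MD5 key
2 SHA1 00112233445566778899aabbccddeeff00112233  # SHA1 key
3 M anotherexample
4 sha1 ffeeddccbbaa99887766554433221100ffeeddcc
bogus line
"""


def audit_keys(text):
    """Return (accepted, rejected).

    accepted maps keyid -> key type for entries that are not MD5.
    rejected is a list of (line_number, reason) for refused entries.
    """
    accepted, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            rejected.append((lineno, "malformed entry"))
            continue
        keyid, keytype = int(fields[0]), fields[1].upper()
        if keytype in MD5_TYPES:
            # Complain and skip: a key that is never loaded can never be used.
            rejected.append((lineno, f"key {keyid}: MD5 key refused"))
            continue
        if keyid in accepted:
            rejected.append((lineno, f"key {keyid}: duplicate key id"))
            continue
        accepted[keyid] = keytype
    return accepted, rejected


if __name__ == "__main__":
    usable, refused = audit_keys(SAMPLE_KEYS)
    for lineno, reason in refused:
        print(f"line {lineno}: {reason}")
    print("usable keys:", usable)
```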
