[ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

David L. Mills mills at udel.edu
Tue Mar 29 00:53:48 UTC 2011


When all else fails, read the documentation. There were good reasons to 
change the configuration in minor ways.

1. There was a huge vulnerability if the identity file was specified by 
the server, but the correct file was not specified by the client. The 
scheme devolved to TC with no warning to the user.
2. Multiple secure groups (including anycast and pool) sharing the same 
broadcast network are supported. The primary intent is to provide an 
engineered selection of pool servers from the same DNS collection.
3. Configuration is much simpler and for the TC identity scheme requires 
no arguments on the ntp-keygen program or crypto configuration command.
4. Configuration for prior versions is possible; see the documentation.

I sent you a message requesting to test this before deployment.


Dave Hart wrote:

>For ntpd 4.2.4 and earlier, Steve Kostecke patiently worked out
>step-by-step instructions, and refined them over time helping people to
>use them, as seen on the page referenced above.
>For 4.2.6 ntp-keygen and autokey got an overhaul which makes those
>instructions useless.  To investigate http://bugs.ntp.org/1840 and
>http://bugs.ntp.org/1864 filed by Rich Schmidt about ntpd 4.2.7
>crashing when attempting to use Autokey, and to test a change to
>remove a presumed unneeded line of code (ntp_crypto.c:2984) identified
>through static analysis, I once again have tried to get a basic
>Autokey setup working.
>So far I have spent hours and achieved nothing but failure and
>humiliation.  This is with Rich holding my hand telling me what to do.
> I'm so pissed off I want a baseball bat and an effigy.  Now, granted,
>I'm not scratching an itch to secure my NTP, I'm scratching an itch to
>reproduce a fault and fix it, so I'm not typical, but if I were trying
>to secure my NTP, I'd use symmetric key.
>Autokey is very clever in dealing with some unique challenges other
>PKI OpenSSL client code doesn't have to.  Anyone attempting to
>configure it should be on payroll, if not time and a half.
>(insert series of profanities here)
>Dave Hart
