[ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

David L. Mills mills at udel.edu
Tue Mar 29 13:36:10 UTC 2011


Dave,

I didn't mean to cause Steve problems, but something did need to be 
changed, particularly the binding between the trusted host name and the 
group name. Besides fixing the vulnerability, it makes use of non-keygen 
certificates less of a bother. Also, this allows more than one secure 
group to share the same broadcast network. This is the third 
more-or-less trivial change in syntax in fifteen years (from Autokey 
Version 1).

The -l option was added in order to change the certificate expiration 
time for test and to allow users to make long-lived certificates.

Dave

Dave Hart wrote:

> On Tue, Mar 29, 2011 at 12:53 AM, David L. Mills <mills at udel.edu> wrote:
>
>     I sent you a message requesting to test this before deployment.
>
>
> I was referring to docs galore as I thrashed about earlier. I don't 
> doubt each of your changes was an improvement, but each one also made 
> Steve's 4.2.4 step-by-step guide less useful. I was looking at:
>
> http://www.eecis.udel.edu/~mills/ntp/html/autokey.html
> http://www.eecis.udel.edu/~mills/ntp/html/keygen.html
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> http://bugs.ntp.org/1864 <https://bugs.ntp.org/show_bug.cgi?id=1864>
> BTW keygen.html mentions a "-l days" option which ntp-keygen doesn't 
> understand, do you want me to fix the options processing so it does? 
> Or get rid of that item from the docs?
>
> I'm not the dimmest bulb on the block, but when I was interested in 
> reproducing the crash reported in bug 1864 and 1840, I didn't manage 
> to. And I spent several hours trying. The crash may be a bug I 
> introduced in ntp_config "generic FIFO" code that replaced the 
> degenerate use of priority queues as FIFOs in Sachim's original 
> ntp.conf parser rewrite. I was focused on getting past the 
> configuration issues to debug the configuration code, not on setting 
> up a working Autokey.
>
> That said, Steve has kindly dove in head first and is extracting me 
> from my confusion one step at a time. I never forgot that you wanted 
> me to test pool + autokey operation, I just feared and loathed the 
> idea of setting up autokey again from scratch and have had other 
> things to keep me busy. I'm optimistic Steve will be able to help me 
> get a working setup to test pool + autokey and also to see if 
> ntp_crypto.c:2984 really is unneeded.
>
> Cheers,
> Dave Hart




