[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Brian Utterback via the NTP Bugzilla bugzilla at ntp.org
Fri Sep 11 14:59:02 UTC 2009


Additional Comments From brian.utterback at sun.com (Brian Utterback)
Submitted on 2009-09-11 14:59

While I won't go so far as to say that the ntpq authentication is as bad as
having no security, I do think that it is not enough to make this feature safe. 

Consider that there is no key exchange protocol here; in most cases the keys
will go in clear text across the wire. Consider that to use broadcast and
multicast, keys must be used, so that putting

trustedkey 1 
requestkey 1 
controlkey 1 

into the ntp.conf file will open your system up to be bricked by your untrusted
clients. Will the average admin know what they have to do to allow the time to
flow, but prevent the clients from brickifying? Also consider that the admin
might like to delegate control but will not realize that he is putting his
system at risk?

The original model of authorization in NTP was based on protocol, but we have
blurred that by moving functions out of ntpdc into ntpq. The authorization model
is no longer adequate. Until we implement a system of authorization and
authentication that can distinguish between:


and authorize them separately, we cannot add any features into the unsafe-write
category, at least not by default. 

So, my personal view is that this feature, as it stands, must be delivered as a
build time, opt-in feature. Otherwise, existing configurations will suddenly
cause an unacceptably risky situation without any warning. 

Brian Utterback <brian.utterback at sun.com>
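One way to catch the configuration pattern Brian describes, as an added example that is not part of this bug comment or of the NTP code base (the audit rule, the constructed sample configs and the address 192.0.2.255 are my own assumptions):

```python
"""Audit an ntp.conf for the key-sharing pitfall discussed above.
Added example, not NTP project code; the rule it checks is my own heuristic:
a key handed to remote hosts on a server/peer/broadcast line must not also be
the controlkey or requestkey, unless `restrict default ... nomodify` denies
runtime writes from everyone anyway."""

ASSOC = {"server", "peer", "broadcast", "manycastclient", "multicastclient"}

def parse_ntp_conf(text):
    """Collect the directives the audit needs from ntp.conf text."""
    cfg = {"shared": set(), "controlkey": None, "requestkey": None, "default": set()}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw in ASSOC and "key" in args[:-1]:
            # 'broadcast 192.0.2.255 key 1': key 1 is handed to every client
            cfg["shared"].add(int(args[args.index("key") + 1]))
        elif kw in ("controlkey", "requestkey") and args:
            cfg[kw] = int(args[0])
        elif kw == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]
            if args[:1] == ["default"]:
                cfg["default"] |= set(args[1:])
    return cfg

def audit_ntp_conf(text):
    """Return findings as strings; an empty list means nothing flagged."""
    cfg = parse_ntp_conf(text)
    findings = []
    if "nomodify" in cfg["default"]:
        return findings  # runtime modification already denied by default
    for name in ("controlkey", "requestkey"):
        kid = cfg[name]
        if kid is not None and kid in cfg["shared"]:
            findings.append(f"{name} {kid} is also handed to remote hosts on an "
                            "association line; any of them can send authenticated "
                            "ntpq/ntpdc writes and no 'restrict default nomodify' exists")
    return findings

# Constructed samples: the comment's three lines plus a broadcast association,
# and a variant that keeps the control key private and denies writes by default.
RISKY = ("trustedkey 1\nrequestkey 1\ncontrolkey 1\n"
         "broadcast 192.0.2.255 key 1\n")
SAFER = ("trustedkey 1 2\nrequestkey 2\ncontrolkey 2\n"
         "broadcast 192.0.2.255 key 1\n"
         "restrict default kod nomodify notrap nopeer\n"
         "restrict 127.0.0.1\n")

if __name__ == "__main__":
    for label, conf in (("risky", RISKY), ("safer", SAFER)):
        print(label, audit_ntp_conf(conf) or "ok")
```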
