[ntp:hackers] Autokey weedwack

David L. Mills mills at udel.edu
Mon Dec 31 15:40:53 UTC 2007


Harlan,

The save/restore options are indeed and with much emphasis a very bad 
idea. The program is not designed for interactive use. The guiding 
principle in the program design is that a configuration file is created 
using a text editor and used only once when initializing the media. 
Subsequently, a single one-word command with no options is used to 
update the media. See the /usr/local/etc/keys.sh files on the various 
backroom machines.

Dave

Harlan Stenn wrote:

> Brian wrote:
>
>> David L. Mills wrote:
>>
>>> documentation HTML pages have been rewritten. The source code
>>> documentation for ntp_crypto.c and ntp-keygen.c has been revised.
>>> Disregard the ntp-keygen program on-line options display and man page,
>>> which are largely irrelevant and erroneous in places. Especially do not
>>> use the configuration file save/restore feature, which is highly
>>> dangerous relative to the way the options are designed to be used and
>>> could result in unintended update of previously downloaded keys. The
>>> ntp-keygen and authentication options pages have details and examples.
>>
>> If the save and load features of libopts are toxic for ntp-keygen, then
>> those options should just be disabled.
>
>
> The on-line options display and man page Dave cites will be updated as
> soon as anybody gets the chance to do so.
>
> The save/restore features could be useful in a number of scenarios I can
> imagine.
>
> The save/restore feature is separate from the .ntprc file.
>
> That there can be situations where it would be Bad to use either the
> .ntprc file or a restore file is entirely possible. That is not to say
> that there are *no* situations where these capabilities would not be
> useful.
>
> So at this point I'm inclined to simply remember this thread to the best
> of my ability (assuming I will be the one to look at it), in conjunction
> with my favorite "between the lines" bible quote:
>
> Blessed are those who get what they deserve.
>
> H



