[ntp:hackers] 4.2.5p203 adds ntpq dumpcfg command

Dave Hart davehart at gmail.com
Tue Aug 18 06:55:28 UTC 2009


On Mon, Aug 17, 2009 at 10:24 PM, Hal Murray wrote:
>
> "currently available to anyone" seems pretty exciting.
>
> Am I running a trojan horse?

I don't believe so.

> Does it at least get caught by a nomodify restrict filter?

I haven't tested it.  Undoubtedly before long "dumpcfg" (or
"saveconfig"?) will require authentication like ntpq :config, meaning
you need a passphrase in a key file pointed to by ntp.conf, containing
a key whose ID is listed after trustedkey and given as the requestkey
or controlkey (I use the same key ID for both, but only one controls, I
believe).

> Perhaps I'm confused about what the dumpcfg command does.  I was expecting
> ntpq to extract the current config tree over the net and write it to a file
> on the system running ntpq.  It sounds as though ntpd is writing it on the
> system running ntpd.

That's right.  Returning the output to ntpq might be useful, but it's
challenging since you're dealing with small packets and a datagram
protocol with no guarantees of delivery or order.

>> The file permission allows only owner to read because ntp.conf can
>> contain a password (crypto pw).
>
> I don't use any passwords so I haven't thought about this area yet.  Security
> is important, very important.  My head hurts thinking about having to hide my
> config files.

Most people don't have anything to hide in ntp.conf.  The passphrases
used for authenticated ntpq are stored in a separate file.  "crypto
pw" is used with autokey to decrypt identity files encrypted with
ntp-keygen -p.

> Is there any overview documentation covering security issues in ntpd and/or
> friends?

Not that I'm aware of.

> I assume it's reasonable to setup a system that uses only public keys so I
> don't have to hide anything but the private keys (which are off in a separate
> file).
>
> sshd is pretty paranoid about checking file and directory permissions when
> looking for private keys.  Does ntpd do anything like that?
>
> Has anybody written a simple script to sanity check things like file
> protections?

Not as far as I know on both counts.

Cheers,
Dave Hart
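A sanity-check script of the kind Hal asks about, added here as an example (it is not code from the ntp project or from either poster). It assumes the ntp.conf directives Dave names (keys, trustedkey, controlkey, requestkey) written one plain key ID per word, a keys file made of "<id> <type> <secret>" lines, and a GNU or BSD stat; the sample config it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ntp project or this thread. Checks the chain
# Dave describes: ntp.conf -> "keys" file; the controlkey/requestkey ID must be
# listed under trustedkey and have a secret in the keys file; and the keys
# file, like an sshd private key, should be readable by its owner only.
# Assumed layout: "keys <path>", "trustedkey <id> ...", "controlkey <id>",
# "requestkey <id>" in ntp.conf; "<id> <type> <secret>" lines in the keys file.

# Usage: check_ntp_auth /etc/ntp.conf ; returns 0 when everything checks out.
check_ntp_auth() {
    conf=$1 rc=0
    keyfile=$(awk '$1=="keys"{print $2; exit}' "$conf")
    if [ -z "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "no usable 'keys' file referenced by $conf"; return 1
    fi
    mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
    case "$mode" in
        400|600) ;;
        *) echo "$keyfile is mode $mode; expected 400 or 600"; rc=1 ;;
    esac
    trusted=$(awk '$1=="trustedkey"{for(i=2;i<=NF;i++) print $i}' "$conf")
    for d in controlkey requestkey; do
        id=$(awk -v d="$d" '$1==d{print $2; exit}' "$conf")
        if [ -z "$id" ]; then
            echo "$d not set: ntpq :config-style commands are unauthenticated"
            rc=1; continue
        fi
        echo "$trusted" | grep -qx "$id" || { echo "$d $id not in trustedkey"; rc=1; }
        awk -v k="$id" '$1==k{f=1} END{exit !f}' "$keyfile" \
            || { echo "key $id has no entry in $keyfile"; rc=1; }
    done
    return $rc
}

# Constructed sample (not a real deployment); prints the path of the ntp.conf.
# $1 = directory to create, $2 = mode for the keys file, $3 = controlkey ID
make_sample() {
    mkdir -p "$1"
    printf '1 MD5 constructed-passphrase\n' > "$1/ntp.keys"
    chmod "$2" "$1/ntp.keys"
    printf 'keys %s\ntrustedkey 1\ncontrolkey %s\nrequestkey 1\n' \
        "$1/ntp.keys" "$3" > "$1/ntp.conf"
    echo "$1/ntp.conf"
}

tmp=$(mktemp -d)
check_ntp_auth "$(make_sample "$tmp/good" 600 1)" && echo "sample config OK"
rm -rf "$tmp"
```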
