Re: What package contains the time daemon?
On 2015-07-26 10:06:05 -0500, John Hasler wrote:
> I wrote:
> > http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm
> >
> > See section 6.6.2, Authentication
>
> Vincent Lefevre writes:
> > I don't see how this can work with public NTP servers!

Actually there's another authentication system: Autokey, which is
a public-key authentication:
https://www.eecis.udel.edu/~mills/ntp/html/autokey.html
but... it is broken!
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687166#55

> If you need authentication you need to use trusted servers.
>
> http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm

First problem: one needs registration. Major problem: "Each registered
user will be assigned a unique encryption key, which will be linked to
the IP address of the user’s system." This assumes a fixed IP address!

> http://www.nist.gov/pml/div688/grp40/upload/-Instructions-for-using-the-NIST-authenticated-Network-Time-Protocol-NTP-server.pdf
> http://support.ntp.org/bin/view/Servers/WebHome
>
> Look through the list for servers that say that they support
> authentication and follow instructions.

It seems that the authentication system is Autokey, but see above.

> > Even without it, though, successfully spoofing all four of the servers
> > you use would be challenging.
>
> > I don't see why this would be difficult for someone who controls the
> > local network (e.g. the wifi hotspot).
>
> If your laptop needs precise time and you are a target for such attacks,
> take the time daemon offline when you use such unreliable connections.

In general, I don't know when the connection is unreliable. Actually
I can assume that most of the time it may be unreliable. So, this is
not a solution.

I also have a desktop machine that is permanently on an unreliable
network (at least with SLAAC attacks several times per year).

> The attacker would not be able to change your clock very fast, though.
> Unless your laptop needs millisecond accuracy for some reason it's hard
> to see what such an attack would accomplish.

I want to be able to set the time if for some reason the clock is
completely incorrect (this occurred from time to time in the past).

So, I probably need to wait for LibreSSL or a new OpenNTPd version...

--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)