NTP internal server? - NTP



Thread: NTP internal server?

  1. Re: NTP internal server?

    Hal Murray wrote:

    >>Old vulnerabilities that have been fixed are not a problem of much
    >>concern to me. I run a recent version of ntpd that does not exhibit
    >>these vulnerabilities. If people chose, for whatever reason, to run a
    >>ten year old version of ntpd they must accept the associated risks and
    >>inferior performance. Since the modern, improved and fixed version is
    >>freely available to all I don't see any reason why anyone who needs NTP
    >>and is concerned about security should not run it.

    >
    >
    > How about:
    > If it ain't broke, don't fix it.
    >
    > Lots of people get their version of (x)ntp from their hardware
    > vendor. Most of them are not time geeks, they just need something
    > that's good enough. They depend on their vendor to fix security
    > problems in packages like ntp.
    >


    Perhaps the vendors do fix security problems. If so, the simplest
    approach, for most, would be to grab an up to date copy of the reference
    implementation, build it, and distribute it. Clearly most vendors do
    not do this! In the case of OpenVMS it is understandable since the
    reference implementation contains enough "Unixisms" that it will not
    build on VMS (I've tried). For Solaris and Linux the build should be
    straightforward. I expect that the build for AIX and HP-UX should also
    be straightforward.

  2. Re: NTP internal server?

    Richard B. Gilbert wrote:
    > Hal Murray wrote:
    >
    >>> Old vulnerabilities that have been fixed are not a problem of much
    >>> concern to me. I run a recent version of ntpd that does not exhibit
    >>> these vulnerabilities. If people chose, for whatever reason, to run
    >>> a ten year old version of ntpd they must accept the associated risks
    >>> and inferior performance. Since the modern, improved and fixed
    >>> version is freely available to all I don't see any reason why anyone
    >>> who needs NTP and is concerned about security should not run it.

    >>
    >>
    >>
    >> How about:
    >> If it ain't broke, don't fix it.
    >>
    >> Lots of people get their version of (x)ntp from their hardware
    >> vendor. Most of them are not time geeks, they just need something
    >> that's good enough. They depend on their vendor to fix security
    >> problems in packages like ntp.
    >>

    >
    > Perhaps the vendors do fix security problems. If so, the simplest
    > approach, for most, would be to grab an up to date copy of the reference
    > implementation, build it, and distribute it. Clearly most vendors do
    > not do this! In the case of OpenVMS it is understandable since the
    > reference implementation contains enough "Unixisms" that it will not
    > build on VMS (I've tried). For Solaris and Linux the build should be
    > straightforward. I expect that the build for AIX and HP-UX should also
    > be straightforward.

    SUSE, for example (as of 9.1 through 10.1), is still based on ntp-stable-4.2.0a-20050816.tar.bz2
    with a plethora of patches:
    -rw-r--r-- 1 root root 187 2006-01-26 11:22 conf.logrotate.ntp
    -rw-r--r-- 1 root root 2023 2006-01-26 11:22 conf.ntp.conf
    -rw-r--r-- 1 root root 6326 2006-01-26 11:22 conf.ntp.init
    -rw-r--r-- 1 root root 310 2006-01-26 11:22 conf.ntp.reg
    -rw-r--r-- 1 root root 2543 2006-01-26 11:22 conf.sysconfig.ntp
    -rw-r--r-- 1 root root 430 2006-01-26 11:22 conf.sysconfig.syslog-ntp
    -rw-r--r-- 1 root root 251 2006-06-29 14:30 NetworkManager-ntp
    -rw-r--r-- 1 root root 519 2006-01-26 11:22 ntp.1.gz
    -rw-r--r-- 1 root root 327 2006-01-26 11:22 ntp-4.1.1.SuSE-Config.diff
    -rw-r--r-- 1 root root 6949 2006-01-26 11:22 ntp-4.2.0a-no_ipv6_stack.diff
    -rw-r--r-- 1 root root 1532 2006-01-26 11:22 ntp-4.2.0.ntpdate_overflow.diff
    -rw-r--r-- 1 root root 23909 2006-01-26 11:22 ntp-4.2.0-rh-manpages.tar.gz
    -rw-r--r-- 1 root root 25894 2006-01-26 11:22 ntp-codecleanup.patch
    -rw-r--r-- 1 root root 406 2006-01-26 11:22 ntpd-maxmonmen.patch
    -rw-r--r-- 1 root root 1635 2006-01-26 11:22 ntpd-using_wrong_group.diff
    -rw-r--r-- 1 root root 271146 2004-03-05 18:35 NTP-FAQ-3.4.tar.bz2
    -rw-r--r-- 1 root root 780 2006-01-26 11:22 ntp-linuxcaps.diff
    -rw-r--r-- 1 root root 2273 2006-01-26 11:22 ntp-manpages.patch
    -rw-r--r-- 1 root root 1995 2006-01-26 11:22 ntp-ntptrace_doc.diff
    -rw-r--r-- 1 root root 243 2006-01-26 11:22 ntp-ntptrace_sbinpath.diff
    -rw-r--r-- 1 root root 292 2006-01-26 11:22 ntp-segfault_on_invalid_device.diff
    -rw-r--r-- 1 root root 634 2006-01-26 11:22 ntp-stable-4.2.0a-20050816-loconly.patch
    -rw-r--r-- 1 root root 2112658 2006-01-26 11:22 ntp-stable-4.2.0a-20050816.tar.bz2
    -rw-r--r-- 1 root root 521 2006-01-26 11:22 README.SUSE
    -rw-r--r-- 1 root root 756 2006-01-26 11:22 xntp-lib64.patch
    -rw-r--r-- 1 root root 670 2006-01-26 11:22 xntp-posix_options.diff

    uwe

  3. Re: NTP internal server?

    >>> In article , "Richard B. Gilbert" writes:

    Richard> Clearly
    Richard> most vendors do not do this! In the case of OpenVMS it is
    Richard> understandable since the reference implementation contains enough
    Richard> "Unixisms" that it will not build on VMS (I've tried).

    While I do not know the particulars of OpenVMS, there was code to support the
    building of ntp on VMS (perhaps OpenVMS) and nobody has sent in updated
    patches for a long time.

    If nobody intends to submit patches I would be happy to remove any old
    fragments from the codebase.

    H

  4. Re: NTP internal server?

    If folks submit (workable) patches to us they are applied (and they no
    longer need to maintain and support those patches).

    If they do not submit patches to us, we do not have them (and cannot apply
    them), and therefore they get to continue to deal with them.

    I'll also note that 4.2.0a is an older release; 4.2.2 has been out for a
    while and 4.2.4 will be released soon.

    H

  5. Re: NTP internal server?

    Harlan Stenn wrote:
    > If folks submit (workable) patches to us they are applied (and they no
    > longer need to maintain and support those patches).
    >
    > If they do not submit patches to us, we do not have them (and cannot apply
    > them), and therefore they get to continue to deal with them.
    >
    > I'll also note that 4.2.0a is an older release; 4.2.2 has been out for a
    > while and 4.2.4 will be released soon.
    >
    > H

    Just had a look into OpenSuSE 10.2 beta1:
    it uses xntp-4.2.2p3

    I have never done much more than compiling xntp sources up to now.
    I would have to look into the patches to see what they really do
    in the next couple of days.
    Some comments already?

    < from the spec file, comments from me "SUSE" or "## .*" >
    Version: 4.2.2p3
    Release: 9
    Summary: Network Time Protocol daemon (version 4)
    # main source
    Source0: ntp-%version.tar.bz2
    # configuration
    SUSE Source1: conf.logrotate.ntp
    SUSE Source2: conf.ntp.conf
    SUSE Source3: conf.ntp.init
    Source4: conf.sysconfig.ntp
    Source5: conf.sysconfig.syslog-ntp
    Source6: conf.ntp.reg
    # documentation
    Source10: NTP-FAQ-%{ntpfaqversion}.tar.bz2
    Source11: ntp.1.gz
    SUSE Source12: README.SUSE
    Source13: ntp-4.2.0-rh-manpages.tar.gz
    SUSE Source14: NetworkManager-ntp

    SUSE Patch0: ntp-4.1.1.SuSE-Config.diff
    Patch1: ntp-4.2.0.ntpdate_overflow.diff
    Patch2: xntp-posix_options.diff
    Patch3: ntp-segfault_on_invalid_device.diff
    Patch4: ntp-linuxcaps.diff
    Patch5: ntp-codecleanup.diff
    Patch6: ntp-ntptrace_doc.diff
    Patch7: ntp-ntptrace_sbinpath.diff
    Patch8: ntpd-maxmonmen.diff
    Patch10: ntpd-using_wrong_group.diff

    ## only for amd/intel 64bit
    Patch12: xntp-lib64.diff

    ## these are probably rather suse specific
    Patch13: ntp-stable-4.2.0a-20050816-loconly.diff
    Patch14: ntp-manpages.diff
    Patch15: ntp-config.diff
    Patch16: ntp-offset.diff
    Patch17: xntp-man-pages.diff

    uwe

  6. Re: NTP internal server?

    Uwe Klein wrote:

    > Richard B. Gilbert wrote:
    >
    >> Hal Murray wrote:
    >>
    >>>> Old vulnerabilities that have been fixed are not a problem of much
    >>>> concern to me. I run a recent version of ntpd that does not exhibit
    >>>> these vulnerabilities. If people chose, for whatever reason, to run
    >>>> a ten year old version of ntpd they must accept the associated risks
    >>>> and inferior performance. Since the modern, improved and fixed
    >>>> version is freely available to all I don't see any reason why anyone
    >>>> who needs NTP and is concerned about security should not run it.
    >>>
    >>>
    >>>
    >>>
    >>> How about:
    >>> If it ain't broke, don't fix it.
    >>>
    >>> Lots of people get their version of (x)ntp from their hardware
    >>> vendor. Most of them are not time geeks, they just need something
    >>> that's good enough. They depend on their vendor to fix security
    >>> problems in packages like ntp.
    >>>

    >>
    >> Perhaps the vendors do fix security problems. If so, the simplest
    >> approach, for most, would be to grab an up to date copy of the
    >> reference implementation, build it, and distribute it. Clearly most
    >> vendors do not do this! In the case of OpenVMS it is understandable
    >> since the reference implementation contains enough "Unixisms" that it
    >> will not build on VMS (I've tried). For Solaris and Linux the build
    >> should be straightforward. I expect that the build for AIX and HP-UX
    >> should also be straightforward.

    >
    > SUSE, for example (as of 9.1 through 10.1), is still based on
    > ntp-stable-4.2.0a-20050816.tar.bz2


    Sun Solaris 9 and 10 ship with 3-5.93e! I believe that Solaris 8 ships
    with the same version.

    Maybe, after another year or three, the working group will come up with
    an RFC for the current version and some of the dinosaurs will be updated.

  7. Re: NTP internal server?

    Harlan Stenn wrote:

    >>>>In article , "Richard B. Gilbert" writes:

    >
    >
    > Richard> Clearly
    > Richard> most vendors do not do this! In the case of OpenVMS it is
    > Richard> understandable since the reference implementation contains enough
    > Richard> "Unixisms" that it will not build on VMS (I've tried).
    >
    > While I do not know the particulars of OpenVMS, there was code to support the
    > building of ntp on VMS (perhaps OpenVMS) and nobody has sent in updated
    > patches for a long time.
    >
    > If nobody intends to submit patches I would be happy to remove any old
    > fragments from the codebase.
    >
    > H


    VMS Engineering did a port of 3-93 or 3-95 years ago and I don't think
    anyone has done anything since. I was unable to build a 4.x
    distribution on VMS using the POSIX shell; the scripts didn't work.
    Compiling things by hand didn't work either. I don't recall the details
    but there were calls to functions not part of the NTP distribution nor
    part of the Standard C Run Time Library.

    If you like, I can crank up the system, try it again and tell you where
    it barfed. I suspect though, that you have better things to do than
    assist in a port to a niche O/S like VMS.


  8. Re: NTP internal server?

    Richard B. Gilbert wrote:

    > All right. I give up!! There are many sites that are not allowed to
    > have an internet connection but I think yours is the first I've heard of
    > where the NTP protocol is specifically forbidden.


    I've had it happen at a previous workplace. Network management group
    discovered the option of adjusting the clocks of cisco routers using ntp
    and directly blocked this protocol to all client networks, because
    otherwise clients could compromise network auditing by giving fake ntp
    answers. An enlightenment in ntp protocol followed. I had to enlighten them
    often on network protocols. They probably disliked me.

    And nowadays it's customary to block anything that's not explicitly needed
    and understood.

    Koos

    --
    Koos van den Hout, herding Suns and networks as koos@cs.uu.nl
    +31-30-2534104 PGP keyid 0x27513781
    http://idefix.net/~koos/ Use PGP when possible!
    Camp Wireless, wireless Internet access at campsites http://camp-wireless.org/
