notrust alternative? - NTP


Thread: notrust alternative?

  1. Re: notrust alternative?

    In article ,
    Richard B. Gilbert wrote:

    > "sunblok" and "sunburn" are two servers on my local network. On
    > "sunblok" I can say "peer sunburn" and on "sunburn" I can say "peer
    > sunblok". It works!


    I believe this constitutes symmetric active, when Dave Mills is
    talking about symmetric passive, where only one side actually
    has the association configured.

  2. Re: notrust alternative?

    David Woolley wrote:

    > In article ,
    > Richard B. Gilbert wrote:
    >
    >
    >>"sunblok" and "sunburn" are two servers on my local network. On
    >>"sunblok" I can say "peer sunburn" and on "sunburn" I can say "peer
    >>sunblok". It works!

    >
    >
    > I believe this constitutes symmetric active, when Dave Mills is
    > talking about symmetric passive, where only one side actually
    > has the association configured.


    Is "symmetric passive" different from just saying, in ntp.conf:
    "server sunblok iburst"? For the record, that works without problems too!

  3. Re: notrust alternative?

    Richard,

    As I said, the auth switch is enabled by default. See the documentation
    for the definition of ephemeral association and persistent association.
    Persistent associations are mobilized from the configuration file and
    are not affected by the auth switch. Ephemeral associations are
    mobilized upon arrival of a broadcast or symmetric mode message and are
    affected by the auth switch.

    See the documentation on the symmetric key and public key cryptography.
    Symmetric key cryptography is not affected by address translation.
    Public key cryptography requires the server and client to have the same
    (interchanged) addresses.

    I say again with emphasis. With the default configuration (no disable
    auth) ephemeral associations cannot be mobilized unless authenticated,
    symmetric or public. Earlier on this thread such associations were in
    fact mobilized without authentication, suggesting somebody tampered with
    the default auth setting. It is extremely important that the source of
    this insult be identified; it represents a serious denial of service
    vulnerability.

    Dave

    Richard B. Gilbert wrote:
    > David L. Mills wrote:
    >
    >> Richard,
    >>
    >> You may have misunderstood what the enable/disable auth does. It has
    >> nothing to do with the authentication method or lack of it. If the
    >> switch is enabled (enable auth), then associations cannot be mobilized
    >> unless authentication parameters have been configured and the
    >> symmetric active or broadcast client is correctly authenticated.

    >
    >
    > I think I'm still missing something! I don't have disable auth nor
    > enable auth. Therefore it defaults to "enable auth".
    >
    > Correct so far?
    >
    > I have an NTP keys file with symmetric keys that I use only to access
    > the privileged functions of ntpq and ntpdc. I do not authenticate any
    > server! I am, apparently, able to mobilize associations! But if I
    > understand you, I should not be able to mobilize associations. "sunblok"
    > and "sunburn" are two servers on my local network. On "sunblok" I can
    > say "peer sunburn" and on "sunburn" I can say "peer sunblok". It works!
    >
    > Since I am behind a NAT router/firewall on an RFC-1918 private network,
    > my understanding is that your public key authentication scheme cannot be
    > used because the IP address of my machine is not the address seen
    > externally and the IP address of the machine is part of the
    > authentication scheme.
    >
    >


  4. Re: notrust alternative?

    On 2006-11-05, David L. Mills wrote:

    > All users: Don't put "disable auth" in your configuration file unless
    > you understand the resulting vulnerability and your network cannot be
    > connected to the public Internet under any circumstances. Also, make
    > sure the Linux and FreeBSD and others do not provide NTP software with
    > that switch disabled.


    For what it's worth, FreeBSD does not disable this switch.

    Ceri
    --
    That must be wonderful! I don't understand it at all.
    -- Moliere

  5. Re: notrust alternative?

    "Richard B. Gilbert" wrote:

    > Is "symmetric passive" different from just saying, in ntp.conf:
    > "server sunblok iburst"? For the record, that works without problems too!


    "server xxx" establishes you as a client, "peer xxx" tries to establish
    you as a peer. If ntp.conf on box A has "peer B" and ntp.conf on box B
    has "peer A", that is symmetric-active: each actively requests to peer
    with the other. If box A has "peer B" but box B has no reference to A,
    then B can either treat A as a client (usual behaviour), or in the right
    (or wrong!) circumstances can accept A as an unconfigured peer, and that
    is symmetric-passive. That seems to be what's happening with the original
    poster's setup, with all those extras listed in ntpq -p. Generally it is
    not desirable ...

    --
    Ronan Flood
    working for but not speaking for
    Network Services, University of London Computer Centre
    (which means: don't bother ULCC if I've said something you don't like)

  6. Re: notrust alternative?

    On Sun, 05 Nov 2006 05:17:03 +0000, "David L. Mills" wrote:

    > All users: Don't put "disable auth" in your configuration file unless
    > you understand the resulting vulnerability and your network cannot be
    > connected to the public Internet under any circumstances. Also, make
    > sure the Linux and FreeBSD and others do not provide NTP software with
    > that switch disabled.


    Also check that ntpd is not started with the -A option, which is another
    way of disabling authentication.

    --
    Ronan Flood
    working for but not speaking for
    Network Services, University of London Computer Centre
    (which means: don't bother ULCC if I've said something you don't like)

  7. Re: notrust alternative?

    Dennis,

    You are not reading my messages. Read them again; take them very
    seriously. You are being hacked. Any entries shown in ntpq other than
    those you configured are spurious and the result of tampering in the
    sources that leave here. It's very important to track down how that
    happened. Forget about the +, -, * issues; there are more important
    things going on here.

    Dave

    Dennis Hilberg Jr wrote:

    > Maybe I'm misunderstanding the output of 'ntpq -p'. When I use this command, a large list is printed to the screen (sometimes 60 or
    > more entries in length), of which, the first five of the entries are the servers I have listed in my ntp.conf and the rest I'm
    > assuming are clients, or systems using my server's clock as a synchronization source. Am I correct on that? Most of the time those
    > five servers are the ones that have +, -, or * next to them. Of those five, there's always a * and usually two +. On occasion
    > though, some of the systems in the 'ntpq -p' output OTHER than my five servers have a + next to them. Is this normal, based on my
    > ntp.conf? My concern is that my server might be using systems other than the five I have listed in my ntp.conf as a synchronization
    > source. Perhaps I should have worded my initial post this way, as some replies indicate that I might have failed to explain my
    > situation properly.
    >
    > Here is my ntp.conf again:
    >
    >
    > # Default restriction.
    >
    > restrict default kod nomodify notrap nopeer noquery
    >
    > # Allow free access to localhost.
    >
    > restrict 127.0.0.1
    >
    > # Allow the local network access with the following modified restrictions.
    >
    > restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
    >
    > # Synchronization servers. Include at least three, but no more than five.
    >
    > server bigben.cac.washington.edu iburst
    > server montpelier.ilan.caltech.edu iburst
    > server tick.ucla.edu iburst
    > server clock.xmission.com iburst
    > server clepsydra.dec.com iburst
    >
    > # Drift file location
    >
    > driftfile /etc/ntp/drift
    >
    > # Location of the log file
    >
    > logfile /var/log/ntp/ntp.log
    >
    > # NTP monitoring parameters
    >
    > statsdir /var/log/ntp/
    > statistics loopstats peerstats clockstats
    > filegen loopstats file loopstats type day enable
    > filegen peerstats file peerstats type day enable
    > filegen clockstats file clockstats type day enable
    >
    > # Authentication parameters
    >
    > #keys /etc/ntp/keys
    > #trustedkey 2 3 4
    > #controlkey 3 # To access the ntpq utility
    > #requestkey 2 # To access the ntpdc utility
    >
    > Thanks for all the help.
    >
    > Dennis.
    >
    > "Ronan Flood" wrote in message news:eia97n$kn8$1@canard.ulcc.ac.uk...
    > | "Dennis Hilberg Jr" wrote:
    > |
    > | > On one instance I noticed that in the output of 'ntpq -p' one of my server's
    > | > clients was flagged with the '+'. notrust under version 4.2 and later now
    > | > means "Ignore all NTP packets that are not cryptographically authenticated"
    > | > instead of the 4.1 and earlier versions where it meant "Don't trust this
    > | > host/subnet for time." How do I specify with version 4.2 and later that I
    > | > only want the five server entries in the ntp.conf to be trusted for
    > | > synchronization? Or is this automatic, and that particular 'ntpq -p' output
    > | > a fluke?
    > |
    > | 'nopeer' should prevent a client establishing a symmetric-passive
    > | association on your server, so the ntp.conf you show in your later
    > | message should be working. Post the output of 'ntpq -p' showing
    > | your client listed (with or without '+') and 'ntpq -classoc',
    > | and 'ntpq "-crv nnn"' where nnn is the number of the association
    > | (assID) for your client in the lassoc output.
    > |
    > | Hmm, "ntpdc -ncreslist" will show the active restrictions, so check
    > | that matches your ntp.conf.
    > |
    > | --
    > | Ronan Flood
    > | working for but not speaking for
    > | Network Services, University of London Computer Centre
    > | (which means: don't bother ULCC if I've said something you don't like)
    >
    >


  8. Re: notrust alternative?

    That was my problem all along. My server is Mandriva 2007 Free, and I'm using the version of ntp that is included with the distro,
    4.2.0@1.1161-r. In /etc/sysconfig/ntpd the -A option is enabled by default. I removed that and took out 'enable auth' in my
    ntp.conf, restarted ntpd, and now everything works the way David Mills says it should.

    Now the question...why would Mandriva disable authentication by default?? After what David Mills has said, and what I've been
    dealing with, that seems rather insecure.

    Thanks a lot Ronan for pointing this out. I feel embarrassed for not noticing it was running with the -A option by default. I just
    didn't pay attention. But hopefully this will help someone else out.

    Thank you everyone for the help,

    Dennis

    "Ronan Flood" wrote in message news:einhmc$6tm$1@canard.ulcc.ac.uk...
    | On Sun, 05 Nov 2006 05:17:03 +0000, "David L. Mills" wrote:
    |
    | > All users: Don't put "disable auth" in your configuration file unless
    | > you understand the resulting vulnerability and your network cannot be
    | > connected to the public Internet under any circumstances. Also, make
    | > sure the Linux and FreeBSD and others do not provide NTP software with
    | > that switch disabled.
    |
    | Also check that ntpd is not started with the -A option, which is another
    | way of disabling authentication.
    |
    | --
    | Ronan Flood
    | working for but not speaking for
    | Network Services, University of London Computer Centre
    | (which means: don't bother ULCC if I've said something you don't like)
    |
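
The two ways authentication ended up disabled in this thread (the ntpd -A flag Ronan mentioned and "disable auth" in ntp.conf) and the spurious ntpq -p entries Dennis was worried about can all be checked mechanically. The following script is an added example for this page, not code from any poster or from the ntp distribution; the function names are its own, and the ntp.conf and ntpq -p text it inspects are constructed samples (documentation-range IP addresses) rather than anyone's real output. It relies on two facts from the thread and the ntpd man page: -A (long form --authnoreq) drops the authentication requirement, and ntpq -p prints the remote name truncated to 15 characters.

```python
"""Audit an ntpd host for disabled authentication and for ntpq -p
associations that were never configured in ntp.conf.

Added example for this thread; function names and the sample inputs
below are this example's own (constructed), not real server output."""

import sys

# ---- 1. ntpd command line: -A / --authnoreq removes the auth requirement
def ntpd_auth_disabled_by_flag(argv):
    """True if argv carries -A on its own, bundled with other short
    options (e.g. -gA), or as the long option --authnoreq."""
    for arg in argv[1:]:
        if arg == "--authnoreq":
            return True
        if arg.startswith("-") and not arg.startswith("--") and "A" in arg[1:]:
            return True
    return False

# ---- 2. ntp.conf: 'disable auth' and the restrict default line
def _conf_words(conf_text):
    """Yield the word list of each non-empty, non-comment ntp.conf line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def audit_ntp_conf(conf_text):
    """Return a list of findings for the settings the thread warns about."""
    findings = []
    restrict_default = None
    for words in _conf_words(conf_text):
        if words[0] == "disable" and "auth" in words[1:]:
            findings.append("disable auth: ephemeral associations are "
                            "mobilized without authentication")
        if words[0] == "restrict" and len(words) > 1 and words[1] == "default":
            restrict_default = words[2:]
    if restrict_default is None:
        findings.append("no 'restrict default' line: every address gets full access")
    elif "nopeer" not in restrict_default:
        findings.append("restrict default lacks nopeer: clients may become "
                        "symmetric-passive peers")
    return findings

def configured_sources(conf_text):
    """Hostnames/addresses named on server and peer lines, in file order."""
    return [w[1] for w in _conf_words(conf_text)
            if w[0] in ("server", "peer") and len(w) > 1]

# ---- 3. ntpq -p: associations beyond what ntp.conf configured
TALLY = "x.-+#*o"   # column-1 tally codes ntpq prints; blank = discarded

def parse_ntpq_peers(output):
    """Return (tally, remote, stratum) for each association line."""
    peers = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue                      # header / separator lines
        if line[0] in TALLY:
            tally, rest = line[0], line[1:]
        else:
            tally, rest = " ", line
        fields = rest.split()             # remote refid st t when poll reach ...
        if len(fields) < 3:
            continue
        peers.append((tally, fields[0], int(fields[2])))
    return peers

def unexpected_associations(output, configured):
    """Associations whose remote name matches no configured source.
    ntpq truncates the remote column to 15 characters, so a displayed
    name counts as matching when it is a prefix of a configured name."""
    configured = [c.lower() for c in configured]
    return [(t, r, s) for t, r, s in parse_ntpq_peers(output)
            if not any(c.startswith(r.lower()) for c in configured)]

# ---- constructed sample inputs (not real output)
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server bigben.cac.washington.edu iburst
server tick.ucla.edu iburst
driftfile /etc/ntp/drift
"""

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*bigben.cac.wash 192.0.2.10       1 u   47   64  377   28.611    0.154   0.892
+tick.ucla.edu   192.0.2.11       1 u   51   64  377   35.020   -0.311   1.104
+192.168.1.77    192.0.2.10       2 u   12   64  377    0.431    0.087   0.210
 192.168.1.80    192.0.2.11       2 u   30   64  377    0.502    0.121   0.198
"""

if __name__ == "__main__":
    print("ntpd -A present:", ntpd_auth_disabled_by_flag(["ntpd", "-gA"]))
    for f in audit_ntp_conf(SAMPLE_CONF) or ["ntp.conf: no findings"]:
        print(f)
    for tally, remote, st in unexpected_associations(SAMPLE_NTPQ, configured_sources(SAMPLE_CONF)):
        print(f"unconfigured association: {remote} stratum {st} tally '{tally}'")
    sys.exit(0)
```

In the sample, 192.168.1.77 is flagged with a "+" tally, which is exactly the situation Dennis described: a host that is not in ntp.conf has become a selection-algorithm survivor. On a live host, feed the script the real argument vector from the process list, the real ntp.conf, and the captured ntpq -p text; the prefix match on the remote column is deliberate because ntpq cuts long hostnames short.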



  9. Re: notrust alternative?

    "Dennis Hilberg Jr" wrote in message
    news:FO2dnVAu0ozF5tLYnZ2dnUVZ_oidnZ2d@comcast.com...
    [...]
    > Now the question...why would Mandriva disable authentication by default??


    Welcome to the wonderful world of modern commodity computing. Where
    a vendor will distribute a product with gaping holes in the default
    setup, because it cuts down on support calls.

    Horrified question: "They would do that?"
    World-weary answer: "Every time."

    Groetjes,
    Maarten Wiltink



  10. Re: notrust alternative?

    Ronan Flood wrote:
    > "Richard B. Gilbert" wrote:
    >
    >
    >>Is "symmetric passive" different from just saying, in ntp.conf:
    >>"server sunblok iburst"? For the record, that works without problems too!

    >
    >
    > "server xxx" establishes you as a client, "peer xxx" tries to establish
    > you as a peer. If ntp.conf on box A has "peer B" and ntp.conf on box B
    > has "peer A", that is symmetric-active: each actively requests to peer
    > with the other. If box A has "peer B" but box B has no reference to A,
    > then B can either treat A as a client (usual behaviour), or in the right
    > (or wrong!) circumstances can accept A as an unconfigured peer, and that
    > is symmetric-passive. That seems to be what's happening with the original
    > poster's setup, with all those extras listed in ntpq -p. Generally it is
    > not desirable ...
    >


    Some of those lines in the ntpq -p banner were stratum two and could
    have been peers. The rest were stratum three so I don't see how they
    could have been peers; don't peers have to be of equal strata?


  11. Re: notrust alternative?

    On 2006-11-06, Dennis Hilberg Jr wrote:

    > That was my problem all along. My server is Mandriva 2007 Free,
    > and I'm using the version of ntp that is included with the distro,
    > 4.2.0@1.1161-r. In /etc/sysconfig/ntpd the -A option is enabled by
    > default.


    The logical thing to do is report this to Mandriva as a bug.
    But there does not appear to be a public Bug Tracking System at
    http://www.mandriva.com/

    There are some mandrake / mandriva related Usenet (e.g.
    alt.os.linux.mandrake) and Google (e.g. Mandriva Linux) news groups.
    You may find more assistance there.

    --
    Steve Kostecke
    NTP Public Services Project - http://ntp.isc.org/

  12. Re: notrust alternative?

    >>> In article , "Richard B. Gilbert" writes:

    Richard> Some of those lines in the ntpq -p banner were stratum two and
    Richard> could have been peers. The rest were stratum three so I don't see
    Richard> how they could have been peers; don't peers have to be of equal
    Richard> strata?

    No.

    server/peer is independent of strata.

    H

  13. Re: notrust alternative?

    Harlan Stenn wrote:

    >>>>In article , "Richard B. Gilbert" writes:

    >
    >
    > Richard> Some of those lines in the ntpq -p banner were stratum two and
    > Richard> could have been peers. The rest were stratum three so I don't see
    > Richard> how they could have been peers; don't peers have to be of equal
    > Richard> strata?
    >
    > No.
    >
    > server/peer is independent of strata.
    >
    > H


    But how can the relationship be symmetric if the strata are different?
    If a stratum 2 and a stratum 3 server peered, the stratum 3 could get
    time from the stratum 2 but the stratum 2 would never take time from the
    stratum 3! I suppose there could be situations where the stratum of one
    or both was variable. . . .

  14. Re: notrust alternative?

    >But how can the relationship be symmetric if the strata are different?
    >If a stratum 2 and a stratum 3 server peered, the stratum 3 could get
    >time from the stratum 2 but the stratum 2 would never take time from the
    >stratum 3! I suppose there could be situations where the stratum of one
    >or both was variable. . . .


    The stratum of a server isn't fixed. It changes as network links
    break, servers come and go, or recursively as the stratum of a
    server/peer changes.

    --
    The suespammers.org mail server is located in California. So are all my
    other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
    commercial e-mail to my suespammers.org address or any of my other addresses.
    These are my opinions, not necessarily my employer's. I hate spam.


  15. Re: notrust alternative?

    Richard,

    A symmetric active association "peer xxx" will cause the authenticated
    peer to mobilize a symmetric passive association no matter what the
    stratum is. The selection algorithm will treat a symmetric passive
    association in the same way as client associations. If either or both of
    the symmetric associations lose or gain outside sources or each other, they
    will reconfigure as expected by the particular stratum assignments.

    I would think most configurations intended for mutual backup would use
    explicit symmetric active configurations and avoid symmetric passive as
    a fallback mode.

    Dave

    Richard B. Gilbert wrote:

    > Ronan Flood wrote:
    >
    >> "Richard B. Gilbert" wrote:
    >>
    >>
    >>> Is "symmetric passive" different from just saying, in ntp.conf:
    >>> "server sunblok iburst"? For the record, that works without
    >>> problems too!

    >>
    >>
    >>
    >> "server xxx" establishes you as a client, "peer xxx" tries to establish
    >> you as a peer. If ntp.conf on box A has "peer B" and ntp.conf on box B
    >> has "peer A", that is symmetric-active: each actively requests to peer
    >> with the other. If box A has "peer B" but box B has no reference to A,
    >> then B can either treat A as a client (usual behaviour), or in the right
    >> (or wrong!) circumstances can accept A as an unconfigured peer, and that
    >> is symmetric-passive. That seems to be what's happening with the
    >> original
    >> poster's setup, with all those extras listed in ntpq -p. Generally it is
    >> not desirable ...
    >>

    >
    > Some of those lines in the ntpq -p banner were stratum two and could
    > have been peers. The rest were stratum three so I don't see how they
    > could have been peers; don't peers have to be of equal strata?
    >


  16. Re: notrust alternative?

    I reported this to Mandriva as a bug. Their bug tracking system is located at http://qa.mandriva.com. The bug is #27079,
    http://qa.mandriva.com/show_bug.cgi?id=27079.

    Hopefully they will get it taken care of as it seems like a pretty significant security issue to me after having this discussion.

    Dennis

    "Steve Kostecke" wrote in message news:slrnekv7ka.mft.kostecke@stasis.kostecke.net...
    | On 2006-11-06, Dennis Hilberg Jr wrote:
    |
    | > That was my problem all along. My server is Mandriva 2007 Free,
    | > and I'm using the version of ntp that is included with the distro,
    | > 4.2.0@1.1161-r. In /etc/sysconfig/ntpd the -A option is enabled by
    | > default.
    |
    | The logical thing to do is report this to Mandriva as a bug.
    | But there does not appear to be a public Bug Tracking System at
    | http://www.mandriva.com/
    |
    | There are some mandrake / mandriva related Usenet (e.g.
    | alt.os.linux.mandrake) and Google (e.g. Mandriva Linux) news groups.
    | You may find more assistance there.
    |
    | --
    | Steve Kostecke
    | NTP Public Services Project - http://ntp.isc.org/



  17. Re: notrust alternative?

    I have seen behavior identical to what Dennis described with a
    pre-built Solaris 8 version of the 4.2.0@1.1161-r daemon that is
    available from Community Software (CSW), http://www.blastwave.org/ if
    you're interested. I have "restrict default nopeer" configured. With
    authorization disabled, all of the systems on our network that peered
    my server showed up in its ntpq -p output. With authorization enabled,
    only the systems I had configured on that server showed up. I plopped
    a version 4.2.2p3@1.1577-o daemon that was built from the official
    source, disabled authorization and it behaved normally, no additional
    spurious output from ntpq -p. Something peculiar with 4.2.0@1.1161-r?

    Regardless, this was enough to steer me away from anything pre-built
    and back to the genuine article.

    Bill McGovern
    General Dynamics


  18. Re: notrust alternative?

    Bill,

    In your network the clients should be using server, not peer, unless
    they intend to mobilize a symmetric association. However, without
    notrust they get served anyway, but an association is not mobilized. I
    did that for the original Windows XP client that was using symmetric
    active mode in error. It's hard to figure out how the dominos should
    fall under all kinds of misconfigured clients.

    Dave

    ntplist@gmail.com wrote:
    > I have seen behavior identical to what Dennis described with a
    > pre-built Solaris 8 version of the 4.2.0@1.1161-r daemon that is
    > available from Community Software (CSW), http://www.blastwave.org/ if
    > you're interested. I have "restrict default nopeer" configured. With
    > authorization disabled, all of the systems on our network that peered
    > my server showed up in its ntpq -p output. With authorization enabled,
    > only the systems I had configured on that server showed up. I plopped
    > a version 4.2.2p3@1.1577-o daemon that was built from the official
    > source, disabled authorization and it behaved normally, no additional
    > spurious output from ntpq -p. Something peculiar with 4.2.0@1.1161-r?
    >
    > Regardless, this was enough to steer me away from anything pre-built
    > and back to the genuine article.
    >
    > Bill McGovern
    > General Dynamics
    >


  19. Re: notrust alternative?

    Dave,

    Yes, the clients should definitely have been configured with server
    statements, but config files were simply copied in this case; cleanup
    is imminent. My point was to illustrate that with "restrict default
    nopeer" and "disable auth" configured on the server, there is a
    difference in behavior between a built-from-source 4.2.2p3 daemon and
    these (questionable heritage) prebuilt 4.2.0 daemons (CSW and
    Mandrake).

    Bill

    David L. Mills wrote:

    > Bill,
    >
    > In your network the clients should be using server, not peer, unless
    > they intend to mobilize a symmetric association. However, without
    > notrust they get served anyway, but an association is not mobilized. I
    > did that for the original Windows XP client that was using symmetric
    > active mode in error. It's hard to figure out how the dominos should
    > fall under all kinds of misconfigured clients.
    >
    > Dave


