Bug 179914

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.7.12) Gecko/20050915

Description of problem:
Activating autokey (public key authentication) in ntpd while running as non-root user (ntp) is only partially working. At this time I was only able to activate the default TC authentication scheme, while the others (at least IFF) is only working when ntpd is running as root.

To get TC working while running as user ntp I took the following steps:

1) ntpd requires a read-writable crypto seedfile for autokey. Since user ntp cannot (and should not!) read/write "/root/.rnd", I had to create a new seedfile using "openssl rand -out /var/lib/ntp/random 1024; chown ntp:ntp /var/lib/ntp/random; chmod 0600 /var/lib/ntp/random" and adapted the ntp config (see attachment). I'd suggest to patch the sources to make this the default (ntpd and ntp-keygen!).

2) To make this work, the SELinux policy has to be changed (see attachment).

3) The owner of "/etc/ntp" must be exactly "ntp:ntp" (don't ask me why; maybe an internal check in ntp).

4) For easier debugging I've activated the cryptostats file. This required the creation of "/var/log/ntp" and an entry in the ntp config. The default of "statsdir" points to "/var/NTP"! I'd suggest to fix this too and integrate the logdir for ntp in the package.

5) To create the neccessary certificates I had to do the following on both hosts: "cd /etc/ntp; RANDFILE=/var/lib/ntp/random ntp-keygen -T -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*"

After this steps I was able to successfully use TC to authenticate a symmetric-active mode (peer) session between to hosts.

However extending autokey to use the (enhanced) IFF scheme was not possible, both hosts remain in the .INIT. state (no errors in syslog or elsewhere). I had to execute ntpd as root to make it work.

Version-Release number of selected component (if applicable):
ntp-4.2.0.a.20040617-4

How reproducible:
Always

Steps to Reproduce:
Two hosts are required. All steps have to be done on both hosts:

1. Install the ntp rpm and the selinux policy source
2. Put the attached SELinux policy files in the source tree and recreate/install the policy
3. Put the attached ntp.conf in /etc (fix the peer address for the two hosts). "chown root:ntp /etc/ntp.conf; chmod 0640 /etc/ntp.conf"
4. "openssl rand -out /var/lib/ntp/random 1024; chown ntp:ntp /var/lib/ntp/random; chmod 0600 /var/lib/ntp/random"
5. "mkdir /var/log/ntp; chown ntp:ntp /var/log/ntp; chmod 0750 /var/log/ntp"
6. cd /etc/ntp. Make sure the directory is empty (except keys and step-tickers). "chown ntp:ntp /etc/ntp; chmod 0750 /etc/ntp"
7. "RANDFILE=/var/lib/ntp/random ntp-keygen -T -I -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*"
8. "RANDFILE=/var/lib/ntp/random ntp-keygen -e -q somepass -p somepass". Paste the output of this command in a file on the other host (name it as in the output) and create there a symlink from this file to "ntpkey_iff_thishostname". Repeat this step in the other direction too.
9. Start both ntp daemons and wait a bit.

Actual Results:  Nothing happens. The cryptostats file shows the exchange of both host certificates, but the exchange will not be completed. The IFF key for the other host will be repeatedly loaded, but both hosts remain in the .INIT. state ("ntpq -p"). Maybe you will get some opcode errors in the cryptostats file.

Expected Results:  The authentication phase should complete and both hosts should synchronize. Removing the user definition from "/etc/sysconfig/ntpd", "chown root:root /etc/ntp" and restarting ntpd shows the correct behaviour.

Additional info: