Bug 641800

Summary: RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets
Product: Red Hat Enterprise Linux 6
Reporter: Nelson Bolyard <nelson>
Component: ntp
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: high
Priority: low
Version: 6.1
CC: azelinka, kdube, ohudlick, rrelyea, rvokal, sgrubb
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: ntp-4.2.6p5-1.el6
Doc Type: Enhancement
Doc Text:
Feature: Support for authentication with symmetric keys using SHA1 instead of MD5.
Reason: MD5 is not considered secure anymore.
Result (if any): SHA1 keys can be generated by ntp-keygen and can be configured in /etc/ntp/keys
Last Closed: 2013-11-21 09:48:16 UTC
Bug Blocks: 947781

Description Nelson Bolyard 2010-10-11 06:20:57 UTC
Description of problem:  
RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets.
Instead it supports only MD5 authentication.
MD5 is not a FIPS-140 approved algorithm.  SHA1 is.
SHA1 authentication is found in all the stable releases from ntp.org.
So, all that is required is to update RHEL ntpd to a current ntp.org release.

Version-Release number of selected component (if applicable):
Any and all to date.

How reproducible:
100%

Steps to Reproduce:
1.  Create an ntp key file containing SHA1 shared secrets
2.  Tell ntpd to use it
3.  Watch ntpd report unsupported key type
  
Actual results:
ntpd reports unsupported key type

Expected results:
ntpd handles SHA1 authentication secret without complaint.

Additional info:

Sample SHA1 key file contents are as follows:

11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5  # SHA1 key
12 SHA1 138460338334f6c446de0bf3ea1ddb11800ef9aa  # SHA1 key
13 SHA1 2bb07cccb097a6bc050fa8b6adc70e7adab22cb8  # SHA1 key
14 SHA1 5d621fc257ecb0e07e4310412ada749183915d3e  # SHA1 key
15 SHA1 63c790dbb5b0075743ad421ba02255f44c5c2944  # SHA1 key
16 SHA1 62256590c22ca7e16aea0d7eb764484e9eda6ac6  # SHA1 key
17 SHA1 9a807a7912b0ac5c23220223425960995cd9a4bc  # SHA1 key
18 SHA1 2eab5f09b830d5375239559b3ff62472f633551a  # SHA1 key
19 SHA1 64a7a92b270b806f0971286ce280da68792885d2  # SHA1 key
20 SHA1 91c57e44791b08ee489d4e1191087939d111e696  # SHA1 key

I am a contributor to the ntp project in the area of secure ntp 
(find my name in the various files for current releases) and will 
be happy to answer any questions.
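
Added example (not part of the original report and not ntp project code): a sketch of what a keys file like the sample above is used for, namely parsing the entries, computing the symmetric-key MAC on a packet, verifying it, and listing keys that are still MD5. It assumes the ntp.org layout of a 4-byte key ID followed by digest(secret || packet), and that secrets longer than 20 characters are hex-encoded; the MD5 entry and the request packet are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample: one SHA1 line from the report plus a made-up MD5 entry.
SAMPLE_KEYS = """\
# id type key
1 MD5 constructedSecret  # MD5 key (constructed)
11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5  # SHA1 key
"""

def parse_keys(text):
    """Return {key_id: (type, secret_bytes)} from ntp keys-file text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment, or malformed entry
        key_id, ktype, secret = int(fields[0]), fields[1].upper(), fields[2]
        # Assumption: secrets longer than 20 characters are hex-encoded.
        raw = bytes.fromhex(secret) if len(secret) > 20 else secret.encode("ascii")
        keys[key_id] = (ktype, raw)
    return keys

def ntp_mac(packet, key_id, ktype, secret):
    """MAC field: 4-byte key ID followed by digest(secret || packet)."""
    digest = hashlib.new(ktype.lower(), secret + packet).digest()
    return struct.pack("!I", key_id) + digest

def verify(packet_with_mac, keys, header_len=48):
    """Check a received packet against the local key table."""
    packet, mac = packet_with_mac[:header_len], packet_with_mac[header_len:]
    if len(mac) < 4:
        return False  # no MAC present: unauthenticated packet
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False  # key ID not configured locally
    ktype, secret = keys[key_id]
    return hmac.compare_digest(ntp_mac(packet, key_id, ktype, secret), mac)

def md5_key_ids(keys):
    """Key IDs still using MD5, which is not FIPS-140 approved."""
    return sorted(k for k, (t, _) in keys.items() if t == "MD5")

# Constructed 48-byte client request: LI=0, VN=4, Mode=3, all other fields zero.
REQUEST = bytes([0x23]) + bytes(47)
```

With a SHA1 key the MAC field is 24 bytes (4-byte key ID plus 20-byte digest), against 20 bytes for MD5.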

Comment 1 Nelson Bolyard 2010-10-11 06:26:11 UTC
(Marked as high severity because this is a security issue.)

Comment 3 RHEL Program Management 2011-01-07 15:46:03 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 4 RHEL Program Management 2011-07-06 00:21:37 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 6 Suzanne Logcher 2012-02-14 23:04:04 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 11 errata-xmlrpc 2013-11-21 09:48:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1593.html