Bug 70557
Summary: | no server entry in /etc/ntpd.conf | |
---|---|---|---
Product: | [Retired] Red Hat Public Beta | Reporter: | Harald Hoyer <harald>
Component: | redhat-config-date | Assignee: | Brent Fox <bfox>
Status: | CLOSED RAWHIDE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | limbo | CC: | chris.ricker, gczarcinski, mattdm
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i386 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2003-01-21 01:46:35 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 67218, 79579 | |
Description
Harald Hoyer
2002-08-02 14:20:53 UTC
I've got a few questions here.

1) The user is selecting from a list of hostnames, not IP's. The "server" line appears to accept hostnames instead of IP's. However, the "restrict" line expects an IP in dotted-quad form (according to the docs at file:///usr/share/doc/ntp-4.1.1a/accopt.htm). Do I need to do a lookup on the hostname to get an IP address in order to do the restrict entry?

2) Why should more than one server be required? Things seem to work ok with only one server specified. I know that technically it's correct to have more than one, but is it really necessary? MacOS X and Windows XP seem to get by with having only one server specified. I think it would be really confusing to a new user to have to select a primary and then a secondary time server.

I've changed the code so that a "server" line is added if one does not currently exist, but I'm still uncertain about the "restrict" line.

ping?

pong... back from holidays

well, if you do not "restrict" the access, then everyone can modify your server...

Ok, it should be implemented in redhat-config-date-1.5.4-1 in dist-8.0.1. It could use some testing.

*** Bug 67916 has been marked as a duplicate of this bug. ***

*** Bug 74462 has been marked as a duplicate of this bug. ***

I have installed redhat-config-date-1.5.5-1 from rawhide. Close but not a winner. You now have a restrict statement but it does not work. You plug in the server's name such as time.nist.gov rather than its ip address such as 192.43.244.18. The ntp code cannot currently handle the name (I have submitted a RFE to bugs). Error message is written to /var/log/messages:

    ntpd[15033]: getnetnum: "time.nist.gov" invalid host number, line ignored

*** Bug 78542 has been marked as a duplicate of this bug. ***

I am coming around to see that perhaps /etc/ntp.conf should ONLY use ip addresses and have suggested so. Perhaps /etc/init.d/ntpd should be changed to dynamically lookup the named servers and modify the /etc/ntp.conf file when ntpd is started.
I think I like the answer I gave in a recent email better:
> hostnames are not trustable so they are not usable for security purposes
This is an excellent point. Perhaps redhat-config-date should bullet proof
things better and only plug in ip addresses into /etc/ntp.conf. The
redhat-config-date program should lookup and display the ipaddress for the
server specified and have the user confirm it. Then plug in ip addresses.
Another alternative is to dynamically lookup and plug in ip addresses when
ntpd is started. While this is more robust in that it can respond to a
server changing its ip address, it suffers from the risk of being spoofed.
Robustness could be handled by redhat-config-date handling more than one
server.
I have changed redhat-config-date to write the IP to the 'restrict' line and the domain name to the 'server' line. See if redhat-config-date-1.5.7-3 doesn't fix the problem. Please reopen if the problem persists. QA, please verify.

With redhat-config-date-1.5.7-4, I'm getting the following written to /etc/ntp.conf when setting up against clock.corp.redhat.com:

    restrict 172.16.52.228 mask 255.255.255.255 nomodify notrap noquery
    server clock.corp.redhat.com

So, this appears to be correct . . . least it's working!

better would be:

    server 172.16.52.228

I'd rather leave it the way it is because I want the domain name to appear in the box when the user runs the tool again. Harald, would it be bad to leave it the way it is?

How about putting in the hostname in a comment? And maybe a comment explaining why the ip address must be used.

Brent, why not put server 172.16.52.228 in the config file, and in r-c-date, have it reverse-resolve the IP address and display the hostname in the dialog or better, display hostname (ip.add.re.ss) (though I realize space might preclude that)? Using IP rather than hostname in the config file is preferable from a security stance...

Ok, I convert it into the IP now before writing to the file, then I call socket.gethostbyaddr(IP)[0] to get the host name. This has the drawback of not necessarily resolving back to the same name that you typed in if the machine uses a hostname alias for the ntp service. For example, if you type 'clock.corp.redhat.com', it will resolve back to kerberos.corp.redhat.com, but I guess that's a small price to pay for security. Please test with redhat-config-date-1.5.7-5.

And where have you put the updated package for testing by us mere mortals?

New packages should get pushed to Rawhide every morning at 8:00 EST or something like that.

Fix confirmed with redhat-config-date-1.5.7-6.
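An added example (my own Python, not redhat-config-date's code) of the two pieces this thread converges on: emitting numeric addresses on both the restrict and server lines while reverse-resolving for display, plus a checker for the two defects reported here (no server line, and a restrict line carrying a hostname that ntpd 4.1 rejects). FAKE_DNS and FAKE_RDNS are constructed stand-ins for the socket lookups so it runs offline.

```python
import ipaddress

# Constructed lookup tables so the example runs offline; a real tool would call
# socket.gethostbyname() / socket.gethostbyaddr() here instead (assumption).
FAKE_DNS = {"clock.corp.redhat.com": "172.16.52.228", "time.nist.gov": "192.43.244.18"}
FAKE_RDNS = {"172.16.52.228": "kerberos.corp.redhat.com", "192.43.244.18": "time.nist.gov"}

def resolve(host, lookup=FAKE_DNS.get):
    """Dotted-quad for host; an IPv4 literal passes through unchanged."""
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        ip = lookup(host)
        if ip is None:
            raise ValueError(f"cannot resolve {host!r}")
        return ip

def ntp_server_lines(host):
    """The 1.5.7-5 shape from the thread: numeric address on both lines, so the
    file does not depend on a DNS answer and the restrict line is never ignored."""
    ip = resolve(host)
    return [f"restrict {ip} mask 255.255.255.255 nomodify notrap noquery", f"server {ip}"]

def display_name(ip, rlookup=FAKE_RDNS.get):
    """Reverse-resolve for the dialog; may yield an alias, as the thread notes."""
    return rlookup(ip) or ip

def check_ntp_conf(text):
    """Flag the two defects this bug is about: no 'server' line, and a 'restrict'
    line whose address is a hostname (ntpd 4.1 logs 'getnetnum ... invalid host
    number, line ignored', so that restriction silently never applies)."""
    problems, has_server = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "server":
            has_server = True
        elif words[0] == "restrict" and len(words) > 1 and words[1] != "default":
            try:
                ipaddress.IPv4Address(words[1])
            except ValueError:
                problems.append(f"line {n}: restrict needs a numeric address, got {words[1]!r}")
    if not has_server:
        problems.append("no server line")
    return problems

# Constructed sample files: the broken 1.5.5-1 output and a corrected one.
BAD_CONF = "restrict default ignore\nrestrict time.nist.gov mask 255.255.255.255 nomodify notrap noquery\n"
GOOD_CONF = "restrict default ignore\n" + "\n".join(ntp_server_lines("clock.corp.redhat.com")) + "\n"
```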