Bug 139673 - RFE: prepare crypto-operations
Summary: RFE: prepare crypto-operations
Alias: None
Product: Fedora
Classification: Fedora
Component: ntp (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Brian Brock
Keywords: FutureFeature
Depends On: 249288
TreeView+ depends on / blocked
Reported: 2004-11-17 12:33 UTC by Enrico Scholz
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-06 15:25:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Enrico Scholz 2004-11-17 12:33:02 UTC
Description of problem:

ntp supports authentication of servers. The package could do something
to make the setup easier:

1. create a keysdir, e.g. under /etc/ntp/crypto. Add this to ntp.conf
   (a) 'keysdir /etc/ntp/crypto', or
   (b) configure it the default path (preferred); this path is currently
       /usr/local/etc (accordingly doc)

2. handle the '.rnd' file which is required for the crypto operation;
   this file must be read- and writable by ntpd. It is searched at
   $HOME/.rnd or $RANDFILE.  Unfortunately, $HOME is /etc/ntp which is
   a really bad place for writable files, so:
   (a) define $RANDFILE in the initscripts, or
   (b) change the user's homedirectory, or
   (c) add 'crypto randfile <location>' to ntp.conf

   A good place for .rnd might be /var/lib/ntp or a subdirectory there
   (might be needed because of SELinux labeling).

3. Add

   | crypto

   to ntp.conf

Users will have to create the keys himself, e.g. with

| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen -T'

on the server, and

| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen'

on the clients. There exist other methods for handling groups of
server also. See 'keygen.html' in the ntp-docs for details.

These change will require some SELinux changes also:

* a new ntpd_keyfile_t and ntpd_rndfile_t type
* a corresponding labeling of the crypto-dir and .rnd file
* adapted permissions

Comment 1 Miroslav Lichvar 2007-09-06 15:25:47 UTC
Implemented in ntp-4.2.4p2-2.fc8.

Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.