Bug 139673 - RFE: prepare crypto-operations
RFE: prepare crypto-operations
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ntp (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Lichvar
Brian Brock
: FutureFeature
Depends On: 249288
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-17 07:33 EST by Enrico Scholz
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-06 11:25:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Enrico Scholz 2004-11-17 07:33:02 EST
Description of problem:

ntp supports authentication of servers. The package could do something
to make the setup easier:

1. create a keysdir, e.g. under /etc/ntp/crypto. Add this to ntp.conf
   as
   (a) 'keysdir /etc/ntp/crypto', or
   (b) configure it the default path (preferred); this path is currently
       /usr/local/etc (accordingly doc)

2. handle the '.rnd' file which is required for the crypto operation;
   this file must be read- and writable by ntpd. It is searched at
   $HOME/.rnd or $RANDFILE.  Unfortunately, $HOME is /etc/ntp which is
   a really bad place for writable files, so:
   (a) define $RANDFILE in the initscripts, or
   (b) change the user's homedirectory, or
   (c) add 'crypto randfile <location>' to ntp.conf

   A good place for .rnd might be /var/lib/ntp or a subdirectory there
   (might be needed because of SELinux labeling).

3. Add

   | crypto

   to ntp.conf



Users will have to create the keys himself, e.g. with

| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen -T'

on the server, and

| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen'

on the clients. There exist other methods for handling groups of
server also. See 'keygen.html' in the ntp-docs for details.



These change will require some SELinux changes also:

* a new ntpd_keyfile_t and ntpd_rndfile_t type
* a corresponding labeling of the crypto-dir and .rnd file
* adapted permissions
Comment 1 Miroslav Lichvar 2007-09-06 11:25:47 EDT
Implemented in ntp-4.2.4p2-2.fc8.

Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.