Red Hat Bugzilla – Bug 139673
RFE: prepare crypto-operations
Last modified: 2007-11-30 17:10:54 EST
Description of problem:
ntp supports authentication of servers. The package could do something
to make the setup easier:
1. create a keysdir, e.g. under /etc/ntp/crypto. Add this to ntp.conf
(a) 'keysdir /etc/ntp/crypto', or
(b) configure it the default path (preferred); this path is currently
/usr/local/etc (accordingly doc)
2. handle the '.rnd' file which is required for the crypto operation;
this file must be read- and writable by ntpd. It is searched at
$HOME/.rnd or $RANDFILE. Unfortunately, $HOME is /etc/ntp which is
a really bad place for writable files, so:
(a) define $RANDFILE in the initscripts, or
(b) change the user's homedirectory, or
(c) add 'crypto randfile <location>' to ntp.conf
A good place for .rnd might be /var/lib/ntp or a subdirectory there
(might be needed because of SELinux labeling).
Users will have to create the keys himself, e.g. with
| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen -T'
on the server, and
| cd /etc/ntp/crypto && su ntpd -c 'ntp-keygen'
on the clients. There exist other methods for handling groups of
server also. See 'keygen.html' in the ntp-docs for details.
These change will require some SELinux changes also:
* a new ntpd_keyfile_t and ntpd_rndfile_t type
* a corresponding labeling of the crypto-dir and .rnd file
* adapted permissions
Implemented in ntp-4.2.4p2-2.fc8.
Thanks for the report.