RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
When the FIPS mode was enabled and hostnames specified in ntp.conf couldn't be resolved on start, the resolving process of ntpd is not be able to configure the main process later and it won't be using the servers for synchronization.

The problem is that ntpd uses a random MD5 key when no request key was specified in the config and MD5 is not allowed in the FIPS mode.

Version-Release number of selected component (if applicable):
ntp-4.2.6p5-25.el7_3.1.x86_64

How reproducible:
Most of the time

Steps to Reproduce:
1. enable FIPS mode
2. disable chronyd service, enable ntpd service
3. reboot

Actual results:
The "ntpq -pn" command reports that no NTP servers are used and the system log contains an "ntpd_intres[729]: MAC encrypt: digest init failed" error message.

Expected results:
ntpq -pn lists all servers specified in ntp.conf.

Additional info:

Created attachment 1271436 [details]
Use SHA1 request key by default to fix delayed name resolving in FIPS mode

With this patch ntpd will use by default a random SHA1 key instead of an MD5 key, which is still allowed in the FIPS mode.

Verified. Fixed.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0855