Bug 179914 - ntpd (non-root) autokey not working
Status: CLOSED DUPLICATE of bug 177052
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ntp
Version: 4.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Lichvar
Brian Brock
Reported: 2006-02-03 15:32 EST by Peter Pramberger
Modified: 2007-11-30 17:07 EST

Doc Type: Bug Fix
Last Closed: 2006-05-04 03:30:47 EDT

Attachments
attachment 124120: Example NTP config (324 bytes, application/octet-stream), 2006-02-03 15:33 EST, Peter Pramberger
attachment 124121: Directory listing of /etc/ntp (916 bytes, text/plain), 2006-02-03 15:34 EST, Peter Pramberger
attachment 124122: Log output (2.51 KB, text/plain), 2006-02-03 15:35 EST, Peter Pramberger
attachment 124123: SELinux policy extension (389 bytes, text/plain), 2006-02-03 15:35 EST, Peter Pramberger
attachment 124124: SELinux policy extension (383 bytes, text/plain), 2006-02-03 15:35 EST, Peter Pramberger
attachment 124125: Example NTP config (324 bytes, text/plain), 2006-02-03 15:36 EST, Peter Pramberger
attachment 124201: SELinux policy extension (440 bytes, text/plain), 2006-02-05 06:56 EST, Peter Pramberger
attachment 124202: New version for testing (2.30 MB, application/octet-stream), 2006-02-05 06:57 EST, Peter Pramberger
attachment 124203: Source RPM (2.37 MB, application/octet-stream), 2006-02-05 07:02 EST, Peter Pramberger

Description Peter Pramberger 2006-02-03 15:32:26 EST

Description of problem:
Activating autokey (public key authentication) in ntpd while running as non-root user (ntp) is only partially working. At this time I was only able to activate the default TC authentication scheme, while the others (at least IFF) are only working when ntpd is running as root.

To get TC working while running as user ntp I took the following steps:

1) ntpd requires a read-writable crypto seedfile for autokey. Since user ntp cannot (and should not!) read/write "/root/.rnd", I had to create a new seedfile using "openssl rand -out /var/lib/ntp/random 1024; chown ntp:ntp /var/lib/ntp/random; chmod 0600 /var/lib/ntp/random" and adapted the ntp config (see attachment). I'd suggest patching the sources to make this the default (ntpd and ntp-keygen!).

2) To make this work, the SELinux policy has to be changed (see attachment).

3) The owner of "/etc/ntp" must be exactly "ntp:ntp" (don't ask me why; maybe an internal check in ntp).

4) For easier debugging I've activated the cryptostats file. This required the creation of "/var/log/ntp" and an entry in the ntp config. The default of "statsdir" points to "/var/NTP"! I'd suggest fixing this too and integrating the log directory for ntp into the package.

5) To create the necessary certificates I had to do the following on both hosts: "cd /etc/ntp; RANDFILE=/var/lib/ntp/random ntp-keygen -T -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*"

After these steps I was able to successfully use TC to authenticate a symmetric-active mode (peer) session between two hosts.

However extending autokey to use the (enhanced) IFF scheme was not possible, both hosts remain in the .INIT. state (no errors in syslog or elsewhere). I had to execute ntpd as root to make it work.

Version-Release number of selected component (if applicable):
ntp-4.2.0.a.20040617-4

How reproducible:
Always

Steps to Reproduce:
Two hosts are required. All steps have to be done on both hosts:

1. Install the ntp rpm and the selinux policy source
2. Put the attached SELinux policy files in the source tree and recreate/install the policy
3. Put the attached ntp.conf in /etc (fix the peer address for the two hosts). "chown root:ntp /etc/ntp.conf; chmod 0640 /etc/ntp.conf"
4. "openssl rand -out /var/lib/ntp/random 1024; chown ntp:ntp /var/lib/ntp/random; chmod 0600 /var/lib/ntp/random"
5. "mkdir /var/log/ntp; chown ntp:ntp /var/log/ntp; chmod 0750 /var/log/ntp"
6. cd /etc/ntp. Make sure the directory is empty (except keys and step-tickers). "chown ntp:ntp /etc/ntp; chmod 0750 /etc/ntp"
7. "RANDFILE=/var/lib/ntp/random ntp-keygen -T -I -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*"
8. "RANDFILE=/var/lib/ntp/random ntp-keygen -e -q somepass -p somepass". Paste the output of this command in a file on the other host (name it as in the output) and create there a symlink from this file to "ntpkey_iff_thishostname". Repeat this step in the other direction too.
9. Start both ntp daemons and wait a bit.

Actual Results:  Nothing happens. The cryptostats file shows the exchange of both host certificates, but the exchange will not be completed. The IFF key for the other host will be repeatedly loaded, but both hosts remain in the .INIT. state ("ntpq -p"). Maybe you will get some opcode errors in the cryptostats file.

Expected Results:  The authentication phase should complete and both hosts should synchronize. Removing the user definition from "/etc/sysconfig/ntpd", "chown root:root /etc/ntp" and restarting ntpd shows the correct behaviour.

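The report above spells out a file layout that the non-root ntpd needs before autokey can work at all (a seedfile the ntp user can read and write, /etc/ntp owned by ntp:ntp, ntpkey_* files root:ntp 0640, a writable statsdir). The following preflight check is an added example for this page; it is not the reporter's script and not part of the ntp package. It assumes GNU coreutils stat(1), and NTP_ROOT, NTP_USER, NTP_GROUP and NTP_ADMIN are hypothetical variables (defaults "", ntp, ntp, root) so the same check can be pointed at a scratch tree. Since Comment 12 names an insufficient memory lock limit as the real cause of the IFF failure but gives no required value, the check only reports the RLIMIT_MEMLOCK soft limit instead of judging it.

```shell
#!/bin/sh
# Preflight check for running ntpd with autokey as an unprivileged user.
# Added example, not the reporter's script and not part of the ntp package.
# It encodes the layout the report found necessary: a seedfile owned by the
# ntp user, /etc/ntp owned by ntp:ntp, ntpkey_* files root:ntp 0640, and a
# statsdir the ntp user can write. Assumes GNU coreutils stat(1).
# NTP_ROOT/NTP_USER/NTP_GROUP/NTP_ADMIN are assumed variables (defaults:
# "", ntp, ntp, root) so the check can be pointed at a scratch tree.

# check_path PATH OWNER GROUP MODE: 0 if PATH matches, 1 (with a message) if not.
check_path() {
    p="${NTP_ROOT:-}$1"
    want="$2:$3:$4"
    if [ ! -e "$p" ]; then
        echo "MISSING  $p"
        return 1
    fi
    got=$(stat -c '%U:%G:%a' "$p") || return 1
    if [ "$got" != "$want" ]; then
        echo "BAD      $p is $got, want $want"
        return 1
    fi
    echo "ok       $p ($got)"
    return 0
}

# check_keys: every ntpkey_* file in /etc/ntp must be ADMIN:GROUP 0640,
# and at least one must exist (the report's "chown root:ntp; chmod 0640").
check_keys() {
    dir="${NTP_ROOT:-}/etc/ntp"
    krc=0
    n=0
    for f in "$dir"/ntpkey_*; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        check_path "${f#"${NTP_ROOT:-}"}" "${NTP_ADMIN:-root}" "${NTP_GROUP:-ntp}" 640 || krc=1
    done
    if [ "$n" -eq 0 ]; then
        echo "MISSING  no ntpkey_* files in $dir"
        krc=1
    fi
    return $krc
}

# ntp_autokey_preflight: run all checks; returns 0 only if every one passes.
ntp_autokey_preflight() {
    u="${NTP_USER:-ntp}"; g="${NTP_GROUP:-ntp}"; a="${NTP_ADMIN:-root}"
    rc=0
    check_path /var/lib/ntp/random "$u" "$g" 600 || rc=1   # seedfile (step 1 / 4)
    check_path /etc/ntp            "$u" "$g" 750 || rc=1   # key directory (step 3 / 6)
    check_path /etc/ntp.conf       "$a" "$g" 640 || rc=1   # config (step 3)
    check_path /var/log/ntp        "$u" "$g" 750 || rc=1   # statsdir (step 4 / 5)
    check_keys || rc=1
    # Comment 12 blames an insufficient memory lock limit; the report gives no
    # required value, so only show the soft limit ntpd would inherit.
    echo "info     RLIMIT_MEMLOCK soft limit: $(ulimit -l 2>/dev/null || echo unknown)"
    return $rc
}
```

Run it as the user that starts ntpd (so `ulimit -l` reflects the limit the daemon inherits); a non-zero exit means at least one of the paths the report depends on is missing or has the wrong owner or mode, and the message names which one.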
Comment 1 Peter Pramberger 2006-02-03 15:33:44 EST
Created attachment 124120 [details]
Example NTP config
Comment 2 Peter Pramberger 2006-02-03 15:34:43 EST
Created attachment 124121 [details]
Directory listing of /etc/ntp
Comment 3 Peter Pramberger 2006-02-03 15:35:08 EST
Created attachment 124122 [details]
Log output
Comment 4 Peter Pramberger 2006-02-03 15:35:36 EST
Created attachment 124123 [details]
SELinux policy extension
Comment 5 Peter Pramberger 2006-02-03 15:35:55 EST
Created attachment 124124 [details]
SELinux policy extension
Comment 6 Peter Pramberger 2006-02-03 15:36:13 EST
Created attachment 124125 [details]
Example NTP config
Comment 7 Peter Pramberger 2006-02-04 10:09:16 EST
Steps 7 and 8 in "Steps to Reproduce" are wrong. The correct procedure is:

7. On the first host run "RANDFILE=/var/lib/ntp/random ntp-keygen -T -I -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*". Copy the resulting ntpkey_IFFpar* file to "/etc/ntp" on the second host.
8. On the second host link the copied file to "ntpkey_iff_hostname2" and then run "RANDFILE=/var/lib/ntp/random ntp-keygen -T -q somepass -p somepass; chown root:ntp ntpkey_*; chmod 0640 ntpkey_*".
Comment 8 Peter Pramberger 2006-02-05 06:54:01 EST
It seems this has been fixed in some version after stable-20040617; I've tested with stable-20060127, and it works running as non-root.
Comment 9 Peter Pramberger 2006-02-05 06:56:04 EST
Created attachment 124201 [details]
SELinux policy extension
Comment 10 Peter Pramberger 2006-02-05 06:57:33 EST
Created attachment 124202 [details]
New version for testing
Comment 11 Peter Pramberger 2006-02-05 07:02:11 EST
Created attachment 124203 [details]
Source RPM
Comment 12 Miroslav Lichvar 2006-05-04 03:30:47 EDT
Thanks for the extensive description. The problem is caused by a memory lock limit, which is insufficient. Fix for that is planned for the upcoming RHEL update. Closing as duplicate.

*** This bug has been marked as a duplicate of 177052 ***