Bug 2170 - Default /etc/ntp.conf permits easy remote control of XNTPD
Summary: Default /etc/ntp.conf permits easy remote control of XNTPD
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: xntp3
Version: 1.0
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
Keywords: Security
Reported: 1999-04-13 21:11 UTC by Chris Siebenmann
Modified: 2008-05-01 15:37 UTC (History)
Doc Type: Bug Fix
Last Closed: 1999-04-15 00:21:54 UTC
Description Chris Siebenmann 1999-04-13 21:11:11 UTC
The default /etc/ntp.conf specifies a key file and key
IDs for all three sorts of keys; the default key file
contains default/sample keys. The net effect is that an
NTP server started without commenting out this section
of the ntp.conf file will allow anyone on the Internet
who knows the default /etc/ntp/keys contents -- i.e. most
everyone who can read an RPM file somehow -- to perform
remote control of the NTP daemon. This allows anyone on
the Internet to control the local clock (delete all the
configured peers, add a set of peers under your control
that feeds the target system bogus time), among other
things.

I strongly urge RedHat not to ship an /etc/ntp.conf
with keys enabled. With the requestkey, controlkey,
and trustedkey statements commented out, the daemon
will not allow this remote control. (I would suggest
commenting out the line that specifies a key file too.)
I'd also suggest a strong comment in both files that one
should NOT use the default values, so people aren't
tempted to just uncomment things and run that way.

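The exposure described in the report, as an added example that is not part of the original bug or of the Red Hat package: a small Python audit that parses an ntp.conf in xntp3/ntpd syntax, shows the weak configuration beside the hardened one the reporter asks for, and reports which key IDs give remote control. The config strings, the key file path /etc/ntp/keys, the key IDs 1, 2, 3 and the key values are constructed placeholders, not the shipped files. It treats a request/control key as usable only when it is also listed under trustedkey and present in the key file, which is how ntpd resolves these statements.

```python
"""Audit an ntp.conf (xntp3/ntpd syntax) for keyed remote control.

Constructed example: none of these strings are the files shipped in the
package; they only reproduce the shape the bug report describes.
"""

# Constructed stand-in for a default ntp.conf with the key statements left
# active. Key IDs and the key file path are assumptions for illustration.
VULNERABLE_CONF = """\
server 127.127.1.0            # local clock as a fallback reference
keys /etc/ntp/keys            # key file that still holds the sample keys
trustedkey 1 2 3
requestkey 1                  # ntpdc runtime-configuration requests
controlkey 2                  # ntpq mode 6 control messages
"""

# The same file with the four key statements commented out, as the report
# recommends; the comment is the warning it asks for.
HARDENED_CONF = """\
server 127.127.1.0
# Do NOT uncomment the key statements below with the sample keys from the
# package. Generate site-specific keys first.
#keys /etc/ntp/keys
#trustedkey 1 2 3
#requestkey 1
#controlkey 2
"""

# Constructed key file; the values are placeholders, not the shipped sample keys.
SHIPPED_KEYFILE = """\
# sample keys (placeholder values for this example)
1 M sample_key_one
2 M sample_key_two
3 M sample_key_three
"""


def _strip_comment(raw):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def parse_ntp_conf(text):
    """Map each directive to a list of its argument lists, skipping comments and blanks.

    Only plain integer key lists are handled (no '(1 ... 3)' ranges).
    """
    directives = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def parse_keyfile(text):
    """Map key ID -> (type, value) from an ntp.keys-style file."""
    keys = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        key_id, key_type, value = line.split(None, 2)
        keys[int(key_id)] = (key_type, value)
    return keys


def remote_control_keys(conf_text, keys):
    """Key IDs that authenticate ntpdc/ntpq control and are usable as configured.

    A key only works if it is named by requestkey or controlkey, listed in
    trustedkey, and present in the loaded key file. A non-empty result means
    anyone holding the key file contents can reconfigure the daemon remotely.
    """
    d = parse_ntp_conf(conf_text)
    if "keys" not in d:
        return set()  # no key file loaded: nothing to authenticate with
    trusted = {int(k) for args in d.get("trustedkey", []) for k in args}
    control = {int(args[0]) for args in d.get("requestkey", []) + d.get("controlkey", [])}
    return {k for k in control if k in trusted and k in keys}


def keys_shared_with_shipped(site_keys, shipped_keys):
    """Key IDs whose (type, value) equals a shipped sample key, i.e. publicly known."""
    return {k for k, v in site_keys.items() if shipped_keys.get(k) == v}


if __name__ == "__main__":
    shipped = parse_keyfile(SHIPPED_KEYFILE)
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        exposed = remote_control_keys(conf, shipped)
        public = keys_shared_with_shipped(shipped, shipped) & exposed
        print(f"{name}: control keys {sorted(exposed) or 'none'}, "
              f"of which publicly known: {sorted(public) or 'none'}")
```

Run it against a real /etc/ntp.conf and /etc/ntp/keys by reading the files into the two parse functions; an empty result from remote_control_keys means the daemon will refuse keyed ntpdc/ntpq requests, which is the state the report asks the default to ship in. Keys that keys_shared_with_shipped flags should be regenerated before any of the key statements are re-enabled.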
Comment 1 Cristian Gafton 1999-04-15 00:21:59 UTC
Done