Bug 2170 - Default /etc/ntp.conf permits easy remote control of XNTPD
Product: Red Hat Raw Hide
Classification: Retired
Component: xntp3
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jeff Johnson
Keywords: Security
Reported: 1999-04-13 17:11 EDT by Chris Siebenmann
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 1999-04-14 20:21:54 EDT
Description Chris Siebenmann 1999-04-13 17:11:11 EDT
The default /etc/ntp.conf specifies a key file and key
IDs for all three sorts of keys; the default key file
contains default/sample keys. The net effect is that an
NTP server started without commenting out this section
of the ntp.conf file will allow anyone on the Internet
who knows the default /etc/ntp/keys contents -- i.e. most
everyone who can read an RPM file somehow -- to perform
remote control of the NTP daemon. This allows anyone on
the Internet to control the local clock (delete all the
configured peers, add a set of peers under your control
that feeds the target system bogus time), among other

I strongly urge Red Hat not to ship an /etc/ntp.conf
with keys enabled. With the requestkey, controlkey,
and trustedkey statements commented out, the daemon
will not allow this remote control. (I would suggest
commenting out the line that specifies a key file too.)
I'd also suggest a strong comment in both files that one
should NOT use the default values, so people aren't
tempted to just uncomment things and run that way.
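
A defensive check for the condition described in the report above, as an added example that is not part of the original bug report or of the xntp3 package: a POSIX shell function that lists every uncommented `keys`, `trustedkey`, `requestkey` or `controlkey` statement in an ntp.conf. The function names, the two sample files and the key ID 65535 are constructed for illustration; only the statement names and the /etc/ntp/keys path come from the report.

```shell
# active_key_directives FILE
# Prints "LINE: statement" for each uncommented keys, trustedkey, requestkey
# or controlkey statement ("#" starts a comment that runs to end of line).
active_key_directives() {
    awk '
        { sub(/#.*/, "") }
        $1 ~ /^(keys|trustedkey|requestkey|controlkey)$/ {
            $1 = $1                      # collapse runs of whitespace
            printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# audit_ntp_conf FILE
# Returns 0 if no such statement is active, 1 (with a report) otherwise.
audit_ntp_conf() {
    hits=$(active_key_directives "$1")
    if [ -z "$hits" ]; then
        echo "$1: no key statements active"
        return 0
    fi
    echo "$1: key statements active, check that the key file holds no default keys:"
    echo "$hits" | sed 's/^/    /'
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed sample: key section left enabled (key ID 65535 is made up).
cat > "$tmp/shipped.conf" <<'EOF'
server 127.127.1.0      # local clock
keys /etc/ntp/keys
trustedkey 65535
requestkey 65535
controlkey 65535
EOF

# Constructed sample: the same section commented out, as the report suggests.
cat > "$tmp/hardened.conf" <<'EOF'
server 127.127.1.0      # local clock
#keys /etc/ntp/keys
#trustedkey 65535
#requestkey 65535
#controlkey 65535
EOF

for f in "$tmp/shipped.conf" "$tmp/hardened.conf"; do
    audit_ntp_conf "$f" || true
done
```

On a real host, pass the path of the installed configuration file to `audit_ntp_conf` and treat a non-zero return as a finding to review.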
Comment 1 Cristian Gafton 1999-04-14 20:21:59 EDT
