Bug 479972 - ntpd reveals kernel version on server system
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ntp
Version: 5.2
Hardware: i686 Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Miroslav Lichvar
QA Contact: BaseOS QE
Reported: 2009-01-14 06:00 EST by Peder Strand
Modified: 2009-01-14 08:08 EST
Doc Type: Bug Fix
Last Closed: 2009-01-14 08:08:43 EST

Description Peder Strand 2009-01-14 06:00:31 EST
Description of problem:
If you are allowing other systems to synchronize time from an ntpd timeserver you also automatically give away ntpd server version and the exact kernel version of your server system.

ntp-4.2.2p1-8.el5
Seems to be the same on Fedora, Redhat 4 and 5.

Steps to Reproduce:
ntpq -c readvar your.ntp.server

gives 

...
version="ntpd 4.2.2p1@1.1570-o
processor="i686", system="Linux/2.6.18-92.1.22.el5", leap=00,
...

There should be a way to turn this behaviour off, or have it turned off permanently.
Comment 1 Miroslav Lichvar 2009-01-14 06:18:21 EST
This can be configured by adding noquery keyword to the restrict command. The default ntp.conf has it included in default restrict, so this shouldn't be a problem:

restrict default kod nomodify notrap nopeer noquery

Maybe you have more restrict commands specified in ntp.conf that allow the clients to query the server?
Comment 2 Peder Strand 2009-01-14 07:32:03 EST
If the noquery option is used then it's no timeserver anymore.

The problem is that if you allow other hosts to synchronize time you must give away the system information too.

This behaviour seems to be compiled into the daemon and cannot be turned off.

It's not good to have the kernel patchlevel on the timeservers accessible for everyone.

One way to solve it might be a patch applied in the ntp source rpm, preventing this information from being sent to the remote server.
Comment 3 Miroslav Lichvar 2009-01-14 08:08:43 EST
No, noquery just denies ntpq and ntpdc queries. See the ntp_acc(5) manpage or documentation in /usr/share/doc/ntp-*.

The default ntp.conf denies the queries and doesn't block serving time.
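
The distinction drawn in comments 1 and 3, as an added example that is not part of the bug report or of ntp itself: a small auditor that reads restrict lines and reports, per client address, whether ntpd would answer ntpq/ntpdc queries (the source of the version and kernel strings) and whether it would still serve time. The function names and the two extra lines in SAMPLE_CONF are hypothetical; it assumes numeric addresses and that the most specific matching restrict entry decides.

```python
import ipaddress

# Constructed sample: the default line quoted in comment 1, plus two
# hypothetical extra restrict lines of the kind that comment asks about.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every restrict line in ntp.conf text."""
    entries = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        v6 = "-6" in tok
        tok = [t for t in tok[1:] if t not in ("-4", "-6")]
        if not tok:
            continue
        addr, rest = tok[0], tok[1:]
        if rest[:1] == ["mask"] and len(rest) > 1:
            addr, rest = f"{addr}/{rest[1]}", rest[2:]
        if addr == "default":
            addr = "::/0" if v6 else "0.0.0.0/0"
        entries.append((ipaddress.ip_network(addr, strict=False), set(rest)))
    return entries

def effective_flags(conf, client):
    """Flags of the most specific restrict entry covering the client address."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, flags) for net, flags in parse_restrict(conf)
            if net.version == ip.version and ip in net]
    # With no matching entry, ntpd's implicit default carries no flags.
    return max(hits, key=lambda h: h[0])[1] if hits else set()

def access(conf, client):
    """noquery blocks only ntpq/ntpdc; noserve blocks only time; ignore blocks both."""
    flags = effective_flags(conf, client)
    dropped = "ignore" in flags
    return {"queries_answered": not dropped and "noquery" not in flags,
            "time_served": not dropped and "noserve" not in flags}
```

Any address for which `queries_answered` is true can run the `ntpq -c readvar` from the description and read the `version` and `system` variables.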
