Bug 62238 - default configuration is insecure
Summary: default configuration is insecure
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.3
Hardware: i386
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 61901
Reported: 2002-03-28 19:01 UTC by Brent Fox
Modified: 2007-03-27 03:52 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-04-02 08:47:08 UTC
Embargoed:



Description Brent Fox 2002-03-28 19:01:04 UTC
The default configuration file for ntp.conf has:

authenticate  no

This allows regular users to change the remote timeserver.  We should change the
default to:

authenticate  yes

Comment 1 Benjamin Shrom 2002-03-28 19:12:42 UTC
Please, don't forget ia64 :-)

Comment 2 Harald Hoyer 2002-04-02 08:47:04 UTC
Or that one:

# Prohibit general access to this service.
restrict default ignore

# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict time.stuttgart.redhat.com noquery nomodify notrap

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
# restrict 127.0.0.1
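
Added example (not part of the bug report or the ntp package): a small Python audit for the two settings discussed above. It flags `authenticate no` and a missing `restrict default` line, and checks that each `server` has its own active `restrict` entry when the default is `ignore`, because the default rule otherwise drops that server's replies as well. The sample configs and addresses are constructed, and matching is by exact address string only.

```python
# Constructed sample configs for illustration; addresses are documentation ranges.
WEAK = """\
server 192.0.2.10
authenticate no
"""
TEMPLATE = """\
server 192.0.2.10
authenticate yes
restrict default ignore
# restrict 192.0.2.10 noquery nomodify notrap
# restrict 127.0.0.1
"""

def active_directives(text):
    """Yield (line_number, tokens) for lines that are not blank or commented out."""
    for number, line in enumerate(text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield number, tokens

def audit_ntp_conf(text):
    """Return findings for the settings discussed in this bug report."""
    findings, servers, restricted, default_flags = [], [], set(), None
    for number, tokens in active_directives(text):
        keyword, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if keyword == "authenticate" and args[:1] == ["no"]:
            findings.append(f"line {number}: authenticate no")
        elif keyword == "server" and args:
            servers.append(args[0])
        elif keyword == "restrict" and args:
            if args[0] == "default":
                default_flags = set(args[1:])
            else:
                restricted.add(args[0])
    if default_flags is None:
        findings.append("no active 'restrict default' line")
    elif "ignore" in default_flags:
        # Assumption: exact string match only; 'mask' ranges are not expanded.
        for host in servers:
            if host not in restricted:
                findings.append(f"server {host} has no restrict line under default ignore")
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("TEMPLATE", TEMPLATE)):
        print(name, audit_ntp_conf(conf))
```
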



Comment 3 Harald Hoyer 2002-04-02 15:46:35 UTC
ntp-4.1.0b-6

Comment 4 Benjamin Shrom 2002-06-28 21:37:41 UTC
There is a new NTP package in RH7.3.

What about 7.2?

It's still a security bug.

