Bug 62238 - default configuration is insecure
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.3
Hardware: i386 Linux
Priority: high Severity: medium
Assigned To: Harald Hoyer
QA Contact: Brian Brock
Keywords: Security
Blocks: 61901
Reported: 2002-03-28 14:01 EST by Brent Fox
Modified: 2007-03-26 23:52 EDT
Doc Type: Bug Fix
Last Closed: 2002-04-02 03:47:08 EST


Description Brent Fox 2002-03-28 14:01:04 EST
The default configuration file for ntp.conf has:

authenticate  no

This allows regular users to change the remote timeserver.  We should change the
default to:

authenticate  yes
Comment 1 Benjamin Shrom 2002-03-28 14:12:42 EST
Please don't forget ia64 :-)
Comment 2 Harald Hoyer 2002-04-02 03:47:04 EST
Or that one:

# Prohibit general access to this service.
restrict default ignore

# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict time.stuttgart.redhat.com noquery nomodify notrap

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
# restrict 127.0.0.1
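
A small audit of the two settings discussed in this report, as an added example (not part of the original bug thread or the ntp package): it flags an explicit `authenticate no` and `restrict` entries that do not block runtime modification. The function name `audit_ntp_conf` and both sample files are constructed for illustration.

```python
# Constructed sample inputs (not taken from a real host): a file with the
# setting the report flags, and one using the lines proposed in the thread.
WEAK_CONF = """\
server 127.127.1.0
authenticate  no
"""
HARDENED_CONF = """\
# Prohibit general access to this service.
restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1
authenticate  yes
"""

LOOPBACK = ("127.0.0.1", "::1")

def audit_ntp_conf(text):
    """Return (line_no, message) findings; line_no 0 means file-level."""
    findings = []
    default_flags = None            # flags seen on 'restrict default', if any
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()    # drop comments, tokenize
        if not words:
            continue
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "authenticate" and args[:1] == ["no"]:
            findings.append((no, "authenticate no (the setting this report flags)"))
        elif key == "restrict" and args:
            flags = set(args[1:])   # also holds 'mask <netmask>', which is harmless
            if args[0] == "default":
                default_flags = flags
            elif args[0] not in LOOPBACK and not flags & {"ignore", "nomodify"}:
                findings.append((no, f"restrict {args[0]}: nomodify not set"))
    if default_flags is None:
        findings.append((0, "no 'restrict default' line: no default access restriction"))
    elif not default_flags & {"ignore", "nomodify"}:
        findings.append((0, "'restrict default' does not block modification"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```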

Comment 3 Harald Hoyer 2002-04-02 10:46:35 EST
ntp-4.1.0b-6
Comment 4 Benjamin Shrom 2002-06-28 17:37:41 EDT
There is a new NTP package in RH7.3.

What about 7.2?

It's still a security bug.
