Bug 641800 - RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ntp
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
Blocks: 947781
Reported: 2010-10-11 06:20 UTC by Nelson Bolyard
Modified: 2013-11-22 19:09 UTC (History)
Feature: 
Support for authentication with symmetric keys using SHA1 instead of MD5.
Reason: 
MD5 is not considered secure anymore.
Result (if any): 
SHA1 keys can be generated by ntp-keygen and can be configured in /etc/ntp/keys
Last Closed: 2013-11-21 09:48:16 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1593 normal SHIPPED_LIVE ntp bug fix and enhancement update 2013-11-20 21:39:27 UTC

Description Nelson Bolyard 2010-10-11 06:20:57 UTC
Description of problem:  
RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets.
Instead it supports only MD5 authentication.
MD5 is not a FIPS-140 approved algorithm.  SHA1 is.
SHA1 authentication is found in all the stable releases from ntp.org.
So, all that is required is to update RHEL ntpd to a current ntp.org release.

Version-Release number of selected component (if applicable):
Any and all to date.

How reproducible:
100%

Steps to Reproduce:
1.  Create an ntp key file containing SHA1 shared secrets
2.  Tell ntpd to use it
3.  Watch ntpd report unsupported key type
  
Actual results:
ntpd reports unsupported key type

Expected results:
ntpd handles SHA1 authentication secret without complaint.

Additional info:

Sample SHA1 key file contents are as follows:

11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5  # SHA1 key
12 SHA1 138460338334f6c446de0bf3ea1ddb11800ef9aa  # SHA1 key
13 SHA1 2bb07cccb097a6bc050fa8b6adc70e7adab22cb8  # SHA1 key
14 SHA1 5d621fc257ecb0e07e4310412ada749183915d3e  # SHA1 key
15 SHA1 63c790dbb5b0075743ad421ba02255f44c5c2944  # SHA1 key
16 SHA1 62256590c22ca7e16aea0d7eb764484e9eda6ac6  # SHA1 key
17 SHA1 9a807a7912b0ac5c23220223425960995cd9a4bc  # SHA1 key
18 SHA1 2eab5f09b830d5375239559b3ff62472f633551a  # SHA1 key
19 SHA1 64a7a92b270b806f0971286ce280da68792885d2  # SHA1 key
20 SHA1 91c57e44791b08ee489d4e1191087939d111e696  # SHA1 key

I am a contributor to the ntp project in the area of secure ntp 
(find my name in the various files for current releases) and will 
be happy to answer any questions.
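
Added example, not part of the original report and not ntpd's own code: a sketch of how a keys file in the format above is read and how the symmetric-key MAC is appended to and checked on an NTP packet. It assumes the MAC is digest(secret || 48-byte header) preceded by a 4-byte key ID, and that secrets longer than 20 characters are hex-encoded; the function names, the MD5 entry and the packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Two entries copied from the sample key file above, plus a constructed MD5 entry.
KEYS_TEXT = """\
11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5  # SHA1 key
12 SHA1 138460338334f6c446de0bf3ea1ddb11800ef9aa  # SHA1 key
1 M constructedpw  # constructed MD5 entry for contrast
"""
PACKET = bytes([0x23]) + bytes(47)  # constructed client request: LI=0, VN=4, mode=3
DIGESTS = {"SHA1": "sha1", "MD5": "md5", "M": "md5"}  # "M" is the legacy MD5 tag


def parse_keys(text):
    """Return {key_id: (hash_name, secret_bytes)} from ntp keys-file text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 3:
            continue
        key_id, ktype, secret = int(fields[0]), fields[1].upper(), fields[2]
        if ktype not in DIGESTS:  # mirrors the "unsupported key type" failure
            raise ValueError(f"unsupported key type {ktype!r} for key {key_id}")
        # Assumed ntpd rule: secrets longer than 20 characters are hex-encoded.
        raw = bytes.fromhex(secret) if len(secret) > 20 else secret.encode()
        keys[key_id] = (DIGESTS[ktype], raw)
    return keys


def sign(packet, key_id, keys):
    """Append key ID and digest(secret || packet) to a 48-byte NTP header."""
    algo, secret = keys[key_id]
    mac = hashlib.new(algo, secret + packet).digest()
    return packet + struct.pack("!I", key_id) + mac


def verify(message, keys):
    """Check the trailing MAC of a signed packet; False on any mismatch."""
    packet, trailer = message[:48], message[48:]
    if len(trailer) < 4:
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in keys:
        return False
    return hmac.compare_digest(sign(packet, key_id, keys), message)
```

A SHA1-authenticated packet carries a 20-byte digest (72 bytes total) where an MD5 one carries 16 (68 bytes), so both peers must agree on the key type for a given key ID.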

Comment 1 Nelson Bolyard 2010-10-11 06:26:11 UTC
(Marked as high severity because this is a security issue.)

Comment 3 RHEL Product and Program Management 2011-01-07 15:46:03 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 4 RHEL Product and Program Management 2011-07-06 00:21:37 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 6 Suzanne Yeghiayan 2012-02-14 23:04:04 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 11 errata-xmlrpc 2013-11-21 09:48:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1593.html

