Support for authentication with symmetric keys using SHA1 instead of MD5.
MD5 is not considered secure anymore.
Result (if any):
SHA1 keys can be generated by ntp-keygen and can be configured in /etc/ntp/keys
Description of problem:
RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets.
Instead it supports only MD5 authentication.
MD5 is not a FIPS-140 approved algorithm. SHA1 is.
SHA1 authentication is found in all the stable releases from ntp.org.
So, all that is required is to update RHEL ntpd to a current ntp.org release.
Version-Release number of selected component (if applicable):
Any and all to date.
Steps to Reproduce:
1. Create an ntp key file containing SHA1 shared secrets
2. Tell ntpd to use it
3. Watch ntpd report unsupported key type
Actual results:
ntpd reports unsupported key type
Expected results:
ntpd handles SHA1 authentication secret without complaint.
Sample SHA1 key file contents are as follows:
11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5 # SHA1 key
12 SHA1 138460338334f6c446de0bf3ea1ddb11800ef9aa # SHA1 key
13 SHA1 2bb07cccb097a6bc050fa8b6adc70e7adab22cb8 # SHA1 key
14 SHA1 5d621fc257ecb0e07e4310412ada749183915d3e # SHA1 key
15 SHA1 63c790dbb5b0075743ad421ba02255f44c5c2944 # SHA1 key
16 SHA1 62256590c22ca7e16aea0d7eb764484e9eda6ac6 # SHA1 key
17 SHA1 9a807a7912b0ac5c23220223425960995cd9a4bc # SHA1 key
18 SHA1 2eab5f09b830d5375239559b3ff62472f633551a # SHA1 key
19 SHA1 64a7a92b270b806f0971286ce280da68792885d2 # SHA1 key
20 SHA1 91c57e44791b08ee489d4e1191087939d111e696 # SHA1 key
I am a contributor to the ntp project in the area of secure ntp
(find my name in the various files for current releases) and will
be happy to answer any questions.
(Marked as high severity because this is a security issue.)
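An added example, not part of the original report and not ntp project code: a small audit of a keys file in the "keyid type secret" layout shown in the sample above, flagging MD5 entries and SHA1 secrets that are not 40 hex digits. The sample input is constructed, and treating "M" as the older spelling of the MD5 key type is an assumption based on older ntp.org documentation.

```python
import re

SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")   # 160-bit secret written as 40 hex digits

# Constructed sample input; these are not real secrets.
SAMPLE = """\
# constructed sample keys file (not real secrets)
1 MD5 examplepassword # legacy key
11 SHA1 0123456789abcdef0123456789abcdef01234567 # well formed
12 SHA1 deadbeef # too short
11 SHA1 89abcdef0123456789abcdef0123456789abcdef # reused id
"""

def audit_keys(text):
    """Audit ntp keys-file text; return a list of (line_no, key_id, finding)."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop the trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or not re.fullmatch(r"[0-9]+", fields[0]):
            findings.append((line_no, None, "malformed line"))
            continue
        key_id, key_type, secret = int(fields[0]), fields[1], fields[2]
        if key_id in seen:                       # two secrets under one id is a config error
            findings.append((line_no, key_id, "duplicate key id"))
        seen.add(key_id)
        if key_type in ("MD5", "M"):             # "M": assumed older spelling of MD5
            findings.append((line_no, key_id, "MD5 key, not FIPS-140 approved"))
        elif key_type == "SHA1":
            if not SHA1_HEX.fullmatch(secret):
                findings.append((line_no, key_id, "SHA1 secret is not 40 hex digits"))
        else:
            findings.append((line_no, key_id, "unrecognised key type " + key_type))
    return findings

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE):
        print(finding)
```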
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.