Bug 641800 - RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets
Summary: RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ntp
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 947781
Reported: 2010-10-11 06:20 UTC by Nelson Bolyard
Modified: 2013-11-22 19:09 UTC (History)

Fixed In Version: ntp-4.2.6p5-1.el6
Doc Type: Enhancement
Doc Text:
Feature: Support for authentication with symmetric keys using SHA1 instead of MD5.
Reason: MD5 is not considered secure anymore.
Result (if any): SHA1 keys can be generated by ntp-keygen and can be configured in /etc/ntp/keys
Clone Of:
Environment:
Last Closed: 2013-11-21 09:48:16 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1593 0 normal SHIPPED_LIVE ntp bug fix and enhancement update 2013-11-20 21:39:27 UTC

Description Nelson Bolyard 2010-10-11 06:20:57 UTC
Description of problem:  
RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets.
Instead it supports only MD5 authentication.
MD5 is not a FIPS-140 approved algorithm.  SHA1 is.
SHA1 authentication is found in all the stable releases from ntp.org.
So, all that is required is to update RHEL ntpd to a current ntp.org release.

Version-Release number of selected component (if applicable):
Any and all to date.

How reproducible:
100%

Steps to Reproduce:
1.  Create an ntp key file containing SHA1 shared secrets
2.  Tell ntpd to use it
3.  Watch ntpd report unsupported key type
  
Actual results:
ntpd reports unsupported key type

Expected results:
ntpd handles SHA1 authentication secret without complaint.

Additional info:

Sample SHA1 key file contents are as follows:

11 SHA1 0ef60b47dbd02a720b733aecc9f02de9bec0b2d5  # SHA1 key
12 SHA1 138460338334f6c446de0bf3ea1ddb11800ef9aa  # SHA1 key
13 SHA1 2bb07cccb097a6bc050fa8b6adc70e7adab22cb8  # SHA1 key
14 SHA1 5d621fc257ecb0e07e4310412ada749183915d3e  # SHA1 key
15 SHA1 63c790dbb5b0075743ad421ba02255f44c5c2944  # SHA1 key
16 SHA1 62256590c22ca7e16aea0d7eb764484e9eda6ac6  # SHA1 key
17 SHA1 9a807a7912b0ac5c23220223425960995cd9a4bc  # SHA1 key
18 SHA1 2eab5f09b830d5375239559b3ff62472f633551a  # SHA1 key
19 SHA1 64a7a92b270b806f0971286ce280da68792885d2  # SHA1 key
20 SHA1 91c57e44791b08ee489d4e1191087939d111e696  # SHA1 key

I am a contributor to the ntp project in the area of secure ntp 
(find my name in the various files for current releases) and will 
be happy to answer any questions.
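
The key-file layout quoted above and the packet authentication it drives, as an added example that is not part of the report or of ntpd's code: it parses entries of the form "<key id> <type> <key>", builds the MAC as the 4-byte key ID followed by hash(key || packet), and lists key IDs still on MD5. The key values, the packet and the function names are constructed; treating secrets longer than 20 characters as hex-encoded is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed sample in the layout quoted in the report: "<id> <type> <key>".
SAMPLE_KEYS = """\
1  M    constructedAsciiKey                       # MD5 key (made up)
11 SHA1 00112233445566778899aabbccddeeff00112233  # SHA1 key (made up)
"""
PACKET = bytes([0x23]) + bytes(47)  # constructed 48-byte NTP header (v4, client)
DIGESTS = {"M": "md5", "MD5": "md5", "SHA1": "sha1"}  # key type -> hashlib name


def parse_keys(text):
    """Return {key_id: (digest_name, key_bytes)} for each entry line."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line or comment-only line
        key_id, ktype, secret = int(fields[0]), fields[1].upper(), fields[2]
        if ktype not in DIGESTS:
            raise ValueError(f"unsupported key type {ktype!r} for key {key_id}")
        # Assumption: secrets longer than 20 characters are hex-encoded
        # (like the 40-digit sample keys); shorter ones are raw ASCII.
        raw = bytes.fromhex(secret) if len(secret) > 20 else secret.encode("ascii")
        keys[key_id] = (DIGESTS[ktype], raw)
    return keys


def make_mac(keys, key_id, packet):
    """MAC appended to the packet: 4-byte key ID + H(key || packet)."""
    algo, key = keys[key_id]
    return struct.pack("!I", key_id) + hashlib.new(algo, key + packet).digest()


def verify(keys, packet, mac):
    """Recompute the digest with the key the MAC names; constant-time compare."""
    if len(mac) < 4:
        return False
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False
    return hmac.compare_digest(make_mac(keys, key_id, packet), mac)


def weak_key_ids(keys):
    """Key IDs still using MD5, the algorithm the report asks to move off."""
    return sorted(k for k, (algo, _) in keys.items() if algo == "md5")
```

A SHA1 MAC is 24 bytes on the wire (4-byte key ID plus 20-byte digest) against 20 bytes for MD5, so both peers must hold the same key ID with the same type.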

Comment 1 Nelson Bolyard 2010-10-11 06:26:11 UTC
(Marked as high severity because this is a security issue.)

Comment 3 RHEL Program Management 2011-01-07 15:46:03 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 4 RHEL Program Management 2011-07-06 00:21:37 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 6 Suzanne Logcher 2012-02-14 23:04:04 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 11 errata-xmlrpc 2013-11-21 09:48:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1593.html

