Bug 70557 - no server entry in /etc/ntpd.conf
no server entry in /etc/ntpd.conf
Status: CLOSED RAWHIDE
Product: Red Hat Public Beta
Classification: Retired
Component: redhat-config-date (Show other bugs)
limbo
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Brent Fox
:
: 67916 74462 78542 (view as bug list)
Depends On:
Blocks: 67218 79579
  Show dependency treegraph
 
Reported: 2002-08-02 10:20 EDT by Harald Hoyer
Modified: 2008-05-01 11:38 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-01-20 20:46:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Harald Hoyer 2002-08-02 10:20:53 EDT
$ cat /etc/ntp.conf
restrict default noquery notrust nomodify

then call redhat-config-time and add a server...
still:
$ cat /etc/ntp.conf
restrict default noquery notrust nomodify

should be:
restrict default noquery notrust nomodify
restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
server mytrustedtimeserverip

and two servers should be required
Comment 1 Brent Fox 2002-08-27 15:25:39 EDT
I've got a few questions here.

1) The user is selecting from a list of hostnames, not IP's.  The "server" line
appears to accept hostnames instead of IP's.  However, the "restrict" line
expects an IP in dotted-quad form (according to the docs at
file:///usr/share/doc/ntp-4.1.1a/accopt.htm)  Do I need to do a lookup on the
hostname to get an IP address in order to do the restrict entry?

2) Why should more than one server be required?  Things seem to work ok with
only one server specified.  I know that technically it's correct to have more
than one, but is it really necessary?  MacOS X and Windows XP seem to get by
with having only one server specified.  I think it would be really confusing to
a new user to have to select a primary and then a secondary time server.
Comment 2 Brent Fox 2002-08-27 22:54:23 EDT
I've changed the code so that a "server" line is added if one does not currently
exist, but I'm still uncertain about the "restrict" line.
Comment 3 Brent Fox 2002-08-29 14:33:30 EDT
ping?
Comment 4 Harald Hoyer 2002-09-19 03:39:08 EDT
pong... back from holidays
well, if you do not "restrict" the access, then everyone can modify your server...
Comment 5 Brent Fox 2002-10-25 11:34:38 EDT
Ok, it should be implemented in redhat-config-date-1.5.4-1 in dist-8.0.1.  It
could use some testing.
Comment 6 Brent Fox 2002-10-25 11:58:03 EDT
*** Bug 67916 has been marked as a duplicate of this bug. ***
Comment 7 Brent Fox 2002-10-25 14:25:07 EDT
*** Bug 74462 has been marked as a duplicate of this bug. ***
Comment 8 Gene Czarcinski 2002-11-25 09:37:06 EST
I have installed redhat-config-date-1.5.5-1 from rawhide.  Close but not a winner.

You now have a restrict statement but it does not work.  You plug in the
server's name such as time.nist.gov rather than its ip address such as
192.43.244.18.  The ntp code cannot current handle the name (I have submitted a
RFE to bugs@ntp.org).

Error message is written to /var/log/messages:

ntpd[15033]: getnetnum: "time.nist.gov" invalid host number, line ignored
Comment 9 Gene Czarcinski 2002-11-25 09:42:31 EST
*** Bug 78542 has been marked as a duplicate of this bug. ***
Comment 10 Gene Czarcinski 2002-11-25 10:06:50 EST
I am coming around to see that perhaps /etc/ntp.conf should ONLY use ip
addresses and have suggest so.  Perhaps /etc/init.d/ntpd should be changed to
dynamically lookup the named servers and modify the /etc/ntp.conf file when ntpd
is started.
Comment 11 Gene Czarcinski 2002-11-25 10:16:22 EST
I think I like the answer I gave in a recent email better:

> hostnames are not trustable so they are not usable for security purposes

This is an excellent point.  Perhaps redhat-config-date should bullet proof 
things better and only plug in ip addresses into /etc/ntp.conf.  The 
redhat-config-date program should lookup and display the ipaddress for the 
server specified and have the user confirm it.  Then plug in ip addresses.

Another alternative is to dynamically lookup and plug in ip addresses when 
ntpd is started.  While this is more robust in that it can respond to a 
server changing its ip address, it suffers from the risk of being spoofed.

Robustness could be handled by redhat-config-date handling more than one 
server.
Comment 12 Brent Fox 2003-01-14 00:23:16 EST
I have changed redhat-config-date to write the IP to the 'restrict' line and the
domain name to the 'server' line.  See if redhat-config-date-1.5.7-3 doesn't fix
the problem.  Please reopen if the problem persists.  

QA, please verify.
Comment 13 Jay Turner 2003-01-15 09:25:41 EST
With redhat-config-date-1.5.7-4, I'm getting the following written to
/etc/ntp.conf when setting up against clock.corp.redhat.com:

restrict 172.16.52.228 mask 255.255.255.255 nomodify notrap noquery
server clock.corp.redhat.com

So, this appears to be correct . . . least it's working!
Comment 14 Harald Hoyer 2003-01-15 09:47:55 EST
better would be:
server 172.16.52.228
Comment 15 Brent Fox 2003-01-15 16:48:40 EST
I'd rather leave it the way it is because I want the domain name to appear in
the box when the user runs the tool again.  Harald, would it be bad to leave it
the wa y it is?
Comment 16 Matthew Miller 2003-01-15 16:55:30 EST
How about putting in the hostname in a comment? And maybe a comment explaining
why the ip address must be used.
Comment 17 Chris Ricker 2003-01-15 16:59:02 EST
Brent, why not put

server 172.16.52.228

in the config file, and in r-c-date, have it reverse-resolve the IP address and
display the hostname in the dialog or better, display

hostname (ip.add.re.ss)

(though I realize space might preclude that)

?

Using IP rather than hostname in the config file is preferable from a security
stance...
Comment 18 Brent Fox 2003-01-15 17:22:33 EST
Ok, I convert it into the IP now before writing to the file, then I call
socket.gethostbyaddr(IP)[0] to get the host name.  This has the drawback of not
necessarily resolving back to the same name that you typed in if the machine
uses a hostname alias for the ntp service.  For example, if you type
'clock.corp.redhat.com', it will resolve back to kerberos.corp.redhat.com, but I
guess that's a small price to pay for security.

Please test with redhat-config-date-1.5.7-5.
Comment 19 Gene Czarcinski 2003-01-15 17:28:21 EST
And where have you put the updated package for testing by us mere mortals?
Comment 20 Brent Fox 2003-01-15 17:32:16 EST
New packages should get pushed to Rawhide every morning at 8:00 EST or something
like that.
Comment 21 Jay Turner 2003-01-20 20:46:35 EST
Fix confirmed with redhat-config-date-1.5.7-6.

Note You need to log in before you can comment on or make changes to this bug.