kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]
Roland Mainz
roland.mainz at nrubsig.org
Sun Jul 8 22:47:50 PDT 2007
"Shawn M. Emery" wrote:
> James Carlson wrote:
> > Wyllys Ingersoll writes:
> >
> >> -t: configure a simple broadcast/multicast NTP client
> >>
> >
> > Why is this part of kclient? Though having a tool to administer NTP
> > clients would probably be helpful (and having it tied into something
> > like DHCP and thus automatic would be much more helpful still), it
> > seems out of place here.
>
> As Roland, et al., have mentioned, the Kerberos client could fail to
> authenticate given clock skew with KDCs. So there is a dependency and
> the administrator may not have control over the network's DHCP servers.
Erm, slightly off-topic: Killing or taking over is one of the "classical"
DoS attacks against networks which use Kerberos5 or NIS+ for
authentication. The Kerberos5 (or NIS+) servers/replicas are usually
heavily protected (firewall, separate room, armed guard, komodo dragons
etc.) but the machines which run the NTP server are usually not that
well protected. Take down the NTP server and fill the network with your
own NTP packets and the whole network becomes unusable (because no
machine/user/service can get auth tickets anymore).
Or short: The NTP service is _important_ for authentication services
like Kerberos5 or NIS+ and using "untrusted" services like DHCP to
distribute the information for these servers is DANGEROUS. IMO no tool
(including "kclient"/"kserver") should include options which configure a
"trusted" service (like Kerberos5) with an "untrusted" service like DHCP
as basis.
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)