kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]

Roland Mainz roland.mainz at nrubsig.org
Mon Jul 9 00:30:00 PDT 2007


Michael Hunter wrote:
> On Mon, 09 Jul 2007 01:11:59 +0200
> Roland Mainz <roland.mainz at nrubsig.org> wrote:
> > James Carlson wrote:
> > > Wyllys Ingersoll writes:
> > > > -t: configure a simple broadcast/multicast NTP client
> > >
> > > Why is this part of kclient?  Though having a tool to administer NTP
> > > clients would probably be helpful (and having it tied into something
> > > like DHCP and thus automatic would be much more helpful still), it
> > > seems out of place here.
> >
> > Ugh... since when is it recommended to mix untrusted services like DHCP
> > with Kerberos5 ?
> [...]
> 
> This says to configure a client which uses broadcast/multicast for
> NTP.

Urgh...

> How is the attack vector of breaching DHCP different from
> breaching broadcast/multicast NTP?

It isn't much different except that people may spend more time in
securing the DHCP server (assuming they use DHCP... for example we avoid
it for the core servers and most of the other stuff unless it's really
not important if the students or someone else take the affected
computers down with their "games"...) than spending time in securing the
NTP server (e.g. they don't expect a DOS attack using this path).
However broadcast/multicast is IMO the wrong method unless you both
"own" the network (e.g. you have 100% control over who adds machines (usually
"open" environments like universities don't have full control)) and
deploy NTP authentication (we used a different solution - we use fixed
IP addresses for the core server machines which provide
Kerberos5/NIS+/LDAP/NTP/SMTP/etc. services, configured all manageable
switches to make sure the IP address matches the EthernetID of the
server and use NTP auth. for those clients who support it. It's not
perfect but survived the last years in our environment...).

> How would you expect different NTP administrative mechanisms to
> arbitrate control of the NTP configuration? 

Erm... what do you mean ?

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)

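The two client setups contrasted in the message above, written out as an ntpd configuration (added illustration, not part of the original thread or of the kclient proposal; the server addresses, key id and key file contents are constructed placeholders):

```conf
# /etc/inet/ntp.conf -- added example, not from the original thread.
# 192.0.2.10 / 192.0.2.11 and key id 1 are placeholders.

# Weak: take time from whatever host broadcasts on the segment.
# Anyone who can send on the LAN can steer the clock, and Kerberos5
# ticket validation depends on client/KDC clock skew staying small.
#broadcastclient
#multicastclient 224.0.1.1

# Preferred: fixed server addresses, each exchange authenticated
# with a shared symmetric key from the keys file.
server 192.0.2.10 key 1
server 192.0.2.11 key 1
keys /etc/inet/ntp.keys
trustedkey 1

# Drop unsolicited packets; only the configured servers may talk to us,
# and even they may not modify state or run control queries.
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.11 nomodify notrap noquery
```

The keys file referenced by `keys` holds one line per key id, e.g. `1 M <shared-secret>` (constructed placeholder), and the same id and secret must be present on the server; keep it mode 0600 and root-owned. Unauthenticated broadcast reception is what the `-t` option in the proposal would set up, so the commented-out lines are the weak configuration and the `server ... key` lines the one the message recommends.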


More information about the opensolaris-arc mailing list