kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]

Roland Mainz roland.mainz at nrubsig.org
Mon Jul 9 00:35:41 PDT 2007


"Shawn M. Emery" wrote:
> Michael Hunter wrote:
> > On Mon, 09 Jul 2007 01:11:59 +0200
> > Roland Mainz <roland.mainz at nrubsig.org> wrote:
> >
> >> James Carlson wrote:
> >>
> >>> Wyllys Ingersoll writes:
> >>>
> >>>> -t: configure a simple broadcast/multicast NTP client
> >>>>
> >>> Why is this part of kclient?  Though having a tool to administer NTP
> >>> clients would probably be helpful (and having it tied into something
> >>> like DHCP and thus automatic would be much more helpful still), it
> >>> seems out of place here.
> >>>
> >> Ugh... since when is it recommended to mix untrusted services like DHCP
> >> with Kerberos5?
> >>
> > [...]
> >
> > This says to configure a client which uses broadcast/multicast for
> > NTP.  How is the attack vector of breaching DHCP different from
> > breaching broadcast/multicast NTP?
> >
> > How would you expect different NTP administrative mechanisms to
> > arbitrate control of the NTP configuration?  time-admin(1) is one such
> > thing which currently exists.  NWAM will want to also be able to do
> > this in the future.
> 
> Perhaps -t could have an argument that contains a list of NTP servers.
> If a list is not provided then it reverts to configuring the client for
> broadcast/multicast.

... or "kclient" could check whether the "ntp" client service is running
(and working) on the current machine and refuse to work if there is no
ntp service active (unless a specific option (like --no-ntp-needed) is
provided (this may be required for systems (like Solaris running as a
VMware or XEN guest OS) where other mechanisms do the time
synchronisation work)) ... that may be much easier and keep both items
(NTP vs. Kerberos5) separate...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
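
The check proposed in the message above, sketched as an added example (not part of the original mail and not kclient's own code). It assumes Solaris SMF state lines in the format of `svcs -H -o state,fmri`, assumes the NTP service FMRI is `svc:/network/ntp:default`, and treats `--no-ntp-needed` as the hypothetical option named in the mail; it tests only that the service is running, not that the clock is actually synchronised.

```shell
#!/bin/sh
# Added example: refuse Kerberos client setup unless NTP is online,
# with an explicit override for hosts that get their time elsewhere.

NTP_FMRI="svc:/network/ntp:default"   # assumed FMRI of the NTP service

# ntp_state: read "STATE FMRI" lines on stdin (svcs -H -o state,fmri
# format) and print the state of the NTP service, or "absent".
ntp_state() {
    awk -v fmri="$NTP_FMRI" '$2 == fmri { print $1; found = 1 }
        END { if (!found) print "absent" }'
}

# ntp_preflight STATE [--no-ntp-needed]
# Returns 0 if setup may proceed, 1 if it should refuse.
ntp_preflight() {
    state=$1; override=${2:-}
    case "$state" in
        online) return 0 ;;
    esac
    if [ "$override" = "--no-ntp-needed" ]; then
        # Hypothetical override: hypervisor or other mechanism keeps time.
        echo "warning: NTP is $state; time sync assumed external" >&2
        return 0
    fi
    echo "error: NTP is $state; refusing to configure Kerberos client" >&2
    return 1
}

# Constructed samples of svcs output, so the example runs offline.
SAMPLE_ONLINE="online svc:/network/ntp:default"
SAMPLE_DISABLED="disabled svc:/network/ntp:default
online svc:/network/ssh:default"

# On a live system the state would come from:
#   svcs -H -o state,fmri | ntp_state
```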


