[Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

Martin Kosek mkosek at redhat.com
Tue Dec 2 11:47:59 UTC 2014


On 05/09/2014 04:09 AM, Gabe Alford wrote:
> Re-factored my second patch. :)
> 
> Gabe
> 
> 
> On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford <redhatrises at gmail.com> wrote:
> 
>> Updated patch to not run ntpdate if ntpd is running.
>>
>> Gabe
>>
>>
>>
>> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatrises at gmail.com>wrote:
>>
>>> Thanks Petr!
>>>
>>> Will rework patch to just skip ntpdate if ntpd is already running.
>>>
>>>
>>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> Hello Gabe!
>>>>
>>>>
>>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>>
>>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>>> not
>>>>> running ntpdate if ntpd was already running. I believe this patch only
>>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>>> master.
>>>>>
>>>>
>>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>>>> potential security hole because an attacker can fake NTP answers and force the
>>>> machine to rewind its clock to the past.
>>>>
>>>> This opens potential for replay attacks/re-using old compromised keys
>>>> etc.

I just noticed that
https://fedorahosted.org/freeipa/ticket/3735
has a pending patch from Gabe. David or Tomas, do we still want to go with this
approach?

IIRC, David is now working in a related area in ipa-client-install, so the patch
could be reviewed/reworked as part of his job.

Martin



