[Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

Petr Spacek pspacek at redhat.com
Tue Apr 29 06:59:57 UTC 2014

Hello Gabe!

On 25.4.2014 16:28, Gabe Alford wrote:
>          Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
> It seemed better to try to stop ntpd before running ntpdate rather than not
> running ntpdate if ntpd was already running. I believe this patch only
> applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.

IMHO we should never stop ntpd if it is running. Plain ntpdate opens potential 
security hole because attacker can fake NTP answers and force the machine to 
rewind it's clock to the past.

This opens potential for replay attacks/re-suing old compromised keys etc.

Petr^2 Spacek

More information about the Freeipa-devel mailing list