[Freeipa-devel] [PATCH] Stop ntpd before running ntpdate
pspacek at redhat.com
Tue Apr 29 06:59:57 UTC 2014
On 25.4.2014 16:28, Gabe Alford wrote:
> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
> It seemed better to try to stop ntpd before running ntpdate rather than not
> running ntpdate if ntpd was already running. I believe this patch only
> applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.
IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential
security hole because an attacker can fake NTP answers and force the machine to
rewind its clock to the past.
This opens potential for replay attacks/re-using old compromised keys etc.