[Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

Gabe Alford redhatrises at gmail.com
Wed Apr 30 02:04:36 UTC 2014


Updated patch to not run ntpdate if ntpd is running.

Gabe


On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatrises at gmail.com> wrote:

> Thanks Petr!
>
> Will rework patch to just skip ntpdate if ntpd is already running.
>
>
> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspacek at redhat.com> wrote:
>
>> Hello Gabe!
>>
>>
>> On 25.4.2014 16:28, Gabe Alford wrote:
>>
>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>> not
>>> running ntpdate if ntpd was already running. I believe this patch only
>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>> master.
>>>
>>
>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>> potential security hole because an attacker can fake NTP answers and force the
>> machine to rewind its clock to the past.
>>
>> This opens potential for replay attacks/re-using old compromised keys etc.
>>
>> --
>> Petr^2 Spacek
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
>
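The two points in this thread are that a one-shot ntpdate step should be skipped when ntpd is already running, and that an unauthenticated ntpdate answer can step the clock backwards. The following shell script is an added illustration of both rules and is not the attached patch or FreeIPA's own code. It assumes `pgrep -x ntpd` is how ntpd presence is detected, that `ntpdate -q` prints lines of the form `server A, stratum S, offset O, delay D` (the sample output below is constructed), and it uses a hypothetical 300-second bound on how far backwards the step may go.

```shell
#!/bin/sh
# Added example, not the FreeIPA patch from this thread.
# Rules implemented:
#   1. never run ntpdate while ntpd is already running;
#   2. query first (ntpdate -q) and refuse an offset that would step the
#      clock backwards by more than MAX_REWIND seconds.

# ntpd_running: exit 0 when an ntpd process exists (assumption: pgrep present).
ntpd_running() {
    pgrep -x ntpd >/dev/null 2>&1
}

# largest_backward_offset: read ntpdate -q output on stdin and print the most
# negative "offset" value seen (0.000000 if none). A negative offset means the
# server believes our clock is ahead, so applying it would move the clock back.
largest_backward_offset() {
    awk 'BEGIN { min = 0 }
         {
           for (i = 1; i <= NF; i++)
             if ($i == "offset") {
               o = $(i + 1); sub(/,$/, "", o)
               if (o + 0 < min) min = o + 0
             }
         }
         END { printf "%.6f\n", min }'
}

# ntpdate_decision NTPD_STATE MAX_REWIND: NTPD_STATE is "running" or "stopped";
# ntpdate -q output is read on stdin. Prints exactly one verdict:
#   skip-ntpd-running   ntpd owns the clock, leave it alone
#   refuse-rewind       the query would move the clock back more than MAX_REWIND
#   run                 safe to apply the one-shot step
ntpdate_decision() {
    state=$1
    max_rewind=$2
    if [ "$state" = running ]; then
        echo skip-ntpd-running
        return 0
    fi
    worst=$(largest_backward_offset)
    if awk -v o="$worst" -v m="$max_rewind" 'BEGIN { exit !(o < -m) }'; then
        echo refuse-rewind
        return 1
    fi
    echo run
}

# sync_time_once SERVER: the operational wrapper around the decision logic.
sync_time_once() {
    server=$1
    state=stopped
    ntpd_running && state=running
    verdict=$(ntpdate -q "$server" 2>/dev/null | ntpdate_decision "$state" 300)
    case $verdict in
        run) ntpdate "$server" ;;
        *)   echo "not running ntpdate: $verdict" >&2; return 1 ;;
    esac
}

# Constructed sample of ntpdate -q output: the second server would pull the
# clock back by an hour, which is the rewind the thread warns about.
SAMPLE_Q_OUTPUT='server 192.0.2.10, stratum 2, offset -0.001234, delay 0.02563
server 192.0.2.11, stratum 2, offset -3600.500000, delay 0.02771
30 Apr 02:04:36 ntpdate[1234]: adjust time server 192.0.2.10 offset -0.001234 sec'

# Only touch the real system when a server is given on the command line.
if [ "$#" -gt 0 ]; then
    sync_time_once "$1"
fi
```

Run it as `sh sync.sh pool.example` on a host to exercise the real path; with no argument it only defines the functions, so the decision logic can be checked against the constructed sample without a network or root privileges.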
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0017-2-ipa-client-install-skip-running-ntpdate-if-ntpd-is-r.patch
Type: text/x-patch
Size: 2663 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140429/adc462f4/attachment.bin>
