[Bug 217691] net/chrony: add nss option + other cleanups

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Mar 27 17:09:25 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691

--- Comment #3 from John Hein <z7dr6ut7gs at snkmail.com> ---
Regarding MD5, I haven't looked into its usage in chrony to see how safe or
unsafe it is to use.  In some cases like the MD5 flavor of HMAC, MD5 is coupled
with an additional private key which makes the MD5 weaknesses much less
important.  Similarly MD5 + salt (as in /etc/passwd) with lots of iterations
isn't as weak as a single MD5 pass.  But I haven't looked at chrony to see
exactly how it uses MD5.  But, yes, even with other crypto sprinkled in, MD5 is
weaker, partially because it's less collision resistant and partially because
it's a fast algorithm (which makes it somewhat easier to use brute force
techniques), although a key generated with good entropy will mitigate that.

Anyway, I don't have a problem leaving a user with only MD5.  If that's what
fits their use case, that's fine.

I'd feel better leaving NSS on by default, but I haven't done enough analysis
to feel strongly.  If someone digs into the chrony code a bit to see how it
uses MD5, that would help inform the decision better.

Either way, the user should understand the implications of the different
options.  As port maintainer, you can just make the call.  Lots of people use
unauthenticated ntp, so the crypto users will likely be in the minority and are
more likely to be the ones who will investigate their options.  Having it be an
option is the most important first step.  Tweaking the default setting can be
done later.
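The distinction the comment draws (a bare MD5 digest versus MD5 used inside a keyed construction such as HMAC, with a key drawn from good entropy) is easy to see in code. The following is an added illustration, not chrony's code and not a claim about how chrony actually builds its NTP authenticators (the comment itself says that has not been checked); it uses the Python standard library's HMAC-MD5 over a constructed payload, and `SAMPLE_MESSAGE`, `generate_key`, `recomputable_without_key` and `demo` are names made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample payload standing in for an NTP packet body. It is not a
# real chrony/NTP packet layout, just bytes that need authenticating.
SAMPLE_MESSAGE = b"constructed NTP-like payload: origin=1490634565 xmit=1490634566"


def generate_key(nbits: int = 128) -> bytes:
    """Draw a key from the OS CSPRNG. 128 random bits is what makes a
    brute-force search over keys infeasible even though MD5 itself is fast;
    a short human-chosen key would not give that margin."""
    return secrets.token_bytes(nbits // 8)


def unkeyed_md5(message: bytes) -> bytes:
    """Bare MD5 over the message: no secret is involved, so anyone able to
    alter the message can also recompute a matching digest."""
    return hashlib.md5(message).digest()


def hmac_md5_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5: the RFC 2104 keyed construction with MD5 as the inner hash.
    Without the key, neither collisions nor speed help in producing a tag."""
    return hmac.new(key, message, hashlib.md5).digest()


def verify_hmac_md5(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak tag bytes via timing."""
    return hmac.compare_digest(hmac_md5_tag(key, message), tag)


def recomputable_without_key(message: bytes, tag: bytes) -> bool:
    """What a party holding only the message (no key) can check: whether a
    bare MD5 of the message reproduces the tag. True means the tag carried
    no authentication at all."""
    return hmac.compare_digest(unkeyed_md5(message), tag)


def demo() -> dict:
    """Run the comparison and return the outcomes as booleans."""
    key = generate_key()
    tampered = SAMPLE_MESSAGE.replace(b"xmit=1490634566", b"xmit=1490634599")
    good_tag = hmac_md5_tag(key, SAMPLE_MESSAGE)
    bare_digest = unkeyed_md5(SAMPLE_MESSAGE)
    return {
        "hmac_accepts_original": verify_hmac_md5(key, SAMPLE_MESSAGE, good_tag),
        "hmac_rejects_tampered": not verify_hmac_md5(key, tampered, good_tag),
        "hmac_rejects_other_key": not verify_hmac_md5(generate_key(), SAMPLE_MESSAGE, good_tag),
        "hmac_tag_recomputable_without_key": recomputable_without_key(SAMPLE_MESSAGE, good_tag),
        "bare_md5_recomputable_without_key": recomputable_without_key(SAMPLE_MESSAGE, bare_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` are the point of the comment: a bare MD5 digest is reproducible by anyone holding the message, while the HMAC tag is not, and the remaining risk then rests on the key's entropy rather than on MD5's collision resistance.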
