ntpd vulnerabilities

Brett Glass brett at lariat.org
Mon Dec 22 23:23:47 UTC 2014


At 11:52 AM 12/22/2014, Chris Nehren wrote:

>Heartbleed, more than any other vulnerability in recent memory,
>showed us users on the outside of the Project just how much
>effort is involved in patching the base system (thank you, again,
>DES, for being patient and explaining all the details!). Because
>of this, I am reticent to support more software going into the
>base system.

I understand your concern! Frankly, both ntpd and OpenNTPD have more
functionality than ought to be in the base system. The daemon in the
base system probably should only query trusted servers for the time,
as securely as possible, rather than also being a server itself.

Within my own network, I have used cron and ntpdate (even though it's
officially deprecated) on most of the clients, querying a couple of
trusted local time servers. I've then armored those servers -- which
do query the outside world -- as much as possible against abuse, with
very restrictive security settings and stateful firewall rules for
good measure. This is a super-lightweight approach from the clients'
point of view; it takes up as little CPU and memory as possible
on them. But it obviously has some drawbacks; in particular, it doesn't
continuously correct the clocks but makes them jump at particular
times of day.

Ultimately, I'd love to see the whole world go to PKI-based digital
signatures on responses to time queries. With the crypto accelerators
that are now being built into many CPUs, this will probably become
practical... IF one can trust the hardware not to have security
holes or backdoors. Which is, of course, a big "if."

--Brett Glass
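An added example, not part of the original message and not code from ntpd, OpenNTPD or FreeBSD: a query-only SNTP client in Python showing the checks a client can apply when it only asks trusted servers for the time and never serves time itself. The function names, the sample reply and the 192.0.2.x address are constructed for illustration; the checks follow the client sanity checks described in RFC 4330.

```python
import os
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_request():
    """Return (packet, nonce): a 48-byte client-mode request (LI=0, VN=4, Mode=3)."""
    nonce = os.urandom(8)  # random transmit timestamp; the server echoes it as "origin"
    return bytes([0x23]) + bytes(39) + nonce, nonce

def validate_reply(data, source_ip, nonce, trusted):
    """Return Unix time from a reply, or raise ValueError naming the failed check."""
    if source_ip not in trusted:
        raise ValueError("reply from untrusted source")
    if len(data) < 48:
        raise ValueError("short packet")
    li, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if li == 3 or not 1 <= stratum <= 15:  # stratum 0 is a kiss-o'-death packet
        raise ValueError("server unsynchronized")
    if data[24:32] != nonce:  # blocks off-path spoofing and replayed replies
        raise ValueError("origin timestamp mismatch")
    secs, frac = struct.unpack("!II", data[40:48])
    if secs == 0 and frac == 0:
        raise ValueError("zero transmit timestamp")
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def query(server_ip, timeout=2.0):
    """Ask one trusted server from an ephemeral port; nothing listens on UDP 123."""
    packet, nonce = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 123))
        data, (src, _port) = s.recvfrom(512)
    return validate_reply(data, src, nonce, {server_ip})

def sample_reply(nonce, unix_time, stratum=2):
    """Constructed server reply, used only to exercise validate_reply offline."""
    header = bytes([0x24, stratum]) + bytes(22)  # LI=0, VN=4, Mode=4
    secs = unix_time + NTP_EPOCH_OFFSET
    return header + nonce + bytes(8) + struct.pack("!II", secs, 0)

if __name__ == "__main__":
    n = b"\x01" * 8
    print(validate_reply(sample_reply(n, 1419290627), "192.0.2.10", n, {"192.0.2.10"}))
```

These checks reject off-path spoofed replies but give no cryptographic authentication, so an attacker on the network path who can read the request can still forge a reply.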


