[pkg-ntp-maintainers] Bug#687166: ntp: NTP security vulnerability because not using authentication by default

Ask Bjørn Hansen ask at ntppool.org
Mon Sep 10 22:57:54 UTC 2012


On Sep 10, 2012, at 15:07, Kurt Roeckx <kurt at roeckx.be> wrote:

> I'm not sure Debian wants to run ntp.debian.org.  We would need to
> ask people to donate resources for that, and the pool project
> already exists for that.

Indeed!  Sorry I wasn't clear.  The NTP Pool system can work on other domains than pool.ntp.org, so with a few NS pointers *.ntp.debian.org could be the NTP Pool but only including hosts configured and monitored "to the debian specifications" (including autokey etc as appropriate).

Then the pool system can still do the monitoring, automatically update DNS, point clients to "nearby" servers, etc.

[...]
> So my understanding of things is that even if we also had
> a way to distribute all the public keys, you still can't
> get it to work as you need to provide each client with
> a secret key.
> 
> I think what first needs to be done is have an autokey
> implementation that either doesn't need a private key for
> each client but is secure or doesn't need state on the
> server side for each client.

Indeed; I thought ntpd had a public key encryption scheme where we just need the secret key on the server[1] and the public key can be general for all Debian users.  (I think that's the 'autokey' scheme -- the "trustedkey/requestkey" stuff is where you share a secret between client and server).


Ask

[1] But those servers obviously have to be run by especially trusted people as they need to know the secret and be okay with the increased resource requirements etc.  I figure in the Debian community you could find/pick a few dozen servers suitable for that which likely would be enough.
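As an added illustration (not part of this thread, and not Debian's or the NTP Pool's configuration), the symmetric-key "trustedkey" setup the message refers to, which is what forces the same secret onto every client; the hostname, key id and key value are constructed placeholders:

```text
# /etc/ntp/ntp.keys, identical on the server AND on every client (constructed)
# format: <key id> <digest type> <secret>; a SHA1 entry is 40 hex characters
# (ntp-keygen -M writes files in this format)
1 SHA1 2f9ec3a74c1b0d8e5f61a2b3c4d5e6f708192a3b

# /etc/ntp.conf on the server (constructed)
keys /etc/ntp/ntp.keys
trustedkey 1
# requestkey/controlkey only protect ntpdc/ntpq runtime requests,
# they are not what authenticates time packets from clients
requestkey 1
controlkey 1

# /etc/ntp.conf on each client (constructed)
keys /etc/ntp/ntp.keys
trustedkey 1
# "key 1" makes the client sign its requests and verify the server's
# replies with key id 1; a server without that secret is rejected
server ntp1.example.org key 1 iburst
```

Because the key file holds the secret itself rather than a public key, publishing it to all users would let anyone forge authenticated replies, which is the distribution problem discussed above.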
