[pkg-ntp-maintainers] Bug#687166: Bug#687166: ntp: NTP security vulnerability because not using authentication by default

Nico Golde nion at debian.org
Tue Sep 11 10:49:09 UTC 2012


Hi,
* Ask Bjørn Hansen <ask at ntppool.org> [2012-09-11 01:01]:
> On Sep 10, 2012, at 15:07, Kurt Roeckx <kurt at roeckx.be> wrote:
> [...]
> > So my understanding of things is that even if we also had
> > a way to distribute all the public keys, you still can't
> > get it to work as you need to provide each client with
> > a secret key.
> > 
> > I think what first needs to be done is have an autokey
> > implementation that either doesn't need a private key for
> > each client but is secure or doesn't need state on the
> > server side for each client.
> 
> Indeed; I thought ntpd had a public key encryption scheme where we just need 
> the secret key on the server[1] and the public key can be general for all 
> Debian users.  (I think that's the 'autokey' scheme -- the 
> "trustedkey/requestkey" stuff is where you share a secret between client and 
> server).

That was my understanding as well. At least the documentation states:
"key pairs are used where establishing shared secrets is difficult. The 
autokey mechanism uses key pairs.".

Cheers
Nico