[pkg-ntp-maintainers] Bug#562065: Bug#562065: ntp server didn't support mssntp

Matthieu Patou mat at matws.net
Tue Dec 22 20:29:24 UTC 2009


On 22/12/2009 22:25, Kurt Roeckx wrote:
> On Tue, Dec 22, 2009 at 09:53:00PM +0300, Matthieu Patou wrote:
>> On 22/12/2009 20:53, Kurt Roeckx wrote:
>>> On Tue, Dec 22, 2009 at 02:33:54PM +0300, Matthieu Patou wrote:
>>>> Subject: ntp server didn't support mssntp
>>>> Package: ntp
>>>> Version: 4.2.4p4+dfsg-8lenny3
>>>> Severity: wishlist
>>>> Tags: patch
>>>
>>> You tagged it patch, but you don't provide any patch?
>> No good excuse, but I was missing a category saying that the patch
>> is already in the upstream source.
>>>
>>>> Current version of ntp in debian does not support MS SNTP extension.
>>> [...]
>>>> Version 4.2.6 of ntp (released on 12/12/09) now includes patches for
>>>> allowing this extension but must be compiled specifically with the
>>>> option --enable-ntp-signd to effectively build this extension.
>>>
>>> So this is a wishlist bug asking for a new upstream version
>>> with that configure option?  Any idea why this isn't on by default?
>> See the talk in this bug
>> https://support.ntp.org/bugs/show_bug.cgi?id=1405. Basically I'll
>> say that Ph. D. Mills is a bit overcautious as he doesn't want ntp to
>> be blamed for an admin that activated this option and gets flooded.
>> It's in fact the same problem as refclock that has to be explicitly
>> activated during configure if you want to have it (as debian does).
>>
>>
>> I am not of course willing to make debian user run a risk when using
>> the new version of ntp with this extension. So it must be noted that
>> even if the extension is built in the ntp server it must be opted in
>> to start to work. This piece of code protects the emission to the
>> signed socket:
>>
>>    if (flags & RES_MSSNTP) {
>>      send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
>>      return;
>>    }
>>
>> If no restrict is defined or if it didn't match the user ip address
>> then the send_via_ntp_signd is not called.
>> It's obvious that any publicly available server shouldn't have this
>> activated.
>
> As I understand David L. Mills, it always opens a TCP socket
> independent of the configuration file, and that that can be
> used to DoS the server.  If that's not the case I see no
> problem with enabling this by default.
>
I'm sorry to put it this way, but David L. Mills was wrong on this.
The patch never used a TCP socket but a unix socket. And since the
initial patch the code has been reworked to be wrapped in a test that
avoids trying to open the unix socket unless the requester has been
allowed to do so in the configuration.

It's this piece of code that checks and, if allowed, opens the signd socket.
     if (flags & RES_MSSNTP) {
       send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
       return;
     }


Matthieu.
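
Added example, not part of the original message and not ntpd's own code: a simplified C model of the opt-in gating discussed in this thread, showing that the signing path is reached only when the restrict entry matching the requester carries the mssntp flag. The table layout, the helper names, the most-specific-mask matching rule and the numeric value given to RES_MSSNTP are assumptions made for this model; the addresses are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RES_MSSNTP 0x1000u   /* bit value chosen for this model only */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One "restrict <addr> mask <mask> [flags]" line (IPv4, host byte order). */
struct restrict_entry { uint32_t addr, mask; unsigned flags; };

/* Flags of the most specific entry covering src; 0 when nothing matches,
 * so a server with no matching restrict line never gets the mssntp bit. */
static unsigned restrict_flags(const struct restrict_entry *tab, size_t n,
                               uint32_t src)
{
    const struct restrict_entry *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if ((src & tab[i].mask) != (tab[i].addr & tab[i].mask))
            continue;                       /* entry does not cover src */
        if (best == NULL || tab[i].mask > best->mask)
            best = &tab[i];                 /* longer mask wins */
    }
    return best ? best->flags : 0;
}

/* Same shape as the guard quoted in the thread: 1 means the reply would be
 * handed to the signing daemon, 0 means the signd socket is never touched. */
static int would_call_signd(const struct restrict_entry *tab, size_t n,
                            uint32_t src)
{
    return (restrict_flags(tab, n, src) & RES_MSSNTP) != 0;
}

/* Constructed policy: mssntp granted to one internal subnet only. */
static const struct restrict_entry scoped[] = {
    { IP(0, 0, 0, 0),     IP(0, 0, 0, 0),       0 },          /* default */
    { IP(192, 168, 1, 0), IP(255, 255, 255, 0), RES_MSSNTP }, /* internal */
};
/* Constructed policy a publicly reachable server should not carry. */
static const struct restrict_entry open_default[] = {
    { IP(0, 0, 0, 0), IP(0, 0, 0, 0), RES_MSSNTP },
};

int main(void)
{
    printf("scoped, internal client: %d\n", would_call_signd(scoped, 2, IP(192, 168, 1, 20)));
    printf("scoped, external client: %d\n", would_call_signd(scoped, 2, IP(203, 0, 113, 7)));
    printf("open default, external:  %d\n", would_call_signd(open_default, 1, IP(203, 0, 113, 7)));
    return 0;
}
```
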




