Re: [chrony-dev] Traffic amplification with chrony commands

> From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>

> chronyc doesn't know in advance if the command is restricted or not,
> so it would have to try it first and when "not authorized" is received
> from chronyd, it would try it again with password. I guess that could
> work.

That method is used all the time in SIP (Session Initiation Protocol,
the IETF VoIP protocol), and doesn't cause any problems.

> Should that be only with the -a option, or drop -a and do it always?

The mode of operation that you need to be careful to support is when
chronyd is being executed in a script, and the script has access to
the proper authentication key, but doesn't know in advance whether
this particular command will need to be authenticated or not.

Dale
