| Re: [chrony-dev] Traffic amplification with chrony commands |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Traffic amplification with chrony commands
- From: worley@xxxxxxxxxxxx (Dale R. Worley)
- Date: Tue, 21 Jan 2014 17:29:49 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1390343391; bh=7/nDunN4pDJQpfRYhSGr5yv/0CfA7sN88jhsytfxvT8=; h=Received:Received:Received:Received:Date:Message-Id:From:To: Subject; b=aPQCFU+jXK45kuQLH3UDPQjEfoaiBTbg9FpEvZQW5F5CKzS1a3S3Z+zRwgeRpBCRH 2Dn1gEfF++H//F2dKKfsQUAoggUeqvFHakkRnFr5TZ2TkE87iXa2U5HmODagS3ERUi N9C00q0ANlRrgkc72YsEf6oyAgmR0FND9IKDRs0tomlZZlFVz7wS8ouw2oNS45BTrx gtbcm4XtrFuE0lk+oeLTOSp8o6MFBtfOjkionv4GoKbaI09Q4WISVpCxrwnf6WoKOH qiNIOPXdLkwvjJUWJbpA12NWhTKDIQqBC84UvDVeZfQ5Vegysxam3KnoGSwpWCIw1d t352KqT0v8dVA==
> From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
> chronyc doesn't know in advance if the command is restricted or not,
> so it would have to try it first and when "not authorized" is received
> from chronyd, it would try it again with password. I guess that could
> work.
That method is used all the time in SIP (Session Initiation Protocol,
the IETF VoIP protocol), and doesn't cause any problems.
> Should that be only with the -a option, or drop -a and do it always?
The mode of operation that you need to be careful to support is when
chronyd is being executed in a script, and the script has access to
the proper authentication key, but doesn't know in advance whether
this particular command will need to be authenticated or not.
Dale
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.