Re: [chrony-dev] Traffic amplification with chrony commands



On Tue, 21 Jan 2014, Miroslav Lichvar wrote:

> On Mon, Jan 20, 2014 at 09:51:45AM -0800, Bill Unruh wrote:
>> On Mon, 20 Jan 2014, Miroslav Lichvar wrote:
>>> Most users seem to use chronyc only locally. If they have an update of
>>> the distribution package or compile chrony from source code, they will
>>> have chronyd and chronyc updated at the same time and should have any
>>> problems with it.
>>
>> But for those users for which this would not be a problem, they would know the
>> password, since they set it up. For users who, for example use a public NTP
>> server (do you mean a public chrony ntp server since the commands AFAIK from
>> chronyc do not work for a ntpd server anyway) they will quite probably have a
>> chronyc that is incompatible with that public chrony server. Ie, precisely the
>> ones you are concerned with are the ones that the incompatibility would
>> affect.
>
> The users of a public chronyd server can update their chronyc or keep
> multiple versions if needed. If all commands suddenly required
> password, they would no longer be able to get a useful response from
> the server even if their chronyc is compatible, because they don't
> know the password.

So, you feel that it is important that others be able to query the sources no
matter where they are. Then having passwords would be an impediment.

Then your solution seems the only one, but a) it should be compatible with
current chronyds, and new chronyd should demand that the command actually have
the longer length. But that would mean we break compatibility with all older
versions. Do we issue a security fix for older versions?





--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/
