Re: [chrony-dev] Traffic amplification with chrony commands



On Fri, 17 Jan 2014, John Hasler wrote:

> Miroslav Lichvar writes:
>> Hm, that's an interesting idea, to require password for all commands
>> if it's not from localhost and keep it as it is for localhost. It
>> wouldn't break compatibility and most of the users probably wouldn't
>> even notice it.
>
> That's the best idea yet.  I always ssh to my other machines to run
> chronyc anyway.

Another possibility, if this is implemented, is to allow root passwordless
access from the local machine. Mind you, I am not sure how one could reliably
decide that some request really was from root locally rather than from someone
else. I guess if root runs chronyc it could automatically get the password
from chrony.keys and send it. Not that it is a terrible imposition that root
also has to enter the password, so if it is at all hard or even slightly
insecure to do this, it would not be worth it.


