| Re: [chrony-dev] Drop cmdmon authentication? |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-dev Archives
]
On Mon, 13 Apr 2015, Miroslav Lichvar wrote:
While I was dealing with the latest security bugs I wondered how
useful these days it really is to have support for remote
administration via authenticated cmdmon and if it's not just
increasing the chronyd attack surface unnecessarily.
Does anyone here use chronyc remotely with a password for
administration and how important this feature is for you? I personally
don't use it and don't know anyone who does. For me, it's easier to go
through ssh, su to root and run "chronyc -a" locally.
I agree that I have not used this. I suppose in some dedicated system, whose
only connection with the outside world is vi ntp packets, and has not other
route in (ssh) because of security/space issues, it could be useful. (No idea
what a system like that would be).
It could also be used to "fix" a weirdness of chrony, namely that even root on
the system has to log in via the chrony mechanism, because as Curnoe said,
chrony has no idea where it is being administered from, so root on the local
system is no different from Joe Blow half way across the world as far as
chrony is concerned.
Of course, there is also the issue of unpriviledged people being given
permission to control and administer chrony. While sudo is a possibility, it
potentially does open up a local attack vector in which chronyc could be used
for priviledge escallation. (of course the current process in which the key is
stored locally in the clear is even more open to that).
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.