[chrony-dev] [GIT] chrony/chrony.git branch, master, updated. 2.2-89-gb80df51 |
This is an automated email from git. It was generated because a ref
change was pushed to the repository "chrony/chrony.git".
The branch, master has been updated
via b80df5152ac9642174d338ec454392a1360e60f4 (commit)
via beb275a769968217733a449988d189e503f0bfbc (commit)
via 86c21a3a857655167f57fc597fd51968824aa4ad (commit)
via 05236a4f2339bed473ed9a70b5b869470c791fcc (commit)
via a78bf9725a7b481ebff0e0c321294ba767f2c1d8 (commit)
from 82fbb5c2f560b94cf6e2f49cb05ea358d40ee54b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b80df5152ac9642174d338ec454392a1360e60f4
Merge: 82fbb5c beb275a
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Wed Jan 20 12:18:42 2016 +0100

    Merge branch '2.2-security'

commit beb275a769968217733a449988d189e503f0bfbc
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Mon Jan 11 15:42:36 2016 +0100

    doc: update NEWS

commit 86c21a3a857655167f57fc597fd51968824aa4ad
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Mon Jan 11 16:40:29 2016 +0100

    test: extend 105-ntpauth to test symmetric mode

commit 05236a4f2339bed473ed9a70b5b869470c791fcc
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Mon Jan 11 16:23:07 2016 +0100

    test: allow setting options for each peer side separately

commit a78bf9725a7b481ebff0e0c321294ba767f2c1d8
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Fri Jan 8 15:03:09 2016 +0100

    ntp: restrict authentication of server/peer to specified key

    When a server/peer was specified with a key number to enable
    authentication with a symmetric key, packets received from the
    server/peer were accepted if they were authenticated with any of
    the keys contained in the key file and not just the specified key.

    This allowed an attacker who knew one key of a client/peer to modify
    packets from its servers/peers that were authenticated with other
    keys in a man-in-the-middle (MITM) attack. For example, in a network
    where each NTP association had a separate key and all hosts had only
    keys they needed, a client of a server could not attack other clients
    of the server, but it could attack the server and also attack its own
    clients (i.e. modify packets from other servers).

    To not allow the server/peer to be authenticated with other keys
    extend the authentication test to check if the key ID in the received
    packet is equal to the configured key number. As a consequence, it's
    no longer possible to authenticate two peers to each other with two
    different keys, both peers have to be configured to use the same key.

    This issue was discovered by Matt Street of Cisco ASIG.

-----------------------------------------------------------------------
Summary of changes:
NEWS | 7 +++++++
chrony.texi.in | 3 +++
ntp_core.c | 14 ++++++++------
test/simulation/105-ntpauth | 20 ++++++++++++++++++++
test/simulation/test.common | 10 ++++++++--
5 files changed, 46 insertions(+), 8 deletions(-)
hooks/post-receive
--
chrony/chrony.git
--
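
The check described in commit a78bf97, as an added example that is not chrony's own code from ntp_core.c: a simplified model of a packet carrying a key ID and MAC, verified first against any key in the key file and then only against the key configured for the source. The struct layouts, function names, sample secrets and the toy FNV-1a keyed hash standing in for the real MAC are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed key file of one host: key ID -> secret (sample values). */
struct key { uint32_t id; const char *secret; };
static const struct key key_file[] = { {1, "shared-with-server-A"}, {2, "shared-with-client-B"} };

/* Simplified authenticated packet (hypothetical layout): payload, key ID, MAC. */
struct packet { char payload[16]; uint32_t key_id; uint64_t mac; };

static const char *lookup(uint32_t id) {
  for (size_t i = 0; i < sizeof key_file / sizeof key_file[0]; i++)
    if (key_file[i].id == id) return key_file[i].secret;
  return NULL;
}

/* Toy keyed hash (FNV-1a over secret || payload); stands in for the real MAC, not secure. */
static uint64_t toy_mac(const char *secret, const char *data, size_t len) {
  uint64_t h = 0xcbf29ce484222325ULL;
  for (; *secret; secret++) h = (h ^ (uint8_t)*secret) * 0x100000001b3ULL;
  for (size_t i = 0; i < len; i++) h = (h ^ (uint8_t)data[i]) * 0x100000001b3ULL;
  return h;
}

/* Build a packet authenticated with the given key ID (MAC is 0 if the key is unknown). */
struct packet make_packet(const char *text, uint32_t key_id) {
  struct packet p = {0};
  strncpy(p.payload, text, sizeof p.payload - 1);
  p.key_id = key_id;
  const char *s = lookup(key_id);
  p.mac = s ? toy_mac(s, p.payload, sizeof p.payload) : 0;
  return p;
}

/* Before the fix: a valid MAC under any key in the key file is accepted. */
int check_any_key(const struct packet *p) {
  const char *s = lookup(p->key_id);
  return s != NULL && toy_mac(s, p->payload, sizeof p->payload) == p->mac;
}

/* After the fix: the key ID in the packet must also equal the configured key number. */
int check_configured_key(const struct packet *p, uint32_t configured_id) {
  return p->key_id == configured_id && check_any_key(p);
}

int main(void) {
  struct packet p = make_packet("from-key-2", 2); /* source is configured with key 1 */
  printf("any-key: %d, configured-key: %d\n", check_any_key(&p), check_configured_key(&p, 1));
}
```

A packet that names key 2 passes the first check even though the source was configured with key 1; the second check rejects it, which is also why two peers can no longer authenticate to each other with two different keys.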