Re: [chrony-dev] chronyd set time and exit



On Thu, Jun 09, 2016 at 02:57:33AM -0400, Earlence Fernandes wrote:
> My embedded device is intermittently powered, and it doesn't require a very
> high time accuracy. So whenever it boots up again, which I expect to be
> once a week, I will simply run an ntp sync, and then quit.
> 
> For secure ssh, it needs to verify certs, and for that it needs proper wall
> clock time (more or less).

Hm, I thought SSH doesn't rely on correct time. HTTPS certainly does.

NTP with symmetric keys will work, but how do you plan to distribute
the keys to clients? Will they all have their own keys?

> RE: ntpclient, is this part of chronyd, or is this the one from ntpsec? or
> classic ntp?

http://doolittle.icarus.com/ntpclient/

> Also, I'd rather not use MD5. I'll be using my own NTP server,
> so I'll configure it to use SHA.

chronyd includes only MD5. For SHA1 and stronger it depends on other
libraries (libfreebl3 from nss, or libtomcrypt).

As for security of MD5, from what I understand about collision
attacks, it doesn't look like a problem for NTP using symmetric keys.
Length extension attacks (which are possible with other hashes too,
not just MD5), don't seem to be a problem until chrony supports some
extension fields. When it does, we'll hopefully have support for
authentication using HMAC.

I think the main problem is with short passwords, which can be quickly
found in GPU-assisted brute force attacks. chronyc now has a keygen
command to generate strong random passwords from /dev/urandom, so
users will hopefully use that instead of typing their own passwords.

-- 
Miroslav Lichvar
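As an added illustration of the points in the reply above (this is example code written for this page, not chrony's code and not from the list participants): the legacy NTP symmetric-key MAC is a plain keyed hash, keyid || H(key || packet), per RFC 5905 Appendix A. The block below builds that MAC over a constructed 48-byte NTPv4 packet, shows that an eavesdropper holding one authenticated packet can recover a short alphabetic key offline by brute force, and generates a random key of the kind the mail says `chronyc keygen` produces from /dev/urandom. The packet contents and the `ID TYPE HEX:...` key-line format are assumptions for the example, not taken from the page.

```python
import hashlib
import hmac
import itertools
import math
import os
import string
import struct

# Constructed 48-byte NTPv4 client packet (LI=0, VN=4, mode=3, poll=6,
# precision=-20, arbitrary transmit timestamp).  Not a real capture.
NTP_HEADER = struct.pack("!BBBbII4sQQQQ",
                         0x23, 0, 6, -20, 0, 0, b"\x00" * 4,
                         0, 0, 0, 0xE4C1D2B300000000)


def ntp_mac(key: bytes, packet: bytes, key_id: int, algo: str = "md5") -> bytes:
    """Legacy NTP symmetric-key MAC (RFC 5905 Appendix A): a 32-bit key ID
    followed by H(key || packet).  This is a raw keyed hash, not HMAC, which
    is why length extension becomes relevant once extension fields exist."""
    h = hashlib.new(algo)
    h.update(key)
    h.update(packet)
    return struct.pack("!I", key_id) + h.digest()


def verify_mac(key: bytes, packet: bytes, mac: bytes, algo: str = "md5") -> bool:
    """Constant-time check of a received MAC against the shared key."""
    key_id = struct.unpack("!I", mac[:4])[0]
    expected = ntp_mac(key, packet, key_id, algo)
    return hmac.compare_digest(expected, mac)


def recover_short_key(packet: bytes, mac: bytes,
                      alphabet: str = string.ascii_lowercase,
                      max_len: int = 4, algo: str = "md5"):
    """Offline guessing attack on one captured authenticated packet: try every
    key over `alphabet` up to `max_len` characters.  Returns the key or None.
    A GPU does the same thing orders of magnitude faster than this loop."""
    digest = mac[4:]
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars).encode()
            if hashlib.new(algo, guess + packet).digest() == digest:
                return guess
    return None


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a key chosen uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def strong_key_line(key_id: int = 1, algo: str = "SHA1", nbytes: int = 20) -> str:
    """Random key in the style described for `chronyc keygen`, drawn from the
    OS CSPRNG.  The 'ID TYPE HEX:<hex>' line format is assumed here."""
    return f"{key_id} {algo} HEX:{os.urandom(nbytes).hex()}"


if __name__ == "__main__":
    weak = b"ntp"
    mac = ntp_mac(weak, NTP_HEADER, 1)
    print("weak key recovered:", recover_short_key(NTP_HEADER, mac))
    print("4 lowercase letters:", round(search_space_bits(26, 4), 1), "bits")
    print("keygen-style key   :", strong_key_line(1), "(160 bits)")
```

Running it recovers the three-letter key from a single packet in well under a second in pure Python; a 160-bit random key has no short-key shortcut, so the eavesdropper is left with the full 2^160 space regardless of which hash the MAC uses.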
