Re: [chrony-dev] Diagnosing pre-shared key authentication failure



On Thu, Oct 13, 2022 at 12:52:37PM +0300, Avamander wrote:
> Fair point about logging, but why not reject it as a falseticker?

A falseticker is a source that doesn't agree with a majority of other
sources. If authentication is failing due to misconfiguration, it will
be displayed as unreachable.

> Especially in the case of having no successful measurements at all, it
> would pose no (additional) risk, yet would indicate communication (and it
> being invalid).

If the real server was unreachable, the attacker could be sending
incorrectly authenticated packets to make you think it's reachable,
but misconfigured.

On Thu, Oct 13, 2022 at 12:54:48PM +0300, Avamander wrote:
> P.S. About logging, some (rate-limited) warnings against such failures
> would actually be very interesting to security teams. Right now there's
> very little visibility in this aspect, which might be worth changing
> really.

You can check the counters in ntpdata report. If you see "Total RX"
much larger than "Total valid RX", something is going on.

-- 
Miroslav Lichvar
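
A script to automate the counter check described above, added here as an example and not code from the thread or from chrony itself; it assumes the key/value layout of `chronyc ntpdata` with one blank-line-separated block per source, and the flagging thresholds are made-up defaults to tune per site.

```python
import re

# Constructed sample of `chronyc ntpdata` output (one block per source,
# blank-line separated): the second source had 62 of 64 replies rejected.
SAMPLE_NTPDATA = """\
Remote address  : 192.0.2.10 (C000020A)
Total RX        : 40
Total valid RX  : 40

Remote address  : 192.0.2.20 (C0000214)
Total RX        : 64
Total valid RX  : 2
"""

LINE_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")


def parse_ntpdata(text):
    """Split ntpdata output into one {field: value} dict per source."""
    sources, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current source block
            if current:
                sources.append(current)
            current = {}
            continue
        m = LINE_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        sources.append(current)
    return sources


def suspicious_sources(text, max_invalid=0.5, min_rx=8):
    """Return (address, total_rx, valid_rx) for every source where more than
    `max_invalid` of at least `min_rx` received packets failed validation.
    Both thresholds are site-tunable assumptions, not chrony defaults."""
    flagged = []
    for src in parse_ntpdata(text):
        rx = int(src.get("Total RX", "0"))
        valid = int(src.get("Total valid RX", "0"))
        if rx >= max(min_rx, 1) and (rx - valid) / rx > max_invalid:
            flagged.append((src["Remote address"].split()[0], rx, valid))
    return flagged


if __name__ == "__main__":  # live host: feed it subprocess.run(["chronyc", "ntpdata"]) output
    for addr, rx, valid in suspicious_sources(SAMPLE_NTPDATA):
        print(f"WARNING: {addr}: {rx} received, only {valid} valid")
```

A large gap between the two counters does not by itself say whether the cause is a wrong key on either side or unauthenticated packets arriving from elsewhere; it is the trigger to look at the key configuration and the traffic.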
