Re: [chrony-dev] Diagnosing pre-shared key authentication failure



> Falseticker is a source that doesn't agree with a majority of other
> sources. If authentication is failing due to misconfiguration, it will
> be displayed as unreachable.

So when someone tries to MITM all NTS and (authenticated) NTP connections, 
they'd be marked unreachable just like the ones that are actually unreachable.

Would it not benefit from a separate synchronization/selection status? 

> If the real server was unreachable, the attacker could be sending
> incorrectly authenticated packets to make you think it's reachable,
> but misconfigured.

That is fairly easy to determine once suspected, though.


On Thu, Oct 13, 2022 at 1:17 PM Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Thu, Oct 13, 2022 at 12:52:37PM +0300, Avamander wrote:
> Fair point about logging, but why not reject it as a falseticker?

Falseticker is a source that doesn't agree with a majority of other
sources. If authentication is failing due to misconfiguration, it will
be displayed as unreachable.

> Especially in the case of having no successful measurements at all, it
> would pose no (additional) risk, yet would indicate communication (and it
> being invalid).

If the real server was unreachable, the attacker could be sending
incorrectly authenticated packets to make you think it's reachable,
but misconfigured.

On Thu, Oct 13, 2022 at 12:54:48PM +0300, Avamander wrote:
> P.S. About logging, some (rate-limited) warnings against such failures
> would actually be very interesting to security teams. Right now there's
> very little visibility in this aspect, which might be worth changing
> really.

You can check the counters in ntpdata report. If you see "Total RX"
much larger than "Total valid RX", something is going on.

--
Miroslav Lichvar
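As an added example (not part of this thread or of chrony's own code), a small script that applies the counter check Miroslav describes over a `chronyc ntpdata` report: it parses the per-source fields and flags sources whose "Total valid RX" lags far behind "Total RX". The sample report is constructed, and the thresholds in flag_sources() are illustrative assumptions, not chrony defaults.

```python
import re
from typing import Dict, List

# Constructed sample in the `chronyc ntpdata` "Field : value" layout, one block per source (not from a real host).
SAMPLE = """\
Remote address  : 203.0.113.10 (CB00710A)
Authenticated   : Yes
Total TX        : 120
Total RX        : 120
Total valid RX  : 119

Remote address  : 203.0.113.20 (CB007114)
Authenticated   : Yes
Total TX        : 120
Total RX        : 118
Total valid RX  : 3
"""

FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_ntpdata(text: str) -> List[Dict[str, str]]:
    """Split the report into one dict per source; each block starts at "Remote address"."""
    sources, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Remote address" and current:
            sources.append(current)
            current = {}
        current[key] = value
    if current:
        sources.append(current)
    return sources

def invalid_rx_ratio(src: Dict[str, str]) -> float:
    """Share of received packets that failed chronyd's checks (authentication included)."""
    total, valid = int(src.get("Total RX", 0)), int(src.get("Total valid RX", 0))
    return 0.0 if total == 0 else (total - valid) / total

def flag_sources(text: str, min_rx: int = 20, max_invalid: float = 0.25) -> List[str]:
    """Addresses with enough traffic whose invalid share exceeds max_invalid (illustrative thresholds)."""
    return [src["Remote address"].split()[0] for src in parse_ntpdata(text)
            if int(src.get("Total RX", 0)) >= min_rx and invalid_rx_ratio(src) > max_invalid]

if __name__ == "__main__":
    for addr in flag_sources(SAMPLE):
        print(f"WARNING {addr}: most received NTP packets failed validation")
```

Feeding it the live output of `chronyc ntpdata` from a cron job or monitoring agent gives the rate-limited visibility asked for earlier in the thread, without changing chronyd itself.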

