On 2015-07-26 10:06:05 -0500, John Hasler wrote:
> I wrote:
> > http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm
> >
> > See section 6.6.2, Authentication
>
> Vincent Lefevre writes:
> > I don't see how this can work with public NTP servers!
Actually there's another authentication system: Autokey, which is a public-key authentication:

  https://www.eecis.udel.edu/~mills/ntp/html/autokey.html

but... it is broken!

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687166#55

> If you need authentication you need to use trusted servers.
>
> http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm

First problem: one needs registration.

Major problem: "Each registered user will be assigned a unique encryption key, which will be linked to the IP address of the user's system." This assumes a fixed IP address!

> http://www.nist.gov/pml/div688/grp40/upload/-Instructions-for-using-the-NIST-authenticated-Network-Time-Protocol-NTP-server.pdf
> http://support.ntp.org/bin/view/Servers/WebHome
>
> Look through the list for servers that say that they support
> authentication and follow instructions.

It seems that the authentication system is Autokey, but see above.

> > Even without it, though, successfully spoofing all four of the servers
> > you use would be challenging.
>
> > I don't see why this would be difficult for someone who controls the
> > local network (e.g. the wifi hotspot).
>
> If your laptop needs precise time and you are a target for such attacks
> take the time daemon offline when using such unreliable connections.

In general, I don't know when the connection is unreliable. Actually I can assume that most of the time it may be unreliable. So, this is not a solution.

I also have a desktop machine that is permanently on an unreliable network (at least with SLAAC attacks several times per year).

> The attacker would not be able to change your clock very fast, though.
> Unless your laptop needs millisecond accuracy for some reason it's hard
> to see what such an attack would accomplish.

I want to be able to set the time if for some reason the clock is completely incorrect (this occurred from time to time in the past).

So, I probably need to wait for LibreSSL or a new OpenNTPd version...
--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Archive: https://lists.debian.org/20150726201051.gd11...@zira.vinc17.org
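The symmetric-key scheme from section 6.6.2 of the NTP FAQ that the thread refers to, as an added illustration that is not part of this message or of any post in the thread: an NTPv4 packet carries a trailing MAC made of a 32-bit key ID and a digest computed over the shared key followed by the 48-byte header, and the receiver recomputes that digest with its own copy of the key, so a packet rewritten on the local network fails the check. The key ID, key bytes and packet contents below are constructed sample values, and the code assumes no NTP extension fields between header and MAC.

```python
import hashlib
import hmac
import struct

# Constructed key table in the spirit of an ntp.keys file (key ID -> key bytes).
# Both the ID and the secret are made up for this example.
KEYS = {7: b"example-shared-secret"}

NTP_HEADER_LEN = 48
DIGEST_LEN = 16  # MD5 digest, as produced by ntpd's classic 'M' key type
TRANSMIT_TS_OFFSET = 40  # transmit timestamp occupies header bytes 40..47


def build_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 client request: LI=0, VN=4, mode=3, other fields zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, then 11 words: root delay, root dispersion,
    # reference id, reference/origin/receive timestamps (all zero here) and
    # the 64-bit transmit timestamp split into two 32-bit words.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0, *([0] * 9),
                       (transmit_ts >> 32) & 0xFFFFFFFF, transmit_ts & 0xFFFFFFFF)


def append_mac(packet: bytes, key_id: int) -> bytes:
    """Append key ID + MD5(key || packet), the symmetric-key MAC layout ntpd uses."""
    digest = hashlib.md5(KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes) -> bool:
    """Accept only packets carrying a MAC under a known (trusted) key whose digest matches.

    Unauthenticated packets, unknown key IDs and wrong digests are all rejected,
    which is what an authenticated association in ntpd does for its peers."""
    if len(packet) != NTP_HEADER_LEN + 4 + DIGEST_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    key = KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


def rewrite_transmit_timestamp(packet: bytes) -> bytes:
    """Model an on-path host altering the time field of an already-signed packet."""
    altered = bytearray(packet)
    altered[TRANSMIT_TS_OFFSET] ^= 0xFF
    return bytes(altered)
```

Running verify_mac over a freshly signed packet returns True, while the same packet with its transmit timestamp rewritten, a packet with no MAC at all, or a MAC under a key ID absent from KEYS all return False.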