On 4/9/20 11:06 AM, Miroslav Lichvar wrote:
On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
What is the issue with using untrusted DNS servers here? An NTS client
is supposed to verify the certificates. Local MITM attackers shouldn't
be able to force the client to synchronize to a different NTP server.
(Of course, they can always disable the synchronization.)


I'm not saying there is necessarily an issue, just a logical inconsistency.
If the DNS servers provided by DHCP are trusted, why would any plain NTP
servers also provided by DHCP not be trusted? I can do nefarious things with
either.

I think it depends on the network. Is it yours or is it a random hotspot?

In general neither should be trusted, but most applications don't rely
on DNS being secure, so using random untrusted DNS servers from DHCP
is usually not a major issue. I'm ignoring privacy issues.


I disagree with saying applications don't rely on DNS being secure, but I also concede it has very little to do with this discussion. See my off-topic rant in my reply to Björn Persson. I apologize for conflating the issue in the first place.

[snip]

The PEERNTP option will still work. It may just have a different
default and/or have a new setting.


Circling back to my concerns about this proposal from an admin standpoint. I have never needed to touch PEERNTP before for DHCP provided NTP to work. I'm also not sure from a security standpoint I want `PEERNTP=yes` to work if NTS is otherwise enabled? Seems potentially confusing. I don't like chrony behavior being dictated by non-chrony config.

Additionally, the 'nts' option for 'server' and 'pool' directives, to me, does not make it immediately clear that NTS will be required for _all_ NTP servers. To me, that option implies that NTS will be enforced for that particular pool or server. Especially since I can have additional directives without that option set (which admittedly makes little sense).

Finally, the suggestion of bootstrapping NTP without using NTS when TLS checks fail concerns me. It needs to be clear when such a thing is allowed or not.

I would be much happier with some kind of `requireents` option in `/etc/chrony.conf`. When set, NTS is an absolute hard requirement, no plain NTP servers will be used (from DHCP or otherwise), NTP bootstrapping mentioned above would also be forbidden. When not set, NTS is still verified for cases where the option is set, but other NTP servers still work (bootstrapping allowed?).

Logging would help make clear what's going on. If the `nts` option is set on a pool or server with `REQUIREENTS` off, we could log warnings when non-NTS servers are used. And with `REQUIREENTS` on, we could log warnings about servers that were ignored due to not supporting NTS (including the DHCP provided one).

The PEERNTP option would function as usual, not passing DHCP provided NTP servers to chrony if disabled. It would have no additional influence over chrony behavior; chrony behavior would remain entirely controlled by its own configuration file.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
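An added example, not part of this thread: a chrony.conf fragment contrasting the per-source `nts` option with a global requirement that no unauthenticated source be used, which is the behavior the proposed `requireents` option asks for. The `authselectmode` directive shown here is the one chrony added later in version 4.0 (it did not exist when this message was written); the server names and the `sourcedir` path are assumptions.

```conf
# Per-source NTS: only these sources are authenticated. With the default
# selection mode (mix), an unauthenticated source, such as a plain NTP
# server handed out by DHCP, can still be selected for synchronization.
server ntp1.example.net iburst nts
pool   nts.example.org  iburst nts

# Global requirement (chrony >= 4.0): only authenticated sources
# (NTS or symmetric key) may be selected. Unauthenticated sources are
# still tracked and logged, but never chosen for synchronization.
authselectmode require

# Directory from which DHCP-provided servers are read (assumed path).
# Sources listed here have no "nts" option, so with "require" above
# they are effectively ignored for synchronization.
sourcedir /run/chrony-dhcp
```

`chronyc -N authdata` (chrony 4.0 and later) lists each source with the authentication mode in use, which is the quickest way to confirm that every selectable source is NTS-authenticated.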