On 05/09/2014 04:09 AM, Gabe Alford wrote:
> Re-factored my second patch. :)
>
> Gabe
>
> On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford <redhatri...@gmail.com> wrote:
>
>> Updated patch to not run ntpdate if ntpd is running.
>>
>> Gabe
>>
>> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>
>>> Thanks Petr!
>>>
>>> Will rework patch to just skip ntpdate if ntpd is already running.
>>>
>>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>>
>>>> Hello Gabe!
>>>>
>>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>>
>>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>>> not running ntpdate if ntpd was already running. I believe this patch only
>>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>>> master.
>>>>
>>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>>>> potential security hole because an attacker can fake NTP answers and force the
>>>> machine to rewind its clock to the past.
>>>>
>>>> This opens potential for replay attacks/re-using old compromised keys
>>>> etc.
I just noticed that https://fedorahosted.org/freeipa/ticket/3735 has a pending patch from Gabe. David or Tomas, do we still want to go with this approach?

IIRC, David is now working in related area in ipa-client-install, so the patch could be reviewed/reworked as part of his job.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
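The guard Gabe describes (skip ntpdate when ntpd is already running) and the concern Petr raises (a spoofed NTP reply forcing a one-shot ntpdate to step the clock into the past) can be combined into a small wrapper. The script below is an added example for this thread, not FreeIPA code and not Gabe's patch. It assumes pgrep and ntpdate are on the PATH, that `ntpdate -q` prints its usual `server ..., stratum N, offset X, delay Y` line, and it uses an assumed policy value (MAX_BACKWARD_STEP, 300 seconds) as the largest backward step it will accept; the sample query output embedded at the end is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of FreeIPA or of the patch under discussion.
# Wrap one-shot ntpdate so that it (1) is skipped when ntpd already runs and
# (2) refuses to step the clock backwards by more than a configured bound,
# which is the replay/old-key scenario a spoofed NTP answer could trigger.

# Largest backward step (seconds) we accept from a one-shot sync. Assumed policy value.
MAX_BACKWARD_STEP="${MAX_BACKWARD_STEP:-300}"

# ntpd_running: exit 0 if a process named ntpd exists (pgrep assumed available).
ntpd_running() {
    pgrep -x ntpd >/dev/null 2>&1
}

# parse_offset: read `ntpdate -q` output on stdin and print the offset (seconds)
# from the first "server ..., offset X, delay Y" line. Exits 1 if no such line.
parse_offset() {
    awk '
        /^server / {
            for (i = 1; i <= NF; i++) {
                if ($i == "offset") {
                    v = $(i + 1); sub(/,$/, "", v); print v; found = 1; exit
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# offset_is_safe OFFSET MAX: exit 0 unless OFFSET is a backward (negative) step
# whose magnitude exceeds MAX seconds. Forward steps are always allowed here.
offset_is_safe() {
    awk -v off="$1" -v max="$2" 'BEGIN { exit (off < 0 && -off > max) ? 1 : 0 }'
}

# sync_clock SERVER: the full guard. Return codes:
#   0 clock stepped by ntpdate
#   1 could not query the server
#   2 skipped, ntpd is running and should keep disciplining the clock
#   3 refused, the backward step exceeds MAX_BACKWARD_STEP
sync_clock() {
    server="$1"
    if ntpd_running; then
        echo "ntpd is running; not running ntpdate" >&2
        return 2
    fi
    off=$(ntpdate -q "$server" | parse_offset) || {
        echo "could not query $server" >&2
        return 1
    }
    if ! offset_is_safe "$off" "$MAX_BACKWARD_STEP"; then
        echo "refusing to step clock back ${off}s (limit ${MAX_BACKWARD_STEP}s); reply may be spoofed" >&2
        return 3
    fi
    ntpdate "$server"
}

# Constructed sample of `ntpdate -q` output, for offline exercise of parse_offset.
# Not a real capture; the server address is from the documentation range.
SAMPLE_QUERY='server 192.0.2.10, stratum 2, offset -3600.123456, delay 0.02567
 9 May 04:09:00 ntpdate[4242]: step time server 192.0.2.10 offset -3600.123456 sec'
```

Run `sync_clock pool.ntp.org` (or your own server) from the same shell after sourcing the file; an exit code of 3 means the measured offset would have moved the clock back further than the bound, which is exactly the case where a one-shot ntpdate should stop and let an operator look at the NTP path instead of blindly stepping. The bound is deliberately a policy knob: a freshly installed client with no RTC may legitimately need a large forward step, but a large backward step on a machine that already holds Kerberos credentials is the situation Petr warns about.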