Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate
On 05/09/2014 04:09 AM, Gabe Alford wrote:
> Re-factored my second patch. :)
>
> Gabe
>
> On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford redhatri...@gmail.com wrote:
>> Updated patch to not run ntpdate if ntpd is running.
>>
>> Gabe
>>
>> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:
>>> Thanks Petr! Will rework patch to just skip ntpdate if ntpd is already running.
>>>
>>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>>>> Hello Gabe!
>>>>
>>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735. It seemed better to try to stop ntpd before running ntpdate rather than not running ntpdate if ntpd was already running. I believe this patch only applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.
>>>>
>>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential security hole because an attacker can fake NTP answers and force the machine to rewind its clock to the past. This opens potential for replay attacks/re-using old compromised keys etc.

I just noticed that https://fedorahosted.org/freeipa/ticket/3735 has a pending patch from Gabe. David or Tomas, do we still want to go with this approach? IIRC, David is now working in a related area in ipa-client-install, so the patch could be reviewed/reworked as part of his job.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate
Re-factored my second patch. :)

Gabe

On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford redhatri...@gmail.com wrote:
> Updated patch to not run ntpdate if ntpd is running.
>
> Gabe
>
> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:
>> Thanks Petr! Will rework patch to just skip ntpdate if ntpd is already running.
>>
>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>>> Hello Gabe!
>>>
>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735. It seemed better to try to stop ntpd before running ntpdate rather than not running ntpdate if ntpd was already running. I believe this patch only applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.
>>>
>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential security hole because an attacker can fake NTP answers and force the machine to rewind its clock to the past. This opens potential for replay attacks/re-using old compromised keys etc.
>>>
>>> -- 
>>> Petr^2 Spacek

From 9327e377a085cbd0ea80a9e9f2630199e05fe756 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 8 May 2014 19:47:51 -0600
Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running

https://fedorahosted.org/freeipa/ticket/3735
---
 ipa-client/ipa-install/ipa-client-install | 27 ---
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..fa70998010be4b9da5254c2546785006d638cb18 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2093,19 +2093,24 @@ def install(options, env, fstore, statestore): # We assume that NTP servers are discoverable through SRV records in the DNS # If that fails, we try to sync directly with IPA server, assuming it runs NTP root_logger.info('Synchronizing time with KDC...') -ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False) -synced_ntp = False -if ntp_servers: -for s in ntp_servers: -synced_ntp = ipaclient.ntpconf.synconce_ntp(s) -if synced_ntp: -break -if not synced_ntp: -synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) -if not synced_ntp: -root_logger.warning(Unable to sync time with IPA NTP + + ntpd_enabled = ipaservices.knownservices.ntpd.is_running() + +if not ntpd_enabled: +ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False) +synced_ntp = False +if ntp_servers: +for s in ntp_servers: +synced_ntp = ipaclient.ntpconf.synconce_ntp(s) +if synced_ntp: +break +if not synced_ntp: +synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) +if not synced_ntp: +root_logger.warning(Unable to sync time with IPA NTP + server, assuming the time is in sync. Please check + that 123 UDP port is opened.) +else: +root_logger.info('The NTP service is already running. Skipping ntpdate sync...') (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf( -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
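Review bot: the new `ntpd_enabled = ipaservices.knownservices.ntpd.is_running()` check sits after `root_logger.info('Synchronizing time with KDC...')`, so when ntpd is running the log first announces a synchronization and then, from the `else` branch, reports that it was skipped; move the check and the "already running" message above that info line so the log reads coherently. The name `ntpd_enabled` also misstates what `is_running()` returns: a service can be enabled at boot yet stopped, or running yet not enabled, so `ntpd_running` is the accurate name. Worth spelling out in the commit message as well: with ntpd running the installer no longer attempts any time sync at all and `synced_ntp` is never assigned, so any later code in `install()` that reads that variable would need the `else` branch to set it.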
Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate
Hello Gabe!

On 25.4.2014 16:28, Gabe Alford wrote:
> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735. It seemed better to try to stop ntpd before running ntpdate rather than not running ntpdate if ntpd was already running. I believe this patch only applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.

IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential security hole because an attacker can fake NTP answers and force the machine to rewind its clock to the past. This opens potential for replay attacks/re-using old compromised keys etc.

-- 
Petr^2 Spacek
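The rule the thread settles on (never step the clock with a one-shot ntpdate while ntpd owns it) together with the concern above about a forged answer rewinding the clock, as an added example that is not FreeIPA's code: service state, server list and per-server offsets are injected and constructed, and the backward-step bound `MAX_BACKWARD_STEP_S` is an assumption of this example, not something the patches in this thread implement.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Largest backward step a one-shot, unauthenticated sync may apply.
# Assumed for this example; an answer demanding more is refused.
MAX_BACKWARD_STEP_S = 1000.0

# Constructed offsets (remote - local, seconds) standing in for NTP replies;
# None models a server that did not answer.
REPLIES = {
    "ntp1.example.test": 0.4,        # sane answer
    "ntp2.example.test": None,       # no reply
    "ipa.example.test": -86400.0,    # answer that would rewind a full day
}

def lookup_offset(server: str) -> Optional[float]:
    return REPLIES.get(server)

@dataclass
class SyncResult:
    synced: bool
    server: Optional[str]
    reason: str

def one_shot_sync(server: str, query: Callable[[str], Optional[float]],
                  max_backward: float = MAX_BACKWARD_STEP_S) -> bool:
    """Accept a single server's answer only if it arrived and does not rewind
    the clock past the bound. Returns True when the step would be applied."""
    offset = query(server)
    if offset is None:
        return False
    if offset < -max_backward:
        # Rewinding the clock is what lets replayed tickets or already
        # compromised keys look valid again, so one unauthenticated
        # answer is not allowed to do it.
        return False
    return True

def synchronize_time(ntpd_running: bool, srv_servers: Iterable[str],
                     ipa_server: str,
                     query: Callable[[str], Optional[float]] = lookup_offset) -> SyncResult:
    """Mirror the patched installer flow: SRV-discovered servers first, then
    the IPA server, and skip the one-shot sync entirely when ntpd already runs."""
    if ntpd_running:
        return SyncResult(False, None, "ntpd is running; skipping one-shot sync")
    for server in [*srv_servers, ipa_server]:
        if one_shot_sync(server, query):
            return SyncResult(True, server, "synced")
    return SyncResult(False, None, "unable to sync; assuming time is in sync")
```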
Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate
Updated patch to not run ntpdate if ntpd is running.

Gabe

On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:
> Thanks Petr! Will rework patch to just skip ntpdate if ntpd is already running.
>
> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>> Hello Gabe!
>>
>> On 25.4.2014 16:28, Gabe Alford wrote:
>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735. It seemed better to try to stop ntpd before running ntpdate rather than not running ntpdate if ntpd was already running. I believe this patch only applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.
>>
>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential security hole because an attacker can fake NTP answers and force the machine to rewind its clock to the past. This opens potential for replay attacks/re-using old compromised keys etc.
>>
>> -- 
>> Petr^2 Spacek

From 735f86cfe09a92ed6b30d590b8fbe86dc748f9ce Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 29 Apr 2014 18:57:46 -0600
Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running

- ntpconf.py: don't run ntpdate if ntpd is running
- ipa-client-install: don't display ntp sync error if ntpd is running

https://fedorahosted.org/freeipa/ticket/3735
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipa-client/ipaclient/ntpconf.py | 23 +--
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..9d1cfad4262769cef3337625d20a1ec43f50f0c0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2102,7 +2102,7 @@ def install(options, env, fstore, statestore): break if not synced_ntp: synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) -if not synced_ntp: +if not synced_ntp and not ipaservices.knownservices.ntpd.is_running(): root_logger.warning(Unable to sync time with IPA NTP + server, assuming the time is in sync. Please check + that 123 UDP port is opened.) diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py index 8c4c6533a15aef9977c5eb0ae29cdd72b5529d77..49c2ee5795a1a9e97bdefa4337d84b4b1533012a 100644 --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py @@ -143,16 +143,19 @@ def synconce_ntp(server_fqdn): Returns True if sync was successful ntpdate=/usr/sbin/ntpdate -if os.path.exists(ntpdate): -# retry several times -- logic follows /etc/init.d/ntpdate -# implementation -cmd = [ntpdate, -U, ntp, -s, -b, -v, server_fqdn] -for retry in range(0, 3): -try: -ipautil.run(cmd) -return True -except: -pass + +if not ipaservices.knownservices.ntpd.is_running(): +if os.path.exists(ntpdate): +# retry several times -- logic follows /etc/init.d/ntpdate +# implementation +cmd = [ntpdate, -U, ntp, -s, -b, -v, server_fqdn] +for retry in range(0, 3): +try: +ipautil.run(cmd) +return True +except: +pass + return False class NTPConfigurationError(Exception): -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
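Review bot: in the ipa-client-install hunk, `if not synced_ntp and not ipaservices.knownservices.ntpd.is_running():` only silences the warning; the loop above it still calls `synconce_ntp()` for every SRV-discovered server and then for `cli_server[0]`, each of which now returns False while ntpd is running, so the installer does redundant work and logs nothing about why no sync happened. Decide once in the caller, before the loop, and log at info that ntpd is running and the one-shot sync is skipped, rather than checking ntpd state in both files.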
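Review bot: in the ntpconf.py hunk, wrapping the body of `synconce_ntp()` in `if not ipaservices.knownservices.ntpd.is_running():` makes the function return False both when ntpdate genuinely failed and when it was deliberately skipped, while the docstring still reads "Returns True if sync was successful"; callers cannot tell the two cases apart. Either document the skip and return a distinct value for it, or keep this module a plain "run ntpdate" helper and leave the ntpd decision to the caller. The hunk also introduces a reference to `ipaservices` but the diff adds no import to ntpconf.py; confirm the module already imports it. Since the retry loop is being re-indented anyway, the pre-existing bare `except: pass` is worth narrowing to the error `ipautil.run()` raises on a non-zero exit, as it currently swallows every exception, including KeyboardInterrupt.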