Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

2014-12-02 Thread Martin Kosek
On 05/09/2014 04:09 AM, Gabe Alford wrote:
> Re-factored my second patch. :)
>
> Gabe
>
>
> On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford redhatri...@gmail.com wrote:
>
>> Updated patch to not run ntpdate if ntpd is running.
>>
>> Gabe
>>
>>
>> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:
>>
>>> Thanks Petr!
>>>
>>> Will rework patch to just skip ntpdate if ntpd is already running.
>>>
>>>
>>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>>>
>>>> Hello Gabe!
>>>>
>>>>
>>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>>
>>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>>> not running ntpdate if ntpd was already running. I believe this patch only
>>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>>> master.
>>>>
>>>>
>>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens
>>>> potential security hole because attacker can fake NTP answers and force the
>>>> machine to rewind its clock to the past.
>>>>
>>>> This opens potential for replay attacks/re-using old compromised keys
>>>> etc.

I just noticed that
https://fedorahosted.org/freeipa/ticket/3735
has a pending patch from Gabe. David or Tomas, do we still want to go with this
approach?

IIRC, David is now working in related area in ipa-client-install, so the patch
could be reviewed/reworked as part of his job.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

2014-05-08 Thread Gabe Alford
Re-factored my second patch. :)

Gabe


On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford redhatri...@gmail.com wrote:

> Updated patch to not run ntpdate if ntpd is running.
>
> Gabe
>
>
> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:
>
>> Thanks Petr!
>>
>> Will rework patch to just skip ntpdate if ntpd is already running.
>>
>>
>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>>
>>> Hello Gabe!
>>>
>>>
>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>
>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>> not running ntpdate if ntpd was already running. I believe this patch only
>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>> master.
>>>
>>>
>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens
>>> potential security hole because attacker can fake NTP answers and force the
>>> machine to rewind its clock to the past.
>>>
>>> This opens potential for replay attacks/re-using old compromised keys
>>> etc.
>>>
>>> --
>>> Petr^2 Spacek





From 9327e377a085cbd0ea80a9e9f2630199e05fe756 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 8 May 2014 19:47:51 -0600
Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running

https://fedorahosted.org/freeipa/ticket/3735
---
 ipa-client/ipa-install/ipa-client-install | 27 ---
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..fa70998010be4b9da5254c2546785006d638cb18 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2093,19 +2093,24 @@ def install(options, env, fstore, statestore):
 # We assume that NTP servers are discoverable through SRV records in the DNS
 # If that fails, we try to sync directly with IPA server, assuming it runs NTP
 root_logger.info('Synchronizing time with KDC...')
-ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
-synced_ntp = False
-if ntp_servers:
-for s in ntp_servers:
-synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
-if synced_ntp:
-break
-if not synced_ntp:
-synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
-if not synced_ntp:
-root_logger.warning(Unable to sync time with IPA NTP  +
+	ntpd_enabled = ipaservices.knownservices.ntpd.is_running()
+
+if not ntpd_enabled:
+ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
+synced_ntp = False
+if ntp_servers:
+for s in ntp_servers:
+synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+if synced_ntp:
+break
+if not synced_ntp:
+synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
+if not synced_ntp:
+root_logger.warning(Unable to sync time with IPA NTP  +
 server, assuming the time is in sync. Please check  +
 that 123 UDP port is opened.)
+else:
+root_logger.info('The NTP service is already running. Skipping ntpdate sync...')
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
 if configure_krb5_conf(
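Review bot: the added `ntpd_enabled = ipaservices.knownservices.ntpd.is_running()` line is indented with a tab while every other line in the block uses spaces, which Python either rejects as inconsistent indentation or silently treats as a different block level; re-indent it with spaces before this goes in. The name also promises more than the call delivers: `is_running()` reports the current process state, not whether the service is enabled, so `ntpd_running` would be the honest name. Last, "already running" is not "already synchronized": a freshly started ntpd can still be stepping towards its peers, so the `root_logger.info('The NTP service is already running. Skipping ntpdate sync...')` branch should not be read by later code as a guarantee that the clock is within Kerberos tolerance.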
-- 
1.9.0


Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

2014-04-29 Thread Petr Spacek

Hello Gabe!

On 25.4.2014 16:28, Gabe Alford wrote:

> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
> It seemed better to try to stop ntpd before running ntpdate rather than not
> running ntpdate if ntpd was already running. I believe this patch only
> applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.


IMHO we should never stop ntpd if it is running. Plain ntpdate opens potential
security hole because attacker can fake NTP answers and force the machine to
rewind its clock to the past.

This opens potential for replay attacks/re-using old compromised keys etc.

--
Petr^2 Spacek

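The patches in this thread skip ntpdate when ntpd is running, but a running ntpd is not necessarily a synchronized one. The check below is an added example, not code from the thread or from FreeIPA: it parses `ntpq -pn` output (a constructed sample here) and only reports the host as time-synchronized when ntpd has selected a system peer that has answered and whose offset is within an assumed tolerance, which is the condition that actually matters before talking to the KDC.

```python
# Constructed sample of `ntpq -pn` output (not taken from the thread). The
# first column is the tally code: '*' marks the peer ntpd is synchronized to,
# '+' a candidate, ' ' a peer that is rejected or not yet reachable.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412   -0.153   0.041
+192.0.2.11      192.0.2.10       2 u   41   64  377    0.530    0.207   0.055
 198.51.100.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Same host before ntpd has selected a system peer: no '*' line at all.
SAMPLE_UNSYNCED_OUTPUT = SAMPLE_NTPQ_OUTPUT.replace("*192.0.2.10", " 192.0.2.10")

# Assumed tolerance: Kerberos rejects tickets beyond 300 s of skew by default,
# so a 5 s offset is a conservative "close enough" before contacting the KDC.
MAX_OFFSET_MS = 5000.0


def parse_ntpq_peers(text):
    """Parse `ntpq -pn` output into (tally, remote, reach, offset_ms) tuples.

    The two header lines are skipped. 'reach' is an octal shift register of
    the last eight polls, so 0 means the peer has never answered.
    """
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue  # malformed or truncated row
        remote, reach, offset_ms = fields[0], int(fields[6], 8), float(fields[8])
        peers.append((tally, remote, reach, offset_ms))
    return peers


def ntpd_is_synchronized(text, max_offset_ms=MAX_OFFSET_MS):
    """True only if ntpd has a selected system peer ('*', or 'o' for a PPS
    source) that has answered recently and whose offset is within tolerance.

    A running ntpd with no such peer is still stepping its clock, so an
    installer would be wrong to assume the time is in sync just because the
    daemon is up.
    """
    return any(
        tally in "*o" and reach > 0 and abs(offset_ms) <= max_offset_ms
        for tally, _remote, reach, offset_ms in parse_ntpq_peers(text)
    )
```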


Re: [Freeipa-devel] [PATCH] Stop ntpd before running ntpdate

2014-04-29 Thread Gabe Alford
Updated patch to not run ntpdate if ntpd is running.

Gabe


On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:

> Thanks Petr!
>
> Will rework patch to just skip ntpdate if ntpd is already running.
>
>
> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek pspa...@redhat.com wrote:
>
>> Hello Gabe!
>>
>>
>> On 25.4.2014 16:28, Gabe Alford wrote:
>>
>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>> not running ntpdate if ntpd was already running. I believe this patch only
>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>> master.
>>
>>
>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens
>> potential security hole because attacker can fake NTP answers and force the
>> machine to rewind its clock to the past.
>>
>> This opens potential for replay attacks/re-using old compromised keys etc.
>>
>> --
>> Petr^2 Spacek




From 735f86cfe09a92ed6b30d590b8fbe86dc748f9ce Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 29 Apr 2014 18:57:46 -0600
Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running

- ntpconf.py: don't run ntpdate if ntpd is running
- ipa-client-install: don't display ntp sync error if ntpd is running

https://fedorahosted.org/freeipa/ticket/3735
---
 ipa-client/ipa-install/ipa-client-install |  2 +-
 ipa-client/ipaclient/ntpconf.py   | 23 +--
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..9d1cfad4262769cef3337625d20a1ec43f50f0c0 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2102,7 +2102,7 @@ def install(options, env, fstore, statestore):
 break
 if not synced_ntp:
 synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
-if not synced_ntp:
+if not synced_ntp and not ipaservices.knownservices.ntpd.is_running():
 root_logger.warning(Unable to sync time with IPA NTP  +
 server, assuming the time is in sync. Please check  +
 that 123 UDP port is opened.)
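Review bot: guarding only the warning with `not ipaservices.knownservices.ntpd.is_running()` leaves the SRV lookup and the `synconce_ntp()` calls above it running unconditionally when ntpd is up, so the loop still iterates every discovered NTP server only to have each call return False; check the running state once before the lookup and skip the whole sync block, instead of re-checking it here and again inside `synconce_ntp()`. As written, `synced_ntp` also stays False on the ntpd-running path, so any later code that reads it cannot tell "skipped because ntpd is active" from "failed to sync".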
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8c4c6533a15aef9977c5eb0ae29cdd72b5529d77..49c2ee5795a1a9e97bdefa4337d84b4b1533012a 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -143,16 +143,19 @@ def synconce_ntp(server_fqdn):
 Returns True if sync was successful
 
 ntpdate=/usr/sbin/ntpdate
-if os.path.exists(ntpdate):
-# retry several times -- logic follows /etc/init.d/ntpdate
-# implementation
-cmd = [ntpdate, -U, ntp, -s, -b, -v, server_fqdn]
-for retry in range(0, 3):
-try:
-ipautil.run(cmd)
-return True
-except:
-pass
+
+if not ipaservices.knownservices.ntpd.is_running():
+if os.path.exists(ntpdate):
+# retry several times -- logic follows /etc/init.d/ntpdate
+# implementation
+cmd = [ntpdate, -U, ntp, -s, -b, -v, server_fqdn]
+for retry in range(0, 3):
+try:
+ipautil.run(cmd)
+return True
+except:
+pass
+	
 return False
 
 class NTPConfigurationError(Exception):
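Review bot: the hunk calls `ipaservices.knownservices.ntpd.is_running()` from ntpconf.py but adds no import, and the diffstat shows this hunk as the file's only change; unless ntpconf.py already imports `ipaservices`, the first call raises NameError. Returning False when ntpd is running also makes "skipped, clock is under ntpd's control" indistinguishable from "ntpdate failed three times" for the caller, which is why the ipa-client-install hunk has to repeat the check; either return True on that path or document the new meaning next to "Returns True if sync was successful". Minor points: the `+	` line closing the new block is a lone tab on an otherwise blank line, and the bare `except: pass` that the hunk re-indents swallows every exception, KeyboardInterrupt included; narrowing it to the exception `ipautil.run()` raises on a non-zero exit would keep the retry loop honest.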
-- 
1.9.0
