Re: timedatex replacing systemd-timedated for NTP packages

On Tue, Nov 25, 2014 at 02:35:12PM -0700, Chris Murphy wrote:
> On Tue, Nov 25, 2014 at 10:51 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> > Some networks have bad NTP service in the sense that they hand out incorrect
> > time (not just off by a few seconds, but days or months, enough to skew
> > certificate validity).
> 
> I'm not sure what we're supposed to do about such sabotage on the
> network, that seems distinctly a local issue. We should do the best we
> can right now, while providing a manual switch for the user to alter
> the default.
> 
> It used to be the case that we used these servers:
> 0.fedora.pool.ntp.org
> 1.fedora.pool.ntp.org
> 2.fedora.pool.ntp.org
> 3.fedora.pool.ntp.org

We still do. Unless the number of bad servers added from DHCP is large
enough to disrupt the NTP source selection algorithm or the pool
servers are not reachable (NTP traffic blocked), it shouldn't be a big
problem. Of course, without authentication this can't reliably protect
against MITM attacks.

> > Now if Fedora offered a high-availability cryptographic time service (we
> > actually do, sort of), things might be different—but not much, because then
> > we'd be having a discussion about phoning home instead.
> 
> The pool still exists. Are we not supposed to use them?

I think Florian meant getting time over HTTPS from a Fedora server.
The tlsdate program could be used for that. I'm not sure what
resources would be needed to allow this to be enabled by default. The
NTP Autokey protocol would probably be more efficient (and accurate);
unfortunately, it doesn't work behind NAT.

-- 
Miroslav Lichvar
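
Added example, not part of the original message and not code from ntpd or chrony: a simplified Marzullo-style interval intersection showing how a minority of bad DHCP-supplied servers is rejected as falsetickers, and how that stops holding once they outnumber the pool servers or the pool is unreachable. The dhcp-ntp-* names and all offsets and root distances are constructed.

```python
# Simplified Marzullo-style source selection; not ntpd/chrony code.
# All offsets and root distances below are constructed sample values (seconds).

def select_sources(sources):
    """sources: {name: (offset, root_distance)} -> (truechimers, falsetickers).

    Each source claims the true offset lies in [offset - dist, offset + dist].
    The interval covered by the most sources wins, but only if more than
    half of all sources cover it; otherwise nothing is selected.
    """
    edges = []
    for offset, dist in sources.values():
        edges.append((offset - dist, -1))  # interval opens
        edges.append((offset + dist, +1))  # interval closes
    edges.sort()  # on ties an open sorts before a close, so touching intervals overlap

    best = depth = 0
    lo = hi = None
    for i, (point, kind) in enumerate(edges):
        depth -= kind
        if depth > best:  # only an open edge can raise depth
            best, lo, hi = depth, point, edges[i + 1][0]

    if 2 * best <= len(sources):  # no majority agrees on any interval
        return set(), set(sources)
    good = {n for n, (o, d) in sources.items() if o - d <= lo and o + d >= hi}
    return good, set(sources) - good


MONTH = 30 * 24 * 3600  # a DHCP-supplied server that is about a month off

POOL = {f"{i}.fedora.pool.ntp.org": (off, 0.05)
        for i, off in enumerate([0.004, -0.011, 0.020, 0.002])}

def bad_dhcp(count):
    # Hypothetical DHCP-provided servers that agree with each other on a wrong time.
    return {f"dhcp-ntp-{i}": (MONTH + 0.01 * i, 0.05) for i in range(count)}

def scenario(pool, dhcp_count):
    good, _ = select_sources({**pool, **bad_dhcp(dhcp_count)})
    return sorted(good)

if __name__ == "__main__":
    print("2 bad DHCP servers:", scenario(POOL, 2))   # pool servers win
    print("5 bad DHCP servers:", scenario(POOL, 5))   # bad servers outvote the pool
    print("pool blocked:      ", scenario({}, 2))     # only bad servers remain
```

With four bad servers against the four pool servers, neither group is a majority and nothing is selected, so the clock is left unsynchronized rather than set to the wrong time.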