On 4/9/20 11:06 AM, Miroslav Lichvar wrote:
> On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
>> On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
>>> What is the issue with using untrusted DNS servers here? An NTS client
>>> is supposed to verify the certificates. Local MITM attackers shouldn't
>>> be able to force the client to synchronize to a different NTP server.
>>> (Of course, they can always disable the synchronization.)
>> I'm not saying there is necessarily an issue, just a logical inconsistency.
>> If the DNS servers provided by DHCP are trusted, why would any plain NTP
>> servers also provided by DHCP not be trusted? I can do nefarious things with
>> either.
> I think it depends on the network. Is it yours or is it a random hotspot?
> In general neither should be trusted, but most applications don't rely
> on DNS being secure, so using random untrusted DNS servers from DHCP
> is usually not a major issue. I'm ignoring privacy issues.
I disagree with saying applications don't rely on DNS being secure, but
I also concede it has very little to do with this discussion. See my
off-topic rant in my reply to Björn Persson. I apologize for conflating
the issue in the first place.
[snip]
> The PEERNTP option will still work. It may just have a different
> default and/or have a new setting.
Circling back to my concerns about this proposal from an admin
standpoint. I have never needed to touch PEERNTP before for DHCP
provided NTP to work. I'm also not sure from a security standpoint I
want `PEERNTP=yes` to work if NTS is otherwise enabled? Seems
potentially confusing. I don't like chrony behavior being dictated by
non-chrony config.
Additionally, the 'nts' option for 'server' and 'pool' directives, to
me, does not make it immediately clear that NTS will be required for
_all_ NTP servers. To me, that option implies that NTS will be enforced
for that particular pool or server. Especially since I can have
additional directives without that option set (which admittedly makes
little sense).
Finally, the suggestion of bootstrapping NTP without using NTS when TLS
checks fail concerns me. It needs to be clear when such a thing is
allowed or not.
I would be much happier with some kind of `requireents` option in
`/etc/chrony.conf`. When set, NTS is an absolute hard requirement: no
plain NTP servers will be used (from DHCP or otherwise), and the NTP
bootstrapping mentioned above would also be forbidden. When not set, NTS
is still verified for cases where the option is set, but other NTP
servers still work (bootstrapping allowed?).
Logging would help make clear what's going on. If the `nts` option is
set on a pool or server with `REQUIREENTS` off, we could log warnings
when non-NTS servers are used. And with `REQUIREENTS` on, we could log
warnings about servers that were ignored due to not supporting NTS
(including the DHCP provided ones).
The PEERNTP option would function as usual, not passing DHCP provided
NTP servers to chrony if disabled. It would have no additional influence
over chrony behavior; chrony behavior would remain entirely controlled
by its own configuration file.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
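The source-selection and warning policy proposed in the message above, as an added Python example that is not chrony's own code and not part of the thread: it lints a chrony source configuration together with the servers DHCP would hand over, and reports what would be used, what would be ignored, and the warnings an admin should see. The `requireents` directive is the one proposed in the message and is assumed here (chrony does not implement it); the `server`/`pool` lines and the `nts` option are real chrony syntax, and the sample configurations are constructed.

```python
import shlex

# `requireents` is the directive proposed in the message; chrony does not
# implement it, so treating it as a config keyword is an assumption here.
PROPOSED_REQUIRE_DIRECTIVE = "requireents"
SOURCE_DIRECTIVES = ("server", "pool", "peer")


def parse_sources(text, origin):
    """Parse server/pool/peer lines into (host, has_nts, origin) tuples and
    report whether the proposed require-NTS directive was present."""
    require_nts = False
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == PROPOSED_REQUIRE_DIRECTIVE:
            require_nts = True
        elif tokens[0] in SOURCE_DIRECTIVES and len(tokens) > 1:
            # chrony's `nts` option is a bare keyword after the host name
            sources.append((tokens[1], "nts" in tokens[2:], origin))
    return require_nts, sources


def lint(chrony_conf, dhcp_sources=""):
    """Apply the proposed policy: with require-NTS on, non-NTS sources are
    ignored and logged; with it off but some `nts` sources configured,
    plain NTP sources are still used but warned about."""
    require_nts, sources = parse_sources(chrony_conf, "chrony.conf")
    # servers handed over from DHCP (PEERNTP=yes) are plain NTP in practice
    sources += parse_sources(dhcp_sources, "dhcp")[1]
    any_nts = any(has_nts for _, has_nts, _ in sources)
    used, ignored, warnings = [], [], []
    for host, has_nts, origin in sources:
        if require_nts and not has_nts:
            ignored.append(host)
            warnings.append(f"ignored {host} ({origin}): NTS required but not supported")
        else:
            used.append(host)
            if any_nts and not has_nts:
                warnings.append(f"plain NTP source {host} ({origin}) used alongside NTS sources")
    return {"require_nts": require_nts, "used": used, "ignored": ignored, "warnings": warnings}


# constructed sample /etc/chrony.conf and DHCP-provided server list
CHRONY_CONF = "requireents\nserver nts.example.org iburst nts\npool pool.example.net iburst\n"
DHCP_SOURCES = "server 192.0.2.10 iburst  # constructed: pushed by DHCP\n"

if __name__ == "__main__":
    for line in lint(CHRONY_CONF, DHCP_SOURCES)["warnings"]:
        print("warning:", line)
```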