Re: Fedora 33 Self-Contained Change proposal: Network Time Security

On Mon, May 04, 2020 at 04:44:00PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> Aside: the PEERNTP option seems to be very weakly documented. After
> some searching I found [1, 2] and [3]. Some up-to-date documentation would
> be necessary if users are expected to configure this.

Ok. I filed bug #1831542 to improve the documentation.

> It sounds like PEERNTP should be a per-interface setting. If I'm
> connecting to a trusted network or VPN, I might want to use and trust
> the provided NTP servers. If connecting to a public network, don't trust
> and use NTS to verify servers.

You could do that. PEERNTP can be set for each interface in the
corresponding /etc/sysconfig/network-scripts/ifcfg-* file.

However, as was suggested earlier in the thread, there will likely be
a new upstream option in chrony to globally control mixing of
unauthenticated and authenticated NTP sources, so PEERNTP doesn't have
to be disabled when all NTP servers from DHCP are not to be trusted,
e.g. because they are not expected to authenticate their upstream
servers.

> Also, what software supports /etc/sysconfig/network? I think we currently
> have initscripts-network, NetworkManager, systemd-networkd in Fedora.

It works with the initscripts and NetworkManager. For systemd-networkd
there is no dispatcher mechanism in Fedora, so NTP servers provided by
DHCP are ignored when using systemd-networkd with chrony or ntp. In
Debian and Ubuntu there is a networkd-dispatcher service for that.

> > An option could be added to disable the time checks before the
> > first update of the clock. This would have an impact on security.
> 
> ... how would that look? It'd need support in chrony itself, right?
> Would upstream accept such code?

Yes. It's already supported upstream and in our latest rawhide
package. The time checks can be disabled with the NoCertTimeCheck
directive in chrony.conf. The idea is that anaconda will set it when
no RTC is found or it has no battery backup (if we can detect that).

-- 
Miroslav Lichvar
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
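The chrony.conf side of the reply, as an added configuration fragment that is not from the thread or from the chrony project: NTS-authenticated public servers together with the directive the reply names for hosts that boot without a usable RTC. The server names are constructed; `nts` and `nocerttimecheck` are chrony 4.0 directives, and chrony directive names are case-insensitive, so the NoCertTimeCheck spelling in the reply refers to the same directive.

```conf
# Added example chrony.conf fragment (not from the thread); server names are constructed.
# Public servers are used only with NTS, so an on-path or rogue server cannot
# steer the clock. The nts option needs chrony 4.0 or later.
server nts1.example.net iburst nts
server nts2.example.net iburst nts

# Directive discussed in the reply: skip the certificate activation/expiry
# checks until the clock has been updated once, for hosts whose clock is bogus
# at boot (no RTC, or RTC without battery backup). The default 0 keeps the
# checks always on; leave it at the default on any machine with a working
# battery-backed RTC, since the check is what rejects revoked/expired certs
# on a host that was started with a wrong time.
nocerttimecheck 1
```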
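The per-interface PEERNTP decision described in the reply, as an added example that is not code from the thread or from chrony: a POSIX shell function reads PEERNTP from /etc/sysconfig/network-scripts/ifcfg-<iface>, falls back to the global /etc/sysconfig/network, and reports whether DHCP-provided NTP servers may be used. The precedence (per-interface file wins), the rule that only the exact value "no" disables the servers, the default of enabled, and the SYSCONFIG_ROOT override are assumptions of this example; the sample files it reads are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from chrony): decide, per
# interface, whether NTP servers learned from DHCP may be used, by reading
# PEERNTP from /etc/sysconfig/network-scripts/ifcfg-<iface> and falling back
# to the global /etc/sysconfig/network. Assumptions: the per-interface file
# wins, only the exact value "no" disables the servers, default is enabled.

# Root of the sysconfig tree; overridable so the functions can be run against
# constructed files instead of the live system.
SYSCONFIG_ROOT="${SYSCONFIG_ROOT:-/etc/sysconfig}"

# sysconfig_get FILE KEY: print the last KEY=value assignment in FILE with
# optional double quotes stripped. Prints nothing if FILE is unreadable or
# KEY is not set.
sysconfig_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# peerntp_enabled IFACE: print "yes" or "no"; exit 0 when DHCP-provided NTP
# servers may be used for IFACE, 1 when they must be ignored.
peerntp_enabled() {
    val=$(sysconfig_get "$SYSCONFIG_ROOT/network-scripts/ifcfg-$1" PEERNTP)
    [ -n "$val" ] || val=$(sysconfig_get "$SYSCONFIG_ROOT/network" PEERNTP)
    if [ "$val" = "no" ]; then
        echo no
        return 1
    fi
    echo yes
    return 0
}

# make_constructed_sysconfig: build a throwaway sysconfig tree of constructed
# sample files and print its path. The global default distrusts DHCP servers;
# the trusted VPN interface opts back in; the public Wi-Fi interface says
# nothing and therefore inherits the global "no".
make_constructed_sysconfig() {
    root=$(mktemp -d)
    mkdir -p "$root/network-scripts"
    cat > "$root/network" <<'EOF'
# constructed global defaults
NETWORKING=yes
PEERNTP=no
EOF
    cat > "$root/network-scripts/ifcfg-tun0" <<'EOF'
# constructed: trusted VPN, accept the NTP servers it hands out
DEVICE=tun0
PEERNTP="yes"
EOF
    cat > "$root/network-scripts/ifcfg-wlan0" <<'EOF'
# constructed: public network, no PEERNTP line, so the global value applies
DEVICE=wlan0
EOF
    echo "$root"
}

# Stand-alone demonstration against the constructed tree (eth9 has no ifcfg
# file at all, so it also falls back to the global setting).
SYSCONFIG_ROOT=$(make_constructed_sysconfig)
for ifc in tun0 wlan0 eth9; do
    printf '%s: DHCP NTP servers %s\n' "$ifc" "$(peerntp_enabled "$ifc")"
done
rm -rf "$SYSCONFIG_ROOT"
```

The point of the per-interface split is the one raised in the quoted mail: a VPN or corporate LAN can be allowed to supply unauthenticated NTP servers while a public network is not, and the decision is made before the servers ever reach chrony.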