Re: NTP security hole CVE-2013-5211? (Gary Palmer)

Board: FB_security, posted 12 years ago (2014/03/26 20:01)
0 comments, 0 participants, thread 3/3
<<On Wed, 26 Mar 2014 07:08:57 +0200, Kimmo Paasiala <kpaasial@icloud.com> said:

> I believe Gary was talking about changing the control/status port
> and not the actual service port (UDP 123). That should be doable
> without breaking compatibility with existing NTP tools.

NTP does not have a separate "control/status port"; all NTP operations that could be called "control" and "status" use the NTP protocol and the NTP port. If you configure your NTP server correctly (or start from a good default configuration), these operations will be restricted using NTP's built-in authentication and access-control mechanisms. In NTP-speak, the relevant packets are known as "mode 6" and "mode 7" messages.

ntpq and ntpdc, since they run as non-root, will obviously use an ephemeral source port.

Historically (not sure if it's still true), ntpd would generate a random key on startup and then fork a process to read the configuration file and handle DNS resolution; the child process would then use mode 7 messages to add associations in the main server process as each host name was resolved.

-GAWollman

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
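The post's point is that "control" traffic is distinguished from ordinary time-sync traffic by the mode field in the NTP header, not by the port. The following is an added example (not code from the mailing-list thread) that decodes the first header byte of an NTP packet per RFC 5905 and flags mode 6 (ntpq) and mode 7 (ntpdc) messages, the kind of traffic an Internet-facing server should be denying with ntpd's `restrict ... noquery`. The sample packets and source addresses are constructed.

```python
"""Classify NTP packets by mode and flag remote-control (mode 6/7) traffic.

Added example for this page; it is not code from the original mailing-list
thread. Only the first header byte is needed: per RFC 5905 it packs
LI (2 bits), VN (3 bits) and Mode (3 bits), and the mode field is what
separates ordinary time sync (modes 3/4) from the "mode 6" (ntpq) and
"mode 7" (ntpdc) messages discussed in the post.
"""
from collections import Counter

NTP_MODES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control (ntpq, mode 6)",
    7: "private (ntpdc, mode 7)",
}

# Modes a time server exposed to the Internet should not be answering
# for arbitrary sources; ntpd's "restrict ... noquery" denies them.
REMOTE_CONTROL_MODES = {6, 7}


def parse_ntp_header(pkt: bytes) -> dict:
    """Return LI, version and mode from the first byte of an NTP packet."""
    if not pkt:
        raise ValueError("empty packet")
    b0 = pkt[0]
    return {
        "li": b0 >> 6,             # leap indicator (top 2 bits)
        "version": (b0 >> 3) & 7,  # NTP version number (next 3 bits)
        "mode": b0 & 7,            # association mode (low 3 bits)
    }


def is_remote_control(pkt: bytes) -> bool:
    """True for mode 6 (control) and mode 7 (private) packets."""
    return parse_ntp_header(pkt)["mode"] in REMOTE_CONTROL_MODES


def summarize(packets) -> dict:
    """Count packets per mode name and list the mode 6/7 packets.

    `packets` is an iterable of (source_address, payload) pairs, as a
    capture tool might hand them over; only the payload is inspected.
    """
    counts = Counter()
    flagged = []
    for idx, (src, payload) in enumerate(packets):
        hdr = parse_ntp_header(payload)
        counts[NTP_MODES[hdr["mode"]]] += 1
        if hdr["mode"] in REMOTE_CONTROL_MODES:
            flagged.append((idx, src, hdr["mode"]))
    return {"counts": dict(counts), "flagged": flagged}


# Constructed sample traffic: only the header byte matters here, the rest
# of each payload is zero padding. Addresses come from documentation ranges.
SAMPLE_PACKETS = [
    ("192.0.2.10", bytes([0x23]) + bytes(47)),    # v4 client request
    ("198.51.100.1", bytes([0x24]) + bytes(47)),  # v4 server reply
    ("203.0.113.7", bytes([0x16]) + bytes(11)),   # v2 mode 6 control query
    ("203.0.113.7", bytes([0x17]) + bytes(7)),    # v2 mode 7 private query
    ("192.0.2.11", bytes([0x23]) + bytes(47)),    # another client request
]

if __name__ == "__main__":
    result = summarize(SAMPLE_PACKETS)
    for name, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {name}")
    for idx, src, mode in result["flagged"]:
        print(f"packet {idx}: mode {mode} from {src} (remote-control traffic)")
```

Because the classification depends only on the header byte, the same check works on traffic from any source port, which is why moving the "control port" would not change what an observer (or ntpd's access-control list) sees: a mode 6 or mode 7 query arriving on UDP 123 looks the same whichever ephemeral port ntpq or ntpdc happened to pick.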
Article code (AID): #1JCi5_Gc (FB_security)