Bug 2170 - Default /etc/ntp.conf permits easy remote control of XNTPD
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: xntp3
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Depends On:
Reported: 1999-04-13 21:11 UTC by Chris Siebenmann
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-04-15 00:21:54 UTC


Description Chris Siebenmann 1999-04-13 21:11:11 UTC
The default /etc/ntp.conf specifies a key file and key
IDs for all three sorts of keys; the default key file
contains default/sample keys. The net effect is that an
NTP server started without commenting out this section
of the ntp.conf file will allow anyone on the Internet
who knows the default /etc/ntp/keys contents -- i.e. most
everyone who can read an RPM file somehow -- to perform
remote control of the NTP daemon. This allows anyone on
the Internet to control the local clock (delete all the
configured peers, add a set of peers under your control
that feeds the target system bogus time), among other

I strongly urge Red Hat not to ship an /etc/ntp.conf
with keys enabled. With the requestkey, controlkey,
and trustedkey statements commented out, the daemon
will not allow this remote control. (I would suggest
commenting out the line that specifies a key file too.)
I'd also suggest a strong comment in both files that one
should NOT use the default values, so people aren't
tempted to just uncomment things and run that way.
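
An added example, not part of the original report and not Red Hat's code: a small audit that finds active keys, trustedkey, requestkey and controlkey lines in an ntp.conf and produces the commented-out form the report asks for. The sample configuration, its key IDs, the drift file path and the warning text are constructed for illustration.

```python
# Directives the report says should not ship enabled; "keys" names the key file.
KEY_DIRECTIVES = ("keys", "requestkey", "controlkey", "trustedkey")
WARNING = "# Do NOT enable with packaged sample keys; install your own keys first."

def active_key_directives(conf_text):
    """Return (line_number, directive, arguments) for each uncommented key directive."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        body = line.split("#", 1)[0].split()   # '#' starts a comment in ntp.conf
        if body and body[0] in KEY_DIRECTIVES:
            findings.append((number, body[0], body[1:]))
    return findings

def comment_out_key_directives(conf_text):
    """Return the config with every active key directive commented out,
    each preceded by a warning against reusing default key values."""
    flagged = {number for number, _, _ in active_key_directives(conf_text)}
    out = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if number in flagged:
            out.append(WARNING)
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample, not the file that was shipped; key IDs are made up.
SAMPLE_CONF = """\
server 127.127.1.0   # local clock
driftfile /etc/ntp/drift
keys /etc/ntp/keys
trustedkey 1 2
  requestkey 1
#controlkey 2
"""

if __name__ == "__main__":
    for number, directive, args in active_key_directives(SAMPLE_CONF):
        print(f"line {number}: '{directive} {' '.join(args)}' is active")
    print(comment_out_key_directives(SAMPLE_CONF), end="")
```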

Comment 1 Cristian Gafton 1999-04-15 00:21:59 UTC
