timedatex replacing systemd-timedated for NTP packages
Florian Weimer
fweimer at redhat.com
Wed Nov 26 13:39:56 UTC 2014
On 11/26/2014 10:09 AM, Miroslav Lichvar wrote:

> We still do. Unless the number of bad servers added from DHCP is large
> enough to disrupt the NTP source selection algorithm or the pool
> servers are not reachable (NTP traffic blocked), it shouldn't be a big
> problem. Of course, without authentication this can't reliably protect
> against MITM attacks.

Do we even use the DHCP NTP server assignment?

I was more worried about 123/UDP interception (which makes kind of sense
to improve NTP accuracy, but can of course turn out to be quite wrong).

> I think Florian meant getting time over HTTPS from a Fedora server.

Yes, there are various places where the server time is included under
cryptographic protection. We'd have to hard-code the certificate,
though, because we cannot do PKIX validation without system time
information.
--
Florian Weimer / Red Hat Product Security
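
The approach discussed in the message above, as an added example that is not part of the original post or of any Fedora code: a client with no trusted clock reads the HTTP Date header over TLS and accepts the server only if its certificate matches a hard-coded SHA-256 pin, so no PKIX validity check is needed. The function names, the constructed sample certificate bytes, and the host passed to `fetch_pinned_time` are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed stand-in for the server certificate's DER bytes (not a real cert).
SAMPLE_CERT_DER = b"constructed DER bytes standing in for the pinned certificate"
# The hard-coded pin: SHA-256 over the exact certificate the client expects.
PINNED_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def cert_matches_pin(der: bytes, pinned_hex: str) -> bool:
    """Compare the presented certificate to the pin; no validity dates involved."""
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), pinned_hex.lower())


def time_from_headers(raw_head: bytes) -> datetime:
    """Extract the HTTP Date header from a raw response head as aware UTC."""
    for line in raw_head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            stamp = parsedate_to_datetime(value.decode("ascii").strip())
            if stamp.tzinfo is None:
                raise ValueError("Date header carries no usable time zone")
            return stamp.astimezone(timezone.utc)
    raise ValueError("response has no Date header")


def fetch_pinned_time(host: str, pinned_hex: str, port: int = 443) -> datetime:
    """Read server time over TLS, trusting only the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # PKIX expiry checks need the clock we lack
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # The pin check replaces chain validation and runs before any I/O.
            der = tls.getpeercert(binary_form=True) or b""
            if not cert_matches_pin(der, pinned_hex):
                raise ssl.SSLError("peer certificate does not match the pin")
            tls.sendall(b"HEAD / HTTP/1.1\r\nHost: " + host.encode("ascii")
                        + b"\r\nConnection: close\r\n\r\n")
            head = b""
            while b"\r\n\r\n" not in head:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                head += chunk
    return time_from_headers(head.split(b"\r\n\r\n", 1)[0])
```

Because the pin replaces expiry checking, the pinned certificate stays trusted until the client's hard-coded value is updated, so rotating the server certificate means shipping a new pin.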