On Tue, Dec 22, 2009 at 09:53:00PM +0300, Matthieu Patou wrote:
> On 22/12/2009 20:53, Kurt Roeckx wrote:
> >On Tue, Dec 22, 2009 at 02:33:54PM +0300, Matthieu Patou wrote:
> >>Subject: ntp server didn't support mssntp
> >>Package: ntp
> >>Version: 4.2.4p4+dfsg-8lenny3
> >>Severity: wishlist
> >>Tags: patch
> >
> >You tagged it patch, but you don't provide any patch?
> No good excuse, but I was missing a category saying that the patch
> is already in the upstream source.
>
> >>Current version of ntp in debian does not support MS SNTP extension.
> >[...]
> >>Version 4.2.6 of ntp (released on 12/12/09) now includes patches for
> >>allowing this extension but must be compiled specifically with the
> >>option --enable-ntp-signd to effectively build this extension.
> >
> >So this is a wishlist bug asking for a new upstream version
> >with that configure option? Any idea why this isn't on by default?
> See the talk in this bug
> https://support.ntp.org/bugs/show_bug.cgi?id=1405. Basically I'll
> say that Ph. D. Mills is a bit overcautious as he doesn't want ntp to
> be blamed for an admin that activated this option and gets flooded.
> It's in fact the same problem as refclock that has to be explicitly
> activated during configure if you want to have it (as debian does).
>
>
> I am not of course willing to make debian users run a risk when using
> the new version of ntp with this extension. So it must be noted that
> even if the extension is built in the ntp server it must be opted in
> to start to work. This piece of code protects the emission to the
> signed socket:
>
> if (flags & RES_MSSNTP) {
>         send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
>         return;
> }
>
> If no restrict is defined or if it didn't match the user ip address
> then the send_via_ntp_signd is not called.
> It's obvious that any publicly available server shouldn't have this
> activated.

As I understand David L. Mills, it always opens a TCP socket
independent of the configuration file, and that that can be
used to DoS the server. If that's not the case I see no problem
with enabling this by default.


Kurt
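
The opt-in gate from the quoted text, as an added example that is not part of this thread or of ntpd's source: a simplified model of looking up a client's restrict flags and applying the `flags & RES_MSSNTP` test. The most-specific-match lookup, the bit value of `RES_MSSNTP`, the helper names and all addresses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RES_MSSNTP 0x1u  /* bit value constructed here; only the name is from the thread */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Simplified stand-in for one "restrict <addr> mask <mask> [flags]" entry. */
struct restrict_entry { uint32_t addr, mask; unsigned flags; };

/* Constructed policies: mssntp scoped to an internal /16 vs. set on the default entry. */
static const struct restrict_entry scoped[] = {
    { IP(0, 0, 0, 0),  IP(0, 0, 0, 0),     0 },
    { IP(10, 1, 0, 0), IP(255, 255, 0, 0), RES_MSSNTP },
};
static const struct restrict_entry open_default[] = {
    { IP(0, 0, 0, 0),  IP(0, 0, 0, 0),     RES_MSSNTP },
};

/* Flags of the most specific entry matching src; 0 when nothing matches. */
static unsigned lookup_flags(const struct restrict_entry *tab, size_t n, uint32_t src)
{
    unsigned flags = 0;
    uint32_t best_mask = 0;
    for (size_t i = 0; i < n; i++) {
        if ((src & tab[i].mask) != tab[i].addr)
            continue;
        if (tab[i].mask >= best_mask) {   /* longer mask = more specific entry */
            best_mask = tab[i].mask;
            flags = tab[i].flags;
        }
    }
    return flags;
}

/* Same test as the quoted gate: 1 means the reply would go to the signing daemon. */
static int would_use_signd(const struct restrict_entry *tab, size_t n, uint32_t src)
{
    return (lookup_flags(tab, n, src) & RES_MSSNTP) != 0;
}

int main(void)
{
    uint32_t inside = IP(10, 1, 2, 3), outside = IP(203, 0, 113, 7);
    printf("scoped:  inside=%d outside=%d\n", would_use_signd(scoped, 2, inside), would_use_signd(scoped, 2, outside));
    printf("default: outside=%d\n", would_use_signd(open_default, 1, outside));
    printf("no entries: inside=%d\n", would_use_signd(NULL, 0, inside));
    return 0;
}
```

The model covers only the per-client flag check; it says nothing about when ntpd opens its socket to the signing daemon, which is the point raised in the reply above.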