EditWYSIWYGAttachPrintable

r7 - 2007-11-08 - 17:45:41 - HarlanStennYou are here: NTP >

Dev Web > DevelopmentIssues > GettingNtpdItsConfiguration

NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to use in a distributed denial-of-service (DDoS) attack. Please also take this opportunity to defeat denial-of-service attacks by implementing ingress and Egress filtering through BCP38.

The final two security bugs reported by Google's Security Team have been fixed as of ntp-4.2.8p1.

A new set of mode 6 vulnerabilities has been discovered and, while these vulnerabilities can be reduced by making sure you have restrict default … noquery in your ntp.conf file, the best and most complete way to avoid these vulnerabilities is to install and deploy ntp-4.2.8p1 which was released on 04 February 2015.

Please see the NTP Security Notice for vulnerability and mitigation details.
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

Getting `ntpd` its Configuration

Current Practice
Using the -C flag to specify additional configuration files
Extending -c to allow a URL specification
Using -e to act like a single line of a config file

Related Items: Bug #923

Current Practice

Traditionally, ntpd gets its configuration information from /etc/ntp.conf.

Using the `-C` flag to specify additional configuration files

If the simulator is no longer using the -C flag then we could use -C filename to mean "process filename as an additional configuration file".

The following URL extension could also be used in this case.

Rather than adding a -C to process an additional config file, why not simply allow -c to be specified multiple times?

BrianUtterback - 23 Oct 2007

I'm concerned that changing the behavior of multiple -c instances would be a break with backward compatibility.

-- HarlanStenn - 23 Oct 2007

Extending `-c` to allow a URL specification

The -c flag to ntpd can be used to specify the filename of an ntp.conf file.

If we allowed a URL as an argument we could support additional methods of getting this information to ntpd.

Including a local file

Syntax: ntpd -c file:///etc/ntp.conf

This is equivalent to ntpd -c /etc/ntp.conf.

Retrieving a file via HTTP

Syntax: ntpd -c http://server/ntp.conf

If the web server on server processed this URL, it could take the 'client' information from the HTTP request and customize a response.

Retrieving NTP configuration information via DHCP

Syntax: ntpd -c dhcpinfo://server

Communicate with a DHCP server to get any NTP configuration information it might have.

Related Topics: http://www.ietf.org/internet-drafts/draft-gayraud-dhcpv6-ntp-opt-00.txt

Using `-e` to act like a single line of a config file

I suggest adding a (possibly multiply given) -e flag that would have as its argument a string that would be processed as a single line config file.

BrianUtterback - 23 Oct 2007

I like this and am OK with multiple -e instances.

-- HarlanStenn - 23 Oct 2007

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r7 < r6 < r5 < r4 < r3 | More topic actions

Dev

Log In or Register

Dev Web
BitKeeper Notes

NTP Public Services Project

IPv6 Ready

Copyright &© 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback