Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Unix

OpenBSD Releases a Portable Version of OpenNTPD 79

Noryungi (70322) writes Theo De Raadt roundly criticized NTP due to its recent security advisories, and pointed out that OpenBSD OpenNTPD was not vulnerable. However, it also had not been made portable to other OS in a long time. Brent Cook, also known for his work on the portable version of LibreSSL (OpenBSD cleanup and refactoring of OpenSSL) decided to take the matter in his own hands and released a new portable version of OpenNTPD. Everyone rejoice, compile and report issues!
This discussion has been archived. No new comments can be posted.

OpenBSD Releases a Portable Version of OpenNTPD

Comments Filter:
  • Mathematics (Score:5, Interesting)

    by ledow ( 319597 ) on Friday January 09, 2015 @08:55AM (#48774179) Homepage

    I'm led to believe that the reason we're using ntpd and not any of the other is that, although they are fine for getting your home machine to approximately the right second, they are damn-near useless for anything that you want real time-keeping for.

    So if you want to interact with stratum-1's or be a stratum-2, then you'll be using ntpd. And, en-masse, NTP is not something as simple as just clock-skewing. That throws lots of things out of kilter. Granted, you may think you don't care, but these things can come back to bite you if you make a hasty decision now.

    When someone like the NTP pool project (that I run a couple of serverse on) come to me and tell me that ntpd isn't secure enough, and that OpenNTP is good enough , then maybe I'll go over to them. Fact is, I haven't heard anything along those lines.

    There's a lot of maths behind getting your clocks in sync quickly without going backwards in time, or slowing to a crawl, or messing up timestamps a lot. It's not as simple as "let's just drag the users clock closer to the reference one constantly". ntpd does a LOT that other NTP servers don't, and a lot of that is important for anything that you want to rely on a timeserver for.

    Sorry, but this is just blatant "Look at us, we run an NTP project that's secure" when actually it does less than 10% of what ntpd does. And to make it do what ntpd does, presumably will take years of work to secure.

    There are various "rewrite" projects at the moment, but all known holes with ntpd are closed. Until there's a compelling reason to move, don't. And by the time there is, you'll find properly-written, full-featured NTP projects being offered.

    Nobody's talking about sub-millisecond accuracy here either. We're just talking not cocking up the one thing you plug in an NTP server to get right - the time.

    • It's a matter of numbers.

      .
      I have ten servers for which the 100 millisecond accuracy of OpenNTPD is perfectly fine. I have one server where I may need more accuracy than that.

      So I'd rather run the risk of having only one server with the bloated mess of ntp, and having a valid alternative for my other ten servers.

      ...Sorry, but this is just blatant "Look at us, we run an NTP project that's secure" when actually it does less than 10% of what ntpd does.

      ... Sorry, but your comment is just a blatant, "Look at us, the ntp project provides more accuracy, so just ignore everything else that is wrong with it."

      To my eyes, it looks like the ntp pro

      • by grub ( 11606 )

        I have ten servers for which the 100 millisecond accuracy of OpenNTPD is perfectly fine.

        That's nearly a tenth of a second!
    • by amorsen ( 7485 )

      Chrony is a complete working implementation of the NTP protocol. NTPD gets its knickers in a twist at the slightest excuse and sometimes ends up stepping the time even though it has perfectly good Internet connectivity and a reasonably good internal clock. Chrony keeps steady time even if Internet access is intermittent. It never gets confused and picks a falseticker pretending to be stratum one instead of a stratum 3 with correct time, unlike NTPD.

      It even has interfaces to GPS clocks or other hardware cloc

      • by Anonymous Coward

        Yes it implements the protocol. So does OpenNTPD -- up to v3 or v4 for SNTP. Nobody is refuting that. There is more than just the protocol specs.

      • Chrony is a complete working implementation of the NTP protocol.

        You mean complete except for broadcast/multicast mode, or authentication based on public-key cryptography. Some basically it's a good client and a unauthenticated / inefficient (network) server.

        It also makes some pretty misleading claims; Chrony can usually synchronise the system clock faster and with better time accuracy [tuxfamily.org] except it never explains how it can possibly achieve better time accuracy than NTPd.

        Chrony does handle a number of client usage scenarios better than NTPD (namely non-permanent network co

        • So it's fair to say that Chrony isn't suitable for running on stratum 1 servers, of which there are a few hundred, maybe up to at most a few thousand publically available in the world[1]. For the millions of Linux servers, laptops and desktops that aren't and will never be stratum 1 NTP servers Chrony should be just fine, shouldn't it?

          [1] ntp.org currently lists 304 publcically available stratum 1 servers http://support.ntp.org/bin/vie... [ntp.org]

          • So it's fair to say that Chrony isn't suitable for running on stratum 1 servers, of which there are a few hundred, maybe up to at most a few thousand publically available in the world[1]. For the millions of Linux servers, laptops and desktops that aren't and will never be stratum 1 NTP servers Chrony should be just fine, shouldn't it?

            Yes, I think Chrony is fine for most typical unauthenticated leaf-node (client-only) usage, but I still don't recommend it for the thousands of public stratum 2 or higher (see pool.ntp.org, most are stratum 2 or 3) servers, or the thousands of corporate and organizational NTP servers. For usage as a server, with a full-time network connection, I don't know of any compelling reason to use Chrony over NTPD or OpenNTPD.

            Personally I can't see any reason to believe Chrony is more secure than either NTPD or OpenN

    • Re:Mathematics (Score:5, Informative)

      by Terje Mathisen ( 128806 ) on Friday January 09, 2015 @10:04AM (#48774659)

      [Full Disclosure: I have been a member of the NTP Hackers team for ~15 years, so you could claim that I'm partly to blame for the recent security problems even if I have not personally worked on the crypto or monitoring code.]

      NTPD is definitely more complicated that what you need for a leaf (client-only) machine, like all the server functions and the code that support locally attached reference clocks, this is the main reason PHK is working on a dedicated NTP client.

      We have known for many years that the monitoring functions, in particular the "mode 6" UDP packets were a potential DDoS amplification vector, which is why we replaced them.

      For the crypto stuff we did what pretty much every other project did, i.e. we imported the functions we needed from openssl, and like pretty much every other project we messed up a few buffer handling issues.

      The important point here is that anyone running a public server with a recommended configuration (no crypto, no remote monitoring) would not have had any security problems, even if they insisted on using 10+ year old versions!

      With any version from withing the last 3-5 years you would also have been secure against the DDoS vector even if you did allow remote status monitoring.

      How many system-level sw packages are you using where this would have bee true?

      Terje
      PS. OpenNTP should properly be called OpenSNTP, since it implements the Simple NTP subset instead of the full NTP protocol stack which includes system clock time/frequency tuning.

      • Comment removed based on user account deletion
    • by lowen ( 10529 )

      I run three local (private) GPS-synced stratum 1 NTPD instances here. Stratum 1 is hard to get right, as hard as getting security right.

  • by loonycyborg ( 1262242 ) on Friday January 09, 2015 @09:00AM (#48774207)

    Like chrony.

    I wouldn't recommend openntpd because it isn't an implementation of ntp

    • by Anonymous Coward

      Nothing to see here...

      System D already has a built in NTP client, so we Linux people can use that.

      • by amorsen ( 7485 )

        SystemD does not have an NTP client. It has an SNTP client. Just like OpenNTPD.

        • by Anonymous Coward

          WOW, here I was, running a good old System D troll ("Who in the flying fuck would implement NTP in an init system! ha ha ha") and I guess I wasn't trolling hard enough--you're right! Those guys actually did it:

          https://wiki.archlinux.org/index.php/systemd-timesyncd

          Things really *are* bad, aren't they?

          I'd make a joke about System D including a NoSQL database, but they probably already have one of those already...

          • by amorsen ( 7485 )

            Things really *are* bad, aren't they?

            Yes. They are that bad. Read the threads about Gnome vs. systemd-timesyncd vs. Chrony and weep.

            http://www.spinics.net/lists/f... [spinics.net]

            And Poettering in his usual ignorant condescending style:

            http://www.spinics.net/lists/f... [spinics.net]

            • by chihowa ( 366380 )

              Wow, that thread is really depressing. So the decision path for what ships with Fedora has been simplified to: what package isn't broken by systemd? Suitability for a task and technical merits aren't even a consideration any more...

            • by chihowa ( 366380 )

              Here's a gem from Poettering [spinics.net], where he dismisses basic security (why would you not implicitly trust unauthenticated packets from some random internet server?), as well as displays his total lack of awareness of the capabilities of the existing software he's bent on replacing (super-NIH syndrome... writing a simplistic replacement to ntpd and chronyd without even knowing what they currently do).

              Yikes.

          • I assumed it was a troll myself, and giggled 'haha, systemd with an ntp client, lolz" and then boom, mind blown, there really is one? jeez.

  • by Anonymous Coward

    Took a look. Found a bug in 2 seconds. Theo is really quite full of himself.

    For the bug take a look at the "host" function in parse.y. Who can spot what the function returns and what it's being tested against.

    • It's not a bug.

      The commit log states this:


      when a dns lookup fails at parse time, do not abort but try again
      to resolve the hostname every 60 seconds
      fixes ntpd invocations before e. g. a dialup link is established and such.
      as we want ntpd to be a "fire and forget" background daemon it should
      cope with such situations.
      tested by many

      Relevant diff: http://cvsweb.openbsd.org/cgi-... [openbsd.org]

      (I'm assuming that the "bug" you found is that it's comparing the return value to -1 when the host() function can only return 0 or 1)

  • ntpdate on a cron is a nice alternative to running the full ntp server, if you just want accurate time.. I've had to set this up on a network wherein each server running ntp server created too much drift between them (all servers needed to be within 100 ms of eachother). Easiest solution is all servers run ntpdate every minute against a single host within the network. Drifting averaged about 20ms with that simple solution.
  • DragonFly has had its own ntp-only client for years, dntpd. Not sure why this is suddenly becoming a topic now.

    In terms of portability, every operating system has different sysctls or system calls for manipulating the clock. There is no single standard for setting the frequency drift correction, step, or slide operations to correct the time. And part of the problem is that most of these APIs are deficient in one way or another and make it difficult for the ntp client to run the corrections without genera

  • Just a look at their ntpd.conf man page makes me want to switch to OpenNTPD yesterday.

    Old ntpd man pages suck so hard that it's unbelievable.

    As usual, OpenBSD documentation is a dream come true. Thank you, guys.

Keep up the good work! But please don't ask me to help.

Working...