darkness

Sunday, 10 August 2003

Poorly documented software department: ntpd

darkness @ 16:59:37

First, let me say, for Andy: this & that. (Why am I saying that again?)

Anyway, on to the point. I decided I would try and set up authentication with NTP on my LAN. I find they have the traditional keys setup, which is documented reasonably well, particularly in the NTP FAQ. Then I read about “autokey”: public key cryptography for NTP authentication. Sounds neat, sounds recent, decide to try it.
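For readers who land here looking for what the “traditional keys setup” actually does on the wire, here is an added illustration (not code from the original post and not ntpd’s own code): the symmetric-key MAC that classic NTP authentication appends to each packet, i.e. a 4-byte key id followed by MD5 over the shared key concatenated with the 48-byte header, plus the receiving side’s check. The keys file contents, key ids and packet fields below are constructed for the example; the file format (`<keyid> M <ascii key>`) follows the classic ntp.keys layout.

```python
import hashlib
import hmac
import struct

# Constructed sample keys file in the classic ntp.keys format.
# Type "M" means the ASCII key is used with MD5. Not a real deployment.
SAMPLE_KEYS_FILE = """\
# constructed example keys file
1 M lan-shared-secret
2 M another-secret
"""

HEADER_LEN = 48   # NTPv4 header (RFC 5905)
MAC_LEN = 4 + 16  # key id + MD5 digest


def parse_keys(text):
    """Parse ntp.keys-style text into {keyid: key_bytes}; only type M handled."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        keyid, ktype, key = line.split(None, 2)
        if ktype.upper() != 'M':
            raise ValueError(f'unsupported key type {ktype} for key id {keyid}')
        keys[int(keyid)] = key.encode('ascii')
    return keys


def build_packet(stratum=2, poll=6, precision=-20, transmit_ts=0x0123456789ABCDEF):
    """Build a constructed 48-byte NTPv4 server header (LI=0, VN=4, mode=4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    # !BBbb = LI/VN/mode, stratum, poll, precision; III = root delay,
    # root dispersion, reference id; QQQQ = reference/origin/receive/transmit ts
    return struct.pack('!BBbbIIIQQQQ', li_vn_mode, stratum, poll, precision,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def append_mac(packet, keyid, keys):
    """Sender side: MAC = keyid || MD5(key || header), appended to the header."""
    digest = hashlib.md5(keys[keyid] + packet).digest()
    return packet + struct.pack('!I', keyid) + digest


def verify_mac(message, keys):
    """Receiver side. Returns (ok, keyid).

    Rejects wrong lengths, key ids not in the trusted key set (ntpd's
    trustedkey list plays this role), and any change to the header bytes.
    """
    if len(message) != HEADER_LEN + MAC_LEN:
        return False, None
    header = message[:HEADER_LEN]
    keyid = struct.unpack('!I', message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:]
    key = keys.get(keyid)
    if key is None:
        return False, keyid
    expected = hashlib.md5(key + header).digest()
    # constant-time comparison so verification time does not leak digest bytes
    return hmac.compare_digest(expected, digest), keyid


if __name__ == '__main__':
    keys = parse_keys(SAMPLE_KEYS_FILE)
    msg = append_mac(build_packet(), 1, keys)
    print('valid message:', verify_mac(msg, keys))
    tampered = bytearray(msg)
    tampered[1] ^= 1          # flip a bit in the stratum field
    print('tampered stratum:', verify_mac(bytes(tampered), keys))
```

The point this makes about the author’s threat model is that the MAC only binds the header to a shared secret: a peer that never has the key can’t produce a valid MAC, but a peer holding key 1 can forge any timestamp it likes, so the trust boundary is whoever has read access to the keys file.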

If you want to take time coding a feature, and you want other people to use it, you might want to document it better than autokey. The main point of autokey, authentication, didn’t seem to be addressed to me, at least not in examples. I feel that I actually read a decent amount of documentation, but all I found were explanations of how the protocol works, scant examples, and people on Usenet basically repeating what I’m saying here. I have no idea, for example, if I’m supposed to copy public keys from my server to my client so they can authenticate. (Some random post to a mailing list may help in showing a configuration example for autokey.) For that matter, I’m not even sure which file that ntp-keygen makes contains the public key (the certificate file?).

Then I realized that I’m not authenticating with the public time servers my local NTP server synchronizes with in the first place. What’s more likely: an attack from the Internet, or an attack from my LAN? For that matter, other than screwing up log files and making cron jobs run, what good is changing my time? You can annoy me, but an attack based on this might be non-trivial. Your best bet might be attacking Kerberos, I guess. To screw me from the Internet you’re going to have to imitate the four NTP servers I synchronize off of anyway. So thppt on authentication.

I realize that ntpd is free software, and maybe I shouldn’t be bitching. I really don’t want this to sound like a bitch, more like: if you want people to use the useful functionality you’ve taken the time to code in, you might want to take some time and give better documentation on it as well. Otherwise all your work may be in vain. I suspect the creators of ntpd and other NTP gurus understand all this, though, so they don’t much care. They did it for themselves and that’s fine and great. Maybe if I had more time — and cared more — I’d write the documentation myself. I’m not pissed at the ntpd creators, though; just kind of temporarily frustrated.

Anyway, syslog doesn’t seem to have any capability for doing things like remote logging over SSL, in either Linux or OpenBSD. Third party packages needed I suppose. Maybe I can stunnel it. Maybe I won’t bother for now.
