OpenBSD Journal

HEADS UP: ntpd changing

Contributed by rueda on from the what-time-have-*you*-got? dept.

Theo de Raadt (deraadt@) posted to tech@:

The ntpd options -s and -S are going to be removed soon and at startup
will print:

    -s option no longer works and will be removed soon.
    Please reconfigure to use constraints or trusted servers.

Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
-s and -S from getopt, and starting with those options will fail.

Effective immediately, the -s option stops doing what you expect.  It now
does nothing.

Big improvements have happened in ntpd recently.  At startup, ntpd
aggressively tries to learn from NTP packets validated by constraints,
and set the time.

That means a smarter variation of -s is the default, but the information
is now *VALIDATED* by constraints.

2 additional constraints have been added.  If you have upgraded, please
review /etc/examples/ntpd.conf for modern use.

Those who cannot use https constraints can instead tag server lines
with the keyword "trusted", which means you believe MITM attacks are not
possible on the network to those specific NTP servers.  Do this only on
servers directly connected over trusted network.  If someone does
"servers pool.ntp.org trusted", we're going to have a great laugh.

We're creating something a bit complex, but our goal is for every
machine to have a close approximation of correct time.  If we get
there, some good things will happen.  Some serious cargo-culting
for using -s has gotten in the way (-s performs no MITM checks).
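To make the advice concrete, here is an added example (mine, not part of Theo's mail or the OpenBSD tree): a constructed ntpd.conf in the post-6.6 style, with the two new constraint addresses and a "trusted" LAN server, followed by a hypothetical lint that flags "trusted" on any server/servers line whose address is not a private, loopback or link-local one. The config lines follow ntpd.conf(5) syntax as I know it; the address classes accepted by the lint are an approximation of "directly connected over trusted network".

```shell
#!/bin/sh
# Added example, not from the post or from OpenBSD. A constructed ntpd.conf
# plus a hypothetical lint for misuse of the "trusted" keyword.

cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample, modelled on /etc/examples/ntpd.conf
servers pool.ntp.org
constraints from "https://www.google.com"
constraint from "9.9.9.9"        # quad9 v4, no DNS lookup needed
constraint from "2620:fe::fe"    # quad9 v6, no DNS lookup needed
# stratum-1 box on the LAN: no constraint check, fast settime at boot
server 10.0.0.1 trusted
# the mistake the mail laughs at: a pool hostname can be MITMed
servers pool.ntp.org trusted
EOF

# lint_trusted FILE: print each offending line, return 1 if any were found
lint_trusted() {
    awk 'BEGIN { bad = 0 }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*servers?[[:space:]]/ && /[[:space:]]trusted([[:space:]]|$)/ {
        a = $2
        # approximation of "local net": RFC 1918, loopback, link-local, ULA
        if (a ~ /^10\./ || a ~ /^192\.168\./ ||
            a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
            a ~ /^127\./ || a ~ /^169\.254\./ ||
            a ~ /^[fF][cCdD]/ || a ~ /^[fF][eE][89aAbB]/ || a == "::1")
            next
        print FILENAME ":" NR ": trusted on non-local address: " $0
        bad = 1
    }
    END { exit bad }' "$1"
}

if lint_trusted "$cfg"; then
    echo "ok: trusted is used only for local servers"
else
    echo "fix the lines above: ntpd would accept their time without constraints"
fi
rm -f "$cfg"
```

Sensors tagged "trusted" (commit 7 below) are left alone by the lint, since a local timedelta sensor is the case the keyword was made for.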

Related commits include:

  1. By Theo de Raadt (deraadt@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	deraadt@cvs.openbsd.org	2019/11/06 12:04:12
    
    Modified files:
    	etc            : ntpd.conf 
    
    Log message:
    Perform constraint validation against 9.9.9.9 and 2620:fe::fe also (which
    avoids DNS lookups entirely, but yes this https is correctly validated)
    long discussions with otto, florian, and the quad9 crew.
  2. By Otto Moerbeek (otto@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	otto@cvs.openbsd.org	2019/11/10 12:24:47
    
    Modified files:
    	usr.sbin/ntpd  : client.c ntp.c ntpd.c ntpd.h parse.y 
    
    Log message:
    Introduce a "trusted" modifier, for peers that should be on a local net
    used in situations where https constraints cannot be used and we still want
    auto settime. Result of discussion with and ok deraadt@
  3. By Theo de Raadt (deraadt@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	deraadt@cvs.openbsd.org	2019/11/10 12:28:34
    
    Modified files:
    	usr.sbin/ntpd  : ntpd.conf.5 
    
    Log message:
    document server/servers "trusted" sub-option.  Indicates a particular
    server is wired up such that no MITM attacks are possible, and NTP
    packets can be trusted.  Therefore constraint validity is not required,
    and during boot ntpd can spin-up correct time faster.
    with otto, ok jmc schwarze
  4. By Theo de Raadt (deraadt@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	deraadt@cvs.openbsd.org	2019/11/10 17:01:20
    
    Modified files:
    	etc/examples   : ntpd.conf 
    
    Log message:
    update ntpd example configuration
  5. By Theo de Raadt (deraadt@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	deraadt@cvs.openbsd.org	2019/11/10 18:04:55
    
    Modified files:
    	usr.sbin/ntpd  : ntpd.c 
    
    Log message:
    Disable -s and -S functionality.  -s would force time using NTP packets without
    any MITM protection checks.  We've had constraint checks for MITM protection
    for some time. Recent work changed the default mode to rapidly check NTP packets
    against constraint validation, as the default mode. In environments where https
    traffic doesn't work, ethernet-near servers can be labelled as "trusted".  trusted
    sensor support is also coming. We have reasons to immediately move people away from
    the -s mode. ok otto

    Note the ominous last sentence in the log message above.
  6. By Theo de Raadt (deraadt@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	deraadt@cvs.openbsd.org	2019/11/10 18:05:30
    
    Modified files:
    	usr.sbin/ntpd  : ntpd.8 
    
    Log message:
    remove -s and -S documentation, and explain the boot-time startup mode
    more clearly
    ok ingo schwarze
  7. By Otto Moerbeek (otto@)
    CVSROOT:	/cvs
    Module name:	src
    Changes by:	otto@cvs.openbsd.org	2019/11/10 23:32:52
    
    Modified files:
    	usr.sbin/ntpd  : ntp.c ntpd.c ntpd.h parse.y sensors.c 
    
    Log message:
    Also implement "trusted" for sensors; do not do constraint validation
    for these. ok deraadt@
    


