Tangle - cookie keys file

James Browning jamesb.fe80 at gmail.com
Thu Mar 7 08:50:02 UTC 2019


On 3/6/19, Hal Murray via devel <devel at ntpsec.org> wrote:
>
> Where should we put the file used to store the key used to make cookies?  It
> gets read at startup and updated daily.
>
> Fedora and Debian put things like that in /var/lib/ntp/
> NetBSD and FreeBSD put them in /var/db/ntp/
>
> There used to be a man/web page with a list of the default file names.  I
> can't find it now.

$grep /var/ ntpd/*
ntpd/ntp_util.c:# define NTP_VAR "/var/NTP/"            /* NOTE the trailing '/' */

> Can we and/or should we make the default file names OS dependent?

I'd say stick an override in a config file, but that would only make
it more complicated.

> This gets tangled up with initialization and the config file.
>
> What should the system do if it can't read the file?  Crash?  Blunder on in
> no-NTS mode?  Make one?  ...
>
> If it crashes, where do we get the first one?

Possibly if there is not a file, try to create/populate one and on
success continue as if it were always there. If it cannot be created,
switch off Network Time Security and log an error.

If there is a file but it can only be opened read-only, then throw an
error in the log and continue with NTS until the master key expires.

If there is a file but it cannot be opened, then throw an error in the
log file and switch off NTS.

> Do we want to be able to run in no-NTS mode?  What does that mean?  We have
> nts enable/disable in the config file.  It enables the NTS-KE server which
> also needs cookies.
>
> Does it make sense to have a ntp server that supports NTS without having a
> NTS-KE server to get the initial cookies?  Eventually, you should be able to
> get the cookies from something like NTS-KE server for a pool.  But is there
> any reason for a system not to run its own NTS-KE server that will only send
> you to itself?
>
> Anybody have any good ideas on this area?

No, but that did not stop me
