NTS update
Gary E. Miller
gem at rellim.com
Mon Mar 25 19:40:00 UTC 2019
Yo Hal!
On Sun, 24 Mar 2019 21:38:53 -0700
Hal Murray <hmurray at megapathdsl.net> wrote:
> > My slower RasPi have random startup crashes. Goes away when I do
> > not make them NTS clients. Feels like another mysyslog() thing?
>
> I'd expect garbage in the log files rather than crashes.
Then we have a mystery...
> There is a known bug: nts doesn't work with IP Addresses. Gets a
> segfault. That case might make sense for testing with noval but
> anything with noval is insecure. Better to use old shared key
> authentication.
If you use noval and pinning it is no longer insecure. Potentially
more secure than just validating the certs against the CAs.
> > The waf install, or runtime, or both, need to make /var/lib/ntp if
> > missing. Not quite sure...
>
> What OS/distro? NetBSD uses /var/db/ rather than /var/lib/
> You can fix it in your ntp.conf
> nts cookie <filename>
I'm on Gentoo. Stable and Unstable.
I'm not missing /var/lib, I'm missing /var/lib/ntp, I would not expect
any distro to add that.
I think Daniel Frank proposed that /var/lib/ntp was the best place.
> > When I set a server cert, is that used as the client cert too?
>
> There is no code for client certs.
Yes, and just reusing the server cert should make that easier to do.
>
> > As the hackathon showed, we'll need cert pinning sooner rather than
> > later.
>
> Please say more? (start a new thread)
The people from Univ. Ostfalia insisted on using their private CA. I
refuse to add random root certs to my cert store. That was partly
solved by my using noval, which as you say is insecure. Until I can
pin their server cert.
Nothing new here, just another real world example.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
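The pinning check the thread is asking for, as an added example rather than code from NTPsec or from anyone on this thread: with "noval" the CA chain is not validated at all, and pinning replaces that with an exact match on the server's SubjectPublicKeyInfo (SPKI) hash, the RFC 7469 style of pin. The pin set is assumed to be configured out of band by the operator (the thread does not specify any ntp.conf syntax for it, so none is invented here); the DER certificates below are constructed in the file with dummy key bytes and a dummy signature, purely to exercise the parser, and are not real certificates.

```python
"""SPKI pinning check: accept a certificate only if the SHA-256 of its
SubjectPublicKeyInfo is in a configured pin set, regardless of CA chain.

Added example, not NTPsec code. The pin set is assumed to come from the
operator; the certificates built here are constructed dummies."""
import base64
import hashlib
import hmac


def der_len(n):
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 4.1)
    and return the complete SPKI TLV, which is what the pin hashes."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                       # optional version [0] EXPLICIT
        pos = nxt
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    tag, _, end = read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[start:end]


def spki_pin(cert_der):
    """Base64(SHA-256(DER SPKI)), the RFC 7469 pin format."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pinned_ok(cert_der, pins):
    """True iff the certificate's SPKI pin matches a configured pin.
    Several pins let an operator pre-announce a backup key for rotation;
    each comparison is constant-time."""
    got = spki_pin(cert_der).encode()
    return any(hmac.compare_digest(got, p.encode()) for p in pins)


def build_dummy_cert(pubkey_bytes, serial=1):
    """Constructed, unsigned stand-in for a DER certificate (NOT a real cert).
    Returns (cert_der, spki_der) so the parser can be checked against it."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                              # [0] INTEGER 2 (v3)
    serial_tlv = tlv(0x02, bytes([serial]))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    key_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))      # id-ecPublicKey
    name = tlv(0x30, b"")                                                 # empty Name
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"200101000000Z"))
    spki = tlv(0x30, key_alg + tlv(0x03, b"\x00" + pubkey_bytes))
    tbs = tlv(0x30, version + serial_tlv + sig_alg + name + validity + name + spki)
    signature = tlv(0x03, b"\x00" + b"\x00" * 8)                          # dummy signature bits
    return tlv(0x30, tbs + sig_alg + signature), spki


# Constructed dummy key bytes for two different servers.
PUBKEY_A = bytes(range(32))
PUBKEY_B = bytes(range(32, 64))
CERT_A, SPKI_A = build_dummy_cert(PUBKEY_A)
CERT_A_REISSUED, _ = build_dummy_cert(PUBKEY_A, serial=7)  # same key, new serial
CERT_B, SPKI_B = build_dummy_cert(PUBKEY_B)
PINS = [spki_pin(CERT_A)]  # assumed operator-configured pin for server A

if __name__ == "__main__":
    print("pin for A:", PINS[0])
    print("A accepted:", pinned_ok(CERT_A, PINS))
    print("A reissued accepted:", pinned_ok(CERT_A_REISSUED, PINS))
    print("B accepted:", pinned_ok(CERT_B, PINS))
```

Pinning the SPKI rather than the whole certificate is deliberate: a reissued certificate for the same key (new serial, new validity, new signature from the private CA) keeps matching, while a certificate for any other key is rejected even if it chains to a CA you would otherwise trust. That is the sense in which noval plus a pin can be tighter than plain CA validation.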