Eric S. Raymond
esr at thyrsus.com
Sun Sep 15 08:04:15 UTC 2019
Hal Murray <hmurray at megapathdsl.net>:
> -* We intend to fully support Network Time Security and to be first or
> - second interop on that standard once it is finalized. At that
> - point, older insecure authentication methods (MAC and MS-SNTP) may
> - be removed.
> +* Now that we have full Network Time Security, a neasr-future
> + direction is to remove older insecure authentication methods (MAC
> + and MS-SNTP).
> The old MAC mode in not insecure. It's inconvenient to setup on a large scale
> since it requires manual intervention on the server for each new client. It's
> a kludge since it doesn't use an extension. But it's not insecure.
> NIST supports it.
> >From a code standpoint, it's not that ugly. I think it should stay.
> The MS-SNTP stuff is needed as a bridge to MS Active Directory. I know next
> to nothing about MS.
> It is a kludge in the sense that it calls out using TCP with associated waits
> that breaks the fundamental never-wait assumption of ntpd. That's OK on a
> lightly loaded system.
> I won't complain (much) if you remove it, but you will be cutting yourself off
> from some (potential?) MS users. It's tangled up with Samba which I don't use.
I guess yhat 'graph can be removed, then.
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
More information about the devel