On Thu, 2010-04-15 at 08:24 +0200, Carlos E. R. wrote:
On 2010-04-15 06:43, Hans Witvliet wrote:
perhaps a simple question, but it kept me awake all night and google didn't help either..
Most services have a ssl/tls equivalent, like http, imap, ldap. But how about an ssl/tls version of ntp?
How can i know for certain that a time server is who he claims to be?
Or am i looking for something impossible?? There are situations where a gps-receiver is not feasible.
There is provision for authentication. See man ntpd and search for "auth".
But in any case, if an ntp server is incorrect, it would be discovered when your client compares time against several other servers, and then disabled from your list of peers. No damage would be done.
Install the ntp-doc rpm, and read authopt.html:
+++ Authentication Support
Authentication support allows the NTP client to verify that the server is in fact known and trusted and not an intruder intending accidentally or on purpose to masquerade as that server. The NTPv3 specification RFC-1305 defines a scheme which provides cryptographic authentication of received NTP packets. Originally, this was done using the Data Encryption Standard (DES) algorithm operating in Cipher Block Chaining (CBC) mode, commonly called DES-CBC. Subsequently, this was replaced by the RSA Message Digest 5 (MD5) algorithm using a private key, commonly called keyed-MD5. Either algorithm computes a message digest, or one-way hash, which can be used to verify the server has the correct private key and key identifier.
NTPv4 retains the NTPv3 scheme, properly described as symmetric key cryptography, and, in addition, provides a new Autokey scheme based on public key cryptography. Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on a private value which is generated by each host and never revealed. With the exception of the group key described later, all key distribution and management functions involve only public values, which considerably simplifies key distribution and storage. Public key management is based on X.509 certificates, which can be provided by commercial services or produced by utility programs in the OpenSSL software library or the NTPv4 distribution. ++-
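The symmetric-key (keyed-MD5) scheme from the quoted authopt.html, as an added example that is not code from this thread or from the ntp distribution: it builds the 20-byte MAC trailer over a constructed 48-byte server reply and checks it against a constructed key table, rejecting a tampered packet and an unknown key id. The key id, secret and packet bytes are all made up for illustration.

```python
import hashlib
import hmac
import struct

# Constructed key table in the shape of an ntp.keys file: key id -> (type, secret).
# ntpd loads these from the file named by the "keys" directive in ntp.conf and
# only honours ids listed under "trustedkey". Neither id nor secret is real.
TRUSTED_KEYS = {
    1: ("MD5", b"examplesecret"),
}

def ntp_mac(key_id, secret, packet):
    """Keyed-MD5 as used by NTPv3/v4 symmetric-key authentication:
    digest = MD5(secret || packet). The trailer is the 4-byte key id in
    network byte order followed by the 16-byte digest."""
    digest = hashlib.md5(secret + packet).digest()
    return struct.pack("!I", key_id) + digest

def sign_packet(packet, key_id, secret):
    """Append the MAC trailer to an unauthenticated NTP packet (server side)."""
    return packet + ntp_mac(key_id, secret, packet)

def verify_packet(data, trusted_keys):
    """Client-side check: the packet must carry a trailer whose key id is in
    the trusted table and whose digest matches the one recomputed locally."""
    if len(data) < 48 + 20:
        return False                      # no MAC trailer at all
    packet, trailer = data[:-20], data[-20:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in trusted_keys:
        return False                      # unknown or untrusted key id
    _, secret = trusted_keys[key_id]
    expected = hashlib.md5(secret + packet).digest()
    return hmac.compare_digest(expected, trailer[4:])   # constant-time compare

def build_server_reply():
    """A constructed 48-byte NTPv4 server reply: LI=0, VN=4, mode=4,
    stratum 2, poll 6, precision -20, reference id 'GPS', timestamps zeroed."""
    header = bytes([0x24, 2, 6, 0xEC]) + b"\x00" * 8 + b"GPS\x00"
    return header + b"\x00" * 32          # four 64-bit timestamps

if __name__ == "__main__":
    reply = sign_packet(build_server_reply(), 1, TRUSTED_KEYS[1][1])
    print("genuine:", verify_packet(reply, TRUSTED_KEYS))
    forged = bytearray(reply)
    forged[40] ^= 0x01                    # flip a bit in the transmit timestamp
    print("tampered:", verify_packet(bytes(forged), TRUSTED_KEYS))
```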
Tnx all for the info, I'll get working on it. To explain the situation a bit better: I'm drawing up a list of steps to take for installing a CA. One of the aspects is that i want to be sure that my time is correct. This is because the certificate explicitly defines a begin/ending date of the validity. Furthermore, i can _NOT_ use a gps-time source, and can not rely on the date/time from the bios. Within my organisation, we have our own time-source, but i want to make sure that these are not spoofed. But i think i can solve that with the above information... tnx agn.