Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Releases a Portable Version of OpenNTPD

Posted by timothy on from the enlightened-self-interest dept.

Noryungi (70322) writes Theo De Raadt roundly criticized NTP due to its recent security advisories, and pointed out that OpenBSD OpenNTPD was not vulnerable. However, it also had not been made portable to other OS in a long time. Brent Cook, also known for his work on the portable version of LibreSSL (OpenBSD cleanup and refactoring of OpenSSL) decided to take the matter in his own hands and released a new portable version of OpenNTPD. Everyone rejoice, compile and report issues!

79 comments

  1. Why can't anyone write secure software? by Anonymous Coward · · Score: 0

    I won't even say 'anymore' - no one probably ever was doing it. But we need to learn. Because if we don't, at some point, the bad guys will own the world.

    1. Re:Why can't anyone write secure software? by mrchaotica · · Score: 4, Funny

      Hey, speak for yourself! I wrote a secure "hello world" once....

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Why can't anyone write secure software? by Anonymous Coward · · Score: 0

      I won't even say 'anymore' - no one probably ever was doing it. But we need to learn. Because if we don't, at some point, the bad guys will own the world.

      A security issue is just a sub-group of the different kind of bugs you can have so the question is really "Why can't anyone write bug-free software?"
      One answer is feature creep. The more stuff you add the harder it becomes to keep your software bug-free.

      Also, don't write half your post in the subject, it makes your post hard to read.

    3. Re:Why can't anyone write secure software? by aliquis · · Score: 1

      Hey, speak for yourself! I wrote a secure "hello world" once....

      Did you checked and managed the return value?

    4. Re:Why can't anyone write secure software? by QuietLagoon · · Score: 1
      imo, when you go for that last nanosecond of accuracy as the highest priority and lower the priority of writing secure software to the point where it is no longer a priority, then you have ntp.

      .
      On my internal network, I used ntp as the ntp server for my house. I put "listen interface" in the ntp.conf file, and instructed it to listen only on the 10.1.1.1 interface. yet netstat showed that ntp was still listening on *:123. It's sloppy design and sloppy coding.

      When I see things like that right in front of me, I am left to wonder about the quality of the code that I cannot see.

    5. Re:Why can't anyone write secure software? by Shakrai · · Score: 3, Funny

      I wrote a super secure interactive hello world once, so the user could see "hello world" in any language of their choice:

      int main (int argc, char **argv) {
      char hello[256];

      gets(hello);
      printf("%s\n", hello);
      return 0;
      }

      Works best when run with root permissions. :)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    6. Re:Why can't anyone write secure software? by Anonymous Coward · · Score: 0

      Yes

    7. Re:Why can't anyone write secure software? by resfilter · · Score: 1

      On my internal network, I used ntp as the ntp server for my house. I put "listen interface" in the ntp.conf file, and instructed it to listen only on the 10.1.1.1 interface. yet netstat showed that ntp was still listening on *:123. It's sloppy design and sloppy coding.

      interface ignore wildcard

    8. Re:Why can't anyone write secure software? by Anonymous Coward · · Score: 1

      Did you write a secure compiler for it, too?

    9. Re:Why can't anyone write secure software? by Anonymous Coward · · Score: 0

      Troll Score: 7/10. Good form & creativity, although a bit lacking in subtlety. Keep up the good work and you'll be in tip top form for the Underhanded C Contest.

    10. Re:Why can't anyone write secure software? by Anonymous Coward · · Score: 0

      Why can't anyone? Theo can.

    11. Re:Why can't anyone write secure software? by kthreadd · · Score: 1

      Then I guess he's not working on OpenBSD.
      http://www.openbsd.org/errata5...

    12. Re:Why can't anyone write secure software? by gweihir · · Score: 1

      While this is funny, it is also very insightful. Writing secure software is possible. It requires significant talent, experience, skill, knowledge and time. Not many people can do it and those that can will usually not find an employer that pays for it.

      That said, there are principles and approaches on all levels (architecture, design and implementation) that help. There are testing approaches that help, from fuzzing to things like Fortify. There are things like design-by-contract. There are non-technical measures such as peer-review to help, but expect the review to be about as much effort and take about as much skill as the implementation work. In an industry that has an insane and self-destructive desire for ever cheaper programmers, secure software will not and cannot be created. People that can create secure software are at least on the level of senior engineers and need to be treated and compensated in that fashion and need to have a realistic technical career path. The current conditions are not like that at all, with rare exceptions. We have forgotten that the "chief engineer" is critical to make complex technology work and keep it working. Instead, many CTOs are not even proper engineers or never really worked as such, but are the of the same, clueless "bean-counter" pedigree that in the end ruins everything.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Mathematics by ledow · · Score: 4, Interesting

    I'm led to believe that the reason we're using ntpd and not any of the other is that, although they are fine for getting your home machine to approximately the right second, they are damn-near useless for anything that you want real time-keeping for.

    So if you want to interact with stratum-1's or be a stratum-2, then you'll be using ntpd. And, en-masse, NTP is not something as simple as just clock-skewing. That throws lots of things out of kilter. Granted, you may think you don't care, but these things can come back to bite you if you make a hasty decision now.

    When someone like the NTP pool project (that I run a couple of serverse on) come to me and tell me that ntpd isn't secure enough, and that OpenNTP is good enough , then maybe I'll go over to them. Fact is, I haven't heard anything along those lines.

    There's a lot of maths behind getting your clocks in sync quickly without going backwards in time, or slowing to a crawl, or messing up timestamps a lot. It's not as simple as "let's just drag the users clock closer to the reference one constantly". ntpd does a LOT that other NTP servers don't, and a lot of that is important for anything that you want to rely on a timeserver for.

    Sorry, but this is just blatant "Look at us, we run an NTP project that's secure" when actually it does less than 10% of what ntpd does. And to make it do what ntpd does, presumably will take years of work to secure.

    There are various "rewrite" projects at the moment, but all known holes with ntpd are closed. Until there's a compelling reason to move, don't. And by the time there is, you'll find properly-written, full-featured NTP projects being offered.

    Nobody's talking about sub-millisecond accuracy here either. We're just talking not cocking up the one thing you plug in an NTP server to get right - the time.

    1. Re:Mathematics by QuietLagoon · · Score: 2
      It's a matter of numbers.

      .
      I have ten servers for which the 100 millisecond accuracy of OpenNTPD is perfectly fine. I have one server where I may need more accuracy than that.

      So I'd rather run the risk of having only one server with the bloated mess of ntp, and having a valid alternative for my other ten servers.

      ...Sorry, but this is just blatant "Look at us, we run an NTP project that's secure" when actually it does less than 10% of what ntpd does.

      ... Sorry, but your comment is just a blatant, "Look at us, the ntp project provides more accuracy, so just ignore everything else that is wrong with it."

      To my eyes, it looks like the ntp project is the arrogance of the openssl project all over again.

      ...Until there's a compelling reason to move, don't....

      There have been two compelling reasons to move recently.

    2. Re:Mathematics by amorsen · · Score: 1

      Chrony is a complete working implementation of the NTP protocol. NTPD gets its knickers in a twist at the slightest excuse and sometimes ends up stepping the time even though it has perfectly good Internet connectivity and a reasonably good internal clock. Chrony keeps steady time even if Internet access is intermittent. It never gets confused and picks a falseticker pretending to be stratum one instead of a stratum 3 with correct time, unlike NTPD.

      It even has interfaces to GPS clocks or other hardware clocks, so you can run your stratum 1 server on Chrony if you want.

      --
      Finally! A year of moderation! Ready for 2019?
    3. Re:Mathematics by Terje+Mathisen · · Score: 4, Informative

      [Full Disclosure: I have been a member of the NTP Hackers team for ~15 years, so you could claim that I'm partly to blame for the recent security problems even if I have not personally worked on the crypto or monitoring code.]

      NTPD is definitely more complicated that what you need for a leaf (client-only) machine, like all the server functions and the code that support locally attached reference clocks, this is the main reason PHK is working on a dedicated NTP client.

      We have known for many years that the monitoring functions, in particular the "mode 6" UDP packets were a potential DDoS amplification vector, which is why we replaced them.

      For the crypto stuff we did what pretty much every other project did, i.e. we imported the functions we needed from openssl, and like pretty much every other project we messed up a few buffer handling issues.

      The important point here is that anyone running a public server with a recommended configuration (no crypto, no remote monitoring) would not have had any security problems, even if they insisted on using 10+ year old versions!

      With any version from withing the last 3-5 years you would also have been secure against the DDoS vector even if you did allow remote status monitoring.

      How many system-level sw packages are you using where this would have bee true?

      Terje
      PS. OpenNTP should properly be called OpenSNTP, since it implements the Simple NTP subset instead of the full NTP protocol stack which includes system clock time/frequency tuning.

      --
      "almost all programming can be viewed as an exercise in caching"
    4. Re:Mathematics by Shakrai · · Score: 2

      Thank you for your work on behalf of NTP and the ntpd team. :)

      I have a long standing interest (obsession) in time, going back to my childhood days where I would synchronize all of the clocks in the house. ntpd is easily one of my favorite pieces of software and I've kept at least one server in the NTP Pool since 2006. I sold the first server to my boss as a means to monitor the stability of our connection while giving something back to the internet community, then got a static IP on my home connection so I could run one there, then deployed a few servers to other locations as time and money allowed. Right now I'm down to one, my personal server, but it's on a 50mbit/s connection and serves around 500-600k requests per hour.

      Out of all of the software that I run that's internet facing ntpd is the daemon that I worry about the least. It has a solid security track record and anyone who bothered to read the Wikipedia article about it (never mind research the history of the software the old fashioned way) would know this....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Mathematics by Anonymous Coward · · Score: 1

      I bet if you spent more time educating your customers and pricing your services according to how up-to-date they kept their software instead of acting like a moronic Neanderthal on Slashdot you'd be a lot happier.

    6. Re:Mathematics by Anonymous Coward · · Score: 1

      Yes it implements the protocol. So does OpenNTPD -- up to v3 or v4 for SNTP. Nobody is refuting that. There is more than just the protocol specs.

    7. Re:Mathematics by plcurechax · · Score: 2

      Chrony is a complete working implementation of the NTP protocol.

      You mean complete except for broadcast/multicast mode, or authentication based on public-key cryptography. Some basically it's a good client and a unauthenticated / inefficient (network) server.

      It also makes some pretty misleading claims; Chrony can usually synchronise the system clock faster and with better time accuracy except it never explains how it can possibly achieve better time accuracy than NTPd.

      Chrony does handle a number of client usage scenarios better than NTPD (namely non-permanent network connection, and laptop-like environments) as far as I know, but it does not achieve better accuracy for the usage scenarios NTPD was primarily designed for (e.g. network connected servers).

      NTPD gets its knickers in a twist at the slightest excuse and sometimes ends up stepping the time even though it has perfectly good Internet connectivity and a reasonably good internal clock.

      Yet chrony can't detect rouge or fix broken time servers. Beyond possibly having better handling for clients of dynamic clock frequencies (i.e. SpeedStep, and various other power saving features that modify one or more of the several frequency oscillators in a computer.). I say possibly because I am not certain of the state of affairs in the current NTPD code base, I know it was lacking when dynamic clock frequencies originally appeared in systems, but I am not sure that it still is naive about that.

      Chrony keeps steady time even if Internet access is intermittent. It never gets confused and picks a falseticker pretending to be stratum one instead of a stratum 3 with correct time, unlike NTPD.

      While it does appear Chrony has improved greatly from a simple SNTP client for intermittent network connectivity it was when I first heard about it, that is still its forté, and likely the best client for many end-users' cases. Still it is not a robust general purpose replacement of NTPD.

      It even has interfaces to GPS clocks or other hardware clocks, so you can run your stratum 1 server on Chrony if you want.

      And YouTube is full of people doing stupid, reckless, and/or unwise things too. That's perhaps too harsh, but that's those "features" are quite incomplete.

      Having PPS (Pulse Per Second) optional support is a good start, it is not a comprehensive solution to running a quality stratum 1 server. I expect a stratum 1 server to have improved or at least quantified oscillator ("clock") parameters, such as ideally TCXO (Temperature-Compensated crystal Oscillators) or OCXO (Oven-Controlled crystal Oscillator) for the stratum 1 system's time-keeping. For commercial systems I would suggest looking at a professional NTP server network appliance, there are several vendors including Spectracom, Symmetricom, Meinberg, and others.

    8. Re:Mathematics by Anonymous Coward · · Score: 1

      This is moronic.

      Yes, yes indeed. Not in the way you think, though.

      NTP exists to provide accurate time. If all you need is only somewhat sane clock values, then NTP is overkill and SNTP (or timed, or ICMP TIMESTAMP) might serve you just as well. But now you go and claim that because "most people" don't need that super-duper NTP thing, it's fine to break basic functionality for those (few? you'd be surprised) people for whom it actually matters quite a lot.

      That is akin to, say, centralising IT support, then defining three kinds of windows computer for the entire campus and refuse to support anything else, leaving various departments out in the cold with their non-windows high-tech workstations and electron microscopes and whatnots. Justified by the sheer logic that nobody needs those weird fringe things anyway. Yes, I've seen an "university of technology", no less, proceed and do exactly that. It wasn't pretty.

      Or if that doesn't speak to you, what you're saying is akin to declaring that 640kB ought to be enough for everyone. We all know how that worked out.

      So yes indeed, someone is spouting moronic nonsense. It isn't the GP, however.

      So you happen to only need SNTP. Fine. So you get a daemon that serves SNTP yet bills itself NTP. Not so fine, in fact a bloody poor show, especially of said software its developers. Now that somehow is the reference NTP implementation its fault? Pray do relieve us from the burden of your company, good sir.

    9. Re:Mathematics by lowen · · Score: 1

      I run three local (private) GPS-synced stratum 1 NTPD instances here. Stratum 1 is hard to get right, as hard as getting security right.

    10. Re:Mathematics by ledow · · Score: 1

      90% of Windows domains needs little more than a net time command in a login script to stay within suitable tolerances for most things. I know, I've done it when external NTP wasn't an option and internal NTP was overkill.

      That's not the problem. People are suggesting we throw away ntpd and use alternate ntpd that, for those who need NTP, aren't viable alternates.

      And they're suggesting it for a couple of security problems that were found, fixed and patched before they could ever be exploited. And, worst case, you could run things (theoretically) as the ntp daemon user if you have any concept of security whatsoever.

      But yet we're still pissing about with OpenSSL in all our libraries and apparently that's fine...

      If you need NTP, use it. And then you'll find only ntpd deals with those needs and that it's a huge binary for a reason.

      If you don't need NTP, WHY THE HELL ARE YOU INSTALLING OPENNTP? Just, as pointed out, use a simple time sync command on login or in a cron job every hour. Hell, ntpdate in a cron job will more than satisfy your needs.

      What you're saying is that you're worried about security but you NEED to run a network-accessible daemon on all your network machines that ultimately connects to the Internet (or a server connecting the ntpd to the Internet) in order to get your clocks within the same minute. It's a nonsense argument.

      You're either concerned about security, and so stop using NTP. Or you're concerned about accuracy, clock skew, and your systems having accurate (and correctly calibrated) time, so use ntpd. If you want both, you have little choice but ntpd (which isn't insecure any more as far as we yet know), properly locked down, running as a limited user, in a secure environment, etc. and maybe wait for one of the rewrite projects to hit the same level of functionality and maturity (a year at least, maybe?).

    11. Re:Mathematics by lowen · · Score: 2

      Define 'accurate.'

      I need submillisecond time here (where here is a radio astronomy observatory), with no discontinuities like an SNTP client will insert (stepping time is not 'accurate'). That's why I have three stratum 1 local NTP servers that use Agilent Z3816A GPS-disciplined clocks.

      SNTP != NTP and is totally unsuited for any use that cares about real continuous, accurate, time. Read the 'time-nuts' mailing list at febo to see what real accuracy is.

    12. Re:Mathematics by Anonymous Coward · · Score: 0

      when actually it does less than 10% of what ntpd does. And to make it do what ntpd does, presumably will take years of work to secure.

      But why would I want the 90 % when the 10 % is more than enough?

      I'm really tired of having daemons include everything but the kitchen sink when I only need the core functionality. I'll take the daemon with the fewest features as long as it does everything I need it to. [1][2] And I've been using openntpd for years, and I must say it works very well.

      The 'real' NTPD just kept losing its connection to the servers and let the clock skew for minutes, if not hours. Seen that on two installations. Didn't even write a line to the syslog about it. OpenNTPD? Just works.

      [1]: A pluggable architecture is fine though -- as long as very few plug-ins are loaded by default.

      [2]: And the same can be said for silly things such as www forums software. Every feature they put in is a potential security issue in my eye. I'm very very wary of using bloaty software in such a perilous environment as the internet is.

    13. Re:Mathematics by Anonymous Coward · · Score: 0

      What people need is a simple trusted accurate client to run on millions of systems.
      OpenNTPD is good enough for that.

      If you just want to set your clock, use tlsdate or ntpdate.

      If you want to run a refclock, use NTPD, or PHK's work.

    14. Re:Mathematics by grub · · Score: 1


      I have ten servers for which the 100 millisecond accuracy of OpenNTPD is perfectly fine.

      That's nearly a tenth of a second!

      --
      Trolling is a art,
    15. Re:Mathematics by Anonymous Coward · · Score: 0

      NTP != continuous, accurate time, if you're a time-nut. You would have known this if you actually read the time-nuts mailing list.

    16. Re:Mathematics by timbo234 · · Score: 1

      So it's fair to say that Chrony isn't suitable for running on stratum 1 servers, of which there are a few hundred, maybe up to at most a few thousand publically available in the world[1]. For the millions of Linux servers, laptops and desktops that aren't and will never be stratum 1 NTP servers Chrony should be just fine, shouldn't it?

      [1] ntp.org currently lists 304 publcically available stratum 1 servers http://support.ntp.org/bin/vie...

      --
      Pre-canned Evolution Links for all those Slashdot holy wars.
  3. protocol broken by Anonymous Coward · · Score: 0

    Please read this article regarding security of NTP:
    http://linux-audit.com/tlsdate...

    1. Re:protocol broken by Anonymous Coward · · Score: 0

      Except that the link you point to talks about TLSdate and doesn't talk at all about security of NTP.

    2. Re:protocol broken by Anonymous Coward · · Score: 1

      If you're seriously proposing tlsdate as an ntp replacement you haven't understood what ntp does (and most probably you haven't understood time keeping in a machine either).

    3. Re:protocol broken by chriscappuccio · · Score: 1

      Please enlighten us.

  4. There are other alternatives already by loonycyborg · · Score: 4, Interesting

    Like chrony.

    I wouldn't recommend openntpd because it isn't an implementation of ntp

    1. Re:There are other alternatives already by Anonymous Coward · · Score: 1

      Nothing to see here...

      System D already has a built in NTP client, so we Linux people can use that.

    2. Re:There are other alternatives already by amorsen · · Score: 2

      SystemD does not have an NTP client. It has an SNTP client. Just like OpenNTPD.

      --
      Finally! A year of moderation! Ready for 2019?
    3. Re:There are other alternatives already by Anonymous Coward · · Score: 1

      WOW, here I was, running a good old System D troll ("Who in the flying fuck would implement NTP in an init system! ha ha ha") and I guess I wasn't trolling hard enough--you're right! Those guys actually did it:

      https://wiki.archlinux.org/index.php/systemd-timesyncd

      Things really *are* bad, aren't they?

      I'd make a joke about System D including a NoSQL database, but they probably already have one of those already...

    4. Re:There are other alternatives already by Anonymous Coward · · Score: 0

      No, not as bad as you make it out to be. systemd-timesyncd is a separate daemon, not part of the init system.

    5. Re:There are other alternatives already by Anonymous Coward · · Score: 0

      God forbid that Oracle and Red Hat ever merge. Oracle DB will become part of SystemD.

    6. Re:There are other alternatives already by Anonymous Coward · · Score: 0

      And that must matter because... reasons!

      Can't comment much on systemd except it seems to have a big NIH problem.

    7. Re:There are other alternatives already by Anonymous Coward · · Score: 0

      I wouldn't recommend chrony because it's part of systemd.

    8. Re:There are other alternatives already by amorsen · · Score: 1

      Things really *are* bad, aren't they?

      Yes. They are that bad. Read the threads about Gnome vs. systemd-timesyncd vs. Chrony and weep.

      http://www.spinics.net/lists/f...

      And Poettering in his usual ignorant condescending style:

      http://www.spinics.net/lists/f...

      --
      Finally! A year of moderation! Ready for 2019?
    9. Re:There are other alternatives already by Anonymous Coward · · Score: 0

      No, it's bad when they implement emacs in systemd (and I actually love emacs).

    10. Re:There are other alternatives already by MikeBabcock · · Score: 1

      I assumed it was a troll myself, and giggled 'haha, systemd with an ntp client, lolz" and then boom, mind blown, there really is one? jeez.

      --
      - Michael T. Babcock (Yes, I blog)
    11. Re:There are other alternatives already by chihowa · · Score: 1

      Wow, that thread is really depressing. So the decision path for what ships with Fedora has been simplified to: what package isn't broken by systemd? Suitability for a task and technical merits aren't even a consideration any more...

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    12. Re:There are other alternatives already by chihowa · · Score: 1

      Here's a gem from Poettering, where he dismisses basic security (why would you not implicitly trust unauthenticated packets from some random internet server?), as well as displays his total lack of awareness of the capabilities of the existing software he's bent on replacing (super-NIH syndrome... writing a simplistic replacement to ntpd and chronyd without even knowing what they currently do).

      Yikes.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  5. OpenNTPD: 4 Out Of 5 Stars by Anonymous Coward · · Score: 0, Insightful

    *****: Builds clean! No warnings!

    *****: Service starts and stops perfectly. No hangs so far.

    *****: More timezone support than NTP. Includes Mars clock.

    *: Does not actually set server time. :(

    1. Re:OpenNTPD: 4 Out Of 5 Stars by r.freeman · · Score: 1

      Lol >_>

    2. Re:OpenNTPD: 4 Out Of 5 Stars by chriscappuccio · · Score: 1

      It sets your local server time immediately if you use -s. Otherwise, it slowly drifts your local clock to the real time, which could take days if it is far off. I always use ntpd -s on boot for systems with no RTC. Or ntpd -s when my clock is way off. The drift feature is designed to keep software from freaking out due to sudden time changes.

    3. Re:OpenNTPD: 4 Out Of 5 Stars by Anonymous Coward · · Score: 0

      Well sure, and TornadoGuard will warn you about tornadoes if you can hear the civil defense sirens. ;)

    4. Re:OpenNTPD: 4 Out Of 5 Stars by Anonymous Coward · · Score: 0

      Obligatory: http://xkcd.com/937/

    5. Re:OpenNTPD: 4 Out Of 5 Stars by MikeBabcock · · Score: 1

      I use NTPD's ntpdate on boot to sync my clock and then leave it running while the system is up to manage drift.

      On the LANs I administer, I usually configure at least one box as an NTP server for the network so I don't have everyone and their dog sending unnecessary UDP packets out to the Interwebs.

      --
      - Michael T. Babcock (Yes, I blog)
  6. Very very different... by Junta · · Score: 3, Informative

    ntp is surprisingly complex to deal with a surprisingly complex thing. If tlsdate was a decent enough utility, then we'd still be using the time protocol of rdate as the go-to time sync strategy. Precision and quality is much lower.

    There's also a couple of tricky things. One is that it could be dropped in TLS 1.3. Another is that it doesn't play with the concept of TLS certificate expiry.

    Basically, this is a potentially handy utility to take the place of rdate, not something that begins to touch ntp.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  7. Wonderful software by Anonymous Coward · · Score: 0

    So totally secure, because of theo's openbsd special sauce. Now if only it could keep the time.

    1. Re:Wonderful software by chriscappuccio · · Score: 0

      I assume you've used it? because it keeps time on my servers and serves that time to well over 10k devices on my network!

    2. Re:Wonderful software by Anonymous Coward · · Score: 1

      That's cool. But you're getting served SNTP, not NTP as you might be forgiven to infer from the name OpenNTP.

      There is a difference, yes. It may well be that to your 10k devices the difference is moot. But to some it does matter quite a lot, and if they let themselves be misled by the name they'll get bitten. So, your success story does not universally scale. In picking the name like they did, the openbsd people did the world a disservice.

  8. Learn Something About NTPD Before You Rant..... by Shakrai · · Score: 3, Informative

    imo, when you go for that last nanosecond of accuracy as the highest priority

    That's kind of the whole point of a timeserver. If you're just running a typical client that doesn't need precision there are a multitude of SNTP implementations that you can use, including the one built into Windows. If you're running something that demands precision or wish to share your time with others (random plug: NTP Pool) you're going to need a little bit more accuracy than that.

    and lower the priority of writing secure software to the point where it is no longer a priority, then you have ntp.

    ntpd has been around since the 80s. Contrast it against other system daemons that have been around that long (sendmail) and you'll see that it has a solid security record. The recent "exploits" only impacted a small subset of servers that were using the cryptographic functionality of ntpd, which is primarily used for remote management and peering relationships and was a non-issue for the lion's share of configurations. Configurations to work around the issues were released immediately and a patch to solve them entirely was available within days. What more do you want? This was all discussed on the NTP Pool mailing lists and the consensus was "meh." I'm not aware of any NTP server that has been compromised because of these exploits.

    The biggest issue that's hit ntpd in the last year was the ease with which you could use the 'monlist' command for amplification attacks. This too was easily solved with a configuration change and in any event did not compromise the integrity of the servers running ntpd. It's symbolic of a larger problem that has hit other protocols (DNS) and which will never go entirely away until network operators get off their lazy asses and implement the recommendations of BCP38.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:Learn Something About NTPD Before You Rant..... by chriscappuccio · · Score: 0

      Admit it. It's a large, fat piece of shit that nobody should be running. OpenNTPD in fact works perfectly as an accurate NTP (not SNTP) server AND client for more than 10,000 devices on my network.

    2. Re:Learn Something About NTPD Before You Rant..... by chriscappuccio · · Score: 1

      It would be nice if the whole world got the BCP38 memo. But they haven't. I'm a network operator. I got off my lazy ass and firewalled all of the ntp.org servers on my network, that customers didn't enable and had no idea were even running, courtesy of Cisco and various Linux distributions. Reality is a bitch.

    3. Re:Learn Something About NTPD Before You Rant..... by Shakrai · · Score: 4, Interesting

      Good for you. My ntpd server served over 100,000 unique clients in the last hour and has been running without any issues whatsoever fully exposed to the internet since 2006. And that's a "young" server by the standards of the ntp community.

      Your welcome to use whatever software you wish but there's no reason whatever to put down the efforts of another FOSS team of volunteers other than to be a smug superior asshole.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:Learn Something About NTPD Before You Rant..... by Bengie · · Score: 1

      NTP Pool is horrible. I tried using it, but my NTP client was reporting jitter in the tens of milliseconds(10ms-40ms). Instead, I hand picked a bunch of regional public NTP servers from places like Universities and government. I'm now getting reported jitter below 0.1ms. I don't care about latency, but jitter I can't stand. Some of my current servers are nearly 100ms of latency, but have sub 1ms jitter, while my ISP has sub-3ms latency but over 1ms of jitter.

      When I trace routed several of the servers returned from the pool, they were getting latency and jitter spikes in their networks. Not even at the edge between the Internet backbone and their upstream provider, but between them and their provider.

    5. Re:Learn Something About NTPD Before You Rant..... by WaffleMonster · · Score: 1

      The biggest issue that's hit ntpd in the last year was the ease with which you could use the 'monlist' command for amplification attacks. This too was easily solved with a configuration change and in any event did not compromise the integrity of the servers running ntpd. It's symbolic of a larger problem that has hit other protocols (DNS) and which will never go entirely away until network operators get off their lazy asses and implement the recommendations of BCP38

      IMO failure to implement BCP38 is no excuse for protocols to not sufficiently deal with the Internet as it exists today. Solution for DNS is the same solution previously applied to TCP to mitigate SYN exhaustion attacks.

      https://tools.ietf.org/html/dr...

      All remaining deployed protocols susceptible to cheesy amplification attacks can and should be fixed regardless of status of BCP38. None of it is rocket science.

    6. Re:Learn Something About NTPD Before You Rant..... by Shakrai · · Score: 1

      *shrug*, YMMV. I have a leaf server in the pool that's pulling time from six pool servers and one local peer (which is itself in the pool); it shows jitter ranging from 0.043 to 1.728. Ironically enough the peer on the LAN is not the one with the lowest jitter, it clocks in at 0.657. The average of all seven servers is 0.728. Incidentally, the server I have in the pool pulls from seven public stratum one servers, which I hand selected to be close (network-wise, i.e., latency and number of hops) to me. Jitter numbers with those peers range from 0.274 to 1.496, which an average of 0.528. I guess it's 0.2 milliseconds better than the pool, for what that's worth.... :)

      When I trace routed several of the servers returned from the pool, they were getting latency and jitter spikes in their networks. Not even at the edge between the Internet backbone and their upstream provider, but between them and their provider.

      Sounds like they're running on connections that max out from time to time and start queuing packets. Not much you can do about that and it's entirely possible that the same thing can happen with public servers. One can always manually select servers from the pool if they're so inclined; doing so would allow you to pick ones that are closer to you network wise than the random DNS round-robin is going to give you.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:Learn Something About NTPD Before You Rant..... by Bengie · · Score: 1

      Your results are much better. It was a while ago when I tested. I wonder if there was a transient issue going on, like maybe I so happened to try out the pool during the time NTPD amplification was just starting to get popular. NTPD pool would be a great target for "evil doers" to take advantage.

      So.. Yeah... I may have to give the pool another shot.

      Thanks for your experience :-)

    8. Re:Learn Something About NTPD Before You Rant..... by Shakrai · · Score: 1

      That's a possibility. The amplification attacks seemingly cropped up out of nowhere (even though the vulnerability was well known and discussed for years prior) in late 2013/early 2014. It was quite the topic of discussion on the NTP Pool mailing lists. Most people had sensible configurations that put 'noquery' in the default line but there were obviously enough servers out there answering monlist queries to make it profitable for attackers to target all of us. My server ends up rate-limiting anywhere from 15% to 40% of her hourly queries. but I'm guessing most of those are poorly configured clients, not DDoS attempts. It's also possible that some of them are machines behind NAT sharing the same IP, which all appear as one client from ntpd's perspective.

      There's nothing wrong with using public time servers. You can certainly pick out better ones (in terms of latency and hop count) doing it yourself than you'll ever get out of the NTP Pool DNS round robin. Or you can do the same by picking servers manually out of the round robin. The pool mainly exists as a load balancing system that's easy to include in default configurations. I've only got my other server using it because I believe in eating my own dog food. :) That server would itself be serving time in the pool if it wasn't on the same network as the box I've already got in the pool.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  9. openntpd is buggy by Anonymous Coward · · Score: 1

    Took a look. Found a bug in 2 seconds. Theo is really quite full of himself.

    For the bug take a look at the "host" function in parse.y. Who can spot what the function returns and what it's being tested against.

    1. Re:openntpd is buggy by Anonymous Coward · · Score: 0

      There's no 'host' function in parse.y

    2. Re:openntpd is buggy by gustygolf · · Score: 1

      It's not a bug.

      The commit log states this:


      when a dns lookup fails at parse time, do not abort but try again
      to resolve the hostname every 60 seconds
      fixes ntpd invocations before e. g. a dialup link is established and such.
      as we want ntpd to be a "fire and forget" background daemon it should
      cope with such situations.
      tested by many

      Relevant diff: http://cvsweb.openbsd.org/cgi-...

      (I'm assuming that the "bug" you found is that it's comparing the return value to -1 when the host() function can only return 0 or 1)

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    3. Re: openntpd is buggy by Anonymous Coward · · Score: 0

      I knew the level of technical expertise on slashdot was low but that was ridiculous. The first person who responded gets an F. the second person who responded gets an F+. It looks like the OpenBsd team agrees with the OP: http://marc.info/?l=openbsd-cvs&m=142084731119190&w=2

  10. ntpdate by barbariccow · · Score: 1

    ntpdate on a cron is a nice alternative to running the full ntp server, if you just want accurate time.. I've had to set this up on a network wherein each server running ntp server created too much drift between them (all servers needed to be within 100 ms of eachother). Easiest solution is all servers run ntpdate every minute against a single host within the network. Drifting averaged about 20ms with that simple solution.

  11. where's the Windows port? by Anonymous Coward · · Score: 0

    If OpenNTPD is so portable, where's the Windows port?

    I'm tired of Delaware NTPD stepping the clock, and I want an NTP service for my Windows servers that slews the clock instead. Can OpenNTPD do that for me? Apparently not.

    Wait, hold on, Delaware NTPD can.

    C:\Program Files\NTP\bin\ntpd.exe -x

    Never mind. Thanks for nothing.

  12. Mmmmm by m.dillon · · Score: 1

    DragonFly has had its own ntp-only client for years, dntpd. Not sure why this is suddenly becoming a topic now.

    In terms of portability, every operating system has different sysctls or system calls for manipulating the clock. There is no single standard for setting the frequency drift correction, step, or slide operations to correct the time. And part of the problem is that most of these APIs are deficient in one way or another and make it difficult for the ntp client to run the corrections without generating feedback which messes up further corrections.

    Beyond that, the code is fairly straight-forward.

    -Matt

  13. ntpdate by Anonymous Coward · · Score: 0

    The likely cause of this problem is you've probably peered too many of your local machines with each other and they created a mutual appreciation society where they trust each other more than the external time source, or you've set up each server with an insufficient number of external sources. You do need 4 independent sources per server if you are using the ntp pool if you have critical synchronization needs. If you need to run ntpdate every minute to keep them within 20ms you really do need a full ntp installation. A properly running ntp server one it adjusts for clock drift only has to poll the server every 1024 seconds.

  14. I thought his name was Theo Da Rant. by Anonymous Coward · · Score: 0

    Then I recalled the last few bits he went on about. And yes, that should be his name.

    More drivel from his tower under the sea. Theo we hardly knew you. Of course, we don't want to either.

  15. Best documentation ever by SigmundFloyd · · Score: 1

    Just a look at their ntpd.conf man page makes me want to switch to OpenNTPD yesterday.

    Old ntpd man pages suck so hard that it's unbelievable.

    As usual, OpenBSD documentation is a dream come true. Thank you, guys.

    --
    Knowledge is power; knowledge shared is power lost.
  16. Re:Chrony by plcurechax · · Score: 1

    So it's fair to say that Chrony isn't suitable for running on stratum 1 servers, of which there are a few hundred, maybe up to at most a few thousand publically available in the world[1]. For the millions of Linux servers, laptops and desktops that aren't and will never be stratum 1 NTP servers Chrony should be just fine, shouldn't it?

    Yes, I think Chrony is fine for most typical unauthenticated leaf-node (client-only) usage, but I still don't recommend it for the thousands of public stratum 2 or higher (see pool.ntp.org, most are stratum 2 or 3) servers, or the thousands of corporate and organizational NTP servers. For usage as a server, with a full-time network connection, I don't know of any compelling reason to use Chrony over NTPD or OpenNTPD.

    Personally I can't see any reason to believe Chrony is more secure than either NTPD or OpenNTPD. Being new, or even saying that Chrony is secure, and programming really, really carefully, doesn't make it so.