git.ipfire.org Git - thirdparty/chrony.git/commit

author	Miroslav Lichvar <mlichvar@redhat.com>
	Fri, 8 Jan 2016 14:03:09 +0000 (15:03 +0100)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Mon, 18 Jan 2016 16:28:47 +0000 (17:28 +0100)
commit	a78bf9725a7b481ebff0e0c321294ba767f2c1d8
tree	92312b4cb5e4b2c09df2fa3a89c149503ca6590b	tree
parent	a030ed4f396215a239d7c67c8e1a998abd221bbe	commit \| diff

ntp: restrict authentication of server/peer to specified key

When a server/peer was specified with a key number to enable
authentication with a symmetric key, packets received from the
server/peer were accepted if they were authenticated with any of
the keys contained in the key file and not just the specified key.

This allowed an attacker who knew one key of a client/peer to modify
packets from its servers/peers that were authenticated with other
keys in a man-in-the-middle (MITM) attack. For example, in a network
where each NTP association had a separate key and all hosts had only
keys they needed, a client of a server could not attack other clients
of the server, but it could attack the server and also attack its own
clients (i.e. modify packets from other servers).

To not allow the server/peer to be authenticated with other keys
extend the authentication test to check if the key ID in the received
packet is equal to the configured key number. As a consequence, it's
no longer possible to authenticate two peers to each other with two
different keys, both peers have to be configured to use the same key.

This issue was discovered by Matt Street of Cisco ASIG.

chrony.texi.in		diff \| blob \| blame \| history
ntp_core.c		diff \| blob \| blame \| history