+
The recommended key types are AES ciphers and SHA3 hash functions. MD5 should
be avoided unless no other type is supported on the server and client, or
-peers.
+peers. A major weakness of MD5 for the NTP MAC is a length extension attack,
+where a man-in-the-middle attacker can add arbitrary extension fields to the
+NTP message and update the MAC to pass the verification of the extended
+message. The *extfield* option (enabling processing of the specified extension
+field) should not be used for NTP sources authenticated with an MD5 key.
+
The <<chronyc.adoc#keygen,*keygen*>> command of *chronyc* can be used to
generate random keys for the key file. By default, it generates 160-bit MD5 or
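Review bot: The new warning ending at "should not be used for NTP sources authenticated with an MD5 key" is followed directly by the unchanged *keygen* paragraph, which still says that by default it generates 160-bit MD5 keys. A reader who follows the next paragraph as written ends up with the key type this text has just told them to avoid. Consider adding a sentence to the *keygen* paragraph that points to the recommended AES or SHA3 types, or a cross-reference back to this warning. A smaller wording point in the first added sentence: "A major weakness of MD5 for the NTP MAC is a length extension attack" names the attack rather than the weakness, so "is its susceptibility to a length extension attack" would read more precisely. It would also help to say explicitly that the *extfield* restriction follows from the attack just described, since the two sentences are not currently connected.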