From: Miroslav Lichvar Date: Tue, 8 Oct 2024 12:13:13 +0000 (+0200) Subject: doc: warn about MD5 keys not protecting extension fields X-Git-Tag: 4.6.1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd65e32cf065f9f68dc730fbfb73f87a552348fb;p=thirdparty%2Fchrony.git doc: warn about MD5 keys not protecting extension fields Add a warning to the chrony.conf man page that MD5 keys cannot protect NTP extension fields due to the length extension attack. --- diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc index 4b7e28d3..7ccdd20c 100644 --- a/doc/chrony.conf.adoc +++ b/doc/chrony.conf.adoc @@ -2821,7 +2821,11 @@ source is specified in the configuration file with a key shorter than 80 bits. + The recommended key types are AES ciphers and SHA3 hash functions. MD5 should be avoided unless no other type is supported on the server and client, or -peers. +peers. A major weakness of MD5 for the NTP MAC is a length extension attack, +where a man-in-the-middle attacker can add arbitrary extension fields to the +NTP message and update the MAC to pass the verification of the extended +message. The *extfield* option (enabling processing of the specified extension +field) should not be used for NTP sources authenticated with an MD5 key. + The <> command of *chronyc* can be used to generate random keys for the key file. By default, it generates 160-bit MD5 or
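Review bot: the new paragraph singles out MD5, while the sentence just above it recommends "AES ciphers and SHA3 hash functions"; since the weakness described is a property of the MAC construction rather than of MD5 alone, the text should say whether the other non-SHA3 hash key types the file lists elsewhere share it, so readers do not treat them as the safe alternative. The phrase "update the MAC to pass the verification of the extended message" would be more precise as "compute a valid MAC for the extended message without knowing the key", which is the point that makes the man-in-the-middle attack practical. Also, the unchanged trailing context still says the chronyc key-generation command "by default, it generates 160-bit MD5" keys; with this warning added, that default deserves a cross-reference or a short note in the same section.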