I have enhanced the configuration parser to process NTS client-side configuration options. The configuration state is available to the nts.c hooks as members of a structure passed to them, along with the dynamic NTS state (stored cookies) and the parsed content of the current packet.

What is implemented differs from what was in nts.adoc in one way... Having a separate nts config statement would have required admins to enter the name of a server to which secure connection is intended twice, once in the server declaration and once in the nts declaration. This was suboptimal design, inviting subtle configuration bugs due to typos. Accordingly, the nts configuration stuff is implemented in a way that conforms to good DRY (Don't Repeat Yourself) architectural practice: that is, as options to the "server" declaration.

I have updated the documentation pages to describe the NTS options as implemented (under Association Options). There is also a new placeholder section on the Authentication page for NTS; more documentation can go there.

I have generally reorganized that page to make it clearer that there are multiple authentication modes; the MAC-based one is now called "MAC Authentication" to contrast it with NTS and MS-SNTP. I have added a note about MD-5 and SHA-1 being rather broken at this point, and a warning that MAC authentication may be removed in a future release.

Of course that cannot happen until NTS is fully deployed, but I want to accustom users to the idea that mechanisms past their sell-by date will be ripped out.

-- >>esr>>