> I'm not an expert in this sort of things, but I would suggest you at least
> change that to an HMAC.
Good suggestion. Thanks.
Mostly, this code has to be backwards compatible. It's setup to do digests:
EVP_DigestInit_ex(...); // setup for digest type
EVP_DigestInit_ex(...);
EVP_D
On Fri, Jan 05, 2018 at 02:41:39PM -0800, Hal Murray wrote:
>
> > I have no idea how it's used in NTP. But I understand it's some kind of
> > shared password? You should clearly look in how it's being used and if that
> > actually makes sense. Maybe it needs more than just replacing the hash
> > a
I'm okay with what's in master now.
On 01/05/2018 09:28 AM, Ian Bruene via devel wrote:
> Embedding the paths directly into the python programs works great, in
> all situations. Right up until it doesn't. One problem is that the
> Gentoo installation workflow is based around moving things around
>
> I have no idea how it's used in NTP. But I understand it's some kind of
> shared password? You should clearly look in how it's being used and if that
> actually makes sense. Maybe it needs more than just replacing the hash
> algorithm.
It appends a digest to the packet. This digest covers the
Kurt Roeckx :
> So I want to clarify this a little. As far as I know MD5 is actually
> broken for preimage resistance, but it's only slightly faster than
> bruce force. For SHA-1 it's only a reduced version that's broken. In
> the long run you should not trust them, but I don't think there is a
> r
On Fri, Jan 05, 2018 at 04:24:01PM -0500, Eric S. Raymond wrote:
> Kurt Roeckx :
> > On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > > > MD5 is no longer considered safe.
> > > > Is SHA1 considered safe? What other types should we test and/or
> > > > suggest
> > >
Hal Murray :
>
> Eric said:
> > What could we say, other than: "Both MD5 and SHA-1 have been compromised.
> > Don't trust either of the alternatives we actually support." :-)
>
> We support anything OpenSSL supports. It's just that ntpkeygen and all the
> documentation hides it.
>
> >From man
Kurt Roeckx :
> On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > > MD5 is no longer considered safe.
> > > Is SHA1 considered safe? What other types should we test and/or suggest
> > > people use?
> >
> > No, SHA1 is no longer considered safe. The first collision w
On 01/05/2018 01:25 PM, Achim Gratz via devel wrote:
> I think waf cannot currently cope with a different prefix for
> Python and the rest of the installation, but it should maybe have a way
> to split that on request of the user
waf has options for that, and they work:
./waf configure --prefix=fo
Hal Murray via devel writes:
> Eric said:
>> What could we say, other than: "Both MD5 and SHA-1 have been compromised.
>> Don't trust either of the alternatives we actually support." :-)
>
> We support anything OpenSSL supports. It's just that ntpkeygen and all the
> documentation hides it.
>
>
Ian Bruene via devel writes:
> TL;DR: we have gone back to the old way. If someone wants a better
> solution feel free to propose it, *after* showing that it will not
> break FHS, break if the user's assumptions are slightly different from
> ours, or break because a feature is only available on a h
Eric said:
> What could we say, other than: "Both MD5 and SHA-1 have been compromised.
> Don't trust either of the alternatives we actually support." :-)
We support anything OpenSSL supports. It's just that ntpkeygen and all the
documentation hides it.
>From man dgst on Fedora:
openssl
On Fri, Jan 05, 2018 at 10:04:44AM -0500, Eric S. Raymond via devel wrote:
> > MD5 is no longer considered safe.
> > Is SHA1 considered safe? What other types should we test and/or suggest
> > people use?
>
> No, SHA1 is no longer considered safe. The first collision was generated
> early last
Hal Murray :
> That's not the question I was trying to ask.
Ah.
> I was inquiring about reading keys from the keys file. You are talking about
> bits on the wire.
>
> It's actually more complicated than length==5 for MD5. The type (MD5) is
> also in the keys file. I don't know what the code
Hal Murray :
> > No, SHA1 is no longer considered safe. The first collision was generated
> > early last year. The git team is considering a move to SHA-2 (I think - I
> > might be out of date on this.)
>
> Should we fix the documentation for the upcoming release?
What could we say, other than:
Hal Murray via devel :
> Are you running as root? (It shouldn't be able to read the keys file if not
> root.)
Er, and I think I added the ability to read a local keys file when I moved
ntpq to Python. Unless I'm having a brain fart, Classic should never do
this at all.
--
http:
Matthew Selsky said:
> When I use ntpq from Classic, I'm never prompted for a password. I'm not
> sure if it's reading the key from /etc/ntp.keys on my behalf or not.
Thanks.
Are you modifying things, or just looking?
For example, ntpq -p doesn't require a password.
Are you running as root? (
On Fri, Jan 05, 2018 at 01:32:24AM -0800, Hal Murray via devel wrote:
>
> Does anybody use shared keys between NTP servers?
I do. I use md5 keys on a private network, but I don't require clients to use
them.
> What other types should we test and/or suggest people use?
The docs claim to suppor
> No, SHA1 is no longer considered safe. The first collision was generated
> early last year. The git team is considering a move to SHA-2 (I think - I
> might be out of date on this.)
Should we fix the documentation for the upcoming release?
And update ntpkeygen.
There are comments in the doc
devel@ntpsec.org said:
>> Should we fix the code that reads keys to allow text for other
>> types than MD5?
> I've had this on my mind for a while, but it seems like the kind of thing
> where we might want to float a draft RFC before implementing.
> We need to be careful here because the existin
On Fri, Jan 05, 2018 at 08:17:18AM -0600, Ian Bruene via devel wrote:
>
> How can I get a detailed report on the new python test coverage check? And how
> robust is it: does it only count the percentage of functions tested, or can it
> tell what parts of a function are being exercised?
>
> 91% is
This is a summary of the last few months of intermittent arguing over
the build system. I am glossing over most details as the specifics are
not important to the summary, and I'm too lazy to track down every post
on the matter.
Just before the 1.0 release Fred Wright submitted a patch to sol
Hal Murray via devel :
> Does anybody use shared keys between NTP servers?
That's the kind of thing I expect *you* to know. I sure don't.
> MD5 is no longer considered safe.
> Is SHA1 considered safe? What other types should we test and/or suggest
> people use?
No, SHA1 is no longer considere
How can I get a detailed report on the new python test coverage check?
And how robust is it: does it only count the percentage of functions
tested, or can it tell what parts of a function are being exercised?
91% is higher than I expected.
--
/"In the end; what separates a Man, from a Sl
On 01/04/2018 10:48 PM, Richard Laager via devel wrote:
Can you submit an actual merge request for review?
Currently waiting for the pipeline to finish on !641.
This changes the build back to how it used to work, it builds and
installs on my system, it has passed the build phase of the pipe
Does anybody use shared keys between NTP servers?
The keys file format is text for MD5 and hex for all others.
ntpkeygen makes 10 MD5 and 10 SHA1 keys.
MD5 is no longer considered safe.
Is SHA1 considered safe? What other types should we test and/or suggest
people use?
ntpq needs a password
26 matches
Mail list logo
