On Wednesday, May 11, 2022, 03:31:52 AM PDT, Hal Murray via devel <devel@ntpsec.org> wrote:
> Thanks.
>
> > I like your suggestion of ntpd using "-g" to get the system time close, before
> > checking any certificates.
>
> It was Richard's suggestion, not mine. The idea was to only skip the date checks and do the rest of the certificate checking.
>
> I don't like it for 2 reasons.
>
> The main reason is that it's a hole in security. I don't want to clutter up security discussions and documentation with that very unlikely case.
>
> The second reason is that OpenSSL isn't set up to skip only the date check. We could easily implement your version of no-check, but that would make the tiny security hole a big hole.
>
> ------
>
> I think the alternative is to get the clock reasonably close before running ntpd.
>
> PCs with RTC/CMOS/TOY clocks are simple. We will have to document potential troubles with dead batteries.
>
> The problem is with Raspberry Pis and similar low-end systems that don't have a hardware clock.
>
> As far as I can tell, each distro does it differently. So we will have to document what to do on each distro.
>
> > The problem I see a lot is that a lot of Pis are started with no network
> > connection, and a bad time, so swclock is commonly used before starting ntpd.
>
> What is swclock? What distros does it run on?
>
> I think the Linux kernel sets the clock to the build time or something similar.
>
> Debian/Ubuntu have fake-hwclock. It updates the time in a file on halt and every hour so you have decent restart time on boot after a crash. It's "just" a shell script so it should be easy to copy to other distros.
>
> I haven't found anything for Fedora.
>
> I haven't looked for FreeBSD or NetBSD.

swclock is a C program (source is at https://github.com/OpenRC/openrc under src/swclock) and it doesn't quite run the same way. swclock claims to use the mtime of a file while fake-hwclock seems to use the contents of a different file.
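An added example, not code from this thread and not the swclock or fake-hwclock code itself: a small Python model of the two persistence strategies the thread contrasts (a timestamp written as a file's contents, versus a file whose mtime is the record), together with a boot-time restore rule and a check of why it matters for certificate validation. The forward-only restore rule (never step the clock backwards to a saved value) is an assumption about sound practice, not a claim about what either tool does; all paths and timestamps are constructed for the example.

```python
"""Model of two ways a box without a hardware clock can carry a rough time
across a reboot, so that ntpd and TLS certificate date checks start from a
plausible date instead of the kernel's default.

  contents strategy (fake-hwclock-like, per the thread): a timestamp is written
      into a file periodically and on halt; on boot the file is read back.
  mtime strategy (swclock-like, per the thread): a file is touched; on boot the
      file's modification time is the record.

Both are models written for this example, not the tools' real code.
"""
import os
from datetime import datetime, timezone
from typing import Optional

FMT = "%Y-%m-%d %H:%M:%S"


def save_contents(path: str, now: float) -> None:
    """Persist the time as the file's contents (contents strategy)."""
    stamp = datetime.fromtimestamp(now, timezone.utc).strftime(FMT)
    with open(path, "w") as f:
        f.write(stamp + "\n")


def load_contents(path: str) -> Optional[float]:
    """Read the saved time back; None if the file was never written."""
    try:
        with open(path) as f:
            text = f.read().strip()
    except FileNotFoundError:
        return None
    dt = datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)
    return dt.timestamp()


def save_mtime(path: str, now: float) -> None:
    """Touch the file and set its mtime to `now` (mtime strategy)."""
    with open(path, "a"):
        pass
    os.utime(path, (now, now))


def load_mtime(path: str) -> Optional[float]:
    """The file's modification time is the saved clock; None if missing."""
    try:
        return os.stat(path).st_mtime
    except FileNotFoundError:
        return None


def restore(current: float, saved: Optional[float]) -> float:
    """Clock value to adopt at boot.

    The saved value was written before the reboot, so it is a lower bound on
    the true time: adopt it only if it is ahead of the current (kernel
    default) clock, and never step backwards.  This is the example's own
    rule, not a description of swclock or fake-hwclock.
    """
    if saved is None or saved <= current:
        return current
    return saved


def cert_dates_plausible(now: float, not_before: float, not_after: float) -> bool:
    """The date part of certificate validation: is `now` inside the window?"""
    return not_before <= now <= not_after


if __name__ == "__main__":
    import tempfile

    d = tempfile.mkdtemp()
    # Constructed: the box last ran on 2022-05-08 (UTC) and saved its clock.
    last_run = datetime(2022, 5, 8, 8, 53, 20, tzinfo=timezone.utc).timestamp()
    save_contents(os.path.join(d, "fake-hwclock.data"), last_run)
    save_mtime(os.path.join(d, "swclock-stamp"), last_run)

    # Constructed: a certificate valid through 2022.
    nb = datetime(2022, 1, 1, tzinfo=timezone.utc).timestamp()
    na = datetime(2022, 12, 31, tzinfo=timezone.utc).timestamp()

    kernel_default = 0.0  # e.g. the epoch, with no RTC to read
    print("without restore:", cert_dates_plausible(kernel_default, nb, na))
    boot = restore(kernel_default, load_contents(os.path.join(d, "fake-hwclock.data")))
    print("with restore:   ", cert_dates_plausible(boot, nb, na))
```

Run it as a script to see the date check fail on the kernel default clock and pass once the saved time is restored; the two `load_*` functions show that both strategies return the same kind of value, so the restore and the certificate check do not care which file convention the distro uses.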