On 25.4.2014 16:28, Gabe Alford wrote:
> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
> It seemed better to try to stop ntpd before running ntpdate rather than not
> running ntpdate if ntpd was already running. I believe this patch only
> applies to the ipa-3-3 branch as ntpdate is not used anymore in the master.

IMHO we should never stop ntpd if it is running. Plain ntpdate opens a potential
security hole because an attacker can fake NTP answers and force the machine to
rewind its clock to the past.
This opens potential for replay attacks/re-using old compromised keys etc.
Freeipa-devel mailing list