On 2014/03/19 15:26, Roy Marples wrote:
> > - there are various security issues relating to time setting, IMHO the
> > default config when installed as a package should not automatically
> > rewrite ntpd.conf
>
> It appends and removes the DHCP configuration from the tail of ntpd.conf,
> it's never actually re-written entirely.
> Can you explain why DHCP amending ntpd.conf is a security issue but not for
> resolv.conf?
Trusting the DNS resolvers can be a problem too, but it isn't really avoidable if you want to use the network you've connected to, and I think it's something that OpenBSD users would generally expect from a dhcp client (unless they have gone out of their way to disable it). Updating NTP servers is something not really expected from dhcp on OpenBSD - as such I think it's something people would expect to be left alone unless they have changed config to do that.

I probably wouldn't have noticed, except that for testing I started with /etc/rc.d/dhcpcd -d start and spotted ntpd being restarted (though this doesn't always happen for me, even if I adjust the config files and/or ntp servers handed out by my dhcpd).

> Either way, it's better to either add `nohook ntp.conf` or `noption
> ntp_servers` because a DHCP server could force the NTP option information
> down without the client requesting it.

That sounds better; "nohook ntp.conf" sounds better (probably with a comment to explain that it covers ntpd.conf as well as ntp.conf?)

> Let me know if you want any more changes or not and I'll make another .tgz,
> or you can.

Nothing else comes to my mind at the moment, does anyone else have comments?
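The two knobs Roy mentions, `nohook ntp.conf` and `noption ntp_servers`, are the only things a packager or admin needs to check for if they want DHCP kept out of ntpd.conf. The script below is an added example written for this page, not code from Roy, the dhcpcd project or the OpenBSD port: it scans a dhcpcd.conf and reports whether either knob is set, ignoring commented-out lines, and builds three constructed sample configs (weak, fixed with nohook, fixed with noption) to exercise the check. It assumes the hook is named `ntp.conf` as in the thread, that `nohook`/`noption` values may be separated by commas or spaces (a hypothetical generalisation, not something the thread states), and that `option ntp_servers` alone does not block anything.

```shell
#!/bin/sh
# Added example, not part of the original thread or of dhcpcd.
# Check whether a dhcpcd.conf keeps DHCP-supplied NTP servers out of
# ntpd.conf / ntp.conf, via "nohook ntp.conf" or "noption ntp_servers".

# dhcpcd_ntp_blocked FILE -> exit 0 if DHCP NTP handling is disabled, 1 if not
dhcpcd_ntp_blocked() {
    awk '
        # drop comments and surrounding whitespace; awk re-splits fields
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # assumption: values after nohook/noption may be comma or space separated
        $1 == "nohook" || $1 == "noption" {
            for (f = 2; f <= NF; f++) {
                n = split($f, a, ",")
                for (i = 1; i <= n; i++) {
                    if ($1 == "nohook"  && a[i] == "ntp.conf")    found = 1
                    if ($1 == "noption" && a[i] == "ntp_servers") found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# make_samples -> prints a temp dir holding three constructed dhcpcd.conf files
make_samples() {
    dir=$(mktemp -d) || return 1
    # weak: DHCP may append NTP servers to the tail of ntpd.conf
    cat > "$dir/weak.conf" <<'EOF'
hostname
option domain_name_servers, domain_name, domain_search, host_name
option ntp_servers
# nohook ntp.conf   <- commented out, so it does not count
require dhcp_server_identifier
EOF
    # fixed (hook disabled): the ntp.conf hook also writes ntpd.conf on OpenBSD
    cat > "$dir/nohook.conf" <<'EOF'
hostname
option domain_name_servers, domain_name, domain_search, host_name
# ntp.conf hook covers ntpd.conf as well as ntp.conf; leave both alone
nohook ntp.conf
require dhcp_server_identifier
EOF
    # fixed (option refused): server cannot push ntp_servers onto us
    cat > "$dir/noption.conf" <<'EOF'
hostname
option domain_name_servers, domain_name, domain_search, host_name
noption ntp_servers
require dhcp_server_identifier
EOF
    echo "$dir"
}

# report FILE -> prints a one-line verdict, returns the check's status
report() {
    if dhcpcd_ntp_blocked "$1"; then
        echo "$1: DHCP NTP servers are kept out of ntpd.conf"
    else
        echo "$1: DHCP NTP servers WILL be appended to ntpd.conf"
        return 1
    fi
}
```

Run it as `report /etc/dhcpcd.conf`; a non-zero exit means a DHCP server on the link can still push NTP servers into ntpd.conf, which is the situation the thread is discussing.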
