Alain, I don't know what you mean by spoofer, unless you assume it does not have the group2 server keys. In any case, upon restart it rolls a new private value and the client will retrieve the new cookie via the protocol. Since this is a signed exchange, the client could not complete the exchange unless the spoofer had the original private sign key. Note that, to ensure cookie freshness, the server intentionally generates a new private value about once per day, forcing its clients to obtain a fresh signed cookie.
See the cryptotypes table in the authentication options page. Note that it is up to the client whether or not to require an identity exchange. If the client has the group parameters, it will attempt the identity exchange; otherwise, it is happy with TC. As it says on the page, there can be some goofy configurations where a client may have the parameters for one group and not for a second one, in which case authentication succeeds for both groups, one with IFF the other with TC.

Dave

Bartholome, Alain wrote:
>Hi,
>
>Suppose the following configuration is running, with IFF for each host.
>
>Trusted_1 (group 1)
>    |
>Server 1
>    |
>Server2
>    |
>Trusted_2 (group 2)
>    |
>Server3
>    |
>Client1
>
>Suppose server3 is replaced by a spoofer, server3_spoofer which has the
>client group2 key and has not the server group2 key.
>
>Server3_spoofer restarts, iff is supported on its association with
>trusted_2.
>
>Until client1 restarts or until the new server authentication occurs,
>Server3_spoofer does not have the cookie so it will not synchronize client1.
>
>If client1 restarts, TC instead of IFF will be used, and client1 will be
>synchronized by Server3_spoofer.
>
>The need here is to prevent any time synchronization if TC is used instead
>of IFF.
>
>As IFF cannot be enforced with ntp configuration, the ntpq flags must be
>checked at least after each restart?
>
>Regards,
>
>Alain.
>
>Alain BARTHOLOMÉ
>EADS Defence and Security
>MetaPole
>1 Boulevard Jean Moulin
>CS 40001
>78996 ELANCOURT CEDEX
>
>_______________________________________________
>questions mailing list
>[email protected]
>https://lists.ntp.org/mailman/listinfo/questions
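Alain's closing question is whether the ntpq flags have to be checked after each restart, because a client that lacks the group parameters silently falls back from IFF to TC. The script below is an added example, not code from the NTP project or from either poster: it parses `ntpq -c "rv <assocID>"` style output (comma-separated `name=value` pairs, which is the real ntpq variable format) and fails closed unless the association's crypto `flags` word shows the identity scheme bit. The bit value `ASSUMED_IFF_FLAG` and the sample `rv` lines are assumptions constructed for the example; take the real identity-scheme bit from your ntpd build's `ntp_crypto.h` before using this as a monitoring check.

```python
import re

# ASSUMPTION: placeholder bit for "identity scheme negotiated" in the crypto
# flags word. Replace with the value from your ntpd's ntp_crypto.h.
ASSUMED_IFF_FLAG = 0x0100

# Constructed sample output in the shape of `ntpq -c "rv <assocID>"`.
# Only the key=value structure is real; the values are made up.
SAMPLE_IFF = ('associd=1234 status=f614 reach, conf, sel_sys.peer, '
              'srcadr=server3.example.invalid, srcport=123, '
              'hostname="server3.example.invalid", flags=0x0121')
SAMPLE_TC = ('associd=1235 status=f614 reach, conf, sel_sys.peer, '
             'srcadr=server3.example.invalid, srcport=123, '
             'hostname="server3.example.invalid", flags=0x0021')
SAMPLE_NOCRYPTO = ('associd=1236 status=9014 reach, conf, sel_reject, '
                   'srcadr=server3.example.invalid, srcport=123')

_PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)')


def parse_rv(text):
    """Turn ntpq variable output into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2).strip().strip('"')
            for m in _PAIR.finditer(text)}


def check_identity(rv_text, ident_mask=ASSUMED_IFF_FLAG):
    """Return ("ok", reason) only when the association shows the identity
    scheme bit; every other condition (no Autokey flags, unparseable word,
    TC-only authentication) is reported as a failure so callers fail closed."""
    fields = parse_rv(rv_text)
    peer = fields.get("srcadr", "<unknown>")
    if "flags" not in fields:
        return ("fail", f"{peer}: no crypto flags, association is not Autokey")
    try:
        flags = int(fields["flags"], 16)
    except ValueError:
        return ("fail", f"{peer}: unparseable flags {fields['flags']!r}")
    if flags & ident_mask:
        return ("ok", f"{peer}: identity scheme present (flags=0x{flags:04x})")
    return ("fail", f"{peer}: TC-only authentication, identity scheme missing "
                    f"(flags=0x{flags:04x})")


def audit(rv_outputs, ident_mask=ASSUMED_IFF_FLAG):
    """Audit several associations; returns (all_ok, list of verdicts)."""
    verdicts = [check_identity(t, ident_mask) for t in rv_outputs]
    return all(v[0] == "ok" for v in verdicts), verdicts


if __name__ == "__main__":
    # In practice feed this the output of `ntpq -c as` / `ntpq -c "rv N"`
    # collected right after ntpd restarts, which is when the fallback occurs.
    ok, verdicts = audit([SAMPLE_IFF, SAMPLE_TC, SAMPLE_NOCRYPTO])
    for status, reason in verdicts:
        print(f"[{status}] {reason}")
    print("overall:", "ok" if ok else "FAIL")
```

Run it once per ntpd restart (for example from the unit's ExecStartPost or a cron job) and treat any non-"ok" verdict as a reason to stop trusting the association until the group parameters are in place; the decision to fall back to TC is the client's, so only the client side can observe it.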