Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
Lennart, I suppose that what you wrote concerns the UDP port on the time-providing server system that systemd-timesyncd uses to synchronize time? This is not a problem; from the point of view of the system where systemd-timesyncd is running, a privileged remote port is not a problem. I have problems if the source UDP port (so the one created by systemd-timesyncd) is problematic, but I understand that systemd-timesyncd always uses an unprivileged source port?

Thanks for an answer,
JD

On Tue, Mar 31, 2020 at 4:57 PM Lennart Poettering wrote:
>
> On Mi, 11.03.20 17:34, Jędrzej Dudkiewicz (jedrzej.dudkiew...@gmail.com)
> wrote:
>
> > Hi,
> >
> > I have quite a few devices running Linux in client's network - so I
> > have no control over it. It seems that all privileged UDP ports are
> > blocked, so I have to use an unprivileged port. I'd like to use
> > systemd-timesyncd to synchronize time, though I can't find a way to
> > force it to use an unprivileged port. Is there any way to do it?
>
> There's not, currently, the port nr is hardcoded. It might be OK to
> make the port nr configurable though, via an env var. You could then
> set the env var via a drop-in for systemd-timesyncd.service that uses
> Environment=. Patch should be simple, look for resolve_getaddrinfo()
> in timesyncd-manager.c. Consider prepping a patch and posting as
> github PR, we'll then review/merge it.
>
> Lennart
>
> --
> Lennart Poettering, Berlin

--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
I don't understand your answer/information at all. I wanted to know how to use an unprivileged port with systemd-timesyncd - and I got information that it has sane defaults. So how should I read your answer? Is there something in systemd that still makes it insecure? Should I add some other parameter so that the source port is randomized? Isn't it random already?

JD

On Mon, Mar 23, 2020 at 2:50 AM Cristian Rodríguez wrote:
>
> On Wed, Mar 11, 2020 at 4:17 PM Jędrzej Dudkiewicz
> wrote:
>
> > Sorry, of course source port -
>
> No, you really want UDP source port randomization using whatever
> algorithm the kernel chooses to, due to security reasons.

--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Thu, Mar 12, 2020 at 8:29 AM Michael Chapman wrote:
>
> On Thu, 12 Mar 2020, Jędrzej Dudkiewicz wrote:
> [...]
> > And one more question: what is systemd-timedated? It seems that is
> > exactly the same thing, but I don't think this is true?
>
> It's the DBus service that most bits of timedatectl talk to.
[...]
>
> systemd-timedated doesn't actually have any relationship with
> systemd-timesyncd, despite the similar name.

Ah, I understand now. Thank you very much.

--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
Re: [systemd-devel] systemd-timesyncd - use unprivileged ports
On Wed, Mar 11, 2020 at 5:52 PM Mantas Mikulėnas wrote:
>
> Well, are you asking about the *source* port or about the *destination* port?
> There are two on every UDP packet.

Sorry, of course source port - I spent so much time trying to synchronize time using systemd-timesyncd and ntpdate that I couldn't think about any other port - well, context is everything.

> The source port is *not* from the privileged range -- systemd-timesyncd
> always just lets the OS choose a random port from the ephemeral range. (I
> have seen some other NTP clients such as Windows insist on using 123 as both
> source and destination, but that's not the case with systemd-timesyncd nor
> with most other SNTP clients.)

Ok, this seems to be an obvious solution - yet ntpd and ntpdate by default bind to local port 123 - I see that systemd does the sensible thing.

> The destination port has to be from the privileged range (specifically 123)
> because that's what NTP servers *listen on* -- the client cannot decide on a
> different port entirely on its own; you'd need to run your own NTP server
> configured to use a different port.

Yes.

> Although if you already have an NTP server listening on a different port,
> then unfortunately no, systemd-timesyncd does not currently have a config
> option for that. It seems port 123 is hardcoded in manager_connect(), most
> likely because that's what every public NTP server uses.

No, this is a Windows server and after running `ntpdate -u ` I can synchronize time just fine.

Now one more question - I read that to run properly, systemd-timesyncd needs systemd-networkd successfully started. This is true in my case - systemd-networkd reports success. I have the server IP set in `/etc/systemd/timesyncd.conf` like this:

[Time]
NTP=

Note that these devices run Debian 9.4, so not only an old version, but also a distribution that isn't known for being on the cutting edge.

And one more question: what is systemd-timedated? It seems that is exactly the same thing, but I don't think this is true?

Thanks in advance,
JD

> (Really I can't really think of any good purpose for such a block -- if
> anything, I'd expect to see the opposite, i.e. services on low ports allowed,
> the rest blocked. Does your network block DNS on port 53, too?)
>
> On Wed, Mar 11, 2020 at 6:34 PM Jędrzej Dudkiewicz
> wrote:
>>
>> Hi,
>>
>> I have quite a few devices running Linux in client's network - so I
>> have no control over it. It seems that all privileged UDP ports are
>> blocked, so I have to use an unprivileged port. I'd like to use
>> systemd-timesyncd to synchronize time, though I can't find a way to
>> force it to use an unprivileged port. Is there any way to do it?
>>
>> Thanks in advance,
>> --
>> Jędrzej Dudkiewicz
>
> --
> Mantas Mikulėnas

--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.
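The source-versus-destination distinction Mantas draws above, as an added example that is not part of this thread or of systemd: a minimal SNTP exchange in Python in which a toy loopback responder stands in for an NTP server listening on a port other than 123 (the `ntpdate -u` situation) and the client never binds its socket, so the kernel assigns the ephemeral source port; `sntp_query`, `serve_one_request` and the constructed server time are assumptions of this example.

```python
import socket
import struct
import threading

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800

def build_client_request():
    # 48-byte SNTP packet: LI=0, VN=4, Mode=3 (client); all other fields zero
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 3
    return bytes(pkt)

def to_ntp_timestamp(unix_seconds):
    # 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs, frac)

def parse_transmit_timestamp(pkt):
    # Transmit Timestamp occupies bytes 40..47 of the reply
    secs, frac = struct.unpack("!II", pkt[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def serve_one_request(srv, server_time):
    # Toy responder standing in for an NTP server listening on a non-123 port
    data, peer = srv.recvfrom(48)
    reply = bytearray(48)
    reply[0] = (4 << 3) | 4          # VN=4, Mode=4 (server)
    reply[24:32] = data[40:48]       # originate = client's transmit timestamp
    reply[40:48] = to_ntp_timestamp(server_time)
    srv.sendto(bytes(reply), peer)

def sntp_query(server_time, server_port=0):
    """Serve on 127.0.0.1:server_port (0 = any free port), query it, return (src_port, time)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(2)
    srv.bind(("127.0.0.1", server_port))
    dst_port = srv.getsockname()[1]
    t = threading.Thread(target=serve_one_request, args=(srv, server_time))
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    # No bind(): the kernel picks a random ephemeral source port, which is all
    # systemd-timesyncd relies on, so no privileged port is ever needed locally
    cli.sendto(build_client_request(), ("127.0.0.1", dst_port))
    data, _ = cli.recvfrom(48)
    src_port = cli.getsockname()[1]
    t.join()
    srv.close(); cli.close()
    return src_port, parse_transmit_timestamp(data)
```

Running `sntp_query(1584000000.0)` (a constructed server time) returns a source port from the ephemeral range, never 123, together with the time the responder advertised.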
[systemd-devel] systemd-timesyncd - use unprivileged ports
Hi,

I have quite a few devices running Linux in client's network - so I have no control over it. It seems that all privileged UDP ports are blocked, so I have to use an unprivileged port. I'd like to use systemd-timesyncd to synchronize time, though I can't find a way to force it to use an unprivileged port. Is there any way to do it?

Thanks in advance,
--
Jędrzej Dudkiewicz

I really hate this damn machine, I wish that they would sell it.
It never does just what I want, but only what I tell it.