[svlug] Serious NTP security holes
Rick Moen
rick at svlug.org
Tue Dec 23 00:44:28 PST 2014
Forgot to add:
4. Really old versions of ISC ntpd released before about four years ago
defaulted to a weak random number generator for public-key keypairs that
you can optionally use to permit only NTP clients with the right crypto key
to talk to your NTP server. This is the case only if you never bothered to
set an authentication key for your server, such that ntpd uses a weak seed
value by default. If you are so paranoid that you require crypto
authentication for incoming time queries to your NTP server, but also so
negligent that you never configured an authentication key and have been
going out of your way to ignore package updates for more than four years,
then - hey! - it's time.
5. The other problems got fixed in software updates that went out on Dec.
19th. If your server distro didn't have package updates out by... oh...
today at the latest, then consider a different server distro.
6. Unless you're offering up NTP time-sync _services_ to public networks -
i.e., being a public NTP server, not just a client - none of this affects you
at all.
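Whether item 6 applies to a given host comes down to its ntp.conf "restrict" lines, and the usual distro default ("restrict default ... noquery") still serves time to anyone who asks. The following is an added example, not code from this post or from the ntp project: it classifies a constructed ntp.conf by its default restrictions. The flag meanings follow the ntpd restrict documentation (ignore drops everything, noserve denies time service, noquery denies only ntpq/ntpdc control queries); the configs and the 203.0.113.10 address are constructed samples.

```python
"""Classify what an ntp.conf exposes to the network from its 'restrict' lines.

Added example, not code from the svlug post. Keyword meanings follow the
ntpd 'restrict' documentation: 'ignore' drops every packet, 'noserve'
denies time service, 'noquery' denies only ntpq/ntpdc control queries.
"""

# Constructed sample configurations (not from any real host).
DISTRO_DEFAULT_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 203.0.113.10 iburst          # constructed upstream (TEST-NET-3)
restrict -4 default kod notrap nomodify nopeer noquery  # still serves time!
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

LOCKED_DOWN_CONF = """
server 203.0.113.10 iburst
restrict default ignore                 # drop everything by default ...
restrict 203.0.113.10 nomodify notrap nopeer noquery  # ... except our upstream
restrict 127.0.0.1
restrict ::1
"""


def restrict_default_flags(conf: str) -> dict:
    """Return the flag set of each 'restrict [-4|-6] default' line, keyed by family."""
    flags = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if not parts or parts[0] != "restrict":
            continue
        args = parts[1:]
        family = "any"
        if args and args[0] in ("-4", "-6"):
            family = args.pop(0)
        if args and args[0] == "default":
            flags[family] = set(args[1:])
    return flags


def exposure(conf: str) -> dict:
    """Can unknown hosts sync time from, or send control queries to, this ntpd?"""
    # No 'restrict default' line at all means ntpd allows everything.
    per_family = restrict_default_flags(conf) or {"any": set()}
    return {
        "serves_time": any(not ({"ignore", "noserve"} & f) for f in per_family.values()),
        "answers_queries": any(not ({"ignore", "noquery"} & f) for f in per_family.values()),
    }
```

Note that "restrict default ignore" also drops replies from your own upstream servers unless you add a per-server restrict line for each of them, as the locked-down sample does.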