NTPsec

NTP is an unencrypted, UDP-based protocol that has been abused for attacks in the past. There have been several attempts to provide replacements, but the difficult nature of the protocol and its usage makes this quite challenging. While NTP provides capabilities for encryption, they have proven to be unreliable. NTPsec makes a 'secure' replacement possible.

Installation

You can install NTPsec via the ntpsec package from the AUR.

It is necessary to import a new GPG key to your keyring with:

$ gpg --recv-keys 5A22E330161C3978
gpg: key 5A22E330161C3978: 6 signatures not checked due to missing keys
gpg: key 5A22E330161C3978: public key "NTPsec Contact <contact@ntpsec.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   8  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 8u
gpg: next trustdb check due at 2019-12-03
gpg: Total number processed: 1
gpg:               imported: 1

Starting the service

Start/enable ntpd.service as usual.

Note: Currently, the ntpsec AUR package will only uninstall ntp during its installation. If you were using another NTP implementation, make sure to stop/disable its service.

Enable NTS

NTS is a method for using TLS/SSL to authenticate NTP traffic on the net.

Note: The NTP Pool and the Arch NTP Pool do not currently support NTS.

Append the keyword nts to the end of your server lines. Do this only for servers that speak NTS. If the server uses a port other than 4460 for NTS key exchange, you also need to specify the port number.

For example:

/etc/ntp.d/use-pool
server time.cloudflare.com         nts iburst
server virginia.time.system76.com  nts iburst
server nts.netnod.se:4460          nts iburst

Here is an unofficial list of NTP servers supporting NTS.
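
The following Python script is an added example, not taken from this article or from the NTPsec project. It parses server and pool lines in the format shown above and reports which time sources lack the nts keyword and which NTS key exchange port each NTS source uses. The sample configuration is constructed, time.example.net is a placeholder host, and treating pool lines like server lines is an assumption.

```python
import re

DEFAULT_NTS_KE_PORT = 4460  # default NTS key exchange port named in the article

# Constructed sample: the article's three NTS servers plus one plain-NTP line
# (time.example.net is a placeholder, not a real recommendation).
SAMPLE_CONF = """\
# /etc/ntp.d/use-pool
server time.cloudflare.com         nts iburst
server virginia.time.system76.com  nts iburst
server nts.netnod.se:4460          nts iburst
server time.example.net            iburst   # no nts keyword
"""

def split_host_port(address):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", address)
    if m:
        return m.group(1), int(m.group(2)) if m.group(2) else None
    host, sep, port = address.rpartition(":")
    # A bare IPv6 literal has colons in the host part: not a port suffix.
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return address, None

def audit_time_sources(conf_text):
    """Return one dict per server/pool line: host, NTS-KE port, nts flag."""
    sources = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0] not in ("server", "pool"):
            continue
        host, port = split_host_port(fields[1])
        uses_nts = "nts" in fields[2:]
        sources.append({
            "line": lineno, "host": host, "nts": uses_nts,
            "ke_port": (port or DEFAULT_NTS_KE_PORT) if uses_nts else None,
        })
    return sources

def unauthenticated(sources):
    """Hosts whose time is accepted without NTS authentication."""
    return [s["host"] for s in sources if not s["nts"]]

if __name__ == "__main__":
    for s in audit_time_sources(SAMPLE_CONF):
        status = f"NTS, key exchange on port {s['ke_port']}" if s["nts"] else "NO NTS"
        print(f"line {s['line']}: {s['host']}: {status}")
```

Any host returned by unauthenticated() is a time source that is still accepted without NTS authentication alongside the NTS servers.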

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.