Wednesday, 24 December 2014

Re: ntp by default on servers in Vivid

Robie Basak said:
> I'm seeking just to make default what people already use. My goal is to
> make the time correct on Ubuntu server systems by default. Currently I'm
> of the opinion that the daemon used doesn't really matter; all options
> are by far good enough in standard use cases, and users of obscure use
> cases have the option of switching to another.
> I'm prepared to have my opinion swayed by evidence, but in the absence
> of any evidence to the contrary, I'm not prepared to put effort into
> picking some other solution and making it the default for no good
> reason.

ntp has a lot of institutional momentum and it's great at keeping the
clocks right, but in terms of security it has serious problems. I for
one have to break the habit of just apt-get install ntp, edit ntp.conf
and I'm done...
ntp in the default configuration usually means no encryption or
authentication and is vulnerable to man in the middle attacks.

And if one does set up encryption and/or authentication, it isn't very secure.
Summary: "using a TLS IP tunnel is recommended as a transitional

A couple of other possible solutions I haven't seen mentioned in this thread:

tlsdate is packaged in Debian and developed by Jacob Appelbaum of the
Tor project.

htpdate used by Tails.
Note it is a rewrite/fork of the unmaintained htpdate package that is
currently in Debian.


