| field | value | date |
|---|---|---|
| author | delphij <delphij@FreeBSD.org> | 2016-06-04 05:46:52 +0000 |
| committer | delphij <delphij@FreeBSD.org> | 2016-06-04 05:46:52 +0000 |
| commit | 8b05336d05340c5bf523a1781534f98449173e01 (patch) | |
| tree | edbe2bc75547d8945326749550a867c4cbfbdb0c /contrib/ntp/ntpd/ntp.conf.mdoc.in | |
| parent | 317e69eb8f1ef3aec35d7915f591340d07c97771 (diff) | |
Fix multiple ntp vulnerabilities.
Security: FreeBSD-SA-16:24.ntp
Approved by: so
Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.mdoc.in')
-rw-r--r-- | contrib/ntp/ntpd/ntp.conf.mdoc.in | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.mdoc.in b/contrib/ntp/ntpd/ntp.conf.mdoc.in index 82164a3..a9a3424 100644 --- a/contrib/ntp/ntpd/ntp.conf.mdoc.in +++ b/contrib/ntp/ntpd/ntp.conf.mdoc.in @@ -1,9 +1,9 @@ -.Dd April 26 2016 +.Dd June 2 2016 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed April 26, 2016 at 08:28:36 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed June 2, 2016 at 07:36:16 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -2440,6 +2440,7 @@ The default value is 46, signifying Expedited Forwarding. .Cm calibrate | Cm kernel | .Cm mode7 | Cm monitor | .Cm ntp | Cm stats | +.Cm peer_clear_digest_early | .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc @@ -2449,6 +2450,7 @@ The default value is 46, signifying Expedited Forwarding. .Cm calibrate | Cm kernel | .Cm mode7 | Cm monitor | .Cm ntp | Cm stats | +.Cm peer_clear_digest_early | .Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc @@ -2516,6 +2518,26 @@ closes the feedback loop, which is useful for testing. The default for this flag is .Ic enable . +.It Cm peer_clear_digest_early +By default, if +.Xr ntpd @NTPD_MS@ +is using autokey and it +receives a crypto\-NAK packet that +passes the duplicate packet and origin timestamp checks +the peer variables are immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto\-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . .It Cm stats Enables the statistics facility. See the |
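Review bot: in both synopsis hunks (`@@ -2440,6 +2440,7 @@` and `@@ -2449,6 +2450,7 @@`) the new `.Cm peer_clear_digest_early |` line is inserted after `stats`, which breaks the otherwise alphabetical order of the flag list (`ntp | stats | unpeer_crypto_early | ...`); it belongs between `ntp` and `stats`. Also, the file header says `EDIT THIS FILE WITH CAUTION` and that it is AutoGen-ed from `ntp.conf.def`, so the same addition should land in `ntp.conf.def`, otherwise the next regeneration silently drops it.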
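Review bot: the new `.It Cm peer_clear_digest_early` paragraph (hunk `@@ -2516,6 +2518,26 @@`) has a spelling error, `noticable` should be `noticeable`, on the line `If you have active noticable problems with this type of DoS attack`. More importantly, the text describes only the default behaviour (peer variables cleared immediately on a crypto-NAK that passes the duplicate and origin timestamp checks) and never says what `disable peer_clear_digest_early` actually changes; one sentence stating the disabled behaviour, and how it differs from the neighbouring `unpeer_crypto_nak_early` and `unpeer_digest_early` flags, would remove the ambiguity, especially since the flag name says `digest` while the description only talks about crypto-NAK packets. The advice to check the `peerstats` file would also be more actionable if it named what evidence of the attack looks like there.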