From owner-freebsd-security@freebsd.org Tue Jun 30 08:52:32 2015
From: el kalin
To: freebsd-security@freebsd.org
Date: Tue, 30 Jun 2015 04:46:43 -0400
Subject: pf
what exactly needs to happen in pf.conf so a range of ips gets blocked?! in this case the range in is not blocked. i tried putting the block right after the table declaration also… nothing spectacular happened.. any help would be appreciated… thanks…

here is my ruleset:

table { 46.19.139.0/24 }
tcp_in = "{ domain, www, https }"
udp = "{ domain, ntp, snmp }"
ping = "echoreq"

set skip on lo
scrub in
antispoof for bge0 inet

block in all
pass out all keep state

### for traceroutes
pass out inet proto udp from any to any port 33433 >< 33626 keep state

pass proto udp to any port $udp

##icmp
pass inet proto icmp all icmp-type $ping keep state

## passing in
##pass in inet proto tcp to any port $tcp_in keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh

block in on bge0 from { } to any

From owner-freebsd-security@freebsd.org Wed Jul 1 04:04:02 2015
From: el kalin
To: freebsd-security@freebsd.org
Date: Wed, 1 Jul 2015 00:03:54 -0400
Subject: ssh in netstat

hi all… looking at output from netstat i see this:

tcp4  0  0   server.name..ssh   218.17.160.22.9225       ESTABLISHED
tcp4  0  0   server.name..http  baiduspider-220-.18248   FIN_WAIT_2
tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51418   ESTABLISHED
tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51326   ESTABLISHED
tcp4  0  48  server.name..ssh   cpe-74-73-236-43.51160   ESTABLISHED

cpe-74-73-236-43 is me. 218.17.160.22 is some number that appears to be in china.
this is from who:

myuser  p0  cpe-74-73-236-43  5:34PM  -     traceroute 218.17.160.22
myuser  p1  cpe-74-73-236-43  5:50PM  -     w
myuser  p2  cpe-74-73-236-43  5:57PM  3:36  -sh (sh)

how is it that 218.17.160.22 has an established ssh connection and i can't see it with who? how can i figure out what user that is? there is not supposed to be anybody logging in over ssh from china to this machine...

thanks…

From owner-freebsd-security@freebsd.org Wed Jul 1 04:10:31 2015
From: el kalin
To: freebsd-security@freebsd.org
Date: Wed, 1 Jul 2015 00:10:29 -0400
Subject: Re: ssh in netstat

nevermind…. i got it…. thanks anyway…

On Wed, Jul 1, 2015 at 12:03 AM, el kalin wrote:
>
> hi all… looking at output from netstat i see this:
>
> tcp4  0  0   server.name..ssh   218.17.160.22.9225       ESTABLISHED
> tcp4  0  0   server.name..http  baiduspider-220-.18248   FIN_WAIT_2
> tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51418   ESTABLISHED
> tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51326   ESTABLISHED
> tcp4  0  48  server.name..ssh   cpe-74-73-236-43.51160   ESTABLISHED
>
>
> cpe-74-73-236-43 is me. 218.17.160.22 is some number that appears to
> be in china.
>
> this is from who:
>
> myuser  p0  cpe-74-73-236-43  5:34PM  -     traceroute 218.17.160.22
> myuser  p1  cpe-74-73-236-43  5:50PM  -     w
> myuser  p2  cpe-74-73-236-43  5:57PM  3:36  -sh (sh)
>
> how is it that 218.17.160.22 has an established ssh connection and i
> can't see it with who? how can i figure out what user that is? there is not
> supposed to be anybody logging in over ssh from china to this machine...
>
> thanks…
>
>

From owner-freebsd-security@freebsd.org Wed Jul 1 08:48:54 2015
From: Christian Brueffer
To: trustedbsd-announce@freebsd.org, trustedbsd-discuss@freebsd.org, trustedbsd-audit@freebsd.org, freebsd-security@freebsd.org
Date: Wed, 01 Jul 2015 10:43:47 +0200
Subject: OpenBSM moving to GitHub
Message-ID: <5593A843.8030800@FreeBSD.org>
We're pleased to announce the move of the OpenBSM source code repository from the FreeBSD Perforce server to GitHub. After a period of dormancy, we hope this will make the code more accessible and stimulate outside contributions.

Since the converter (git-p4) could not export the release labels from Perforce correctly, they were added to the git repository by hand. Thus, don't be alarmed by the recent tagging dates.

The repository can now be found at https://github.com/openbsm/openbsm

Christian Brueffer and Robert Watson on behalf of the OpenBSM project.
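Looking back at the "ssh in netstat" question earlier on this page: an ESTABLISHED connection to sshd that does not show up in who/w belongs either to a client still in sshd's authentication phase (a credential-guessing client looks exactly like this) or to a non-interactive session (sftp, port forwarding), neither of which gets a utmp entry. The usual first triage step is to diff the two views, which the added Python below does over constructed copies of the quoted netstat and w lines; it is an example added here, not code from the thread.

```python
"""Correlate ESTABLISHED connections to sshd (netstat) with login sessions (w/who).

The sample input below is constructed to mirror the lines quoted in the post;
it is not captured from a real host.
"""

NETSTAT = """\
tcp4  0  0   server.name..ssh   218.17.160.22.9225       ESTABLISHED
tcp4  0  0   server.name..http  baiduspider-220-.18248   FIN_WAIT_2
tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51418   ESTABLISHED
tcp4  0  0   server.name..ssh   cpe-74-73-236-43.51326   ESTABLISHED
tcp4  0  48  server.name..ssh   cpe-74-73-236-43.51160   ESTABLISHED
"""

# w(1)-style output: USER TTY FROM LOGIN@ IDLE WHAT
WHO = """\
myuser  p0  cpe-74-73-236-43  5:34PM  -     traceroute 218.17.160.22
myuser  p1  cpe-74-73-236-43  5:50PM  -     w
myuser  p2  cpe-74-73-236-43  5:57PM  3:36  -sh (sh)
"""


def split_host_port(addr):
    """netstat joins host and port with '.', so the port is the last dot-separated field."""
    host, _, port = addr.rpartition(".")
    return host, port


def ssh_peers(netstat_text):
    """Map each remote host to the remote ports of its ESTABLISHED connections to local ssh."""
    peers = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp4", "tcp6"):
            continue  # header lines, UDP and unix sockets are not of interest here
        local, foreign, state = fields[3], fields[4], fields[5]
        if split_host_port(local)[1] != "ssh" or state != "ESTABLISHED":
            continue
        host, port = split_host_port(foreign)
        peers.setdefault(host, []).append(port)
    return peers


def login_hosts(who_text):
    """Set of FROM hosts in w/who output (third column); local ttys show '-' there."""
    rows = (line.split() for line in who_text.splitlines())
    return {fields[2] for fields in rows if len(fields) >= 3}


def unaccounted_ssh_peers(netstat_text, who_text):
    """Remote hosts holding an ESTABLISHED ssh connection but no login session from that host.

    utmp (what w/who reads) only records sessions that were given a tty, so a host
    listed here is either still authenticating or holds a non-interactive session.
    Either way it warrants a look at sshd's auth log and at the socket's owning process.
    """
    known = login_hosts(who_text)
    return sorted(host for host in ssh_peers(netstat_text) if host not in known)


if __name__ == "__main__":
    for host in unaccounted_ssh_peers(NETSTAT, WHO):
        print("ssh connection with no login session from", host)
```

On FreeBSD, `sockstat -4 -c` lists the owning user and process of each connected socket, which answers "what user is that" directly, and running netstat and w with `-n` avoids the hostname truncation visible in the quoted output.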
From owner-freebsd-security@freebsd.org Wed Jul 1 13:47:40 2015
From: Dag-Erling Smørgrav
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Wed, 01 Jul 2015 15:47:37 +0200
Subject: Re: Leap Second
Message-ID: <86bnfwxa4m.fsf@nine.des.no>
In-Reply-To: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> (Mark Felder's message of "Wed, 24 Jun 2015 08:57:54 -0500")

Mark Felder writes:
> I'm not an expert on the leapsecond operation, but if I understand it
> correctly there are two ways a system can be notified of a leapsecond:
> via a tzdata update or through NTP.

Answering a bit late, but no: in practical terms, only NTP works.
Recording leap seconds in tzdata breaks POSIX and a lot of assumptions in existing code, not only on the day a leap second occurs but at any time in history after at least one leap second has occurred.

> 1) FreeBSD server unaware of leapsecond due to no tzdata entry and not
> synced to NTP ends up 1 second off

A server which is not synchronized with a reliable external source will end up a lot more than one second off regardless of leap seconds, because it relies solely on onboard RTCs and oscillators which are both inaccurate and imprecise. Clock drift will be measured in seconds per week and vary depending on CPU load, disk I/O, the phase of the moon and your dog's horoscope.

> 2) FreeBSD server unaware of leapsecond due to no tzdata entry synced to
> leapsecond-aware NTP server successfully handles leapsecond

Correct.

> 3) FreeBSD server unaware of leapsecond due to no tzdata entry acting as
> NTP server doesn't notify clients of leapsecond and they end up 1 second
> off

This assumes that the hypothetical server is not synchronized with a reliable external source, which is a broken setup to begin with (see 1).
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Jul 1 13:55:45 2015
From: Mark Felder
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Message-ID: <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com>
In-Reply-To:
 <86bnfwxa4m.fsf@nine.des.no>
Date: Wed, 01 Jul 2015 08:55:41 -0500
Subject: Re: Leap Second

On Wed, Jul 1, 2015, at 08:47, Dag-Erling Smørgrav wrote:
> Mark Felder writes:
> > I'm not an expert on the leapsecond operation, but if I understand it
> > correctly there are two ways a system can be notified of a leapsecond:
> > via a tzdata update or through NTP.
>
> Answering a bit late, but no: in practical terms, only NTP works.

Better late than never :-)

> Recording leap seconds in tzdata breaks POSIX and a lot of assumptions
> in existing code, not only on the day a leap second occurs but at any
> time in history after at least one leap second has occurred.
>

Yeah, I think it's pretty obvious now that doing leapseconds in tzdata is a bad idea -- worse than leapseconds themselves maybe? :-)

> > 1) FreeBSD server unaware of leapsecond due to no tzdata entry and not
> > synced to NTP ends up 1 second off
>
> A server which is not synchronized with a reliable external source will
> end up a lot more than one second off regardless of leap seconds
> because it relies solely on onboard RTCs and oscillators which are both
> inaccurate and imprecise. Clock drift will be measured in seconds per
> week and vary depending on CPU load, disk I/O, the phase of the moon and
> your dog's horoscope.
>

I was ignoring that bit, but it's worth pointing out to the readers.
I should have worded it "...will be one *more* second off" :-)

From owner-freebsd-security@freebsd.org Wed Jul 1 17:47:03 2015
In-Reply-To: <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com>
From: Leif Pedersen
To: Mark Felder
Cc: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Date: Wed, 1 Jul 2015 12:46:21 -0500
Subject: Re: Leap Second

Is there a reasonable way to enable awareness of leap-seconds while syncing with ntpd? That is to say, how can I get the system to include leap-seconds in calculating `date +%s`, without having `date` be off by 26[1] seconds?

The default configuration produces incorrect results when computing historical time deltas. For example, the correct delta between midnights of 1970-01-01 and 2015-01-01 should be 1420070425 seconds, rather than 1420070400 seconds (wrong by 25 seconds). As our clocks continue to slip forward in time, we pretend 1970 was seconds later than it really was, and the recorded moment of the solar flare on 2003-11-04, for example, becomes wronger and wronger.

Suppose I want the times I record to remain accurate to the second, and I want to be able to measure deltas between them using the usual approach (convert to epoch-seconds and subtract). Or suppose my task requires observing rates of events where having June 30 be broken by 1s matters. Then I want midnight of 2015-01-01 as reported by `date +%s` to be 1420092025 rather than 1420092000.

I tried setting /etc/localtime to UTC including leap-seconds[2]. It works as I expected: `date -j 201501010000 +%s` reports 1420070425, a difference of 25s. However, ntpd continues to sync the clock (from pool.ntp.org) in ignorance of leap-seconds.
That makes sense; I was pretty sure ntpd doesn't observe tzdata. Can ntpd undo the leap-seconds inserted by ntp.org? Or is there another NTP pool that would work for me?

[1] The tzdata record starts with the 1970 epoch at 10s off of TAI. That is, one should imply an unrecorded leap of 10s at the end of 1969 when considering times between 1958 and 1970. This gets you from TAI to UTC. Refer to https://en.wikipedia.org/wiki/Leap_second .

[2] I sort of cheated to accomplish this off-the-cuff. I copied /usr/share/zoneinfo/right/UTC from an OpenBSD installation.

--
As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity.
http://bilbo.hobbiton.org/wiki/Eat_My_Sig

From owner-freebsd-security@freebsd.org Wed Jul 1 20:27:47 2015
From: Peter Jeremy
To: Leif Pedersen
Cc: freebsd-security@freebsd.org
Date: Thu, 2 Jul 2015 06:27:28 +1000
Subject: Re: Leap Second
Message-ID: <20150701202728.GA9532@server.rulingia.com>
On 2015-Jul-01 12:46:21 -0500, Leif Pedersen wrote:
>Is there a reasonable way to enable awareness of leap-seconds while syncing
>with ntpd? That is to say, how can I get the system to include leap-seconds
>in calculating `date +%s`, without having `date` be off by 26[1] seconds?

ntpd(8) has provision for specifying a leapsecond file which presumably makes it leap-second aware. I haven't looked into the details.

There's also posix2time(3) to convert between a TAI-based time_t and a POSIX-based time_t.
--
Peter Jeremy

From owner-freebsd-security@freebsd.org Wed Jul 1 21:01:50 2015
From: John-Mark Gurney
To: Peter Jeremy
Cc: Leif Pedersen, freebsd-security@freebsd.org
Date: Wed, 1 Jul 2015 14:01:48 -0700
Subject: Re: Leap Second
Message-ID: <20150701210148.GF96349@funkthat.com>
In-Reply-To: <20150701202728.GA9532@server.rulingia.com>

Peter Jeremy wrote this message on Thu, Jul 02, 2015 at 06:27 +1000:
> On 2015-Jul-01 12:46:21 -0500, Leif Pedersen wrote:
> >Is there a reasonable way to enable awareness of leap-seconds while syncing
> >with ntpd? That is to say, how can I get the system to include leap-seconds
> >in calculating `date +%s`, without having `date` be off by 26[1] seconds?
>
> ntpd(8) has provision for specifying a leapsecond file which presumably
> makes it leap-second aware. I haven't looked into the details.
>
> There's also posix2time(3) to convert between a TAI-based time_t and a
> POSIX-based time_t.

Though from my reading of the code, you need to have TZ files compiled w/ leap seconds which FreeBSD doesn't do by default...

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Wed Jul 1 21:25:28 2015
10.180.100.74 with SMTP id ew10mr49566415wib.12.1435785925426; Wed, 01 Jul 2015 14:25:25 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.159.207 with HTTP; Wed, 1 Jul 2015 14:24:45 -0700 (PDT) X-Originating-IP: [68.178.93.3] In-Reply-To: <20150701210148.GF96349@funkthat.com> References: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> <86bnfwxa4m.fsf@nine.des.no> <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com> <20150701202728.GA9532@server.rulingia.com> <20150701210148.GF96349@funkthat.com> From: Leif Pedersen Date: Wed, 1 Jul 2015 16:24:45 -0500 Message-ID: Subject: Re: Leap Second To: John-Mark Gurney Cc: Peter Jeremy , "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jul 2015 21:25:28 -0000 On Wed, Jul 1, 2015 at 4:01 PM, John-Mark Gurney wrote: > Though from my reading of the code, you need to have TZ files compiled > w/ leap seconds which FreeBSD doesn't do by default... > I did an equivalent, see my note [2]...and afaict ntp doesn't use tzdata. -- As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. 
http://bilbo.hobbiton.org/wiki/Eat_My_Sig From owner-freebsd-security@freebsd.org Wed Jul 1 22:27:56 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4F97B992961 for ; Wed, 1 Jul 2015 22:27:56 +0000 (UTC) (envelope-from bilbo@hobbiton.org) Received: from mail-wi0-f171.google.com (mail-wi0-f171.google.com [209.85.212.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E21EF22B7 for ; Wed, 1 Jul 2015 22:27:55 +0000 (UTC) (envelope-from bilbo@hobbiton.org) Received: by wiwl6 with SMTP id l6so178967575wiw.0 for ; Wed, 01 Jul 2015 15:27:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=R28qHzSdgplGJi7MwRVpAYrOflowjRL4BfjCN5l+S6A=; b=lkbkvODpT5apkiz225zB2lDjKb7q4rxOBwvy+jGdT1AfUcWW3KFKGugGz3o3YtjkKm C0ND756njo6IwKFindzA9KP5jQEDyHin+oW1UC0Bib9FUgC8PfZZsAWmH399oRCQ3bzd HFytSkHMgIO8KlQrJrtQzjgeQVRTjamf07hnFEsjFbD9rD1NZnNoWwiBXR0SmfpLCoBj reP4kQ3R9yRpkHQeteukCZzmnu2UQ/J41owe4hAPUihqFvlMBqJy3P2tWotfKCeK+RE9 Lo5FNtXAb2ewSCtCD9exz61Q/of4VD+0FLg15Gf06Lqdd7q0/DUPykH2Ei9juyUd7K1N hYiA== X-Gm-Message-State: ALoCoQkPiHLNNVDGjB095S2o7/CkMSeIbLdKbiugsCv/cqAqG+1evyY0ACN6GcdYTNOlnn2gFl8o X-Received: by 10.180.9.225 with SMTP id d1mr48138370wib.73.1435789673303; Wed, 01 Jul 2015 15:27:53 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.159.207 with HTTP; Wed, 1 Jul 2015 15:27:13 -0700 (PDT) X-Originating-IP: [68.178.93.3] In-Reply-To: <20150701202728.GA9532@server.rulingia.com> References: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> <86bnfwxa4m.fsf@nine.des.no> 
<1435758941.105242.312562265.3103CECB@webmail.messagingengine.com> <20150701202728.GA9532@server.rulingia.com> From: Leif Pedersen Date: Wed, 1 Jul 2015 17:27:13 -0500 Message-ID: Subject: Re: Leap Second To: Peter Jeremy Cc: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jul 2015 22:27:56 -0000 On Wed, Jul 1, 2015 at 3:27 PM, Peter Jeremy wrote: > > On 2015-Jul-01 12:46:21 -0500, Leif Pedersen wrote: > >Is there a reasonable way to enable awareness of leap-seconds while syncing > >with ntpd? That is to say, how can I get the system to include leap-seconds > >in calculating `date +%s`, without having `date` be off by 26[1] seconds? > > ntpd(8) has provision for specifying a leapsecond file which presumably > makes it leap-second aware. I haven't looked into the details. > >From the docs, I'm fairly sure that the leap-second files don't stop NTP from fudging hardware clock, and only help it do so more gracefully. > There's also posix2time(3) to convert between a TAI-based time_t and a > POSIX-based time_t. posix2time(3) doesn't seem to have anything to do with setting the hardware clock. > > -- > Peter Jeremy -- As implied by email protocols, the information in this message is not confidential. Any middle-man or recipient may inspect, modify, copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. As the sender, I acknowledge that I have a lower expectation of the control and privacy of this message than I would a post-card. Further, nothing in this message is legally binding without cryptographic evidence of its integrity. 
http://bilbo.hobbiton.org/wiki/Eat_My_Sig From owner-freebsd-security@freebsd.org Thu Jul 2 01:52:54 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D7ADA992A69 for ; Thu, 2 Jul 2015 01:52:54 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (wollman-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7C07916A6 for ; Thu, 2 Jul 2015 01:52:54 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.9/8.14.9) with ESMTP id t621qmnX013847; Wed, 1 Jul 2015 21:52:48 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.9/8.14.4/Submit) id t621qk6Q013842; Wed, 1 Jul 2015 21:52:46 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <21908.39278.416719.875140@hergotha.csail.mit.edu> Date: Wed, 1 Jul 2015 21:52:46 -0400 From: Garrett Wollman To: Peter Jeremy Cc: "freebsd-security@freebsd.org" Subject: Re: Leap Second In-Reply-To: <20150701202728.GA9532@server.rulingia.com> References: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> <86bnfwxa4m.fsf@nine.des.no> <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com> <20150701202728.GA9532@server.rulingia.com> X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (hergotha.csail.mit.edu [127.0.0.1]); Wed, 01 Jul 2015 21:52:48 -0400 (EDT) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED, 
HEADER_FROM_DIFFERENT_DOMAINS autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hergotha.csail.mit.edu X-Mailman-Approved-At: Thu, 02 Jul 2015 03:55:52 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jul 2015 01:52:54 -0000 < said: > ntpd(8) has provision for specifying a leapsecond file which presumably > makes it leap-second aware. I haven't looked into the details. The current NTP protocol, as implemented by ntpd, distributes leap-second information if provided. This information may be provided by higher-stratum (upstream) NTP servers, or by using the "leapfile" configuration statement in ntp.conf to specify a local copy of the leapseconds file in NIST/USNO format. No such file is provided by default. We could easily do so, but shouldn't, because that file would take precedence over the leap indicator learned from higher-stratum servers, and that's not desirable for clients. If you're running a bunch of servers, you should distribute and install the leapseconds file using your configuration-management system. (For example, my puppet module for NTP, which we use at CSAIL for three NTP servers, does so: .) 
-GAWollman From owner-freebsd-security@freebsd.org Thu Jul 2 08:43:28 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B6D60993E7D for ; Thu, 2 Jul 2015 08:43:28 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 7ABAF1649; Thu, 2 Jul 2015 08:43:28 +0000 (UTC) (envelope-from des@des.no) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 1C0914669; Thu, 2 Jul 2015 08:43:25 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id BE69B1D06; Thu, 2 Jul 2015 10:43:24 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Leif Pedersen Cc: Mark Felder , "freebsd-security\@freebsd.org" Subject: Re: Leap Second References: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> <86bnfwxa4m.fsf@nine.des.no> <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com> Date: Thu, 02 Jul 2015 10:43:23 +0200 In-Reply-To: (Leif Pedersen's message of "Wed, 1 Jul 2015 12:46:21 -0500") Message-ID: <86oajvvtjo.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jul 2015 08:43:28 -0000 Leif Pedersen writes: > Is there a reasonable way to enable awareness of leap-seconds while > syncing with ntpd? That is to say, how can I get the system to include > leap-seconds in calculating `date +%s`, without having `date` be off > by 26[1] seconds? No. 
POSIX deals with leap seconds by pretending they don't exist. > I tried setting /etc/localtime to UTC including leap-seconds [...] > However, ntpd continues to sync the clock (from pool.ntp.org) in > ignorance of leap-seconds. [...] Can ntpd undo the leap-seconds > inserted by ntp.org? Or is there another NTP pool that would work for > me? NTP works in UTC as well. The pool does not set the clock; all it does is coordinate servers who claim to know the correct time. I guess you could try to convince the ISC and JHU to add a TAI offset field to the next version of the NTP protocol... DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Thu Jul 2 14:22:48 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5A4CA993C21 for ; Thu, 2 Jul 2015 14:22:48 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E48301B60 for ; Thu, 2 Jul 2015 14:22:47 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by wicgi11 with SMTP id gi11so75383487wic.0 for ; Thu, 02 Jul 2015 07:22:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=F4GtV2dRXGCbOZFEtRRcuVLY+PZJdJdtcOLrFu89cnk=; b=XSewZ31fnkCI3qgKml6ArUNxtQAnPynNqQIAzhLIqW/49eL0KHPiczq/CJdE31mD7h 3bny1+pmPM9q3RcneqAvX/9jfn3VnVOD5Xiblf/C5hhizQ49dHctURg3ITeOnP6TUR7x K+UqaBHBQuT1c0ekWVB8wB8p3uzm6yhmYz+QkyUMttOmK5IgtrH642s2qGX8QRr3P9CV 
te/egMlimyU1RJ/PqKMJjfl/AzKMzlIEFnN3fYkxMJ5u2LWH9Zoj98q/RpS4TW7JA3hc GL+pqjPOCog/c5R+uZ718EnwJqqCXo7LCkmE2k98RDay++lB9eHdg7icB1BhhrD1an1I uhsw== X-Received: by 10.194.59.212 with SMTP id b20mr55555185wjr.31.1435846966343; Thu, 02 Jul 2015 07:22:46 -0700 (PDT) Received: from gumby.homeunix.com (4e5670d0.skybroadband.com. [78.86.112.208]) by mx.google.com with ESMTPSA id i6sm8419307wjf.29.2015.07.02.07.22.42 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 Jul 2015 07:22:44 -0700 (PDT) Date: Thu, 2 Jul 2015 15:22:37 +0100 From: RW To: freebsd-security@freebsd.org Subject: Re: Leap Second Message-ID: <20150702152237.42ba56cf@gumby.homeunix.com> In-Reply-To: <21908.39278.416719.875140@hergotha.csail.mit.edu> References: <1435154274.964221.306546033.052903CD@webmail.messagingengine.com> <86bnfwxa4m.fsf@nine.des.no> <1435758941.105242.312562265.3103CECB@webmail.messagingengine.com> <20150701202728.GA9532@server.rulingia.com> <21908.39278.416719.875140@hergotha.csail.mit.edu> X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jul 2015 14:22:48 -0000 On Wed, 1 Jul 2015 21:52:46 -0400 Garrett Wollman wrote: > < said: > > > ntpd(8) has provision for specifying a leapsecond file which > > presumably makes it leap-second aware. I haven't looked into the > > details. > > The current NTP protocol, as implemented by ntpd, distributes > leap-second information if provided. This information may be provided > by higher-stratum (upstream) NTP servers, or by using the "leapfile" > configuration statement in ntp.conf to specify a local copy of the > leapseconds file in NIST/USNO format. 
No such file is provided by > default. We could easily do so, but shouldn't, because that file > would take precedence over the leap indicator learned from > higher-stratum servers, and that's not desirable for clients. I thought this sounded unlikely because the files have an explicit expiry date, so I looked it up. Apparently before 4.2.8 ntpd doesn't ignore expired leap-second files, so they continue to take precedence over fresh information from other servers.
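A worked check for the two operational points raised above by Garrett Wollman and RW (a local "leapfile" in NIST/USNO format takes precedence over what upstream servers advertise, and an ntpd older than 4.2.8 keeps honouring it past its "#@" expiry date), together with the arithmetic behind the 26-second difference Leif Pedersen asks about. This is an added example, not code from any poster, from ntpd or from FreeBSD. It parses the leap-seconds.list layout (comment lines start with "#", "#$" is the last-update time, "#@" the expiry, "#h" a SHA-1 check line this example does not verify; data lines are "<NTP seconds> <TAI-UTC>"), reports whether the file is safe to deploy at a given time, and converts a POSIX timestamp into the TAI-UTC offset in effect and the number of leap seconds inserted since 1972. The file excerpt is constructed and abridged, the "now" timestamps are constructed, and all function names are the example's own.

```python
"""Validate a leap-seconds.list file before handing it to ntpd's leapfile
statement, and work out the TAI/POSIX difference at a given instant.

Added example; the file text below is a constructed, abridged excerpt in the
NIST/USNO layout, not the real distributed file.
"""
import sys
import time
from datetime import datetime, timezone

NTP_TO_POSIX = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (POSIX epoch)
TAI_UTC_1972 = 10           # TAI-UTC when leap seconds started; later entries grow from here

SAMPLE_LEAP_FILE = """\
#   Constructed, abridged excerpt in leap-seconds.list layout (example data).
#$  3645216000
#@  3660249600
2272060800  10  # 1 Jan 1972
2287785600  11  # 1 Jul 1972
3345062400  33  # 1 Jan 2006
3439756800  34  # 1 Jan 2009
3550089600  35  # 1 Jul 2012
3644697600  36  # 1 Jul 2015
"""


def parse_leap_file(text):
    """Return (expiry_ntp_seconds, [(ntp_seconds, tai_minus_utc), ...]) sorted by time."""
    expiry = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#@"):
            expiry = int(line[2:].split()[0])
        elif line.startswith("#"):
            continue                       # '#$' update time, '#h' hash line, free-text comments
        else:
            fields = line.split()          # "<ntp seconds> <TAI-UTC> [# comment]"
            entries.append((int(fields[0]), int(fields[1])))
    if expiry is None or not entries:
        raise ValueError("not a leap-seconds.list file: missing '#@' expiry or data lines")
    entries.sort()
    return expiry, entries


def ntp_to_iso(ntp_seconds):
    """Render an NTP-epoch timestamp as an ISO 8601 UTC string."""
    posix = ntp_seconds - NTP_TO_POSIX
    return datetime.fromtimestamp(posix, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_expired(expiry_ntp, now_posix):
    """True once the file's '#@' expiry has passed at POSIX time now_posix."""
    return now_posix + NTP_TO_POSIX >= expiry_ntp


def tai_minus_utc(entries, t_posix):
    """TAI-UTC in effect at POSIX time t_posix; None before the first entry (pre-1972)."""
    t_ntp = t_posix + NTP_TO_POSIX
    offset = None
    for when, delta in entries:            # entries are sorted, so keep the last one <= t
        if when <= t_ntp:
            offset = delta
        else:
            break
    return offset


def leap_seconds_since_1972(entries, t_posix):
    """Leap seconds actually inserted between 1972 and t_posix (TAI-UTC minus the 1972 base)."""
    offset = tai_minus_utc(entries, t_posix)
    if offset is None:
        raise ValueError("timestamp predates the first leap-second entry")
    return offset - TAI_UTC_1972


def posix_to_leap_counting(entries, t_posix):
    """A time_t that counts leap seconds, i.e. POSIX seconds plus the leap seconds
    inserted since 1972; this is the difference `date +%s` hides."""
    return t_posix + leap_seconds_since_1972(entries, t_posix)


def leap_file_status(text, now_posix):
    """Deployment check: refuse an expired file, since an old ntpd would keep
    trusting it over the leap indicator its upstream servers advertise."""
    expiry, entries = parse_leap_file(text)
    return {
        "expires": ntp_to_iso(expiry),
        "expired": is_expired(expiry, now_posix),
        "tai_minus_utc": tai_minus_utc(entries, now_posix),
        "leap_seconds_since_1972": leap_seconds_since_1972(entries, now_posix),
    }


if __name__ == "__main__":
    # Usage: leapcheck.py [/path/to/leap-seconds.list]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEAP_FILE
    status = leap_file_status(text, int(time.time()))
    for key, value in status.items():
        print(f"{key}: {value}")
    sys.exit(1 if status["expired"] else 0)   # non-zero exit blocks a config-management push
```

Run against the constructed sample today, the script exits non-zero because the sample's expiry (28 December 2015) has long passed; that is the behaviour a configuration-management job should key on before installing the file, since, as RW notes, ntpd before 4.2.8 does not discard an expired leapfile on its own. The conversion functions are what give the 26-second figure: at 2015-07-01 00:00:00 UTC the table says TAI-UTC is 36, and 36 minus the 10-second 1972 base is the 26 leap seconds a POSIX `date +%s` silently omits.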