Date: Mon, 27 Mar 2017 17:09:25 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 217691] net/chrony: add nss option + other cleanups
Message-ID: <bug-217691-13-Yxkiv42ZjI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-217691-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-217691-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217691

--- Comment #3 from John Hein <z7dr6ut7gs@snkmail.com> ---

Regarding MD5, I haven't looked into its usage in chrony to see how safe or unsafe it is to use. In some cases like the MD5 flavor of HMAC, MD5 is coupled with an additional private key which makes the MD5 weaknesses much less important. Similarly MD5 + salt (as in /etc/passwd) with lots of iterations isn't as weak as a single md5 pass. But I haven't looked at chrony to see exactly how it uses md5. But, yes, even with other crypto sprinkled in, md5 is weaker, partially because it's less collision resistant and partially because it's a fast algorithm (which makes it somewhat easier to use brute force techniques), although a key generated with good entropy will mitigate that.

Anyway, I don't have a problem leaving a user with only MD5. If that's what fits their use case, that's fine.

I'd feel better leaving NSS on by default, but I haven't done enough analysis to feel strongly. If someone digs into the chrony code a bit to see how it uses md5, that would help inform the decision better. Either way, the user should understand the implications of the different options.

As port maintainer, you can just make the call. Lots of people use unauthenticated ntp, so the crypto users will likely be in the minority and are more likely to be the ones who will investigate their options. Having it be an option is the most important first step. Tweaking the default setting can be done later.

-- 
You are receiving this mail because:
You are the assignee for the bug.
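The comment's point that HMAC-MD5 "couples" MD5 with a shared key is easy to see in code. The following is an added example, not part of the bug report and not chrony's own code: it contrasts a receiver that checks a plain MD5 digest with one that checks an HMAC-MD5 tag, and shows that an on-path party who rewrites the packet can satisfy the first but not the second. The key and the packet bytes are constructed placeholders, and `on_path_modification_detected` is a hypothetical helper for the simulation.

```python
import hashlib
import hmac

# Constructed values for this example. The key is a placeholder, not a
# real chrony key, and the "packet" is only a stand-in for an NTP message.
SHARED_KEY = b"placeholder-shared-key-for-example"
PACKET = b"ntp-packet: origin=1490634565 transmit=1490634566"


def unkeyed_tag(message: bytes) -> bytes:
    """Plain MD5 over the message. No secret is involved, so anyone who can
    change the message can also recompute a matching digest."""
    return hashlib.md5(message).digest()


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5: the tag depends on the shared secret as well as the message."""
    return hmac.new(key, message, hashlib.md5).digest()


def receiver_accepts_unkeyed(message: bytes, tag: bytes) -> bool:
    """A receiver that only checks an unkeyed digest."""
    return hmac.compare_digest(unkeyed_tag(message), tag)


def receiver_accepts_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    """A receiver that checks an HMAC with the shared key.
    compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def on_path_modification_detected(keyed: bool) -> bool:
    """Simulate an on-path party that rewrites the packet and then tries to
    make the receiver accept it. Returns True if the receiver rejects it."""
    modified = PACKET.replace(b"transmit=1490634566", b"transmit=1490999999")
    if not keyed:
        # Without a key, the modifier simply recomputes MD5 over the new bytes
        # and the receiver has no way to tell the difference.
        forged_tag = unkeyed_tag(modified)
        return not receiver_accepts_unkeyed(modified, forged_tag)
    # With HMAC the modifier does not hold SHARED_KEY. Without it, the only
    # tags it can present are the genuine tag for the original packet or an
    # unkeyed digest of the modified one; neither verifies.
    genuine_tag = keyed_tag(SHARED_KEY, PACKET)
    attempts = [genuine_tag, unkeyed_tag(modified)]
    return not any(receiver_accepts_keyed(SHARED_KEY, modified, t) for t in attempts)


if __name__ == "__main__":
    print("unkeyed MD5 detects modification:", on_path_modification_detected(keyed=False))
    print("HMAC-MD5 detects modification:  ", on_path_modification_detected(keyed=True))
```

The example only illustrates the integrity property the comment describes; it says nothing about MD5's collision resistance, and a guessable key would still let the unkeyed outcome be reproduced by exhaustive search, which is the "good entropy" caveat the comment raises.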