From cd65e32cf065f9f68dc730fbfb73f87a552348fb Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 14:13:13 +0200 Subject: [PATCH] doc: warn about MD5 keys not protecting extension fields Add a warning to the chrony.conf man page that MD5 keys cannot protect NTP extension fields due to the length extension attack. --- doc/chrony.conf.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc index 4b7e28d..7ccdd20 100644 --- a/doc/chrony.conf.adoc +++ b/doc/chrony.conf.adoc @@ -2821,7 +2821,11 @@ source is specified in the configuration file with a key shorter than 80 bits. + The recommended key types are AES ciphers and SHA3 hash functions. MD5 should be avoided unless no other type is supported on the server and client, or -peers. +peers. A major weakness of MD5 for the NTP MAC is a length extension attack, +where a man-in-the-middle attacker can add arbitrary extension fields to the +NTP message and update the MAC to pass the verification of the extended +message. The *extfield* option (enabling processing of the specified extension +field) should not be used for NTP sources authenticated with an MD5 key. + The <> command of *chronyc* can be used to generate random keys for the key file. By default, it generates 160-bit MD5 or