ntpdate vs. xntpd

Peng Lu
Occasional Advisor

ntpdate vs. xntpd

Hi there,

I've read in some security audit report (can't recall the exact location) that there's a security vulnerability in xntpd (buffer overflow). As such, it is recommended to use ntpdate instead of xntpd if you only want to be a client. I'm not too sure how true it is. Does anyone know more details?

Cheers,
Peng
Sridhar Bhaskarla
Honored Contributor

Re: ntpdate vs. xntpd

Hi Peng,

You can use both xntpd as a daemon and ntpdate as a cron job to synchronize the local clock. However, you will need to note the following:

//
It is also possible to run ntpdate from a cron script. However, it is important to note that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since ntpdate does not discipline the host clock frequency as does xntpd, the accuracy using ntpdate is limited.
//

The above is from the man page. Look at the man page of ntpdate and xntpd for more information.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Andrew Cowan
Honored Contributor

Re: ntpdate vs. xntpd

Hi Peng,

I think that the thinking here is that since xntpd is a continuously running service, it's more vulnerable than a one-off ntpdate request that could run at any time. I haven't heard of any particular buffer overflow problem, and if one exists, I imagine HP will simply issue a patch.
Normally when ntp is attacked it simply generates a clock-insane error and stops syncing, or it can try to check one time source against several others and then decide which ones are likely to be right. Remember, if all fails, your system's internal clock should keep reasonably good time until ntp is fixed.

I think the question you should be asking is how accurate/in-sync do I need my clocks to be? If the answer is they need to be very close due to something like Kerberos, then use xntpd; if they could drift a little without causing a problem, use ntpdate. Also, if you use ntpdate then there's a little less network traffic.
Robert-Jan Goossens
Honored Contributor

Re: ntpdate vs. xntpd

Hi Peng,

Are you referring to this denial of service?

http://secunia.com/advisories/7701/?show_all_related=1

It has been solved with a patch.

HP-UX 11.00: PHNE_27223
HP-UX 11.11: PHNE_24512

Hope this helps,
Robert-Jan
Peng Lu
Occasional Advisor

Re: ntpdate vs. xntpd

Hi,

Thanks to all who replied to my post.

I managed to find out the location of the document that mentioned the xntpd buffer-overflow vulnerability. It is at "http://www.nortelnetworks.com/solutions/securenet/collateral/hp-ux_hardening_guide_v1.pdf". It's a system hardening guideline document produced by someone in Nortel. It appears to be about HP-UX 11, although it doesn't give details about the vulnerability. (I'm working on 11.11.)

I think I'll stick with xntpd, as all my servers (they will use a dedicated NTP server over the internal network) are behind a firewall that blocks access to port 123 from any external sources.

Thanks again.
Peng
Trevor Dyson
Trusted Contributor

Re: ntpdate vs. xntpd

xntpd is intended to skew the clock gradually over a period of time to minimise the impact of time changes on applications (especially databases).

ntpdate changes the clock in one action and is really intended to be used to sync the time at boot time.
I've got a little black book with me poems in
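A toy simulation of the two correction styles discussed in the thread (the man page excerpt on ntpdate not disciplining clock frequency, and Trevor's point about stepping versus gradual skew). This is an added illustration, not code from the thread or from HP-UX; the clock model, the 50 ppm drift, the hourly cron interval and the 64 s poll interval are constructed assumptions.

```python
# Constructed model: a local clock that runs fast by a fixed number of ppm,
# corrected either by one-shot steps (ntpdate from cron) or by a daemon that
# slews the offset out and learns the frequency error (xntpd-style).

def run_step(drift_ppm=50.0, interval_s=3600, duration_s=86400):
    """ntpdate-from-cron model: the clock free-runs with a fixed frequency
    error and is set outright once per cron interval.
    Returns (max_abs_offset_s, backwards_jumps)."""
    local, max_off, backwards = 0.0, 0.0, 0
    for t in range(1, duration_s + 1):          # t is the true time in seconds
        local += 1.0 + drift_ppm / 1e6           # a fast clock gains each second
        max_off = max(max_off, abs(local - t))
        if t % interval_s == 0:                  # cron fires: one-shot step
            if local > t:
                backwards += 1                   # clock is set back in time
            local = float(t)
    return max_off, backwards

def run_slew(drift_ppm=50.0, poll_s=64, duration_s=86400, max_slew_ppm=500.0):
    """Daemon model (xntpd-style): at every poll measure the offset, slew it
    out over the next poll interval and fold part of the measured rate into a
    persistent frequency correction. The clock is never stepped.
    Returns (max_abs_offset_s, backwards_jumps, learned_freq_ppm)."""
    local, max_off, backwards = 0.0, 0.0, 0
    freq_corr, slew = 0.0, 0.0                   # both in ppm
    for t in range(1, duration_s + 1):
        rate = 1.0 + (drift_ppm - freq_corr - slew) / 1e6
        prev = local
        local += rate
        if local < prev:
            backwards += 1                       # impossible while rate > 0
        max_off = max(max_off, abs(local - t))
        if t % poll_s == 0:
            offset = local - t
            # rate (ppm) that removes the offset over the next poll, capped
            slew = max(-max_slew_ppm, min(max_slew_ppm, offset / poll_s * 1e6))
            freq_corr += 0.25 * slew             # learn the hardware drift

    return max_off, backwards, freq_corr

if __name__ == "__main__":
    print("cron ntpdate:", run_step())           # ~0.18 s worst case, 24 backwards steps/day
    print("daemon:      ", run_slew())           # ~0.003 s worst case, no steps, ~50 ppm learned
```

The stepped run shows the two costs the replies mention: offset grows to roughly drift times cron interval between corrections, and each correction moves a fast clock backwards, which is what upsets databases; the daemon run stays monotonic and converges on the hardware drift.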