Get rid of ntpdate, patch ntpd, says security researcher
12 Nov 2015 at 07:56, Richard Chirgwin
Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced.
Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it's too easy for a sysadmin to put together an attackable implementation.
As he explains in two posts here (the background) and here (proof of concept), if an attacker can trick NTP, they can mount a brute-force attack against the security tokens produced by Google Authenticator (the example in the POC) and a bunch of other Time-based One-time Password (TOTP) 2FA mechanisms.
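As an added defensive illustration (not code from Szathmari's posts or from The Register), here is a small server-side TOTP verifier in Python that limits what a tricked clock can buy an attacker: a time step that has already validated is never accepted again (so a rewound or frozen clock cannot re-open an old window), and a fixed budget of wrong guesses locks the account, so a stalled clock does not give unlimited tries at one six-digit code. The secret is the RFC 6238 test key, used here only as sample input.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(unix_time) // STEP, digits)


class Verifier:
    """Server-side check that does not assume the clock only moves forward.

    A code is accepted only for the current step plus/minus `skew_steps`, a step
    that already produced a successful login is never reused (replay and clock
    rewind protection), and MAX_FAILURES wrong guesses lock the account.
    """
    MAX_FAILURES = 5  # constructed policy value for this example

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_step = -1  # highest time step that ever validated
        self.failures = 0
        self.locked = False

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        step = int(now) // STEP
        for cand in range(step - self.skew, step + self.skew + 1):
            if cand <= self.last_step:
                continue  # already consumed, or the clock went backwards: never reopen it
            if hmac.compare_digest(hotp(self.secret, cand), code):
                self.last_step = cand
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True  # a frozen clock no longer yields unlimited guesses
        return False
```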