[ntp:questions] Re: Crypto iffpar

Serge Bets serge.bets at NOSPAM.laposte.invalid
Tue Dec 6 13:35:21 UTC 2005


On Monday, December 5, 2005 at 14:25:37 +0000, Steve Kostecke wrote:

> The correct sym-link for client members of an NTP Trust Group is
> ln -s ntpkey_IFFkey_server.XXXXXXXXXX ntpkey_iff_server

Without an ntpkey_iff_Client on Client to activate IFF scheme
negotiation, I get successful TC authentication.


> This has worked on every NTP Trust Group client member that I've ever
> set up.

What is the best way to know for sure which scheme is in use? Could you
please check:

| $ ntpq -p Client
|      remote           refid      st t when poll reach   delay   offset  jitter
| ==============================================================================
| *Server          .DCF.            1 u  990 1024  377    2.291    1.078   0.056
|
| $ ntpq -c rv Client
| assID=0 status=4654 leap_add_sec, sync_ntp, 5 events, event_peer/strat_chg,
| version="ntpd 4.2.0b at 20051016-1.1417-o Oct 19 14:18:48 (UTC+02:00) 2005  (3)",
| processor="unknown", system="WINDOWS/NT", leap=01, stratum=2,
| precision=-17, rootdelay=2.291, rootdispersion=47.807, peer=25165,
| refid=192.168.7.10,
| reftime=c73ff06c.dba53b7d  Tue, Dec  6 2005 12:11:40.857, poll=10,
| clock=c73ff84b.98778541  Tue, Dec  6 2005 12:45:15.595, state=4,
| offset=1.078, frequency=-20.771, jitter=0.083, noise=0.350,
| stability=0.013, hostname="Client", signature="md5WithRSAEncryption",
| flags=0x80003, update=200511060130, leapsec=200506280000, tai=32,
| cert="Client Server 0x6", expire=200611060128, cert="Server Server 0x7",
| expire=200610111252, cert="Client Client 0x6", expire=200611052220
|
| $ ntpq -c as Client
| ind assID status  conf reach auth condition  last_event cnt
| ===========================================================
|   1 25165  f624   yes   yes   ok   sys.peer   reachable  2
|
| $ ntpq -c "rv 25165" Client
| assID=25165 status=f624 reach, conf, auth, sel_sys.peer, 2 events, event_reach,
| srcadr=Server, srcport=123, dstadr=192.168.7.12, dstport=123, leap=01,
| stratum=1, precision=-18, rootdelay=0.000, rootdispersion=1.617,
| refid=DCF, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10,
| flash=00 ok, keyid=561218861, ttl=0, offset=1.078, delay=2.291,
| dispersion=18.661, jitter=0.056,
| reftime=c73ff45f.a0d20969  Tue, Dec  6 2005 12:28:31.628,
| org=c73ff46d.4f4e0543  Tue, Dec  6 2005 12:28:45.309,
| rec=c73ff46d.4f5659c3  Tue, Dec  6 2005 12:28:45.309,
| xmt=c73ff46d.4ea5dbe4  Tue, Dec  6 2005 12:28:45.307,
| filtdelay=     2.30    2.29    2.30    1.59    1.58    1.58    2.29    2.25,
| filtoffset=    1.02    1.08    1.00    0.68    0.75    0.75    1.09    1.02,
| filtdisp=      0.01   15.36   30.70   46.09   61.45   76.83   92.22  107.56,
| hostname="Server", signature="md5WithRSAEncryption", flags=0x87f03,
| trust="Server"
|
| $ cat //Client/ntpstats/cryptostats.20051205
| 53709 80480.680 192.168.7.10 newpeer 25165
| 53709 80482.495 ntpkey_RSAkey_Client.3342810008 mod 512
| 53709 80482.504 ntpkey_RSA-MD5cert_Client.3342810008 0x0 len 309
| 53709 80482.539 update ts 3342810082
| 53709 80482.540 refresh ts 3342810082
| 53709 80484.398 192.168.7.10 flags 0x80003 host Server signature md5WithRSAEncryption
| 53709 80486.418 update ts 3342810086
| 53709 80486.420 192.168.7.10 cert Server 0x7 md5WithRSAEncryption (8) fs 3340702253
| 53709 80488.410 192.168.7.10 cook 37fe7690 ts 3342810088 fs 3342755357
| 53709 80490.573 update ts 3342810090
| 53709 80490.573 192.168.7.10 sign Server 0x6 md5WithRSAEncryption (8) fs 3342810008
| 53709 80492.444 update ts 3342810092
| 53709 80492.445 192.168.7.10 leap 96 ts 3342755357 fs 3331497600
| 53709 80529.449 update ts 3342810129
|
| $ ls -l //Client/c\$/Program\ Files/NTP/etc/ntp.keysdir/
| total 3
| -rw-r--r--    1 Administ None          538 Dec  5 23:20 ntpkey_cert_Client
| -rw-r--r--    1 Administ None          616 Dec  5 23:20 ntpkey_host_Client
| -rw-r--r--    1 Administ None          507 Dec  5 23:15 ntpkey_iff_Server

To me, this clearly looks like TC scheme.


Serge.
-- 
Serge point Bets arobase laposte point net
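As an added illustration (not code from the thread), a small parser over the cryptostats lines quoted above: it lists the Autokey exchanges logged for each peer and reports TC when no identity exchange appears. The keywords cert, cook, sign and leap come from the post itself; the identity-exchange keywords iff, gq and mv are an assumption about ntpd's log wording.

```python
import re
from collections import defaultdict

# Constructed sample: the cryptostats records quoted in the post above
# (MJD, seconds of day, then either a peer address plus message, or a
# host-side message such as a key/cert load or an 'update ts' record).
CRYPTOSTATS = """\
53709 80480.680 192.168.7.10 newpeer 25165
53709 80482.495 ntpkey_RSAkey_Client.3342810008 mod 512
53709 80482.504 ntpkey_RSA-MD5cert_Client.3342810008 0x0 len 309
53709 80482.539 update ts 3342810082
53709 80484.398 192.168.7.10 flags 0x80003 host Server signature md5WithRSAEncryption
53709 80486.420 192.168.7.10 cert Server 0x7 md5WithRSAEncryption (8) fs 3340702253
53709 80488.410 192.168.7.10 cook 37fe7690 ts 3342810088 fs 3342755357
53709 80490.573 192.168.7.10 sign Server 0x6 md5WithRSAEncryption (8) fs 3342810008
53709 80492.445 192.168.7.10 leap 96 ts 3342755357 fs 3331497600
"""

# Assumed names of the identity-exchange records (not present in the post).
IDENTITY_EXCHANGES = {"iff", "gq", "mv"}

# MJD, seconds, dotted-quad peer address, then the exchange keyword.
PEER_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\w+)\b")

def parse_cryptostats(text):
    """Return {peer_addr: [exchange, ...]} in the order the exchanges were logged."""
    exchanges = defaultdict(list)
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue  # host-side records carry no peer address; skip them
        exchanges[m.group(3)].append(m.group(4))
    return dict(exchanges)

def identity_scheme(exchange_list):
    """'TC' when only trusted-certificate exchanges were seen, otherwise the
    identity scheme name(s) observed, e.g. 'IFF'."""
    seen = IDENTITY_EXCHANGES.intersection(exchange_list)
    if not seen:
        return "TC"
    return ",".join(sorted(s.upper() for s in seen))

def report(text):
    """Map each peer in the log to the scheme its exchanges indicate."""
    return {peer: identity_scheme(ex) for peer, ex in parse_cryptostats(text).items()}
```

For the log in the post, the only peer shows cert, cook, sign and leap and nothing else, which the report classifies as TC.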