[ntp:questions] Re: Crypto iffpar
Serge Bets
serge.bets at NOSPAM.laposte.invalid
Tue Dec 6 13:35:21 UTC 2005
On Monday, December 5, 2005 at 14:25:37 +0000, Steve Kostecke wrote:
> The correct sym-link for client members of an NTP Trust Group is
> ln -s ntpkey_IFFkey_server.XXXXXXXXXX ntpkey_iff_server
Without an ntpkey_iff_Client on Client to activate IFF scheme
negotiation, I get successful TC authentication.
> This has worked on every NTP Trust Group client member that I've ever
> set up.
What is the best way to know for sure which scheme is in use? Could you
please check:
| $ ntpq -p Client
| remote refid st t when poll reach delay offset jitter
| ==============================================================================
| *Server .DCF. 1 u 990 1024 377 2.291 1.078 0.056
|
| $ ntpq -c rv Client
| assID=0 status=4654 leap_add_sec, sync_ntp, 5 events, event_peer/strat_chg,
| version="ntpd 4.2.0b at 20051016-1.1417-o Oct 19 14:18:48 (UTC+02:00) 2005 (3)",
| processor="unknown", system="WINDOWS/NT", leap=01, stratum=2,
| precision=-17, rootdelay=2.291, rootdispersion=47.807, peer=25165,
| refid=192.168.7.10,
| reftime=c73ff06c.dba53b7d Tue, Dec 6 2005 12:11:40.857, poll=10,
| clock=c73ff84b.98778541 Tue, Dec 6 2005 12:45:15.595, state=4,
| offset=1.078, frequency=-20.771, jitter=0.083, noise=0.350,
| stability=0.013, hostname="Client", signature="md5WithRSAEncryption",
| flags=0x80003, update=200511060130, leapsec=200506280000, tai=32,
| cert="Client Server 0x6", expire=200611060128, cert="Server Server 0x7",
| expire=200610111252, cert="Client Client 0x6", expire=200611052220
|
| $ ntpq -c as Client
| ind assID status conf reach auth condition last_event cnt
| ===========================================================
| 1 25165 f624 yes yes ok sys.peer reachable 2
|
| $ ntpq -c "rv 25165" Client
| assID=25165 status=f624 reach, conf, auth, sel_sys.peer, 2 events, event_reach,
| srcadr=Server, srcport=123, dstadr=192.168.7.12, dstport=123, leap=01,
| stratum=1, precision=-18, rootdelay=0.000, rootdispersion=1.617,
| refid=DCF, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10,
| flash=00 ok, keyid=561218861, ttl=0, offset=1.078, delay=2.291,
| dispersion=18.661, jitter=0.056,
| reftime=c73ff45f.a0d20969 Tue, Dec 6 2005 12:28:31.628,
| org=c73ff46d.4f4e0543 Tue, Dec 6 2005 12:28:45.309,
| rec=c73ff46d.4f5659c3 Tue, Dec 6 2005 12:28:45.309,
| xmt=c73ff46d.4ea5dbe4 Tue, Dec 6 2005 12:28:45.307,
| filtdelay= 2.30 2.29 2.30 1.59 1.58 1.58 2.29 2.25,
| filtoffset= 1.02 1.08 1.00 0.68 0.75 0.75 1.09 1.02,
| filtdisp= 0.01 15.36 30.70 46.09 61.45 76.83 92.22 107.56,
| hostname="Server", signature="md5WithRSAEncryption", flags=0x87f03,
| trust="Server"
|
| $ cat //Client/ntpstats/cryptostats.20051205
| 53709 80480.680 192.168.7.10 newpeer 25165
| 53709 80482.495 ntpkey_RSAkey_Client.3342810008 mod 512
| 53709 80482.504 ntpkey_RSA-MD5cert_Client.3342810008 0x0 len 309
| 53709 80482.539 update ts 3342810082
| 53709 80482.540 refresh ts 3342810082
| 53709 80484.398 192.168.7.10 flags 0x80003 host Server signature md5WithRSAEncryption
| 53709 80486.418 update ts 3342810086
| 53709 80486.420 192.168.7.10 cert Server 0x7 md5WithRSAEncryption (8) fs 3340702253
| 53709 80488.410 192.168.7.10 cook 37fe7690 ts 3342810088 fs 3342755357
| 53709 80490.573 update ts 3342810090
| 53709 80490.573 192.168.7.10 sign Server 0x6 md5WithRSAEncryption (8) fs 3342810008
| 53709 80492.444 update ts 3342810092
| 53709 80492.445 192.168.7.10 leap 96 ts 3342755357 fs 3331497600
| 53709 80529.449 update ts 3342810129
|
| $ ls -l //Client/c\$/Program\ Files/NTP/etc/ntp.keysdir/
| total 3
| -rw-r--r-- 1 Administ None 538 Dec 5 23:20 ntpkey_cert_Client
| -rw-r--r-- 1 Administ None 616 Dec 5 23:20 ntpkey_host_Client
| -rw-r--r-- 1 Administ None 507 Dec 5 23:15 ntpkey_iff_Server
To me, this clearly looks like the TC scheme.
Serge.
--
Serge point Bets arobase laposte point net
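
Added example, not part of the original message or of the NTP distribution: Python code that decodes the `flags=` status words shown in the `ntpq -c rv` output above and reports which Autokey identity scheme bits are set. The bit layout is an assumption taken from the CRYPTO_FLAG_* definitions in ntpd 4.2.x's ntp_crypto.h and should be checked against the header of the version in use; the function names and the third sample value are constructed for illustration.

```python
import re

# Assumed layout (ntpd 4.2.x include/ntp_crypto.h): the high 16 bits carry the
# OpenSSL NID of the signature scheme, the low 16 bits carry the flag bits.
IDENT = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
STATE = {
    0x0001: "enabled",            0x0002: "leap_table",
    0x0100: "pubkey_valid",       0x0200: "identity_verified",
    0x0400: "signature_verified", 0x0800: "cookie_verified",
    0x1000: "autokey_verified",   0x2000: "cert_signed",
    0x4000: "leap_verified",
}
FLAGS_RE = re.compile(r"\bflags=(0x[0-9a-fA-F]+)")


def decode_flags(word):
    """Split one Autokey status word into NID, identity scheme(s) and state bits."""
    low = word & 0xFFFF
    schemes = [name for bit, name in IDENT.items() if low & bit]
    return {
        "digest_nid": word >> 16,
        # No identity bit set means only the certificate trail is used (TC).
        "identity": schemes or ["TC"],
        "state": [name for bit, name in STATE.items() if low & bit],
    }


def schemes_in_rv(rv_text):
    """Decode every flags= variable found in `ntpq -c rv` output, in order."""
    return [decode_flags(int(value, 16)) for value in FLAGS_RE.findall(rv_text)]


# First two lines are copied from the ntpq output in the message above;
# the third is a constructed value with the IFF bit (0x20) set, for contrast.
SAMPLE = '''\
hostname="Client", signature="md5WithRSAEncryption", flags=0x80003,
hostname="Server", signature="md5WithRSAEncryption", flags=0x87f03,
hostname="Example", signature="md5WithRSAEncryption", flags=0x87f23,
'''

if __name__ == "__main__":
    for decoded in schemes_in_rv(SAMPLE):
        print(decoded["digest_nid"], decoded["identity"], decoded["state"])
```

On the association's word, the identity bits come from what the server advertised, so they are best read together with the `identity_verified` bit and the cryptostats entries.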