[ntp:questions] Re: Crypto iffpar

David L. Mills mills at udel.edu
Sun Dec 11 16:17:05 UTC 2005


Steve,

Certificates expire after one year. Is this a factor?

Dave

Steve Kostecke wrote:

> On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
> 
>> On Friday, December 9, 2005 at 14:32:38 +0000, Steve Kostecke wrote:
>>
>>
>>>On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
>>>
>>>>You *do* have a ntpkey_iff_stasis
>>>
>>>No, I don't.
>>
>>You have one.
> 
> 
> No. I really don't.
> 
> Let's review, shall we?
> 
> Test client: stasis
> Test server: ntp0
> 
> In the client ntp.conf we have:
> 
> crypto pw <password>
> keysdir /etc/ntp
> server ntp0.kostecke.net iburst autokey
> 
> In the client keysdir we have:
> 
> ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
> ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
> ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910
> 
> Note that there is NO ntpkey_iff_client.
> 
> After restarting stasis we see:
> 
> stasis:~$ ntpq -pcas
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ntp0.kostecke.n .GPS.            1 u   52   64   17    0.800   -0.113   0.082
> 
> ind assID status  conf reach auth condition  last_event cnt
> ===========================================================
>   1 16052  f614   yes   yes   ok   sys.peer   reachable  1
> 
> and the association flags are correct:
> 
> stasis:~$ ntpq -c"rv 16052 flags,hostname"
> assID=16052 status=f614 reach, conf, auth, sel_sys.peer, 1 event, event_reach,
> flags=0x83f21, hostname="ntp0.kostecke.net"
> 
> and we see in the log:
> 
> 53714 4726.021 192.168.19.4 newpeer 16052
> 53714 4726.053 ntpkey_RSAkey_stasis.3342803910 mod 512
> 53714 4726.055 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
> 53714 4726.931 refresh ts 0
> 53714 4726.934 192.168.19.4 flags 0x80021 host ntp0.kostecke.net \
> 	signature md5WithRSAEncryption
> 53714 4728.935 192.168.19.4 cert ntp0.kostecke.net 0x3 \
> 	md5WithRSAEncryption (8) fs 3315100165
> 53714 4730.935 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
> 53714 4730.978 192.168.19.4 iff fs 3315100165
> 53714 4732.961 192.168.19.4 cook 86e55a98 ts 3343166332 fs 3343140882
> 53714 4733.944 update ts 3343166333
> 53714 4734.999 update ts 3343166334
> 53714 4734.999 192.168.19.4 sign ntp0.kostecke.net 0x3 \
> 	md5WithRSAEncryption (8) fs 3342803910
> 
> 
>>[ntpkey_iff_stasis] loading at startup is visible in the cryptostats
>>you posted in previous mail. iffpar?
> 
> 
> Where's the ntpkey_iff_client shown above? I don't see it.
> 
> You may be confused by the fact that one of my sets of results was
> generated while stasis was configured to serve authenticated time to a
> third host.
> 
> 
>>>you can't create an ntpkey_*_client symlink to each of your
>>>ntpkey_*_server.xxxxxxxx files.
>>
>>Fortunately you need only one client symlink at startup to trigger one
>>ident scheme, then used for as many servers as needed.
> 
> 
> Perhaps you do. I don't.
> 
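
As an added example (not code from the thread or from the NTP project), the Python below parses cryptostats lines in the shape Steve quoted, re-joining the backslash-wrapped lines, and reports which Autokey stages ran with the server, which identity scheme appeared, and whether the `iff fs` stamp matches a loaded `ntpkey_IFFkey_*` file stamp; that is the check behind reading the log as "the IFF exchange happened". The sample log is constructed from the quoted excerpt; the field layout assumed is `MJD seconds [peer] event args...`.

```python
import re
# Constructed sample in the shape of the cryptostats excerpt quoted above.
SAMPLE_CRYPTOSTATS = """\
53714 4726.021 192.168.19.4 newpeer 16052
53714 4726.934 192.168.19.4 flags 0x80021 host ntp0.kostecke.net \\
\tsignature md5WithRSAEncryption
53714 4728.935 192.168.19.4 cert ntp0.kostecke.net 0x3 \\
\tmd5WithRSAEncryption (8) fs 3315100165
53714 4730.935 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53714 4730.978 192.168.19.4 iff fs 3315100165
53714 4732.961 192.168.19.4 cook 86e55a98 ts 3343166332 fs 3343140882
53714 4734.999 192.168.19.4 sign ntp0.kostecke.net 0x3 \\
\tmd5WithRSAEncryption (8) fs 3342803910
"""
# Per-peer stages as named in cryptostats; iff/gq/mv are the identity schemes.
STAGES = ("flags", "cert", "iff", "gq", "mv", "cook", "sign")

def join_continuations(text):
    """Join lines wrapped with a trailing backslash (as in the post) into single records."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        out.append(re.sub(r"\s+", " ", pending + line).strip())
        pending = ""
    return [rec for rec in out if rec]

def parse_cryptostats(text):
    """Split each record into MJD, seconds, optional peer address, event and args."""
    records = []
    for line in join_continuations(text):
        f = line.split()
        peer = f[2] if re.fullmatch(r"\d+(\.\d+){3}", f[2]) else None
        rest = f[3:] if peer else f[2:]
        event = "load" if rest[0].startswith("ntpkey_") else rest[0]  # key file loads
        records.append({"mjd": int(f[0]), "secs": float(f[1]), "peer": peer,
                        "event": event, "args": rest if event == "load" else rest[1:]})
    return records

def summarize(text, peer):
    """Stages seen with `peer`, identity scheme used, and whether 'iff fs' matches a loaded IFFkey file."""
    recs = parse_cryptostats(text)
    stages = [r["event"] for r in recs if r["peer"] == peer and r["event"] in STAGES]
    identity = next((s for s in stages if s in ("iff", "gq", "mv")), None)
    iff_fs = next((int(r["args"][-1]) for r in recs if r["peer"] == peer and r["event"] == "iff"), None)
    loaded = [r["args"][0] for r in recs if r["event"] == "load" and "IFFkey" in r["args"][0]]
    return {"stages": stages, "identity": identity, "iff_filestamp": iff_fs, "loaded_iff_keys": loaded,
            "filestamp_matches": iff_fs in {int(n.rsplit(".", 1)[1]) for n in loaded}}
```

A log with no `iff`, `gq` or `mv` line for the peer yields `identity` of None and `filestamp_matches` False, which is what a plain TC exchange (no identity scheme) looks like.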
