[ntp:questions] Re: Authentication using MV identity scheme

David L. Mills mills at udel.edu
Wed Jun 15 01:49:57 UTC 2005


Abhijith,

Have you previously used the IFF and/or GQ schemes successfully? This 
would be helpful to understand how they work and to gain confidence. The 
MV scheme is rather exotic and fragile if you don't get the right server 
key to the server and (one of) the client keys to the client. In any 
case, you should see tracks in the cryptostats logging and trace, 
assuming you have turned it on.

The MV scheme remains incomplete. Its strength is the ability to revoke 
a client key without changing other client keys, but there is yet no 
program to actually edit the server key to revoke a client key.

Dave

abhijit madhav wrote:
> Hi everybody,
> 
> Following is the scenario being tried out by myself to
> establish an autokey(MV scheme) authenticated 
> client-server association.
> 
> In the server machine
> 1. ntp.conf in the server_machine
>     crypto pw password
>     keysdir ./
>     server  127.127.1.0
>     fudge   127.127.1.0 stratum 10
>     server <primary_server> iburst prefer
> 
> 2. I generate the required parameter files, keyfiles
> and certificates using
>      /usr/sbin/ntp-keygen -V 3 -p password
> 
> 3. Transfer one of the generated MVkey file
> ntpkey_MVkey1_server.3327641677 to the client.
> 
> 4. Run
>     /usr/sbin/ntpd -c ntp.conf -l log
>     and wait until the server gets synchronised to the
> primary server and the server's stratum gets reduced
> to 2
> 
> In the client machine
> 5. ntp.conf in the client
>     crypto pw password
>     keysdir ./
>     server <server_machine> autokey iburst
> 
> 6. Generate the required keyfiles using
>     /usr/sbin/ntp-keygen -H -p password
>     (The MVkey file of step 3 is earlier transferred
> to this machine)
> 
> 7. Create a soft link to the parameter file
>     ln -s ntpkey_MVkey1_server.3327641677 ntpkey_mv_servername
> 
> 8.  Run
>     /usr/sbin/ntpd -c ntp.conf -l log
> 
> On querying the status of the client ntpd the
> reachability register remains 0, and the client does
> not get synchronised to the server.
> 
> Also the flash code displays 
> flash 400 not_proventic
> 
> 
> 
> My doubts are
> What is wrong with my configuration?
> 
> 
> Thanks in advance,
> Abhijith Madhav
> 


