[ntp:questions] NTP MD5

Eric Liu EricLiu at moxrd.com
Tue Sep 13 05:48:32 UTC 2005


Hello, everyone,

The error was caused by my carelessness. There is nothing wrong with the NTP software package.
It was because I had used different keys on the server and client. As you all know, the ending character under Linux/FreeBSD/Unix is 0x0a, and 0x0d 0x0a under Windows. I had edited the client ntp.keys under Windows, then sent the file to the client machine by ftp, and the server ntp.keys under Linux. Ntpd always thinks the ending character is 0x0a, so the two keys are different.

Anyway, I must thank people here.

Thanks and Regards
Eric

> -----Original Message-----
> From: Danny Mayer [mailto:mayer at gis.net]
> Sent: Tuesday, September 13, 2005 11:00 AM
> To: Eric Liu
> Cc: questions at lists.ntp.isc.org
> Subject: Re: [ntp:questions] NTP MD5
> 
> 
> Eric Liu wrote:
> > Hi all:
> > 
> > Let's look into the source code of NTP package.
> > It is about file ntp-4.2.0/libntp/a_md5encrypt.c.
> > The function "MD5authdecrypt" works out different result under subtle conditions.
> > 
> > I am testing authentication with ntp-4.2.0.
> 
> Which specific version? Was it built with or without OpenSSL? If it's 
> without SSL you won't be able to authenticate.

  ./configure --without-crypto
  However, I am able to authenticate.

> 
> > All configuration files, such as ntp.conf, ntp.key, are all ok.
> 
> On what basis did you make this statement though I don't think that this 
> has anything to do with the question.

  I just mean the problem should have nothing to do with configuration files.
  Ironically, the problem was finally proved to be caused by a wrong ntp.keys.

> 
> > But the server always thinks the packet from client is not
> > authenticated because function "MD5authdecrypt"
> > always returns 0. One proof is the debug output from ntpd
> > "receive: at 26 192.168.0.120<-192.168.0.47 mode 3 code 2 keyid 0000000a len 48 mac 20 auth 0".
> > Attention, here "auth 0" means unauthenticated.
> > 
> It depends on what's being authenticated. The above doesn't just use 
> MD5, it uses a bunch of code in ntp_crypto.c. MD5 is certainly not an 
> authentication mechanism. MD stands for message digest.
> 

  I do use MD5. I added some debug code in MD5authdecrypt() function, and ntpd had output something on screen.

> > After 3 days hard work, I still get the same result.
> > I am testing under Redhat Linux7.2. So I decide to use ntpd distributed
> > with the OS. However, surprisingly, the authentication works very well
> > with the old ntpd.
> 
> Which version is it?
> 
> > Then I reuse ntpd-4.2.0. And I find it becomes to work well.
> > It is because function "MD5authdecrypt" returns 1 indicating the packet from
> > client is authenticated.
> > 
> 
> Are you sure you are using that version and not the RedHat version?
> 
> > I am quite confused with the result. Really very very confused! Probably it
> > is related to principle of MD5.
> 
> Most unlikely since you can't authenticate with MD5.
> 
> > Unfortunately, I know nothing about it.
> > I wish the coder of this function could see the post and find out what is wrong.
> > 
> It's not clear that anything is wrong.
> 
> > By the way, on page http://ntp.isc.org/bin/view/Main/SoftwareDownloads there is
> > a link to obsolete versions of NTP. However, neither the deprecated FTP nor
> > the deprecated HTTP are available. Where can I get old version NTP package
> > such as the version that distributed with Red hat linux 7.2 ? I mean I can
> > compare the source code of the two Ntp packages to find out something.
> > 
> We have no idea what RedHat ships since they can and do make their own 
> changes. You have to ask RedHat. It may even be in the sources that 
> should come with your distribution. It almost certainly was built with 
> OpenSSL but you'd have to figure out which one.
> 
> Since you are looking in the wrong place, you are unlikely to find out.
> 
> > Thanks
> > Eric
> 
> 
> _______________________________________________
> questions mailing list
> questions at lists.ntp.isc.org
> https://lists.ntp.isc.org/mailman/listinfo/questions
> 
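
The line-ending mismatch described in this message, as an added example that is not part of the original thread or of the NTP source: a simplified model of a key reader that treats only 0x0a as the line end, showing how a key file saved with 0x0d 0x0a yields a different MD5 digest and how to flag such lines. The parser, the key value `ExampleSecret` and the 48-byte packet are constructed for illustration; only key id 10 (keyid 0000000a) and the 20-byte MAC length come from the debug line quoted above.

```python
import hashlib
import hmac
import re
import struct

def parse_keys(raw: bytes) -> dict:
    """Assumed model of the key reader: only 0x0a ends a line and only space/tab
    separate fields, so a 0x0d left by a Windows editor stays inside the key."""
    keys = {}
    for line in raw.split(b"\n"):
        fields = re.split(rb"[ \t]+", line.split(b"#", 1)[0].strip(b" \t"))
        if len(fields) >= 3 and fields[1].upper() == b"M":
            keys[int(fields[0])] = fields[2]
    return keys

def make_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """4-byte key id + MD5(key || packet): the 20-byte MAC ("mac 20")."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def verify(keys: dict, packet: bytes, mac: bytes) -> bool:
    """Receiver side: recompute the digest with the local copy of the key."""
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    return key is not None and hmac.compare_digest(make_mac(key_id, key, packet), mac)

def crlf_lines(raw: bytes) -> list:
    """1-based numbers of lines that still end in 0x0d 0x0a."""
    return [n for n, l in enumerate(raw.split(b"\n"), 1) if l.endswith(b"\r")]

# Constructed sample data (not from the post): one key, id 10 = keyid 0000000a.
SERVER_FILE = b"# server copy, edited on Linux\n10 M ExampleSecret\n"
CLIENT_FILE = b"# client copy, edited on Windows\r\n10 M ExampleSecret\r\n"
PACKET = b"\x23" + bytes(47)  # constructed 48-byte client (mode 3) header

def demo() -> dict:
    server = parse_keys(SERVER_FILE)
    client = parse_keys(CLIENT_FILE)
    fixed = parse_keys(CLIENT_FILE.replace(b"\r\n", b"\n"))
    return {
        "client_key": client[10],
        "crlf_lines": crlf_lines(CLIENT_FILE),
        "auth_before": verify(server, PACKET, make_mac(10, client[10], PACKET)),
        "auth_after": verify(server, PACKET, make_mac(10, fixed[10], PACKET)),
    }

if __name__ == "__main__":
    print(demo())
```

Running `crlf_lines` over each host's ntp.keys before deployment catches the mismatch without having to debug the authentication path.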
