[ntp:questions] Can't get autokey working

Joel Shellman joelshellman at yahoo.com
Thu Jan 19 18:53:43 UTC 2006


I've been fighting with this for too long and need some help. I followed
http://ntp.isc.org/bin/view/Support/ConfiguringAutokey
on both server and client.

I run the server and client both with -dd to get extra info. Both
client and server appear to load up their own keys initially.

Then the conversation looks like this,

Client:

crypto_xmit: ext offset 48 len 40 code 201 assocID 0
session_key: 192.168.184.129 > 72.232.11.82 0587beec 00000000 hash 8093ec13 life 2
       MCAST   *****sendpkt(fd=7 dst=72.232.11.82, src=192.168.184.129, ttl=0, len=108)
transmit: at 587 192.168.184.129->72.232.11.82 mode 3 keyid 0587beec len 88 mac 20 index 89
poll_update: at 587 72.232.11.82 flags 000b poll 6 burst 0 last 587 next 651
receive: at 587 192.168.184.129<-72.232.11.82 restrict 000
receive: at 587 192.168.184.129<-72.232.11.82 mode 4 code 1 keyid 00000000 len 48 mac 4 auth 0



Server:

input_handler: if=3 fd=7 length 108 from 45a11df6 69.161.29.246
receive: at 3001 72.232.11.82<-69.161.29.246 restrict 180
session_key: 69.161.29.246 > 72.232.11.82 00000000 d820326e hash cfd8bb5f life 0
authtrust: keyid 0587beec life 2
session_key: 69.161.29.246 > 72.232.11.82 0587beec 00000000 hash 581652d0 life 2
session_key: 69.161.29.246 > 72.232.11.82 0587beec cfd8bb5f hash 0420d945 life 0
authtrust: keyid 0587beec life 0
receive: at 3001 72.232.11.82<-69.161.29.246 mode 3 code 2 keyid 0587beec len 88 mac 20 auth 0
       MCAST   *****sendpkt(fd=7 dst=69.161.29.246, src=72.232.11.82, ttl=0, len=52)
transmit: at 3001 72.232.11.82->69.161.29.246 mode 4 keyid 00000000 len 48 mac 4


I see that the server appears to be sending back keyid 00000000.

Any ideas on what might be wrong or how to troubleshoot this further?

One thing is that I don't see anywhere in the client log that it is
loading up the server cert.

Here's my keysdir:

lrwxrwxrwx  1 root root   42 Jan 19 11:26 ntpkey_cert_TestHostname -> ntpkey_RSA-MD5cert_TestHostname.3346676773
lrwxrwxrwx  1 root root   37 Jan 19 11:26 ntpkey_host_TestHostname -> ntpkey_RSAkey_TestHostname.3346676773
-rw-r--r--  1 root root  512 Jan 19 10:17 ntpkey_IFFkey_worker1.mentics.com.3346672562
lrwxrwxrwx  1 root root   44 Jan 19 12:28 ntpkey_iff_worker1.mentics.com -> ntpkey_IFFkey_worker1.mentics.com.3346672562
-rw-r--r--  1 root root  623 Jan 19 11:26 ntpkey_RSAkey_TestHostname.3346676773
-rw-r--r--  1 root root  565 Jan 19 11:26 ntpkey_RSA-MD5cert_TestHostname.3346676773


client ntp.conf:

restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict worker1.mentics.com
server worker1.mentics.com autokey
driftfile /var/lib/ntp/drift
crypto pw HelloClient
keysdir /etc/ntp/autokey
statsdir /var/log/ntpstats/
filegen cryptostats file cryptostats type day enable


And server ntp.conf:

restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict 69.161.29.246 mask 255.255.255.255 nomodify notrap
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
crypto pw HelloServer
keysdir /etc/ntp/autokey
statsdir /var/log/ntpstats/
filegen cryptostats file cryptostats type day enable


Thanks,

-joel

ps: client and server are both CentOS 4.2 boxes.
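
Added example, not part of the original post: in NTP a reply whose MAC is only a 4-octet key ID of zero is a crypto-NAK (RFC 5905), which matches the mode 4 "keyid 00000000 ... mac 4" packets in both traces above. This Python sketch pulls such replies out of ntpd -dd output and pairs each with the key ID of the request it answered; the function name and regex are assumptions of this example, and the sample lines are the post's packet lines with the mail wrapping undone.

```python
import re

# Matches the packet summary lines ntpd prints with -dd, as seen in the post.
PKT = re.compile(
    r"(?:receive|transmit): at (?P<t>\d+) "
    r"(?P<a>[\w.:]+)(?P<arrow><-|->)(?P<b>[\w.:]+) "
    r"mode (?P<mode>\d+)(?: code \d+)? keyid (?P<keyid>[0-9a-f]{8}) "
    r"len \d+ mac (?P<mac>\d+)"
)

def find_crypto_naks(log_text):
    """Return one finding per mode 4 reply that carries a crypto-NAK."""
    last_request = {}  # (client, server) -> key ID of the latest mode 3 packet
    findings = []
    for line in log_text.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # restrict/session_key/sendpkt lines carry no MAC info
        # "a<-b" is a packet from b to a; "a->b" is a packet from a to b.
        src, dst = (m["b"], m["a"]) if m["arrow"] == "<-" else (m["a"], m["b"])
        if m["mode"] == "3":
            last_request[(src, dst)] = m["keyid"]
        elif m["mode"] == "4" and m["mac"] == "4" and m["keyid"] == "00000000":
            findings.append({
                "time": int(m["t"]),
                "server": src,
                "client": dst,
                "request_keyid": last_request.get((dst, src)),
            })
    return findings

# Packet lines from the post, with the mail client's line wrapping undone.
CLIENT_LOG = """\
transmit: at 587 192.168.184.129->72.232.11.82 mode 3 keyid 0587beec len 88 mac 20 index 89
receive: at 587 192.168.184.129<-72.232.11.82 restrict 000
receive: at 587 192.168.184.129<-72.232.11.82 mode 4 code 1 keyid 00000000 len 48 mac 4 auth 0
"""
SERVER_LOG = """\
receive: at 3001 72.232.11.82<-69.161.29.246 mode 3 code 2 keyid 0587beec len 88 mac 20 auth 0
transmit: at 3001 72.232.11.82->69.161.29.246 mode 4 keyid 00000000 len 48 mac 4
"""

if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        for f in find_crypto_naks(log):
            print(f"{name}: t={f['time']} {f['server']} answered key ID "
                  f"{f['request_keyid']} with a crypto-NAK to {f['client']}")
```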
