[ntp:questions] Can't get autokey working
Joel Shellman
joelshellman at yahoo.com
Thu Jan 19 18:53:43 UTC 2006
I've been fighting with this for too long and need some help. I followed
http://ntp.isc.org/bin/view/Support/ConfiguringAutokey
on both server and client.

I run the server and client both with -dd to get extra info. Both client and server appear to load up their own keys initially.

Then the conversation looks like this,
Client:
crypto_xmit: ext offset 48 len 40 code 201 assocID 0
session_key: 192.168.184.129 > 72.232.11.82 0587beec 00000000 hash 8093ec13 life 2
MCAST *****sendpkt(fd=7 dst=72.232.11.82, src=192.168.184.129, ttl=0, len=108)
transmit: at 587 192.168.184.129->72.232.11.82 mode 3 keyid 0587beec len 88 mac 20 index 89
poll_update: at 587 72.232.11.82 flags 000b poll 6 burst 0 last 587 next 651
receive: at 587 192.168.184.129<-72.232.11.82 restrict 000
receive: at 587 192.168.184.129<-72.232.11.82 mode 4 code 1 keyid 00000000 len 48 mac 4 auth 0
Server:
input_handler: if=3 fd=7 length 108 from 45a11df6 69.161.29.246
receive: at 3001 72.232.11.82<-69.161.29.246 restrict 180
session_key: 69.161.29.246 > 72.232.11.82 00000000 d820326e hash cfd8bb5f life 0
authtrust: keyid 0587beec life 2
session_key: 69.161.29.246 > 72.232.11.82 0587beec 00000000 hash 581652d0 life 2
session_key: 69.161.29.246 > 72.232.11.82 0587beec cfd8bb5f hash 0420d945 life 0
authtrust: keyid 0587beec life 0
receive: at 3001 72.232.11.82<-69.161.29.246 mode 3 code 2 keyid 0587beec len 88 mac 20 auth 0
MCAST *****sendpkt(fd=7 dst=69.161.29.246, src=72.232.11.82, ttl=0, len=52)
transmit: at 3001 72.232.11.82->69.161.29.246 mode 4 keyid 00000000 len 48 mac 4
I see that the server appears to be sending back keyid 00000000.
Any ideas on what might be wrong or how to troubleshoot this further?
One thing is that I don't see anywhere in the client log that it is loading up the server cert.
Here's my keysdir:
lrwxrwxrwx 1 root root 42 Jan 19 11:26 ntpkey_cert_TestHostname -> ntpkey_RSA-MD5cert_TestHostname.3346676773
lrwxrwxrwx 1 root root 37 Jan 19 11:26 ntpkey_host_TestHostname -> ntpkey_RSAkey_TestHostname.3346676773
-rw-r--r-- 1 root root 512 Jan 19 10:17 ntpkey_IFFkey_worker1.mentics.com.3346672562
lrwxrwxrwx 1 root root 44 Jan 19 12:28 ntpkey_iff_worker1.mentics.com -> ntpkey_IFFkey_worker1.mentics.com.3346672562
-rw-r--r-- 1 root root 623 Jan 19 11:26 ntpkey_RSAkey_TestHostname.3346676773
-rw-r--r-- 1 root root 565 Jan 19 11:26 ntpkey_RSA-MD5cert_TestHostname.3346676773
client ntp.conf:
restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict worker1.mentics.com
server worker1.mentics.com autokey
driftfile /var/lib/ntp/drift
crypto pw HelloClient
keysdir /etc/ntp/autokey
statsdir /var/log/ntpstats/
filegen cryptostats file cryptostats type day enable
And server ntp.conf:
restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict 69.161.29.246 mask 255.255.255.255 nomodify notrap
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
crypto pw HelloServer
keysdir /etc/ntp/autokey
statsdir /var/log/ntpstats/
filegen cryptostats file cryptostats type day enable
Thanks,
-joel
ps: client and server are both CentOS 4.2 boxes.
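
The following is an added example, not part of the original message and not code from the NTP project: a Python check that pairs the session_key debug lines from the client and server output quoted above and reports where the two sides fed different inputs into the key hash. RFC 5906 defines the Autokey session key as a hash over source address, destination address, key ID and cookie, so a source address that differs between the two views gives a different hash for the same key ID. The field names keyid and cookie in the parser are assumptions about the -dd output format, and the sample logs are copied from the message as constructed test input.

```python
import re

# Constructed sample input: the session_key lines from the -dd output in the message.
CLIENT_LOG = """\
session_key: 192.168.184.129 > 72.232.11.82 0587beec 00000000 hash 8093ec13 life 2
"""
SERVER_LOG = """\
session_key: 69.161.29.246 > 72.232.11.82 00000000 d820326e hash cfd8bb5f life 0
session_key: 69.161.29.246 > 72.232.11.82 0587beec 00000000 hash 581652d0 life 2
session_key: 69.161.29.246 > 72.232.11.82 0587beec cfd8bb5f hash 0420d945 life 0
"""

# Assumed field order: src > dst keyid cookie "hash" digest "life" lifetime
LINE = re.compile(
    r"session_key:\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<keyid>[0-9a-f]{8})\s+"
    r"(?P<cookie>[0-9a-f]{8})\s+hash\s+(?P<hash>[0-9a-f]{8})\s+life\s+(?P<life>\d+)")


def parse(log):
    """Return one dict per session_key entry; tolerates mail-wrapped lines."""
    flat = " ".join(log.split())  # undo hard wraps inserted by the mail client
    return [m.groupdict() for m in LINE.finditer(flat)]


def compare(client_log, server_log):
    """Pair entries sharing (dst, keyid, cookie) and report differing hash inputs."""
    findings = []
    server = parse(server_log)
    for c in parse(client_log):
        for s in server:
            if (c["dst"], c["keyid"], c["cookie"]) != (s["dst"], s["keyid"], s["cookie"]):
                continue
            findings.append({
                "keyid": c["keyid"],
                "client_src": c["src"],   # address the client hashed as source
                "server_src": s["src"],   # address the server saw the packet come from
                "src_differs": c["src"] != s["src"],
                "hash_matches": c["hash"] == s["hash"],
            })
    return findings


if __name__ == "__main__":
    for f in compare(CLIENT_LOG, SERVER_LOG):
        print(f)
```

On the logs above it reports one pairing for keyid 0587beec, with the client hashing 192.168.184.129 as source while the server sees 69.161.29.246, and the two hash values not matching.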