[ntp:questions] autokey setup with GQ Identity Scheme
Jean-Francois Malouin
Jean-Francois.Malouin at bic.mni.mcgill.ca
Mon May 29 19:14:23 UTC 2006
Hello,
After a few days of reading all sorts of doc (mainly
http://ntp.isc.org/bin/view/Support/ConfiguringAutokey) I have
convinced myself that I'm missing something crucial in my NTP
sub-domain setup but I can't put the finger on it... I'll be quite
happy to give further output/debug to anyone who can help and I
apologize if this is too long but it has been a few very frustrating
days...
NTP setup:
a set of 3 trusted hosts running NTPV4 on Debian/Sarge and supposed to
peer between each other as stratum 3 servers using GQ scheme as the
Identity Scheme, and getting their time in a passive/symmetric way
from a bunch of stratum 2 servers out there. These 3 stratum 3 servers
in turn broadcast/multicast in the sub-domain to the other clients
using autokey (excerpts from the server ntp.conf):
crypto pw my_server_secret
keysdir /etc/ntp
server one.time
server two.time
server three.time
server four.time
peer ntp1.domain.org autokey
peer ntp2.domain.org autokey
peer ntp3.domain.org autokey
broadcast xxx.yyy.zzz.255 autokey
broadcast 224.0.1.1 autokey
My problem: right now with only 2 servers and one client: the 'good'
server reports DROP as the peer kiss code of the 'bad' server, the
client refuses to associate with the 'bad' server and the 'bad' server
sees the 'good' server as a stratum 3 server but reports 'flash=200
bad_autokey' in the ntpq association output.
My question: Which files generated from 'ntp-keygen -T -G -p
<my_server_secret>' need to be shared between the trusted servers and
clients? I first created the host key and cert using 'ntp-keygen -T -G
-p <my_server_secret>' on each server and cross-copied the
ntpkey_GQpar_server.timestamp for both servers and created the symlink
as per the web page above. I also copied the key files of both servers
to the client and created the symlink as well. Is this the correct
procedure? Right now my test client reports (only 2 peers and one
broadcast client at the moment until I figure out what's wrong):
crypto_gq: invalid filestamp 3357912579
ntpd[1124]: receive: fatal error 608 for xxx.xxx.xxx.xxx
and the other ntp server reports that the flash code for this
is 'flash=600 bad_autokey, not_proventic':
ntpq> pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time1.apple.com 17.254.1.194     3 u  126 1024  377   85.862    1.362   1.706
*time.nrc.ca     132.246.168.2    2 u  162 1024  377   30.328    3.765   0.065
-cudns.cit.corne 192.5.41.40      2 u 1016 1024  377   43.614   -8.521   0.649
+ecmail2.cmc.ec. 142.135.6.200    2 u  164 1024  377    3.169    3.229   0.160
 escalus.bic.mni .DROP.          16 u   37   64    0    0.000    0.000 4000.00
 lorax.bic.mni.m .CRYP.          16 u    - 1024    0    0.000    0.000 4000.00
 feeble.bic.mni. .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 132.206.178.255 .BCST.          16 u    -   64    0    0.000    0.000 4000.00
 NTP.MCAST.NET   .MCST.          16 u    -   64    0    0.000    0.000 4000.00
ntpq> as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 12116  9414   yes   yes  none  candidat   reachable  1
  2 12117  9614   yes   yes  none  sys.peer   reachable  1
  3 12118  9314   yes   yes  none  outlyer    reachable  1
  4 12119  9414   yes   yes  none  candidat   reachable  1
  5 12120  e0d3   yes   yes  ok    reject     lost reach 13
  6 12121  c000   yes   yes  bad   reject
  7 12122  c000   yes   yes  bad   reject
  8 12123  c000   yes   yes  bad   reject
  9 12124  c000   yes   yes  bad   reject
ntpq> rv 12120
assID=12120 status=e0d3 unreach, conf, auth, 13 events, event_unreach,
srcadr=escalus.bic.mni.mcgill.ca, srcport=123, dstadr=132.206.178.9,
dstport=123, leap=11, stratum=16, precision=-18, rootdelay=0.000,
rootdispersion=0.000, refid=DROP, reach=000, unreach=12, hmode=1,
pmode=0, hpoll=10, ppoll=6, flash=600 bad_autokey, not_proventic,
keyid=739308037, ttl=0, offset=0.000, delay=0.000, dispersion=0.000,
jitter=4000.000,
reftime=00000000.00000000 Thu, Feb 7 2036 1:28:16.000,
org=c825bd92.2ec98e53 Mon, May 29 2006 14:36:02.182,
rec=c825bd92.31bf162a Mon, May 29 2006 14:36:02.194,
xmt=c825bd91.4e9c347f Mon, May 29 2006 14:36:01.307,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
hostname="escalus", signature="md5WithRSAEncryption", flags=0x80041,
identity="escalus"
regards,
jf
--
<° ><
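Before asking ntpd why it rejects a filestamp, it helps to see what the key directory actually contains: which ntpkey_* files are present, what date each filestamp suffix encodes, and whether every generic symlink still resolves to a file that exists on this host. The script below is an added example for that audit; it is not from the post, the ISC wiki page, or the NTP distribution. It assumes only the file naming ntp-keygen uses (ntpkey_<TYPE>_<host>.<filestamp> data files, where the filestamp is NTP seconds counted from 1900, and ntpkey_<type>_<host> symlinks pointing at them). The host names and the filestamp 3357912579 in the constructed fixture are the ones quoted in the post; the fixture files are empty placeholders, not key material.

```shell
#!/bin/sh
# Added example (not from the post or the NTP project): audit an Autokey
# keys directory before debugging filestamp rejections.
# Assumed naming, as produced by ntp-keygen:
#   ntpkey_<TYPE>_<host>.<filestamp>  data file, <filestamp> = NTP seconds
#   ntpkey_<type>_<host>              symlink to the current data file
# NTP seconds count from 1900-01-01; Unix time counts from 1970-01-01.

NTP_UNIX_OFFSET=2208988800

# ntp_to_unix <ntp_seconds>: print the equivalent Unix epoch seconds.
ntp_to_unix() {
    echo $(( $1 - NTP_UNIX_OFFSET ))
}

# filestamp_of <filename>: print the numeric filestamp suffix, or return 1
# if the name has no all-digit suffix after its last '.'.
filestamp_of() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    suffix=${1##*.}
    case "$suffix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$suffix"
}

# fmt_date <unix_seconds>: ISO-8601 UTC; GNU date first, BSD date fallback.
fmt_date() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# audit_keysdir <dir>: one line per ntpkey_* entry. Data files are shown
# with their filestamp decoded to a date; symlinks are checked to resolve.
# Returns 1 if any symlink is dangling, else 0.
audit_keysdir() {
    dir=$1
    rc=0
    for f in "$dir"/ntpkey_*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # no match: glob stayed literal
        name=${f##*/}
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            case "$target" in
                /*) path=$target ;;
                *)  path=$dir/$target ;;
            esac
            if [ -e "$path" ]; then
                echo "link     $name -> $target"
            else
                echo "DANGLING $name -> $target"
                rc=1
            fi
        elif fs=$(filestamp_of "$name"); then
            echo "file     $name  filestamp=$fs  ($(fmt_date "$(ntp_to_unix "$fs")"))"
        else
            echo "other    $name"
        fi
    done
    return $rc
}

# make_fixture: build a constructed keys directory for demonstration and
# print its path. Host names and the filestamp are those quoted in the post;
# the file contents are empty placeholders, not real key material.
make_fixture() {
    tmp=$(mktemp -d)
    : > "$tmp/ntpkey_GQpar_escalus.3357912579"
    ln -s ntpkey_GQpar_escalus.3357912579 "$tmp/ntpkey_gq_escalus"
    # a link whose target file was never copied to this host: the dangling case
    ln -s ntpkey_GQpar_lorax.3357912000 "$tmp/ntpkey_gq_lorax"
    echo "$tmp"
}

# Demonstration run on the constructed fixture (touches no real key directory).
fixture=$(make_fixture)
audit_keysdir "$fixture" || echo "audit: problems found in $fixture"
rm -rf "$fixture"
```

Run it against a real keys directory with `audit_keysdir /etc/ntp` (the keysdir from the post's ntp.conf) on each trusted host and compare the output side by side: the decoded dates show at a glance which copies of a parameter file were generated when, and a DANGLING line means a symlink was created on a host that never received the file it points to.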