[ntp:questions] Re: Different GroupKey and Client Passwords

Steve Kostecke kostecke at ntp.isc.org
Mon Sep 11 14:37:48 UTC 2006

On 2006-09-11, DanR <dan at dolphtech.com> wrote:
> Regarding Client/Server mode, with AutoKey and the IFF scheme:
> Following the instruction on
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey I have
> successfully configured, generated keys, and tested a client/server
> setup using AutoKey with an encrypted group key using the IFF scheme.
> Q1: How it possible for a leaf client to use different groupkey and
> client credential passwords, which are specified in the configuration
> file (i.e. crypto pw clientpassword)?


Currently, each ntpd can have exactly _one_ crypto password.

In the case of an IFF Trust Group each participant may use a unique
crypto password. This password is used to generate the host parameters
(i.e. cert and key files) and is used for the portion of the "groupkey"
held by that ntpd.

The Trust Group server generates the "groupkey" with:

	ntp-keygen -T -I -p serverpassword

The resulting file, ntpkey_IFFpar_server.hostname.NNNNNNNNNN, is the
server's "private key" and is not distributed to the clients.

A "public key" is exported for each client using that client's crypto
password (which, as stated above, may be unique):

	ntp-keygen -e -q serverpassword -p clientpassword

> Q2: How can the passwords be read without specifying them in the clear
> within the respecitive server/client configuration files?

AFAIK, the only way to specify the crypto password is in the ntp.conf

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

More information about the questions mailing list