[ntp:questions] Secure NTP Server

Steve Kostecke kostecke at ntp.isc.org
Mon Apr 23 20:36:26 UTC 2007

On 2007-04-23, R <srvedire at yahoo.com> wrote:

> This is probably a stupid question, which would take the experts a
> minute to answer.
> I'm planning to have a NTP daemon-A communicate with another NTP
> deamon-B using authentication/security enabled

NTP Authentication (e.g. AutoKey + an identity scheme) authenticates
the server to the client. NTP Authentication does not encrypt the
communication between the server and the client. NTP Authentication is
not intended to be a form of access control.

> and I also want other NTP daemons (configured as pure clients) to
> communicate with NTP deamon-A. Is this possible? In other words can
> you mix and match authentication and no-authentication?

Yes. The systems that need authenticated time service have to be
configured to require it. For example, in the daemon-B ntp.conf you
would specify:

	# Poll daemon-A and use autokey:
	server daemon-A iburst autokey

	# Require authenticated packets from daemon-A:
	restrict daemon-A notrust

There is more information about setting up AutoKey at

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

More information about the questions mailing list