[ntp:questions] IFF autokey issue

Vladimir Smotlacha vs at cesnet.cz
Wed May 9 12:48:42 UTC 2007

Steve Kostecke wrote:
> On 2007-05-07, Vladimir Smotlacha <vs at cesnet.cz> wrote:
>> I setup up an IFF identity scheme  at my labs NTP server and client.
>> I did it exactly according to available documentation and it worked O.K.
>> However, I tried it once more with new keys and certficates but without
>> copying IFF parameters to the client (i.e. the client did not know IFF
>> parameters). I expected that the authentication fails but it was
>> successful again.
> The Trusted Certificate (TC) Identity Scheme was being used because you
> generated trusted host parameters (with '-T') on the server,
>> Should there be observed a difference in client behavior in both
>> cases?
> The only difference that you will see is in the flags for that
> association on the client end.

Having still problem to setup IFF on client site, I discovered
unexpected (and undocumented) behavior: the client of IFF group needs
any  IFF parameter file with name "ntpkey_iff_<hostname>" although that
parameters are never used (assuming right "ntpkey_iff_<server>" is
present for each server). The only role of "ntpkey_iff_<hostname>" is to
set the CRYPTO_FLAG_IFF in crypto_flags variable, otherwise the IFF
authentication process does not start.

As Steve wrote, to distinguish between TC and IFF (GQ, MV) using ntpq,
inspection of hexadecimal value 'flags' obtained by command
     ntpq -c 'rl <assoc>'
is necessary. It is rather tricky task for everybody without deep
knowledge of ntpd implementation.

I think that IFF on client side should be started more straightforward
way, maybe some explicit parameter in 'crypto' command.


More information about the questions mailing list