[ntp:questions] Generating keys for ntpdc control

Martin Burnicki martin.burnicki at meinberg.de
Thu Jul 3 08:14:13 UTC 2008


Bob wrote:
> Can someone run me through the steps necessary to generate, and apply keys
> so I can use ntpdc to make on the fly changes to ntpd? I've read through
> the docs - repeatedly! - and tried every incarnation of ntp-keygen listed.

ntp-keygen is used to generate private/public key pairs which are used for
NTP's "autokey" schemes which have been introduced in NTPv4. The advantage
of autokey is that you just have to distribute the public key to other
machines but don't have to copy the private key to some other machine. 

The autokey scheme is used to let NTP clients be able to verify that an NTP
packet received from an NTP server has indeed been sent by that server and
not by someone else who wants to spoof a wrong time.

The key numbers mentioned for ntpdc are referring to symmetric keys which
have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
same key as used on the server has to be copied to the client in order to
be able to authenticate (-> "symmetric").

Those symmetric keys can also be used with ntpdc. However, AFAIK, the
autokey scheme can not.

To configure symmetric keys you have to create a text file on the NTP
server, e.g. /etc/ntp.keys, which contains the keys, e.g.:

1 M my_secret_key
2 M another_secret_key

> What I seem not to be able to get is what the "key number" represents.

The first column is the key number you have been asking for. The second
column is a shortcut for the type of encryption, where 'M' is for MD5 which
is AFAIK the only type of encryption still supported for symmetric keys.
The 3rd column contains the keys, just text strings, which must be shared
with the clients.

Then the following lines need to be added to the server's ntp.conf file:

keys /etc/ntp.keys   # path for keys file
trustedkey 1 2

After ntpd has been restarted you should be able to use either key 1,
"my_secret_key", or key 2, "another_secret_key", from your NTP client or
with ntpdc.

Having multiple keys as in the example above can be useful to share one
key with one group of clients, and another key with another group of
clients, if required.

> I'm running the current Meinberg windows port. 

Please note this is based on the original sources from ntp.org. Here at
Meinberg we have just compiled those sources for Windows and put the
resulting binaries into a GUI installer to simplify installation under

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
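Added example (not part of Martin's post and not code from the ntp.org sources): a small Python model of what the symmetric-key setup above does on the wire. It parses a keys file in the "<key number> <type> <key string>" format shown in the post, mirrors the "trustedkey 1 2" line, and computes the authenticator ntpd appends for symmetric keys (the 32-bit key number followed by MD5 over key material and packet header, as in RFC 5905). The server-side check shows why the key number alone gives nothing away: a packet with a known key number but the wrong secret, an altered packet, or a key number missing from trustedkey are all rejected. Assumptions: only the plain-text 'M' key form from the post is handled, the sample keys file and NTP header are constructed test input, and packets carry no extension fields.

```python
import hashlib
import hmac
import struct

# Constructed sample keys file in the format the post shows for
# /etc/ntp.keys: "<key number> <type> <key string>", '#' starts a comment.
SAMPLE_KEYS_FILE = """\
# key-id  type  key string
1 M my_secret_key
2 M another_secret_key
3 M key_not_in_trustedkey
"""

# Mirrors "trustedkey 1 2" from the ntp.conf fragment in the post.
TRUSTED_KEY_IDS = {1, 2}

NTP_HEADER_LEN = 48   # fixed NTP packet header (RFC 5905)
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest


def parse_keys_file(text):
    """Return {key_id: key_bytes} for the 'M' (MD5) text keys in ntp.keys-style input.

    Only the plain-text key form from the post is accepted; anything else is
    rejected rather than guessed at.
    """
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<id> <type> <key>'")
        key_id, key_type, key = int(fields[0]), fields[1].upper(), fields[2]
        # ntpd convention: symmetric key IDs are 1..65535, larger IDs belong to Autokey.
        if not 1 <= key_id <= 65535:
            raise ValueError(f"line {lineno}: key id {key_id} out of range")
        if key_type not in ("M", "MD5"):
            raise ValueError(f"line {lineno}: unsupported key type {key_type!r}")
        keys[key_id] = key.encode("ascii")
    return keys


def build_header(mode=3, version=4):
    """Constructed 48-byte NTP header: LI=0, VN, mode, stratum 0, poll 6,
    precision -20, all timestamps zero (test input only)."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", first, 0, 6, -20) + b"\x00" * 44


def ntp_mac(key_id, key, header):
    """Symmetric-key authenticator: key ID (network order) + MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(header, key_id, keys):
    """Client side: append the MAC for the chosen key number."""
    return header + ntp_mac(key_id, keys[key_id], header)


def verify_packet(packet, keys, trusted_ids):
    """Server side: (ok, reason) for an incoming packet. Assumes no extension
    fields, so everything before the trailing 20 bytes is the signed header."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_ids:
        return False, f"key {key_id} not listed in trustedkey"
    if key_id not in keys:
        return False, f"key {key_id} not present in keys file"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (wrong key or altered packet)"
    return True, "authenticated"


def demo():
    """Scenarios a server faces; returns {scenario: (ok, reason)}."""
    keys = parse_keys_file(SAMPLE_KEYS_FILE)
    header = build_header()
    r = {}
    # client that shares key 1 with the server
    r["good_key_1"] = verify_packet(sign_packet(header, 1, keys), keys, TRUSTED_KEY_IDS)
    # key 3 exists in the file but is not in trustedkey
    r["untrusted_key_3"] = verify_packet(sign_packet(header, 3, keys), keys, TRUSTED_KEY_IDS)
    # sender knows key number 2 but not its secret (constructed wrong key)
    r["wrong_secret"] = verify_packet(sign_packet(header, 2, {2: b"guess"}), keys, TRUSTED_KEY_IDS)
    # correctly signed packet altered in transit (stratum bit flipped)
    tampered = bytearray(sign_packet(header, 2, keys))
    tampered[1] ^= 0x01
    r["tampered"] = verify_packet(bytes(tampered), keys, TRUSTED_KEY_IDS)
    # packet without any authenticator
    r["no_mac"] = verify_packet(header, keys, TRUSTED_KEY_IDS)
    return r


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'OK ' if ok else 'REJ'} {reason}")
```

The key number travels in the clear as the first four bytes of the authenticator; the key string never leaves the keys file, which is why that file (and not the key numbers) is what has to be protected and shared only with the intended clients.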
