[ntp:questions] Generating keys for ntpdc control

Martin Burnicki martin.burnicki at meinberg.de
Thu Jul 3 13:07:19 UTC 2008


Bob wrote:
> "Martin Burnicki" <martin.burnicki at meinberg.de> wrote in message
> news:lbeuj5-4i6.ln1 at gateway.py.meinberg.de...
>> Bob,
>> Bob wrote:
>>> Can someone run me through the steps necessary to generate, and apply
>>> keys
>>> so I can use ntpdc to make on the fly changes to ntpd? I've read through
>>> the docs - repeatedly! - and tried every incarnation of ntp-keygen
>>> listed.
>> ntp-keygen is used to generate private/public key pairs which are used
>> for NTP's "autokey" schemes which have been introduced in NTPv4. The
>> advantage of autokey is that you just have to distribute the public key
>> to other machines but don't have to copy the private key to some other
>> machine.
>> The autokey scheme is used to let NTP clients be able to verify that a
>> NTP packet received from a NTP server has indeed been sent by that server
>> and not by someone else wh wants to spoof a wrong time.
>> The key numbers mentioned for ntpdc are referring to symmetric keys which
>> have been introduced before NTPv4 (i.e v3 or even v2, I'm not sure). The
>> same key as used on the server has to be copied to the client in order to
>> be able to autenticate (-> "symmetric").
>> Those symmetric keys can also be used with ntpdc. However, AFAIK, the
>> autokey scheme can not.
>> To configure symmetric keys you have to create a text file on the NTP
>> server, e.g /etc/ntp.keys, which contains the keys, e.g.:
>> 1 M my_secret_key
>> 2 M another_secret_key
>>> What I seem not to be able to get is what the "key number" represents.
>> The first column is the key number you have been asking for. The second
>> column is a shortcut for the type of encryption, where 'M' is for MD5
>> which
>> is AFAIK the only type of encryption still supported for symmetric keys.
>> The 3rd column are the keys, just text strings, which must be shared with
>> the clients.
>> Then the following lines need to be added to the server's ntp.conf file:
>> keys /etc/ntp.keys   # path for keys file
>> trustedkey 1 2
>> After ntpd has been restarted you should be able to use either key 1,
>> "my_secret_key", or key 2, "another_secret_key", from your NTP client or
>> with ntpdc.
>> Having multiple keys as in the example above can be useful to be share
>> one key with one group of clients, and another key with another group of
>> clients, if required.
>> [...]
>>> I'm running the current Meinberg windows port.
>> Please note this is based on the original sources from ntp.org. Here at
>> Meinberg we have just compiled those sources for Windows and put the
>> resulting binaries into a GUI installer to simplify installation under
>> Windows.
>> Martin
>> --
>> Martin Burnicki
>> Meinberg Funkuhren
>> Bad Pyrmont
>> Germany
> I'm getting closer... you actually put the key data in a file that you
> point to. OK... how do I generate the keys? 

Hm, in the past I've just put a kind of password in as a key. That works.

> For example, I tried the below 
> (of course, the keys listed have been erased...) and which file do I use
> the contents of as key material, how much do I use (just the data and no
> headers), and do I have to do it all on one line per key? Thanks for the
> help on this. I've searched for detailed info without success.

I've just seen a new bug
which says the MD5 keys generated by ntpkeygen -M are 1 character shorter
than they should be.

Running ntp-keygen -M produces a file with 16 MD5 keys, e.g.:

# ntpkey_MD5key_gateway.3424077267
# Thu Jul  3 14:34:27 2008
 1 MD5  {ph":xjnCg=6ih` # MD5 key
 2 MD5  6Ny0U9qNXY*2D at p # MD5 key
 3 MD5  Qlsn(6Lz>m~x}V2 # MD5 key
 4 MD5  L{%cTECTpwaiHF< # MD5 key
 5 MD5  }zOay at i+;1v8S]S # MD5 key
 6 MD5  )<A(C.t~%Sx`7%> # MD5 key
 7 MD5  lB~^/}6Bt0=N`1q # MD5 key
 8 MD5  t.n$r{C=t'|E{<j # MD5 key
 9 MD5  yzyb]G><F`N>LmJ # MD5 key
10 MD5  Ve7`}+ at y~SdcLgv # MD5 key
11 MD5  xq`?%KeehO`'?g3 # MD5 key
12 MD5  1SV?LIMl1IA;L2i # MD5 key
13 MD5  g$@J-h4n7iiJ^Tu # MD5 key
14 MD5  OFh)V>%AT?6XiI~ # MD5 key
15 MD5  cPi|bxlwH&^)dB@ # MD5 key
16 MD5  5[0?>~(;4C0?at% # MD5 key

where gateway is the name of the machine the command has been run on.

Interestingly, while older NTP docs stated the second column should read
just 'M' for MD5 keys, the generated key file contains 'MD5'. Don't know
whether this is accepted by older and/or current versions of ntpd and

Also, in my earlier post I forgot to mention that you should specify which
keys should be used to authenticate with ntpdc and ntpq, i.e.:

keys /etc/ntp.keys   # path for keys file
trustedkey 1 2 15
controlkey 15        # ntpq
requestkey 15        # ntpdc

Though at least bug #418 
mentions at least the controlkey stuff has never been implemented.

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont

More information about the questions mailing list