[ntp:questions] IFF identity scheme on an intermediate server

Bartholome, Alain alain.bartholome at eads.com
Thu May 7 12:09:49 UTC 2009


With my testing of iff, I get protocol_error.

The following is extracted from the Authentication Options documentation:

>When an identity scheme is included, for example IFF, the TH generates host
>key, trusted certificate and private server identity files using the
>ntp-keygen -T -I -i group command, where group is the group name. The
>remaining group hosts use the same command as above. The client identity
>files are obtained separately. All hosts use the crypto ident group
>configuration command.

The intermediate server should use ntp-keygen -T -I -i group ?

For the intermediate server I made the 2 following tests:
(Int_server is not trusted, so I dropped  the -T option)

ntp-keygen -p little -i secgroup
ntp-keygen -I -p little -i secgroup

I get protocol_error with both.
Hereafter are the ntp.conf files and the ntp-keygen commands.

On the trusted host trustedhost of the group  secgroup:

The ntp.conf file:

keysdir "D:\appli\ntp\etc"
crypto pw little ident secgroup
leapfile  "D:\appli\ntp\etc\ntpkey_leap" 
fudge stratum 7

#end of file

the following commands have been executed on trustedhost:

ntp-keygen -T -I -p trusted -i secgroup

ntp-keygen -e -p trusted -q little >ntpkey_iffpar_secgroup
this file is copied to the clients

ntp-keygen   -p trusted -q little >ntpkey_iffkey_secgroup
this file uses ntpkey_iffkey_secgroup created by " ntp-keygen -T -I -p
trusted -i secgroup" and generates a new ntpkey_iffkey_secgroup copied to

intermediate server int_server

The ntp.conf file:
keysdir "D:\appli\ntp\etc"
crypto pw little ident secgroup
enable stats auth
server trustedhost autokey iburst
#end of file

the following commands have been executed on int_server:

ntp-keygen -p little -i secgroup

ntpkey_iffkey_secgroup has been copied to int_server



-----Original Message-----
From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
behalf of David Mills
Sent: Wednesday, May 6, 2009 18:44
To: 'questions at lists.ntp.org'
Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server


See the Authentication Options and ntp-keygen pages in the current 
online documentation. I've rewritten some of that text with examples. 
Hosts with dependent clients need the keys file, while clients need only 
the parameters file. The ntp-keygen page has examples showing how these 
files can be generated and distributed.


Bartholome, Alain wrote:

>I am using NTP version 4.2.5p158 on Windows Server 2003.
>I would like to know what iff files, in addition to the host key and the
>certificate files, must exist on an intermediate NTP server.
>According to what I have read, the documentation describes the
>on the trusted host server of the group and on the clients but not  for
>servers in between them.
>questions mailing list
>questions at lists.ntp.org
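
The file rule from David Mills's reply (hosts with dependent clients need the keys file, clients need only the parameters file) can be checked mechanically. The following Python sketch is an added example, not part of the original thread or of the NTP distribution: the role labels `server`/`client` and the function names are this example's own, the config is the int_server one from the post, and the directory listings passed in are constructed.

```python
# Constructed input: the int_server ntp.conf as posted in the thread.
INT_SERVER_CONF = r'''
keysdir "D:\appli\ntp\etc"
crypto pw little ident secgroup
enable stats auth
server trustedhost autokey iburst
#end of file
'''

def parse_crypto(conf_text):
    """Pull keysdir and the crypto pw/ident values out of ntp.conf text."""
    cfg = {"keysdir": None, "pw": None, "ident": None}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].lower() == "keysdir" and len(tokens) > 1:
            cfg["keysdir"] = line.split(None, 1)[1].strip('"')
        elif tokens[0].lower() == "crypto":
            # crypto takes keyword/value pairs: pw <password> ident <group>
            for key, value in zip(tokens[1::2], tokens[2::2]):
                if key in ("pw", "ident"):
                    cfg[key] = value
    return cfg

def audit(conf_text, role, present):
    """Compare the file names in keysdir (present) with what the role needs.

    role: "server" = any host with dependent clients (trusted host or
    intermediate server); "client" = leaf host. Labels are this example's.
    """
    group = parse_crypto(conf_text)["ident"]
    if group is None:
        return ["no 'crypto ident <group>' line found"]
    keyfile = f"ntpkey_iffkey_{group}"    # keys file
    parfile = f"ntpkey_iffpar_{group}"    # parameters file
    if role == "server":
        return [] if keyfile in present else [f"missing {keyfile}"]
    if role == "client":
        if keyfile in present:
            return [f"{keyfile} present; a client needs only {parfile}"]
        return [] if parfile in present else [f"missing {parfile}"]
    raise ValueError(f"unknown role: {role}")

if __name__ == "__main__":
    # int_server has dependent clients, so it is audited as "server".
    print(audit(INT_SERVER_CONF, "server", {"ntpkey_iffpar_secgroup"}))
```

On a live host, `present` would be the set of file names in the directory that `parse_crypto` returns as `keysdir`.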
