[ntp:questions] autokey IFF client setup

Victor Jesus Angus shurvic at yahoo.com
Thu May 7 04:08:27 UTC 2009

The NTP client was not able to detect the IFF config files because the crypto_flags in crypto_setup() shows the following line:

crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption

I'm using 4.2.5p158 and have the following configurations.

$ cat /etc/ntp.conf
server myserver.domain.com autokey
crypto pw myclientpass
crypto randfile /dev/urandom
keysdir /etc/ntp

$ ls /etc/ntp
ntpkey_cert_myclient -> ntpkey_RSA-MD5cert_myclient.3445412414
ntpkey_host_myclient -> ntpkey_RSAkey_myclient.3445412414
ntpkey_iff_myclient -> ntpkey_host_myclient

It was able to transmit the request, though, and receive a response from the server, but I'm not sure if it is really using the IFF scheme.
How can I accurately verify this?

As for the flag, I checked the defines and bit 0x0020 should have been set during loading of key files, right?

In http://support.ntp.org/bin/view/Support/ConfiguringAutokey 6.7.2, there is a note, "Trusted ntp servers which also operate as clients of other ntp servers may need to Install Group/Client Keys." If I have a client-only setup, then I don't need to install the group keys?

What is really the purpose of the group keys? If the group keys are optional, what is the downside if they are not installed?
