[ntp:questions] autokey IFF client setup

Victor Jesus Angus shurvic at yahoo.com
Fri May 8 10:40:48 UTC 2009


After further reading of Authentication Options and stime.pdf, is it safe to say that, given the setup below and using the Schnorr/IFF scheme,

1. the group name is not needed on the clients?
2. there's no need to send any server files/keys to the client and IFF will still work as designed?

Again, how else do you know that the scheme is working other than being able to receive the time?

                server
                ------
                  |
           +------+-----+-----+
        client1   |  client3  |
               client2    client4

Thanks.

Victor

--- On Thu, 5/7/09, Victor Jesus Angus <shurvic at yahoo.com> wrote:

> From: Victor Jesus Angus <shurvic at yahoo.com>
> Subject: [ntp:questions] autokey IFF client setup
> To: questions at lists.ntp.org
> Date: Thursday, May 7, 2009, 12:08 PM
> 
> NTP client was not able to detect the IFF config files
> because the crypto_flags in crypto_setup() shows the
> following line
> 
> crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption
> 
> I'm using 4.2.5p158 and have the following configurations.
> 
> $ cat /etc/ntp.conf
> server myserver.domain.com autokey
> crypto pw myclientpass
> crypto randfile /dev/urandom
> keysdir /etc/ntp
> 
> $ ls /etc/ntp
> ntpkey_cert_myclient -> ntpkey_RSA-MD5cert_myclient.3445412414
> ntpkey_host_myclient -> ntpkey_RSAkey_myclient.3445412414
> ntpkey_iff_myclient -> ntpkey_host_myclient
> ntpkey_iffkey_myserver
> ntpkey_RSAkey_myclient.3445412394
> ntpkey_RSAkey_myclient.3445412414
> ntpkey_RSA-MD5cert_myclient.3445412394
> ntpkey_RSA-MD5cert_myclient.3445412414
> 
> It was able to transmit the request, though, and receive a
> response from the server, but I am not sure if it is really using
> the IFF scheme.
> How can I accurately verify this?
> 
> As for the flag, I checked the defines and bit 0x0020
> should have been set during loading of key files, right?
> In http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> 6.7.2, there is a note, "Trusted ntp servers which also
> operate as clients of other ntp servers may need to 6.7.3.4.
> Install Group/Client Keys." If I have a client-only setup,
> then I don't need to install the group keys?
> What is really the purpose of the group keys? If the group
> keys are optional, what is the downside if they are not
> installed?
> 
> Thanks.
> 
> Victor
> 