[ntp:questions] autokey IFF client setup
Victor Jesus Angus
shurvic at yahoo.com
Fri May 8 10:40:48 UTC 2009
After further reading of Authentication Options and stime.pdf, is it safe to say that, given the setup below and using the Schnorr/IFF scheme,
1. the group name is not needed on the clients?
2. there's no need to send any server files/keys to the client and still IFF will work as designed?
Again, how else do you know that the scheme is working other than being able to receive the time?
client1 | client3 |
--- On Thu, 5/7/09, Victor Jesus Angus <shurvic at yahoo.com> wrote:
> From: Victor Jesus Angus <shurvic at yahoo.com>
> Subject: [ntp:questions] autokey IFF client setup
> To: questions at lists.ntp.org
> Date: Thursday, May 7, 2009, 12:08 PM
> NTP client was not able to detect the IFF config files
> because the crypto_flags in crypto_setup() shows the
> following line
> crypto_setup: setup 0x80001 host myclient
> I'm using 4.2.5p158 and have the following configurations.
> $ cat /etc/ntp.conf
> server myserver.domain.com autokey
> crypto pw myclientpass
> crypto randfile /dev/urandom
> keysdir /etc/ntp
> $ ls /etc/ntp
> ntpkey_cert_myclient ->
> ntpkey_host_myclient ->
> ntpkey_iff_myclient -> ntpkey_host_myclient
> It was able to transmit the request though and receive a
> response from the server but not sure if it is really using
> the IFF scheme.
> How to accurately verify this?
> As for the flag, I checked the defines and bit 0x0020
> should have been set during loading of key files, right?
> In http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> 6.7.2, there is a note, "Trusted ntp servers which also
> operate as clients of other ntp servers may need to 22.214.171.124.
> Install Group/Client Keys." If I have a client only setup,
> then I don't need to install the group keys?
> What is really the purpose of the group keys? If the group
> keys are optional, what are the downsides if it is not
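An added example, not part of the original thread or of the ntp source: a small C decoder for the status word that crypto_setup prints, applied to the 0x80001 line quoted above. The post gives only the IFF bit (0x0020); the other bit values and the digest NID in the upper 16 bits are assumptions taken from ntp's include/ntp_crypto.h and should be checked against the 4.2.5p158 tree, and the 0x80021 line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Identity-scheme bits. Only 0x0020 (IFF) is quoted in the post; the
 * others are assumed from ntp's include/ntp_crypto.h. */
#define CRYPTO_FLAG_PRIV 0x0010u /* PC identity scheme */
#define CRYPTO_FLAG_IFF  0x0020u /* IFF identity scheme */
#define CRYPTO_FLAG_GQ   0x0040u /* GQ identity scheme */
#define CRYPTO_FLAG_MV   0x0080u /* MV identity scheme */
#define CRYPTO_FLAG_MASK 0x00f0u /* all identity-scheme bits */

/* Extract the hex status word from a "crypto_setup: setup 0x... host ..."
 * debug line. Returns 0 on success, -1 if the line does not match. */
int parse_setup_line(const char *line, unsigned int *flags)
{
    const char *p = strstr(line, "crypto_setup: setup ");
    if (p == NULL)
        return -1;
    return sscanf(p, "crypto_setup: setup %x", flags) == 1 ? 0 : -1;
}

/* Assumption: the upper 16 bits carry the signature digest NID. */
unsigned int digest_nid(unsigned int f) { return f >> 16; }

/* Name the identity scheme whose bit is set in the status word. */
const char *scheme_name(unsigned int f)
{
    switch (f & CRYPTO_FLAG_MASK) {
    case 0:                return "none";
    case CRYPTO_FLAG_PRIV: return "PC";
    case CRYPTO_FLAG_IFF:  return "IFF";
    case CRYPTO_FLAG_GQ:   return "GQ";
    case CRYPTO_FLAG_MV:   return "MV";
    default:               return "multiple";
    }
}

int main(void)
{
    /* First line is from the post; the second is constructed. */
    const char *l[] = { "crypto_setup: setup 0x80001 host myclient",
                        "crypto_setup: setup 0x80021 host myclient" };
    unsigned int f, i;
    for (i = 0; i < 2; i++)
        if (parse_setup_line(l[i], &f) == 0)
            printf("0x%x: identity=%s nid=%u\n", f, scheme_name(f), digest_nid(f));
    return 0;
}
```

For the 0x80001 line from the post it reports no identity-scheme bit set, which is the missing 0x0020 bit the poster describes.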