[ntp:questions] autokey IFF client setup

David Mills mills at udel.edu
Fri May 8 23:46:34 UTC 2009


Apparently, you are following advice from something other than the 
online/development documentation, but I can only speak for the latter. 
I reread the authentication options and ntp-keygen pages looking for 
possibly misleading directions and believe the prose is correct. The 
colorful example on the options page is definitive, if overkill. It may 
be easier to describe the process than to give a bunch of detailed instructions.

1. TH: The ident option of the crypto command is the name of the group 
and the name used for the host certificate. The default is the DNS name 
of the host.
2. Others: The host option of the crypto command is the name used for 
the host certificate. The default is the DNS name of the host.
3. All hosts must have host public/private encryption keys, optional 
sign keys and a matching certificate.
4. The TH generates IFF server keys, which happen to contain client 
parameters as well. These must be securely transmitted to other hosts 
that have dependent clients, but not to the clients themselves.
5. The TH extracts client parameters from the server keys and posts them in a 
public place. The clients are responsible for retrieving, installing 
and renaming them.

All the above, except the actual transmission, is done by ntp-keygen.

The ident option of the crypto command is not strictly necessary, as the 
name of the group is found from the TH certificate at the end of the 
certificate trail when the client parameters file is loaded. The bits 
you found in the status word are set during the setup phase as the 
server key files are or are not found, so the client should not see 
those bits.

When debugging things like this, it is good practice to use the 
cryptostats and protostats monitoring files. They show the blow-by-blow 
progress of the state machine and especially what errors might be found. 
In extreme cases the debug trace shows evidence of every packet sent and 
received and every crypto extension field transmitted and received.


Victor Jesus Angus wrote:

>NTP client was not able to detect the IFF config files because the crypto_flags in crypto_setup() shows the following line
>crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption
>I'm using 4.2.5p158 and have the following configurations.
>$ cat /etc/ntp.conf
>server myserver.domain.com autokey
>crypto pw myclientpass
>crypto randfile /dev/urandom
>keysdir /etc/ntp
>$ ls /etc/ntp
>ntpkey_cert_myclient -> ntpkey_RSA-MD5cert_myclient.3445412414
>ntpkey_host_myclient -> ntpkey_RSAkey_myclient.3445412414
>ntpkey_iff_myclient -> ntpkey_host_myclient
>It was able to transmit the request though and receive a response from the server but not sure if it is really using the IFF scheme. 
>How to accurately verify this? 
>As for the flag, I checked the defines and bit 0x0020 should have been set during loading of key files, right?
>In http://support.ntp.org/bin/view/Support/ConfiguringAutokey 6.7.2, there is a note, "Trusted ntp servers which also operate as clients of other ntp servers may need to Install Group/Client Keys." If I have a client only setup, then I don't need to install the group keys?
>What is really the purpose of the group keys? If the group keys are optional, what are the downside if it is not installed?
>questions mailing list
>questions at lists.ntp.org
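A small client-side sanity check, added here as an example and not part of the original message or of the NTP distribution: the quoted listing has ntpkey_iff_myclient pointing at ntpkey_host_myclient, i.e. the IFF link resolves to the host's RSA key rather than to a file of IFF parameters produced by ntp-keygen. The function below flags that layout and accepts a link whose target is an ntpkey_IFF* file. The link name ntpkey_iff_<name> is taken from the quoted listing and the ntpkey_IFF* prefix from ntp-keygen's file-naming convention; both are assumptions that may differ between ntpd versions, so adjust the patterns to match the naming your ntp-keygen actually produces.

```shell
#!/bin/sh
# check_iff_link KEYSDIR NAME
# Report whether the Autokey IFF parameter link for NAME in KEYSDIR points
# at an IFF parameter file rather than at the host key. Exit status 0 when
# the link looks right, 1 otherwise; the reason is printed on stdout.
# Assumed naming (from the quoted listing and ntp-keygen conventions):
#   link:      ntpkey_iff_<name>
#   host key:  ntpkey_host_<name>
#   IFF file:  ntpkey_IFF*_<group>.<filestamp>
check_iff_link() {
    keysdir=$1
    name=$2
    link="$keysdir/ntpkey_iff_$name"
    hostkey="$keysdir/ntpkey_host_$name"

    # A dangling or absent link means there are no IFF parameters to load.
    if [ ! -e "$link" ]; then
        echo "MISSING: $link does not exist or is dangling"
        return 1
    fi

    # -ef follows symlinks, so this catches the listing above, where the
    # IFF link is chained through ntpkey_host_<name> to the RSA host key.
    if [ -e "$hostkey" ] && [ "$link" -ef "$hostkey" ]; then
        echo "WRONG: $link resolves to the host key $hostkey, not to IFF parameters"
        return 1
    fi

    # Otherwise judge by the name of the immediate target (or the file itself
    # if it is not a symlink at all).
    target=$(readlink "$link" || basename "$link")
    case $(basename "$target") in
        ntpkey_IFF*)
            echo "OK: $link -> $target"
            return 0 ;;
        *)
            echo "WRONG: $link -> $target is not an ntpkey_IFF* parameter file"
            return 1 ;;
    esac
}

# Usage: check_iff_link /etc/ntp myclient
```

Run it against the keysdir named in ntp.conf; a WRONG result means the link must be re-pointed at the client parameter file retrieved from the TH before ntpd's crypto setup will find IFF parameters.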

More information about the questions mailing list