[ntp:questions] autokey IFF client setup

Steve Kostecke kostecke at ntp.org
Mon May 11 17:23:07 UTC 2009

Victor Jesus Angus said:

>I'm using 4.2.5p158 and have the following configurations.

You should be using the "Official NTP Documentation" linked from
http://www.ntp.org/documentation.html as your guide.

>It was able to transmit the request though and receive a response from the
>server but not sure if it is really using the IFF scheme.
>How to accurately verify this? 

See the "Monitoring Authentication Status" section at:


>As for the flag, I checked the defines and bit 0x0020 should have been
>set during loading of key files, right?

There are a number of places where you can see the flags.

>In http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Please note that this topic applies to the current NTP Stable release
and has not yet been updated to reflect the changes in Autokey
configuration for NTP Dev.

> 6.7.2, there is a note, "Trusted ntp servers which also operate as
>clients of other ntp servers may need to Install Group/Client
>Keys." If I have a client only set up, then I don't need to install the
>group keys?

They're the same thing.

>What is really the purpose of the group keys?

What some people call "group keys" and other people call "client keys"
are the server's "Identity Scheme Parameters". The members of a trust
group have one portion of the server's parameters (i.e. the server's
public key) and the server has the other portion (i.e. its private key).

The Identity Scheme Parameters allow the server to authenticate itself
to the Trust Group Members.

>If the group keys are optional, what are the downside if it is not

If you want to use the IFF, GQ, or MV Identity Schemes the clients have
to have the appropriate parameters. Otherwise you're just using the TC
or PC scheme.

Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke
