[ntp:questions] How to verify Autokey Identity Schemes?

Joe Smithian joe.smithian at gmail.com
Fri Dec 16 14:36:36 UTC 2011


Hi Steve,

I am posting my questions again in text format. I hope you can read it this time.

Thank you for your comments. I tried the ntpq -c "rv assID flags" command;
it shows the Identity Scheme that the server supports regardless of what
identity scheme has been installed on the client.
Here are the results of my experiments:

Server Identity scheme | ntpq -c "rv assID flags"
-----------------------|-------------------------
IFF                    | 0x417f21
GQ                     | 0x417f41
IFF and GQ             | 0x417f61

"rv assID flags" returns the same value whether I install IFF
parameters, GQ parameters, or none on the client. So my question
again is: how can I verify that the IFF or GQ schemes are actually
working?

Association flag shows auth is 'ok' whether I install an Identity
Scheme on the client or not, so it's not an indication that IFF or GQ
is actually being used.

BTW, I found two problems in this document:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey

In sections 6.7.2.5 and 6.7.3.6:
    ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`

The '-q' option for updating keys doesn't work, '-p' works; is this
a typo in the document?

[root at myserver]# ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
Using OpenSSL version 90802f
Using host myserver group myserver
Corrupt file ntpkey_host_myserver or wrong key myserver
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Regards

On Thu, Dec 15, 2011 at 10:18 AM, Joe Smithian <joe.smithian at gmail.com> wrote:
>
> Hi Steve,
>
> Thank you for your comments. I tried the ntpq -c "rv assID flags" command; it shows the
> Identity Scheme that the server supports regardless of what identity scheme has been installed on the client.
> Here are the results of my experiments:
>
> Server Identity scheme | ntpq -c "rv assID flags"
> -----------------------|-------------------------
> IFF                    | 0x417f21
> GQ                     | 0x417f41
> IFF and GQ             | 0x417f61
>
> "rv assID flags" returns the same value whether I install IFF parameters, GQ parameters, or none on the client. So my question again is: how can I verify that the IFF or GQ schemes are actually working?
>
> Association flag shows auth is 'ok' whether I install an Identity Scheme on the client or not, so it's not an indication that IFF or GQ is actually being used.
>
> BTW, I found two problems in this document: http://support.ntp.org/bin/view/Support/ConfiguringAutokey
>
> In sections 6.7.2.5 and 6.7.3.6:
>     ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
>
> The '-q' option for updating keys doesn't work, '-p' works; is this a typo in the document?
>
> [root at myserver]# ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
> Using OpenSSL version 90802f
> Using host myserver group myserver
> Corrupt file ntpkey_host_myserver or wrong key myserver
> error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>
> Regards
>
> Joe
>
>
>
> On Tue, Dec 13, 2011 at 10:55 AM, Steve Kostecke <kostecke at ntp.org> wrote:
>>
>> On 2011-12-12, Joe Smithian <joe.smithian at gmail.com> wrote:
>>
>> > I have configured my NTP server and client to use Autokey with IFF
>> > Identity scheme and it's working, client synchronizes to my servers.
>> > It synchronizes with and without copying the IFF parameter to the
>> > client. So I'm wondering if IFF identity scheme is actually being
>> > used; How can I verify that?
>>
>> By checking the association flags.
>>
>> Please see
>> http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.4.
>>
>> --
>> Steve Kostecke <kostecke at ntp.org>
>> NTP Public Services Project - http://support.ntp.org/
>>
>
>
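
Added example (not part of the thread or of the NTP documentation): a decoder for the flag words in the table above. The bit names and the meaning of the upper 16 bits are assumed from ntp_crypto.h as shipped with ntpd 4.2.6; check them against the header of the installed version.

```python
# Added example. Bit layout is an assumption taken from ntp_crypto.h
# (ntpd 4.2.6 naming); it is not defined anywhere in this thread.
IDENTITY = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
VERIFIED = {
    0x0100: "CERT (public key verified)",
    0x0200: "VRFY (identity verified)",
    0x0400: "PROV (signature verified)",
    0x0800: "COOK (cookie verified)",
    0x1000: "AUTO (autokey values verified)",
    0x2000: "SIGN (certificate signed)",
    0x4000: "LEAP (leapseconds table verified)",
}


def decode_flags(word):
    """Split a flags word from ntpq -c "rv assID flags" into its fields."""
    if isinstance(word, str):
        word = int(word, 16)  # accepts "0x417f21" or "417f21"
    return {
        "nid": word >> 16,  # assumed: OpenSSL NID of the signature scheme
        "enabled": bool(word & 0x0001),
        "identity": [name for bit, name in IDENTITY.items() if word & bit],
        "verified": [name.split()[0] for bit, name in VERIFIED.items()
                     if word & bit],
        "missing": [name for bit, name in VERIFIED.items()
                    if not word & bit],
    }


def differing_bits(a, b):
    """Return the low-16 flag bits that differ between two flag words."""
    return (a ^ b) & 0xFFFF


# The three values posted in the table above.
SAMPLES = {"IFF": 0x417F21, "GQ": 0x417F41, "IFF and GQ": 0x417F61}

if __name__ == "__main__":
    for label, word in SAMPLES.items():
        d = decode_flags(word)
        print(f"{label:11} {word:#x} nid={d['nid']} "
              f"identity={d['identity']} verified={d['verified']}")
        for name in d["missing"]:
            print(f"{'':11} not set: {name}")
    print("IFF vs GQ differ in bits:",
          hex(differing_bits(SAMPLES["IFF"], SAMPLES["GQ"])))
```

Under that layout the three posted values differ only in the 0x20 and 0x40 identity bits, and all three carry the full 0x7f00 verification mask.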

