[ntp:questions] crypto_ident: no compatible identity scheme found
scherniak at stny.rr.com
Fri Mar 23 18:35:34 UTC 2012
I am trying to configure an ntp server/client pair to use the IFF identity scheme. I followed the directions precisely that were on the following ntp page: http://support.ntp.org/bin/view/Support/ConfiguringAutokeyFourTwoFour . Both machines are running the identical level of Linux code. The ntp version is 4.2.4p8. When the client tries to connect to the server, it is failing with flags 0x80121/0x80021. Getting flash pkt_autokey, peer_dist, and peer_unfit. In the log file I am getting "crypto_ident: not compatible identity scheme found". There has got to be something wrong with my setup, my NTP build, or something is not quite right with the instructions. Listed below are the commands issued on the server and client side, with their results. Also, in the last section, I removed the client side ntpkeys_iff_<client> link, and restarted ntp and that communication is successful without the iff flag being set, which I am assuming is the Trusted Certificate identity scheme. Thanks in advance for your help.
Steve
<<<<<server side processing>>>>>
[root@HMCLXRF3-/etc/ntp]cat ../ntp.conf
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst
crypto pw servpswd
keysdir /etc/ntp
logfile /var/log/ntp
trustedkey 5
[root@HMCLXRF3-/etc/ntp]ntp-keygen -T -I -p servpswd
Using OpenSSL version 10000003
Generating IFF parameters (512 bits)...
IFF 0 479 543 1 49 148 2 1 2 3 1 2
Generating IFF keys (512 bits)...
Confirm g^(q - b) g^b = 1 mod p: yes
Confirm g^k = g^(k + b r) g^(q - b) r: yes
Generating new iff file and link
ntpkey_iff_HMCLXRF3->ntpkey_IFFpar_HMCLXRF3.3541500807
Generating RSA keys (512 bits)...
RSA 0 22 576 1 11 172 3 1 4
Generating new host file and link
ntpkey_host_HMCLXRF3->ntpkey_RSAkey_HMCLXRF3.3541500807
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Generating new cert file and link
ntpkey_cert_HMCLXRF3->ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
[root@HMCLXRF3-/etc/ntp]ntp-keygen -e -q servpswd -p clntpswd >ntpkey_IFFkey_HMCLXRF3.3541500807
Using OpenSSL version 10000003
Using IFF parameters ntpkey_IFFpar_HMCLXRF3.3541500807
Writing new IFF key ntpkey_IFFkey_HMCLXRF3.3541500807
[root@HMCLXRF3-/etc/ntp]ls -l
total 28
drwxr-x--- 2 root ntp 4096 Mar 23 10:10 crypto
-rw-r----- 1 root ntp 10 Mar 22 19:53 keys
-rw-r----- 1 root root 483 Mar 23 10:17 ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r----- 1 root root 515 Mar 23 10:13 ntpkey_IFFpar_HMCLXRF3.3541500807
-rw-r----- 1 root root 582 Mar 23 10:13 ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
-rw-r----- 1 root root 710 Mar 23 10:13 ntpkey_RSAkey_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root 38 Mar 23 10:13 ntpkey_cert_HMCLXRF3 -> ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root 33 Mar 23 10:13 ntpkey_host_HMCLXRF3 -> ntpkey_RSAkey_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root 33 Mar 23 10:13 ntpkey_iff_HMCLXRF3 -> ntpkey_IFFpar_HMCLXRF3.3541500807
-rw-r--r-- 1 root root 52 Feb 8 16:12 step-tickers
[root@HMCLXRF3-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
[root@HMCLXRF3-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
tick.tadatv.com 10.0.22.51 2 u 11 64 1 103.017 0.440 1.440
*voxl-nyc-15.ser 209.51.161.238 2 u 10 64 1 26.758 0.590 1.758
ponderosa.piney 64.90.182.55 2 u 9 64 1 26.741 3.280 0.388
ntp.sunflower.c 128.206.12.130 3 u 8 64 1 81.966 66.388 1.604
[root@HMCLXRF3-/etc/ntp]ntpq -c rv
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Wed Feb 8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=00,
stratum=3, precision=-21, rootdelay=26.319, rootdispersion=38.270,
peer=5469, refid=72.26.198.233,
reftime=d3170849.0b455754 Fri, Mar 23 2012 10:33:45.044, poll=6,
clock=d317086e.9f00b76e Fri, Mar 23 2012 10:34:22.621, state=4,
offset=1.227, frequency=94.157, jitter=2.353, noise=0.361,
stability=0.024, hostname="HMCLXRF3", signature="md5WithRSAEncryption",
flags=0x80021, update=201203231432, ident="ntpkey_iff_HMCLXRF3", tai=0,
cert="HMCLXRF3 HMCLXRF3 0x1", expire=201303231413
<<<<<Client side processing>>>>>
[root@HMC1MCP7-/etc/ntp]cat ../ntp.conf
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
crypto pw clntpswd
keysdir /etc/ntp
logfile /var/log/ntp
server HMCLXRF3.endicott.ibm.com autokey iburst
server 9.60.15.224 key 5 iburst
trustedkey 5
[root@HMC1MCP7-/etc/ntp]ls
crypto keys ntpkey_IFFkey_HMCLXRF3.3541500807 step-tickers
[root@HMC1MCP7-/etc/ntp]ntp-keygen -H -p clntpswd
Using OpenSSL version 10000003
Generating RSA keys (512 bits)...
RSA 0 11 16 1 11 24 3 1 2
Generating new host file and link
ntpkey_host_HMC1MCP7->ntpkey_RSAkey_HMC1MCP7.3541501696
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_HMC1MCP7->ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
[root@HMC1MCP7-/etc/ntp]ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMCLXRF3
[root@HMC1MCP7-/etc/ntp]ln -s ntpkey_host_HMC1MCP7 ntpkey_iff_HMC1MCP7
[root@HMC1MCP7-/etc/ntp]ls -l
total 24
drwxr-x--- 2 root ntp 4096 Mar 6 18:30 crypto
-rw-r----- 1 root ntp 10 Mar 23 09:57 keys
-rw-r----- 1 root root 483 Mar 23 10:21 ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r----- 1 root root 549 Mar 23 10:28 ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
-rw-r----- 1 root root 710 Mar 23 10:28 ntpkey_RSAkey_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root 38 Mar 23 10:28 ntpkey_cert_HMC1MCP7 -> ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root 33 Mar 23 10:28 ntpkey_host_HMC1MCP7 -> ntpkey_RSAkey_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root 20 Mar 23 10:30 ntpkey_iff_HMC1MCP7 -> ntpkey_host_HMC1MCP7
lrwxrwxrwx 1 root root 33 Mar 23 10:29 ntpkey_iff_HMCLXRF3 -> ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r--r-- 1 root root 52 Feb 8 16:12 step-tickers
[root@HMC1MCP7-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd: [FAILED]
Starting ntpd: [ OK ]
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico .STEP. 16 u 156 64 0 0.000 0.000 0.000
9.60.15.224 .STEP. 16 u 861 64 0 0.000 0.000 0.000
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico 72.26.198.233 3 u 3 64 0 0.000 0.000 0.000
9.60.15.224 9.56.192.96 2 u 3 64 1 0.239 0.424 0.000
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico 72.26.198.233 3 u 18 64 0 0.000 0.000 0.000
9.60.15.224 9.56.192.96 2 u 18 64 1 0.239 0.424 0.000
[root@HMC1MCP7-/etc/ntp]ntpq -c as
ind assID status conf reach auth condition last_event cnt
===========================================================
1 49841 e000 yes yes ok reject
2 49842 f024 yes yes ok reject reachable 2
[root@HMC1MCP7-/etc/ntp]ntpq -c rv
assID=0 status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset,
version="ntpd 4.2.4p8@1.1612-o Wed Feb 8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=11,
stratum=16, precision=-21, rootdelay=0.000, rootdispersion=0.630,
peer=0, refid=STEP,
reftime=00000000.00000000 Thu, Feb 7 2036 1:28:16.000, poll=4,
clock=d317090f.cd61a74f Fri, Mar 23 2012 10:37:03.802, state=4,
offset=0.000, frequency=-51.008, jitter=0.150, noise=0.000,
stability=0.000, hostname="HMC1MCP7", signature="md5WithRSAEncryption",
flags=0x80021, update=203602070628, ident="ntpkey_iff_HMC1MCP7", tai=0,
cert="HMCLXRF3 HMCLXRF3 0x7", expire=201303231413,
cert="HMC1MCP7 HMC1MCP7 0x2", expire=201303231428
[root@HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.306,
rootdispersion=40.161, refid=72.26.198.233, reach=000, unreach=2,
hmode=3, pmode=4, hpoll=6, ppoll=6,
flash=1480 pkt_autokey, peer_dist, peer_unfit, keyid=2414430830, ttl=0,
offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=d3170849.0b455754 Fri, Mar 23 2012 10:33:45.044,
org=d31708ed.062f6524 Fri, Mar 23 2012 10:36:29.024,
rec=d31708ed.06268f05 Fri, Mar 23 2012 10:36:29.024,
xmt=d31708ed.06110dc2 Fri, Mar 23 2012 10:36:29.023,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80021,
trust="HMCLXRF3"
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico 72.26.198.233 3 u 46 64 0 0.000 0.000 0.000
9.60.15.224 9.56.192.96 2 u 49 64 3 0.238 3.783 3.360
[root@HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.306,
rootdispersion=41.153, refid=72.26.198.233, reach=000, unreach=3,
hmode=3, pmode=4, hpoll=6, ppoll=6,
flash=1480 pkt_autokey, peer_dist, peer_unfit, keyid=1363541228, ttl=0,
offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=d3170849.0b455754 Fri, Mar 23 2012 10:33:45.044,
org=d317092f.05f6bbca Fri, Mar 23 2012 10:37:35.023,
rec=d317092f.0507e864 Fri, Mar 23 2012 10:37:35.019,
xmt=d317092f.04e93a6c Fri, Mar 23 2012 10:37:35.019,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80121,
trust="HMCLXRF3"
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico .AUTH. 16 u 311 64 0 0.000 0.000 0.000
9.60.15.224 9.56.192.96 2 u 21 64 7 0.238 3.783 3.358
[root@HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=11, stratum=16, precision=-21, rootdelay=26.306,
rootdispersion=41.153, refid=AUTH, reach=000, unreach=4, hmode=3,
pmode=4, hpoll=6, ppoll=10, flash=1400 peer_dist, peer_unfit,
keyid=344130701, ttl=0, offset=0.000, delay=0.000, dispersion=16000.000,
jitter=0.000, reftime=d3170849.0b455754 Fri, Mar 23 2012 10:33:45.044,
org=00000000.00000000 Thu, Feb 7 2036 1:28:16.000,
rec=00000000.00000000 Thu, Feb 7 2036 1:28:16.000,
xmt=00000000.00000000 Thu, Feb 7 2036 1:28:16.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
<<<<<Client with removal of host link, presumably using TC identity scheme successfully>>>>>
[root@HMC1MCP7-/etc/ntp]rm ntpkey_iff_HMC1MCP7
[root@HMC1MCP7-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
[root@HMC1MCP7-/etc/ntp]ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
HMCLXRF3.endico 72.26.198.233 3 u 1 64 1 0.192 4.927 1.193
*9.60.15.224 9.56.192.96 2 u 2 64 1 0.237 4.158 4.091
[root@HMC1MCP7-/etc/ntp]ntpq -c as
ind assID status conf reach auth condition last_event cnt
===========================================================
1 15109 f014 yes yes ok reject reachable 1
2 15110 f614 yes yes ok sys.peer reachable 1
[root@HMC1MCP7-/etc/ntp]# ntpq -c "rv 15109"
[root@HMC1MCP7-/etc/ntp]ntpq -c rv
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8@1.1612-o Wed Feb 8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=00,
stratum=3, precision=-21, rootdelay=20.760, rootdispersion=974.844,
peer=15110, refid=9.60.15.224,
reftime=d3170c35.c13cfb94 Fri, Mar 23 2012 10:50:29.754, poll=6,
clock=d3170c5f.cc9c2621 Fri, Mar 23 2012 10:51:11.799, state=4,
offset=4.158, frequency=-51.008, jitter=5.281, noise=1.470,
stability=0.000, hostname="HMC1MCP7", signature="md5WithRSAEncryption",
flags=0x80001, update=201203231450, tai=0, cert="HMCLXRF3 HMCLXRF3 0x7",
expire=201303231413, cert="HMC1MCP7 HMC1MCP7 0x2", expire=201303231428
[root@HMC1MCP7-/etc/ntp]ntpq -c "rv 15109"
assID=15109 status=f014 reach, conf, auth, 1 event, event_reach,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.474,
rootdispersion=59.830, refid=66.228.35.252, reach=003, unreach=0,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=65476236,
ttl=0, offset=5.001, delay=0.190, dispersion=0.787, jitter=1.156,
reftime=d3170bcc.1af1b75e Fri, Mar 23 2012 10:48:44.105,
org=d3170c70.c2fcce3f Fri, Mar 23 2012 10:51:28.761,
rec=d3170c70.c138146a Fri, Mar 23 2012 10:51:28.754,
xmt=d3170c70.c1252d0d Fri, Mar 23 2012 10:51:28.754,
filtdelay= 0.20 0.19 0.19 0.19 0.20 0.19 0.19 0.28,
filtoffset= 7.01 5.08 5.00 4.93 4.85 4.78 5.44 7.25,
filtdisp= 0.00 0.75 0.78 0.81 0.84 0.87 0.90 0.93,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x83f01,
trust="HMCLXRF3"
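
Added example, not part of the original post: a small decoder for the flags= word in the ntpq rv billboards above, so the failing association (0x80121) can be compared bit by bit with the working one (0x83f01). The bit names are an assumption taken from the ntp 4.2.4-series ntp_crypto.h layout as recalled here (later releases renumber them); the function names are hypothetical.

```python
import re

# Assumed bit layout (ntp 4.2.4 series, ntp_crypto.h); not taken from the post.
# The upper 16 bits carry the OpenSSL NID of the signature scheme; on this page
# the value 8 always appears next to signature="md5WithRSAEncryption".
SCHEMES = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
PROGRESS = {0x0100: "VALID", 0x0200: "VRFY", 0x0400: "PROV",
            0x0800: "AGREE", 0x1000: "AUTO", 0x2000: "SIGN", 0x4000: "LEAP"}


def decode_flags(value):
    """Split an Autokey status word into NID, identity schemes and progress bits."""
    return {
        "nid": value >> 16,
        "enabled": bool(value & 0x0001),
        "schemes": [name for bit, name in SCHEMES.items() if value & bit],
        "progress": [name for bit, name in PROGRESS.items() if value & bit],
    }


def flags_from_rv(text):
    """Decode every flags=0x... word found in `ntpq -c rv` output."""
    words = re.findall(r"\bflags=0x([0-9a-fA-F]+)", text)
    return [decode_flags(int(word, 16)) for word in words]


def stalled(decoded):
    """For a peer association: a scheme is advertised but identity (VRFY) is unproven.

    Host-level words (assID=0) carry no progress bits, so only apply this to peers.
    """
    return bool(decoded["schemes"]) and "VRFY" not in decoded["progress"]


# Constructed sample: the two peer-association flags lines copied from the post
# (IFF link present, then IFF link removed).
SAMPLE = '''\
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80121,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x83f01,
'''

if __name__ == "__main__":
    for decoded in flags_from_rv(SAMPLE):
        print(decoded, "-> stalled" if stalled(decoded) else "-> completed or no scheme")
```

Under that layout, 0x80121 shows the IFF bit with only the first verification step recorded, while 0x83f01 shows no identity-scheme bit and every step through SIGN completed.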