[ntp:questions] crypto_ident: no compatible identity scheme found

scherniak at stny.rr.com scherniak at stny.rr.com
Fri Mar 23 18:35:34 UTC 2012


I am trying to configure an ntp server/client pair to use the IFF identity scheme. I precisely followed the directions on the following ntp page: http://support.ntp.org/bin/view/Support/ConfiguringAutokeyFourTwoFour . Both machines are running the identical level of Linux code. The ntp version is 4.2.4p8. When the client tries to connect to the server, it is failing with flags 0x80121/0x80021. I am getting flash pkt_autokey, peer_dist, and peer_unfit. In the log file I am getting "crypto_ident: not compatible identity scheme found". There has got to be something wrong with my setup, my NTP build, or something is not quite right with the instructions. Listed below are the commands issued on the server and client side, with their results. Also, in the last section, I removed the client side ntpkeys_iff_<client> link and restarted ntp, and that communication is successful without the iff flag being set, which I am assuming is the Trusted Certificate identity scheme. Thanks in advance for your help.

Steve


<<<<<server side processing>>>>>

[root at HMCLXRF3-/etc/ntp]cat ../ntp.conf
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst
crypto pw servpswd
keysdir /etc/ntp
logfile /var/log/ntp
trustedkey 5
[root at HMCLXRF3-/etc/ntp]ntp-keygen -T -I -p servpswd
Using OpenSSL version 10000003
Generating IFF parameters (512 bits)...
IFF 0 479 543   1 49 148        2 1 2           3 1 2
Generating IFF keys (512 bits)...
Confirm g^(q - b) g^b = 1 mod p: yes
Confirm g^k = g^(k + b r) g^(q - b) r: yes
Generating new iff file and link
ntpkey_iff_HMCLXRF3->ntpkey_IFFpar_HMCLXRF3.3541500807
Generating RSA keys (512 bits)...
RSA 0 22 576    1 11 172                        3 1 4
Generating new host file and link
ntpkey_host_HMCLXRF3->ntpkey_RSAkey_HMCLXRF3.3541500807
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Generating new cert file and link
ntpkey_cert_HMCLXRF3->ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
[root at HMCLXRF3-/etc/ntp]ntp-keygen -e -q servpswd -p clntpswd >ntpkey_IFFkey_HMCLXRF3.3541500807
Using OpenSSL version 10000003
Using IFF parameters ntpkey_IFFpar_HMCLXRF3.3541500807
Writing new IFF key ntpkey_IFFkey_HMCLXRF3.3541500807
[root at HMCLXRF3-/etc/ntp]ls -l
total 28
drwxr-x--- 2 root ntp  4096 Mar 23 10:10 crypto
-rw-r----- 1 root ntp    10 Mar 22 19:53 keys
-rw-r----- 1 root root  483 Mar 23 10:17 ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r----- 1 root root  515 Mar 23 10:13 ntpkey_IFFpar_HMCLXRF3.3541500807
-rw-r----- 1 root root  582 Mar 23 10:13 ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
-rw-r----- 1 root root  710 Mar 23 10:13 ntpkey_RSAkey_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root   38 Mar 23 10:13 ntpkey_cert_HMCLXRF3 -> ntpkey_RSA-MD5cert_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root   33 Mar 23 10:13 ntpkey_host_HMCLXRF3 -> ntpkey_RSAkey_HMCLXRF3.3541500807
lrwxrwxrwx 1 root root   33 Mar 23 10:13 ntpkey_iff_HMCLXRF3 -> ntpkey_IFFpar_HMCLXRF3.3541500807
-rw-r--r-- 1 root root   52 Feb  8 16:12 step-tickers
[root at HMCLXRF3-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
[root at HMCLXRF3-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 tick.tadatv.com 10.0.22.51       2 u   11   64    1  103.017    0.440   1.440
*voxl-nyc-15.ser 209.51.161.238   2 u   10   64    1   26.758    0.590   1.758
 ponderosa.piney 64.90.182.55     2 u    9   64    1   26.741    3.280   0.388
 ntp.sunflower.c 128.206.12.130   3 u    8   64    1   81.966   66.388   1.604
[root at HMCLXRF3-/etc/ntp]ntpq -c rv
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8 at 1.1612-o Wed Feb  8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=00,
stratum=3, precision=-21, rootdelay=26.319, rootdispersion=38.270,
peer=5469, refid=72.26.198.233,
reftime=d3170849.0b455754  Fri, Mar 23 2012 10:33:45.044, poll=6,
clock=d317086e.9f00b76e  Fri, Mar 23 2012 10:34:22.621, state=4,
offset=1.227, frequency=94.157, jitter=2.353, noise=0.361,
stability=0.024, hostname="HMCLXRF3", signature="md5WithRSAEncryption",
flags=0x80021, update=201203231432, ident="ntpkey_iff_HMCLXRF3", tai=0,
cert="HMCLXRF3 HMCLXRF3 0x1", expire=201303231413

<<<<<Client side processing>>>>>

[root at HMC1MCP7-/etc/ntp]cat ../ntp.conf
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
crypto pw clntpswd
keysdir /etc/ntp
logfile /var/log/ntp
server HMCLXRF3.endicott.ibm.com autokey iburst
server 9.60.15.224 key 5 iburst
trustedkey 5
[root at HMC1MCP7-/etc/ntp]ls
crypto  keys  ntpkey_IFFkey_HMCLXRF3.3541500807  step-tickers
[root at HMC1MCP7-/etc/ntp]ntp-keygen -H -p clntpswd
Using OpenSSL version 10000003
Generating RSA keys (512 bits)...
RSA 0 11 16     1 11 24                         3 1 2
Generating new host file and link
ntpkey_host_HMC1MCP7->ntpkey_RSAkey_HMC1MCP7.3541501696
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_HMC1MCP7->ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
[root at HMC1MCP7-/etc/ntp]ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMCLXRF3
[root at HMC1MCP7-/etc/ntp]ln -s ntpkey_host_HMC1MCP7 ntpkey_iff_HMC1MCP7
[root at HMC1MCP7-/etc/ntp]ls -l
total 24
drwxr-x--- 2 root ntp  4096 Mar  6 18:30 crypto
-rw-r----- 1 root ntp    10 Mar 23 09:57 keys
-rw-r----- 1 root root  483 Mar 23 10:21 ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r----- 1 root root  549 Mar 23 10:28 ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
-rw-r----- 1 root root  710 Mar 23 10:28 ntpkey_RSAkey_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root   38 Mar 23 10:28 ntpkey_cert_HMC1MCP7 -> ntpkey_RSA-MD5cert_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root   33 Mar 23 10:28 ntpkey_host_HMC1MCP7 -> ntpkey_RSAkey_HMC1MCP7.3541501696
lrwxrwxrwx 1 root root   20 Mar 23 10:30 ntpkey_iff_HMC1MCP7 -> ntpkey_host_HMC1MCP7
lrwxrwxrwx 1 root root   33 Mar 23 10:29 ntpkey_iff_HMCLXRF3 -> ntpkey_IFFkey_HMCLXRF3.3541500807
-rw-r--r-- 1 root root   52 Feb  8 16:12 step-tickers
[root at HMC1MCP7-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd:                                        [FAILED]
Starting ntpd:                                             [  OK  ]
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico .STEP.          16 u  156   64    0    0.000    0.000   0.000
 9.60.15.224     .STEP.          16 u  861   64    0    0.000    0.000   0.000
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico 72.26.198.233    3 u    3   64    0    0.000    0.000   0.000
 9.60.15.224     9.56.192.96      2 u    3   64    1    0.239    0.424   0.000
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico 72.26.198.233    3 u   18   64    0    0.000    0.000   0.000
 9.60.15.224     9.56.192.96      2 u   18   64    1    0.239    0.424   0.000
[root at HMC1MCP7-/etc/ntp]ntpq -c as

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 49841  e000   yes   yes   ok     reject
  2 49842  f024   yes   yes   ok     reject   reachable  2
[root at HMC1MCP7-/etc/ntp]ntpq -c rv
assID=0 status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset,
version="ntpd 4.2.4p8 at 1.1612-o Wed Feb  8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=11,
stratum=16, precision=-21, rootdelay=0.000, rootdispersion=0.630,
peer=0, refid=STEP,
reftime=00000000.00000000  Thu, Feb  7 2036  1:28:16.000, poll=4,
clock=d317090f.cd61a74f  Fri, Mar 23 2012 10:37:03.802, state=4,
offset=0.000, frequency=-51.008, jitter=0.150, noise=0.000,
stability=0.000, hostname="HMC1MCP7", signature="md5WithRSAEncryption",
flags=0x80021, update=203602070628, ident="ntpkey_iff_HMC1MCP7", tai=0,
cert="HMCLXRF3 HMCLXRF3 0x7", expire=201303231413,
cert="HMC1MCP7 HMC1MCP7 0x2", expire=201303231428
[root at HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.306,
rootdispersion=40.161, refid=72.26.198.233, reach=000, unreach=2,
hmode=3, pmode=4, hpoll=6, ppoll=6,
flash=1480 pkt_autokey, peer_dist, peer_unfit, keyid=2414430830, ttl=0,
offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=d3170849.0b455754  Fri, Mar 23 2012 10:33:45.044,
org=d31708ed.062f6524  Fri, Mar 23 2012 10:36:29.024,
rec=d31708ed.06268f05  Fri, Mar 23 2012 10:36:29.024,
xmt=d31708ed.06110dc2  Fri, Mar 23 2012 10:36:29.023,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80021,
trust="HMCLXRF3"
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico 72.26.198.233    3 u   46   64    0    0.000    0.000   0.000
 9.60.15.224     9.56.192.96      2 u   49   64    3    0.238    3.783   3.360
[root at HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.306,
rootdispersion=41.153, refid=72.26.198.233, reach=000, unreach=3,
hmode=3, pmode=4, hpoll=6, ppoll=6,
flash=1480 pkt_autokey, peer_dist, peer_unfit, keyid=1363541228, ttl=0,
offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=d3170849.0b455754  Fri, Mar 23 2012 10:33:45.044,
org=d317092f.05f6bbca  Fri, Mar 23 2012 10:37:35.023,
rec=d317092f.0507e864  Fri, Mar 23 2012 10:37:35.019,
xmt=d317092f.04e93a6c  Fri, Mar 23 2012 10:37:35.019,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80121,
trust="HMCLXRF3"
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico .AUTH.          16 u  311   64    0    0.000    0.000   0.000
 9.60.15.224     9.56.192.96      2 u   21   64    7    0.238    3.783   3.358
[root at HMC1MCP7-/etc/ntp]ntpq -c "rv 49841"
assID=49841 status=e000 unreach, conf, auth, no events,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=11, stratum=16, precision=-21, rootdelay=26.306,
rootdispersion=41.153, refid=AUTH, reach=000, unreach=4, hmode=3,
pmode=4, hpoll=6, ppoll=10, flash=1400 peer_dist, peer_unfit,
keyid=344130701, ttl=0, offset=0.000, delay=0.000, dispersion=16000.000,
jitter=0.000, reftime=d3170849.0b455754  Fri, Mar 23 2012 10:33:45.044,
org=00000000.00000000  Thu, Feb  7 2036  1:28:16.000,
rec=00000000.00000000  Thu, Feb  7 2036  1:28:16.000,
xmt=00000000.00000000  Thu, Feb  7 2036  1:28:16.000,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

<<<<<Client with removal of host link, presumably using TC identity scheme successfully>>>>>

[root at HMC1MCP7-/etc/ntp]rm ntpkey_iff_HMC1MCP7
[root at HMC1MCP7-/etc/ntp]/sbin/service ntpd restart
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
[root at HMC1MCP7-/etc/ntp]ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 HMCLXRF3.endico 72.26.198.233    3 u    1   64    1    0.192    4.927   1.193
*9.60.15.224     9.56.192.96      2 u    2   64    1    0.237    4.158   4.091
[root at HMC1MCP7-/etc/ntp]ntpq -c as

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 15109  f014   yes   yes   ok     reject   reachable  1
  2 15110  f614   yes   yes   ok   sys.peer   reachable  1
[root at HMC1MCP7-/etc/ntp]# ntpq -c "rv 15109"
[root at HMC1MCP7-/etc/ntp]ntpq -c rv
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.4p8 at 1.1612-o Wed Feb  8 21:15:58 UTC 2012 (1)",
processor="i686", system="Linux/2.6.32-220.4.2.2.mcp7.2.i686", leap=00,
stratum=3, precision=-21, rootdelay=20.760, rootdispersion=974.844,
peer=15110, refid=9.60.15.224,
reftime=d3170c35.c13cfb94  Fri, Mar 23 2012 10:50:29.754, poll=6,
clock=d3170c5f.cc9c2621  Fri, Mar 23 2012 10:51:11.799, state=4,
offset=4.158, frequency=-51.008, jitter=5.281, noise=1.470,
stability=0.000, hostname="HMC1MCP7", signature="md5WithRSAEncryption",
flags=0x80001, update=201203231450, tai=0, cert="HMCLXRF3 HMCLXRF3 0x7",
expire=201303231413, cert="HMC1MCP7 HMC1MCP7 0x2", expire=201303231428
[root at HMC1MCP7-/etc/ntp]ntpq -c "rv 15109"
assID=15109 status=f014 reach, conf, auth, 1 event, event_reach,
srcadr=HMCLXRF3.endicott.ibm.com, srcport=123, dstadr=9.60.15.37,
dstport=123, leap=00, stratum=3, precision=-21, rootdelay=26.474,
rootdispersion=59.830, refid=66.228.35.252, reach=003, unreach=0,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=65476236,
ttl=0, offset=5.001, delay=0.190, dispersion=0.787, jitter=1.156,
reftime=d3170bcc.1af1b75e  Fri, Mar 23 2012 10:48:44.105,
org=d3170c70.c2fcce3f  Fri, Mar 23 2012 10:51:28.761,
rec=d3170c70.c138146a  Fri, Mar 23 2012 10:51:28.754,
xmt=d3170c70.c1252d0d  Fri, Mar 23 2012 10:51:28.754,
filtdelay=     0.20    0.19    0.19    0.19    0.20    0.19    0.19    0.28,
filtoffset=    7.01    5.08    5.00    4.93    4.85    4.78    5.44    7.25,
filtdisp=      0.00    0.75    0.78    0.81    0.84    0.87    0.90    0.93,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x83f01,
trust="HMCLXRF3"
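
Added example, not part of the original post: a small Python decoder for the Autokey `flags=` word that ntpq prints in the sessions above, showing which identity scheme bits and which verification steps each value reports. The bit names and the reading of the high 16 bits as the signature scheme NID are assumed from ntp_crypto.h in the ntp 4.2.x source and should be checked against the build in use.

```python
import re

# Bit assignments as recalled from ntp_crypto.h in the ntp 4.2.x tree
# (assumption: confirm against the header of the build in use).
SCHEMES = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
PROGRESS = {
    0x0100: "VALID (public key verified)",
    0x0200: "VRFY (identity verified)",
    0x0400: "PROV (signature verified)",
    0x0800: "AGREE (cookie verified)",
    0x1000: "AUTO (autokey values verified)",
    0x2000: "SIGN (certificate signed)",
    0x4000: "LEAP (leapseconds verified)",
}

def decode_flags(word):
    """Split an Autokey status word into its fields."""
    return {
        "nid": word >> 16,               # assumed: OpenSSL NID of the signature scheme
        "enabled": bool(word & 0x0001),  # crypto enabled
        "schemes": [n for b, n in SCHEMES.items() if word & b],
        "progress": [n.split()[0] for b, n in PROGRESS.items() if word & b],
    }

def flags_in(rv_text):
    """Return every flags= word found in ntpq 'rv' output, in order."""
    return [int(m, 16) for m in re.findall(r"\bflags=0x([0-9a-fA-F]+)", rv_text)]

# Excerpts of the ntpq output quoted in the post above.
SAMPLE = '''
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80021,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x80121,
hostname="HMCLXRF3", signature="md5WithRSAEncryption", flags=0x83f01,
'''

if __name__ == "__main__":
    for word in flags_in(SAMPLE):
        d = decode_flags(word)
        print(f"{word:#07x} nid={d['nid']} schemes={d['schemes']} "
              f"progress={d['progress']}")
```

Under these assumptions, 0x80121 reads as IFF requested with only the public key step completed, while 0x83f01 reads as no identity scheme bit set and every step through certificate signing completed.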
