[ntp:questions] crypto_ident: no compatable identity scheme found

Dave Hart hart at ntp.org
Mon Mar 26 03:41:44 UTC 2012

On Fri, Mar 23, 2012 at 18:35,  <scherniak at stny.rr.com> wrote:
> [root at HMC1MCP7-/etc/ntp]ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMCLXRF3
> [root at HMC1MCP7-/etc/ntp]ln -s ntpkey_host_HMC1MCP7 ntpkey_iff_HMC1MCP7

4.2.4 crypto_ident() tries to retrieve the IFF group key from filename
ntpkey_iff_ISSUER first (which I think would be ntpkey_iff_HMCLXRF3
here), and if that fails, it falls back on ntpkey_iff_HOSTNAME (which
would be ntpkey_iff_HMC1MCP7 here).  Given that you saw behavior
change to TC when you removed the client link ntpkey_iff_HMC1MCP7, and
that ntpkey_IFFkey_HMCLXRF3.3541500807 actually contains the IFF group
key encrypted using the client password, I suggest you try on the

ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMC1MCP7

and see if that allows it to authenticate the server.  It would be
better if the ntpkey_iff_ISSUER name worked, of course.

As you can see, configuring Autokey is intricate and troubleshooting
can be tedious.  The good news is in 4.2.6 and later there's been some
simplification so that in more cases the client configuration is the
same across potentially many clients.  The bad news is it's not
backwards compatible with 4.2.4, so we need a new HOWTO-type document
for 4.2.6-and-later Autokey configuration.

Good luck,
Dave Hart

More information about the questions mailing list