[ntp:questions] NTP 4.2.8 :"Autokey" problem faced with IFF scheme for client/server pair: Request your inputs

Sowmya Manapragada skoganty at gmail.com
Mon Sep 21 13:29:58 UTC 2015


Hi All,


I have tried this approach:
"I recommend cranking the interval at which the keys are refreshed to under
20 minutes' time",
but I still see this issue where autokey does not work.

Can somebody please help me identify what's going wrong here?


*****************************************


--------------------------------------------------------------

server:

start ntp service on server:

everything works fine on the server: rv 0 = c618 (sync_ntp), perfectly in sync
with its timesource.

-------------------------------------------------------

problem is with client:> o/p given below -- client keeps rejecting the server
and never syncs with its server peer.

ntpq> ass

ind assid status conf reach auth condition last_event cnt
===========================================================
1 4167 e011 yes no ok reject mobilize 1

ntpq> rv 4167 flags
flags=0x85301

ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rootdelay=205.750, rootdisp=236.755, refid=132.186.221.175,
reftime=d9741e71.e9570d9c Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"

------------------------------------------------------------------------------

cryptostats o/p I see on the client machine:

57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified

----------------------------------------------------------



thanks a lot,

Shyam








******************************************

On Wed, Aug 12, 2015 at 7:32 AM, Harlan Stenn <stenn at ntp.org> wrote:


Autokey is being deprecated.  It was good at what it did 20 years ago,
but it is no longer usefully secure.

Why do you want to use it?

If you have good reason to use it, I recommend cranking the interval
at which the keys are refreshed to under 20 minutes' time.

--
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org  - be a member!






From: Sowmya Manapragada <skoganty at gmail.com>
Date: Tue, Aug 11, 2015 at 11:49 PM
Subject: NTP 4.2.8 :"Autokey" problem faced with IFF scheme for
client/server pair: Request your inputs
To: questions at lists.ntp.org






Hi All,

Request your help/suggestions on the problem below that I am facing; I am
relatively new to NTP and request your inputs.

Problem:

I am trying to configure an ntp server/client pair to use the IFF identity
scheme.

I followed precisely the directions on the following ntp page:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Both machines run Windows 7 / NTP version 4.2.8p2.

The problem is that the client never syncs with the server and always rejects
it (authentication: OK, condition: reject, reach: 0).

Please see details below

*************************************************

server machine:>

*************************************************

<server5672N -ntp.conf>

restrict default kod nomodify notrap noquery

# Authentication
statsdir "D:\ntp\stats\"
statistics cryptostats
filegen cryptostats file cryptostats type none enable

server BLRK05A iburst #timesource

crypto ident iff
crypto pw spassword
keysdir "D:\ntp\keys\"

****************************************************

server-step-1)

#Generate the IFF parameters
D:\ntp\keys> ntp-keygen -T -I -p spassword

server-step-2)

#Export the IFF Group Key
D:\ntp\keys> ntp-keygen -e -p spassword

#o/p on the console

Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
Using host server5672N group server5672N
Using host key ntpkey_host_server5672N
Using host key as sign key
Using IFF keys ntpkey_iffkey_server5672N
Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
MIG0AgEAMIGpBgcqhkjOOAQBMIGdAkEA20WQMdLTHJlm0aPwiPieUdP4dhodm0w
z/ceXzabezyx7odMqJA9GwrPyk1UFkelnmLkeYLZpC8Om0KvDzc5jwIVAPTGF3I0
q5BUZq4ynXezdUaVxjdbAkEAg751a+5ClAQQBrUICA7+gAu4idG6FHPBX64B5Scy
mx6kkaTyzAZsv5F2E23AetDBI7OIf6WFeCO3yxbMpQ97PQQDAgEB
-----END PRIVATE KEY-----
Generating new certificate server5672N RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N.3648303779 failed: Cannot create a file when that file already exists.
RSA-MD5cert: Unknown error
Generating new cert file and link
ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779

#end o/p

server-step-3)

Copied the IFF key text (from above, starting with
# ntpkey_iffpar_server5672N.3648303779 through -----END PRIVATE KEY-----) and
pasted it into an editor (notepad).

Named this file ntpkey_iffpar_server5672N.3648303779.

Copied this file onto the client machine into the keys dir and created a
symlink (i.e. on the client machine: D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648303779)

**********************************************************

clientmachine:>

**********************************************************

<client-ntp.conf>

restrict default kod nomodify notrap nopeer noquery
crypto ident iff
crypto pw spassword
server server5672N autokey iburst  #prefer to connect to this source

************************************************************

//client

------------------------------------------------------------

client-step-1) D:\ntp\keys> ntp-keygen -H -p cpassword

//Obtain the IFF group key exported above (on the server machine), copy the key
file to the keysdir, and create the standard symlink

client-step-2) D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648213639



thanks a lot,

Shyam
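A small checker, added here and not part of the thread or of ntp's own tooling, for what server-step-3 and client-step-2 leave behind on the client: it follows the ntpkey_iffpar_<group> link, confirms the target exists and carries a filestamp suffix, and confirms the file's first header line and PEM markers survived the copy-and-paste. Note that client-step-2 above links to filestamp 3648213639 while the server exported 3648303779; the second scenario in run_scenario reproduces exactly that case. The directory layout is assumed from the steps above and the key body is a constructed placeholder.

```python
import os
import re
import tempfile

# Assumed layout (not from the thread): keysdir holds the exported parameter
# file "ntpkey_iffpar_<group>.<filestamp>" and a link "ntpkey_iffpar_<group>"
# pointing at it, which is what the ntp-keygen/mklink steps above create.
NAME_RE = re.compile(r"^ntpkey_iffpar_(?P<group>[^.]+)\.(?P<stamp>\d+)$")
PEM_MARKERS = ("-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----")

def check_iffpar_link(keysdir, group):
    """Return a list of problems with the client's IFF group-key link ([] = ok)."""
    link = os.path.join(keysdir, "ntpkey_iffpar_" + group)
    if not os.path.lexists(link):
        return ["link %s is missing" % link]
    if not os.path.islink(link):
        return ["%s is a plain file, not a link to the filestamped export" % link]
    target = os.readlink(link)
    target_path = os.path.join(keysdir, target)
    if not os.path.exists(target_path):
        return ["link points at %s, which does not exist" % target]
    m = NAME_RE.match(os.path.basename(target))
    if not m or m.group("group") != group:
        return ["target %s is not named ntpkey_iffpar_%s.<filestamp>" % (target, group)]
    with open(target_path) as f:
        lines = [ln.rstrip("\r\n") for ln in f]
    problems = []
    # 'ntp-keygen -e' writes the file name, filestamp included, as the first line.
    expected = "# ntpkey_iffpar_%s.%s" % (group, m.group("stamp"))
    if not lines or lines[0] != expected:
        problems.append("header %r does not match filename (expected %r)"
                        % (lines[0] if lines else "", expected))
    if not all(marker in lines for marker in PEM_MARKERS):
        problems.append("BEGIN/END PRIVATE KEY markers missing (truncated paste?)")
    return problems

def make_sample_keysdir(root, group, file_stamp, link_stamp, header_stamp):
    # Constructed sample file with a placeholder PEM body, not a real key.
    with open(os.path.join(root, "ntpkey_iffpar_%s.%s" % (group, file_stamp)), "w") as f:
        f.write("# ntpkey_iffpar_%s.%s\n# constructed sample\n%s\nAAAA\n%s\n"
                % (group, header_stamp, PEM_MARKERS[0], PEM_MARKERS[1]))
    os.symlink("ntpkey_iffpar_%s.%s" % (group, link_stamp),
               os.path.join(root, "ntpkey_iffpar_" + group))

def run_scenario(file_stamp, link_stamp, header_stamp=None, group="server5672N"):
    """Build a throwaway keysdir for one scenario and return the problems found."""
    root = tempfile.mkdtemp()
    make_sample_keysdir(root, group, file_stamp, link_stamp, header_stamp or file_stamp)
    return check_iffpar_link(root, group)
```

run_scenario("3648303779", "3648303779") returns an empty list, while run_scenario("3648303779", "3648213639") reports that the link points at a file that does not exist.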

