[ntp:questions] NTP 4.2.8 :"Autokey" problem faced with IFF scheme for client/server pair: Request your inputs
Sowmya Manapragada
skoganty at gmail.com
Mon Sep 21 13:29:58 UTC 2015
Hi All,
I have tried this approach:
> "I recommend cranking the interval at which the keys are refreshed to under 20 minutes' time",
but still see this issue where Autokey still does not work.
Can somebody please help me in identifying what's going wrong here?
*****************************************
--------------------------------------------------------------
server:
start ntp service on server :
everything works fine on the server: rv 0 = c618 (sync_ntp) (perfectly synced
with its time source)
-------------------------------------------------------
Problem is with the client (output given below): the client keeps rejecting the server
and never syncs with its server peer.
ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167   e011   yes    no   ok    reject    mobilize    1
ntpq> rv 4167 flags
flags=0x85301
ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rootdelay=205.750, rootdisp=236.755, refid=132.186.221.175,
reftime=d9741e71.e9570d9c Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
------------------------------------------------------------------------------
cryptostats output I see on the client machine:
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------
thanks a lot,
Shyam
******************************************
On Wed, Aug 12, 2015 at 7:32 AM, Harlan Stenn <stenn at ntp.org> wrote:
Autokey is being deprecated. It was good at what it did 20 years ago,
but it is no longer usefully secure.
Why do you want to use it?
If you have good reason to use it, I recommend cranking the interval
at which the keys are refreshed to under 20 minutes' time.
--
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!
From: Sowmya Manapragada <skoganty at gmail.com>
Date: Tue, Aug 11, 2015 at 11:49 PM
Subject: NTP 4.2.8 :"Autokey" problem faced with IFF scheme for
client/server pair: Request your inputs
To: questions at lists.ntp.org
Hi All,
Request your help/suggestions on the problem below that I am facing; I am
relatively new to NTP and request your inputs.
Problem:
I am trying to configure an NTP server/client pair to use the IFF identity
scheme.
I followed the directions precisely that were on the following NTP page:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey
Both machines are running Windows 7 / NTP version 4.2.8p2.
The problem is that the client never syncs with the server and always rejects it
(authentication: OK, condition: reject, reach: 0).
Please see details below
*************************************************
server machine:>
*************************************************
<server5672N -ntp.conf>
restrict default kod nomodify notrap noquery
# Authentication
statsdir "D:\ntp\stats\"
statistics cryptostats
filegen cryptostats file cryptostats type none enable
server BLRK05A iburst #timesource
crypto ident iff
crypto pw spassword
keysdir "D:\ntp\keys\"
****************************************************
server-step-1)
#Generate the IFF parameters
D:\ntp\keys> ntp-keygen -T -I -p spassword
server-step-2)
#Export the IFF Group Key
D:\ntp\keys> ntp-keygen -e -p spassword
# output on the console
Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
Using host server5672N group server5672N
Using host key ntpkey_host_server5672N
Using host key as sign key
Using IFF keys ntpkey_iffkey_server5672N
Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
MIG0AgEAMIGpBgcqhkjOOAQBMIGdAkEA20WQMdLTHJlm0aPwiPieUdP4dhodm0w
z/ceXzabezyx7odMqJA9GwrPyk1UFkelnmLkeYLZpC8Om0KvDzc5jwIVAPTGF3I0
q5BUZq4ynXezdUaVxjdbAkEAg751a+5ClAQQBrUICA7+gAu4idG6FHPBX64B5Scy
mx6kkaTyzAZsv5F2E23AetDBI7OIf6WFeCO3yxbMpQ97PQQDAgEB
-----END PRIVATE KEY-----
Generating new certificate server5672N RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N.3648303779 failed: Cannot create a file when that file already exists.
RSA-MD5cert: Unknown error
Generating new cert file and link
ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779
# end output
server-step-3)
Copied the IFF key text (from above, starting with "# ntpkey_iffpar_server5672N.3648303779"
through "-----END PRIVATE KEY-----") and pasted it into an editor (Notepad).
Named this file ntpkey_iffpar_server5672N.3648303779.
Copied this file onto the client machine into the keys dir and created a
symlink (i.e. on the client machine: D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648303779)
**********************************************************
clientmachine:>
**********************************************************
<client-ntp.conf>
restrict default kod nomodify notrap nopeer noquery
crypto ident iff
crypto pw spassword
server server5672N autokey iburst #prefer to connect to this source
************************************************************
//client
------------------------------------------------------------
client-step-1) D:\ntp\keys> ntp-keygen -H -p cpassword
// Obtain the IFF group key exported above (on the server machine), copy the key
// file to the keysdir, and create the standard symlink
client-step-2)D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648213639
****************************************************************
Results:>
--------------------------------------------------------------
server:
start ntp service on server :
everything works fine on the server: rv 0 = c618 (sync_ntp) (perfectly synced
with its time source)
-------------------------------------------------------
Problem is with the client (output given below): the client keeps rejecting the server
and never syncs with its server peer.
ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167   e011   yes    no   ok    reject    mobilize    1
ntpq> rv 4167 flags
flags=0x85301
ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rootdelay=205.750, rootdisp=236.755, refid=132.186.221.175,
reftime=d9741e71.e9570d9c Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
------------------------------------------------------------------------------
cryptostats output I see on the client machine:
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------
thanks a lot,
Shyam
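The ntpq output quoted in this thread (status=e011, flash=1080, reach=000) and the cryptostats records already contain the diagnosis, but the hex words are hard to read by eye. The following is an added example, written for this thread and not part of NTP or of the original posts: it decodes the peer status word and the flash word using the bit layouts from the ntpq "Event Messages and Status Words" documentation, parses the cryptostats lines (MJD, seconds after midnight, peer address, trailing message; the fourth and sixth fields are not interpreted here), and summarises what they say about the association. The sample strings are copied from the thread; the function and variable names are the example's own.

```python
"""Decode ntpq peer status/flash words and scan cryptostats for Autokey failures.

Added example for this thread (not NTP project code). Bit layouts follow the
ntpq decode.html documentation; the sample data below is copied from the
thread's ntpq and cryptostats output.
"""
import re
from datetime import date, timedelta

# Peer status word (16 bits): 5 status flags | 3-bit select code |
# 4-bit event counter | 4-bit last event code.
PEER_STATUS_FLAGS = [(0x10, "conf"), (0x08, "authenb"), (0x04, "auth"),
                     (0x02, "reach"), (0x01, "bcst")]
SELECT_CODES = ["sel_reject", "sel_falsetick", "sel_excess", "sel_outlier",
                "sel_candidate", "sel_backup", "sel_sys.peer", "sel_pps.peer"]
PEER_EVENTS = ["unspecified", "mobilize", "demobilize", "unreachable",
               "reachable", "restart", "no_reply", "rate_exceeded",
               "access_denied", "leap_armed", "sys_peer", "clock_event",
               "bad_auth", "popcorn", "interleave_mode", "interleave_error"]
# Flash status word: one bit per failed packet/peer sanity test (TEST1..TEST13).
FLASH_BITS = [(0x0001, "pkt_dup"), (0x0002, "pkt_bogus"), (0x0004, "pkt_unsync"),
              (0x0008, "pkt_denied"), (0x0010, "pkt_auth"), (0x0020, "pkt_stratum"),
              (0x0040, "pkt_header"), (0x0080, "pkt_autokey"), (0x0100, "pkt_crypto"),
              (0x0200, "peer_stratum"), (0x0400, "peer_dist"), (0x0800, "peer_loop"),
              (0x1000, "peer_unreach")]

# Sample input copied from the thread (client side).
RV_SAMPLE = """associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
"""
CRYPTOSTATS_SAMPLE = [
    "57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified",
    "57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified",
]


def decode_peer_status(word):
    """Split a 16-bit peer status word such as 0xe011 into its four fields."""
    return {
        "status": [n for bit, n in PEER_STATUS_FLAGS if (word >> 11) & bit],
        "select": SELECT_CODES[(word >> 8) & 0x7],
        "count": (word >> 4) & 0xF,
        "event": PEER_EVENTS[word & 0xF],
    }


def decode_flash(word):
    """Name every sanity test that is currently failing for the peer."""
    return [n for bit, n in FLASH_BITS if word & bit]


def parse_rv(text):
    """Collect key=value pairs from 'ntpq rv' output (first token of each value)."""
    return {k: v.strip('"') for k, v in re.findall(r"(\w+)=([^\s,]+)", text)}


def parse_cryptostats(lines):
    """cryptostats record: MJD, seconds after midnight, peer address, ..., message."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 4:
            continue  # skip blank or truncated lines
        out.append({"date": date(1858, 11, 17) + timedelta(days=int(f[0])),
                    "seconds": float(f[1]), "peer": f[2], "message": f[-1]})
    return out


def diagnose(rv_text, cryptostats_lines):
    """Combine the rv fields and cryptostats messages into plain-language findings."""
    rv = parse_rv(rv_text)
    status = decode_peer_status(int(rv["status"], 16))
    flash = decode_flash(int(rv["flash"], 16))
    findings = []
    if "auth" in status["status"] and rv.get("reach") == "000":
        findings.append("peer is flagged authentic but reach=000: no recent packet "
                        "passed all sanity checks, so it is never selected")
    if "pkt_autokey" in flash:
        findings.append("TEST8 (pkt_autokey) failing: Autokey protocol error on "
                        "packets from this server")
    msgs = {r["message"] for r in parse_cryptostats(cryptostats_lines)}
    if "signature_not_verified" in msgs:
        findings.append("cryptostats: the server's Autokey signature does not "
                        "verify with the key material present on this client")
    return {"status": status, "flash": flash, "findings": findings}


if __name__ == "__main__":
    for k, v in diagnose(RV_SAMPLE, CRYPTOSTATS_SAMPLE).items():
        print(k, v)
```

On the thread's data this reports status = conf, authenb, auth / sel_reject / 1 event / mobilize, flash = pkt_autokey, peer_unreach, and all three findings; the useful point for a defender is that `auth` in the status word only says the association is authenticated, while `flash` and `cryptostats` are where a failing Autokey exchange (here, a signature that does not verify) actually shows up, so those are the fields to monitor.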