[ntp:questions] Can't get PKI authentication to work

Terry.Lemons at dell.com Terry.Lemons at dell.com
Thu Dec 19 19:04:44 UTC 2019


Hi

I'm trying to enable an NTP client and NTP server in my environment to work using NTP PKI authentication.

In the /usr/local/etc directory/folder, I've run 'ntp-keygen -S RSA -c RSA-SHA256 -m 2048' on both my NTP client system and my NTP server system; this created the expected certificate and private key pairs:

lava93141:~ #  ls -l /usr/local/etc/
total 24
-rw-r----- 1 root root 1098 Dec 12 14:47 ntpkey_RSA-SHA256cert_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAhost_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAsign_lava93141.3785176056
lrwxrwxrwx 1 root root   42 Dec 12 14:47 ntpkey_cert_lava93141 -> ntpkey_RSA-SHA256cert_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_host_lava93141 -> ntpkey_RSAhost_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_sign_lava93141 -> ntpkey_RSAsign_lava93141.3785176056
lava93141:~ #



On my NTP client, I'm using these parameters in /etc/ntp.conf:
#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
keysdir /usr/local/etc
server lava93101.dev.local autokey
crypto

On my NTP server (lava93101.dev.local), I'm using these parameters in /etc/ntp.conf:

#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
server minnie.lss.emc.com iburst
keysdir /usr/local/etc
crypto

When I start ntpd on both ntp client and ntp server, there are no errors reported in /var/log/messages or in /var/log/ntp related to the crypto stuff. When I start ntpd with the '-D2' option, I don't see anything that looks like an obvious error.

But I'm seeing these problems:

1. 'ntpq -p' forever shows a refid of .INIT.:

lava93141:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lava93101.dev.l .INIT.          16 u   16   64    0    0.000    0.000   0.000
lava93141:~ #

2. If I use 'date' to set the time on my ntp client to five minutes in the past, the system time is never corrected. If I edit /etc/ntp.conf on my ntp client, comment out the authentication stuff, and restart ntpd, the system time is corrected within seconds of ntpd restarting. This leads me to conclude that ntp is non-functional on my client, at least in its role of maintaining the system time.

I've searched the ntp documentation, but don't see what I've done wrong, and I don't see a way to debug this.

I'm using ntp-4.2.8p13-85.1.x86_64 on SLES 12 SP4.

Thanks for any help!

Terry Lemons
Dell EMC
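The post above ends with "I don't see a way to debug this". As an added example, not part of the original message and not code from the ntp project, the POSIX shell script below performs the two checks a practitioner would run first on a setup like this: whether the keysdir actually holds the `ntpkey_host_<host>` and `ntpkey_cert_<host>` files ntpd opens when `crypto` is enabled, under the host name the daemon will use (by default what gethostname() returns), with the 0640 mode ntp-keygen gives them; and whether a saved `ntpq -p` billboard shows peers stuck at reach 0 / stratum 16 / refid `.INIT.`. The function names, the `demohost` and `*.example.net` names, the 192.0.2.x refids and the billboard lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for an ntpd
# Autokey setup. It assumes the keysdir layout ntp-keygen produces
# (ntpkey_host_<host> and ntpkey_cert_<host> symlinks to timestamped files,
# mode 0640) and the column layout of the `ntpq -p` billboard. All paths,
# host names and billboard lines in the demo at the bottom are constructed.

# check_autokey_keysdir DIR HOST
# With `crypto` enabled, ntpd opens DIR/ntpkey_host_HOST (private host key)
# and DIR/ntpkey_cert_HOST (certificate), HOST being the daemon's own host
# name (by default what gethostname() returns). Prints every problem found
# and returns 0 only when there is none.
check_autokey_keysdir() {
    dir=$1
    host=$2
    rc=0
    for kind in host cert; do
        f="$dir/ntpkey_${kind}_${host}"
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "missing $f (hostname mismatch, or keys generated elsewhere?)"
            rc=1
            continue
        fi
        if [ ! -f "$f" ]; then
            echo "$f is not a regular file (dangling symlink or directory?)"
            rc=1
            continue
        fi
        # -L follows the symlink so the target's mode is tested, not the link's
        if [ -n "$(find -L "$f" -perm -004 -print 2>/dev/null)" ]; then
            echo "$f is world-readable; ntp-keygen writes it as mode 0640"
            rc=1
        fi
    done
    return $rc
}

# check_ntpq_peers FILE
# Scans a saved `ntpq -p` billboard for peers ntpd cannot use: reach 0 (no
# response has ever been accepted), stratum 16, or refid .INIT. (the
# association never left its initial state). Prints one line per such peer.
check_ntpq_peers() {
    awk 'NR > 2 {
        # column 1 is the tally code (space, *, +, -, x, ., #, o); drop it
        # before splitting instead of guessing whether it was a space
        n = split(substr($0, 2), f)
        if (n < 10) next
        remote = f[1]; refid = f[2]; st = f[3]; reach = f[7]
        if (reach == "0" || st == "16" || refid == ".INIT.")
            print remote " refid=" refid " stratum=" st " reach=" reach
    }' "$1"
}

# --- demo on constructed data ------------------------------------------
demo() {
    work=$(mktemp -d)
    mkdir "$work/keys"
    for name in RSAhost RSA-SHA256cert; do
        : > "$work/keys/ntpkey_${name}_demohost.3785176056"
        chmod 640 "$work/keys/ntpkey_${name}_demohost.3785176056"
    done
    ln -s ntpkey_RSAhost_demohost.3785176056 "$work/keys/ntpkey_host_demohost"
    ln -s ntpkey_RSA-SHA256cert_demohost.3785176056 "$work/keys/ntpkey_cert_demohost"

    cat > "$work/ntpq-p.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 a.example.net   .INIT.          16 u   16   64    0    0.000    0.000   0.000
*b.example.net   192.0.2.1        2 u   23   64  377    0.412   -0.105   0.031
EOF

    check_autokey_keysdir "$work/keys" demohost && echo "keysdir OK for demohost"
    # a daemon whose gethostname() says otherhost would look for other files
    check_autokey_keysdir "$work/keys" otherhost || echo "(expected failure above)"
    check_ntpq_peers "$work/ntpq-p.txt"
    rm -rf "$work"
}
demo
```

On a real host run the checks under the name ntpd will use, for example `check_autokey_keysdir /usr/local/etc "$(hostname)"` and `ntpq -p > /tmp/bb && check_ntpq_peers /tmp/bb`. They only cover the file layout and the billboard; they say nothing about the certificate trail between client and server, which has to be inspected separately.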