[ntp:questions] Can't get PKI authentication to work

Terry.Lemons at dell.com
Fri Dec 20 18:27:40 UTC 2019


Hi Steven

Thanks for sharing this URL. This is an interesting read. But my need is to make authentication work with standard Linux ntpd, and I didn’t see anything in this article (which focuses on NTPsec) that helps me.

Thanks
tl

From: Steven Sommars <stevesommarsntp at gmail.com>
Sent: Thursday, December 19, 2019 5:58 PM
To: Lemons, Terry
Subject: Re: [ntp:questions] Can't get PKI authentication to work

There is a nice ntpsec article on https://blog.webernetz.net/setting-up-nts-secured-ntp-with-ntpsec/ that may be useful.

On Thu, Dec 19, 2019 at 1:05 PM <Terry.Lemons at dell.com> wrote:
Hi

I'm trying to enable an NTP client and NTP server in my environment to work using NTP PKI authentication.

In the /usr/local/etc directory/folder, I've run 'ntp-keygen -S RSA -c RSA-SHA256 -m 2048' on both my NTP client system and my NTP server system; this created the expected certificate and private key pairs:

lava93141:~ #  ls -l /usr/local/etc/
total 24
-rw-r----- 1 root root 1098 Dec 12 14:47 ntpkey_RSA-SHA256cert_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAhost_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAsign_lava93141.3785176056
lrwxrwxrwx 1 root root   42 Dec 12 14:47 ntpkey_cert_lava93141 -> ntpkey_RSA-SHA256cert_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_host_lava93141 -> ntpkey_RSAhost_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_sign_lava93141 -> ntpkey_RSAsign_lava93141.3785176056
lava93141:~ #

On my NTP client, I'm using these parameters in /etc/ntp.conf:
#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
keysdir /usr/local/etc
server lava93101.dev.local autokey
crypto

On my NTP server (lava93101.dev.local), I'm using these parameters in /etc/ntp.conf:

#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
server minnie.lss.emc.com iburst
keysdir /usr/local/etc
crypto

When I start ntpd on both ntp client and ntp server, there are no errors reported in /var/log/messages or in /var/log/ntp related to the crypto stuff. When I start ntpd with the '-D2' option, I don't see anything that looks like an obvious error.

But I'm seeing these problems:

1. 'ntpq -p' forever shows a refid of .INIT.:

lava93141:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lava93101.dev.l .INIT.          16 u   16   64    0    0.000    0.000   0.000
lava93141:~ #

2. If I use 'date' to set the time on my ntp client to five minutes in the past, the system time is never corrected. If I edit /etc/ntp.conf on my ntp client, comment out the authentication stuff, and restart ntpd, the system time is corrected within seconds of ntpd restarting. This leads me to conclude that ntp is non-functional on my client, at least in its role of maintaining the system time.

I've searched the ntp documentation, but don't see what I've done wrong, and I don't see a way to debug this.

I'm using ntp-4.2.8p13-85.1.x86_64 on SLES 12 SP4.

Thanks for any help!

Terry Lemons
Dell EMC
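An added self-check for the Autokey setup described in the quoted post (example code, not from the thread and not the NTP project's own): it verifies that the keysdir symlinks ntpd looks up by host name resolve, that the keysdir and crypto directives in ntp.conf are live rather than commented out, and flags peers that sit at .INIT. with reach 0 in ntpq -p output. It assumes the file names ntp-keygen produced above and the column layout of ntpq -p.

```shell
#!/bin/sh
# Added self-check for an ntpd Autokey (PKI) setup like the one in the
# post; not from the NTP project. Assumes the file layout produced by
# ntp-keygen (ntpkey_host_<name> / ntpkey_cert_<name> symlinks in keysdir)
# and the column layout of 'ntpq -p'.

# check_keysdir DIR NAME: ntpd loads its host key and certificate from
# DIR/ntpkey_host_NAME and DIR/ntpkey_cert_NAME, where NAME is the host
# name (the crypto directive can override it). A name mismatch or a
# dangling symlink leaves ntpd without usable Autokey credentials.
check_keysdir() {
    dir=$1; name=$2; rc=0
    for kind in host cert; do
        link="$dir/ntpkey_${kind}_${name}"
        if [ ! -L "$link" ]; then
            echo "missing $link (wrong keysdir or host name?)"; rc=1
        elif [ ! -r "$link" ]; then
            echo "$link -> $(readlink "$link") is dangling or unreadable"; rc=1
        fi
    done
    return $rc
}

# check_conf FILE: 'keysdir' and 'crypto' must be present and uncommented;
# a client additionally needs 'autokey' on its server line.
check_conf() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*keysdir[[:space:]]+' "$f" || { echo "$f: no keysdir"; rc=1; }
    grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' "$f" || { echo "$f: no crypto"; rc=1; }
    return $rc
}

# stuck_peers: read 'ntpq -p' output on stdin and print peers that never
# got an accepted response (refid .INIT., reach 0), the symptom in the
# post. The tally code in column 1 is stripped when it is attached.
stuck_peers() {
    awk 'NR > 2 && $2 == ".INIT." && $7 == 0 {
        r = $1; t = substr($0, 1, 1)
        if (t != " " && index("x.-+#*o", t)) r = substr(r, 2)
        print r
    }'
}

# Run all three checks on this host: sh check_autokey.sh --run [ntp.conf] [keysdir]
if [ "${1:-}" = "--run" ]; then
    check_conf "${2:-/etc/ntp.conf}"
    check_keysdir "${3:-/usr/local/etc}" "$(hostname)"
    ntpq -p | stuck_peers
fi
```

Run it on both the client and the server; the host name passed to check_keysdir must be the one ntpd uses, which is why a host whose name differs from what ntp-keygen embedded in the file names fails the first check.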
_______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions
