[ntp:bugs] [Bug 1864] Autokey authentication causes core dump, ntpd crash
bugzilla-daemon at ntp.org
Tue Mar 29 02:08:13 UTC 2011
https://bugs.ntp.org/show_bug.cgi?id=1864
--- Comment #16 from Steve Kostecke <kostecke at ntp.org> 2011-03-29 02:08:12 UTC ---
(In reply to comment #6)
> The client setup is
>
> ntp-keygen -I -c rsA-sHA1 -p grouppasswd
>
> The server generates an IFF group password using:
>
> ntp-keygen -e -I -c RSA-SHA1 -p private-key -q group-key
I'm not sure how you came up with these invocations, but they don't work for
me. The resulting files are wrong (the cert is missing) and you don't use '-I'
on the client.

Here's what I did for a 4.2.6p2 server (i386) and a 4.1.7p142 client (amd64):

On the server:
# cd /etc/ntp
# rm *
# ntp-keygen -TI -c RSA-SHA1 -p server_password
# ntp-keygen -e -p server_password -q client_password
Then copied the exported key to the client

On the client:
# cd /etc/ntp
# rm *
# ntp-keygen -H -p client_key
copy the exported key from the server to /etc/ntp
# ln -s ntpkey_iffpar_server.nonce ntpkey_iffpar_server

Both nodes start up and run

Diagnostics:

On the server:
thing1:/etc/ntp# ntpq -c"rv 0 flags,cert"
flags=0x410021, cert="thing1 thing1 0x1", until=201203280151
thing1:/etc/ntp# ntpq -crv
associd=0 status=0614 leap_none, sync_ntp, 1 event, freq_mode,
version="ntpd 4.2.6p2 at 1.2194-o Sun Oct 17 13:45:13 UTC 2010 (1)",
processor="i686", system="Linux/2.6.32-5-686", leap=00, stratum=2,
precision=-21, rootdelay=0.748, rootdisp=26.826, refid=241.249.207.46,
reftime=d13bbc0e.e15fd5a3 Mon, Mar 28 2011 22:01:50.880,
clock=d13bbcaf.8afc64b8 Mon, Mar 28 2011 22:04:31.542, peer=3214, tc=6,
mintc=3, offset=21.951, frequency=5.401, sys_jitter=4.637,
clk_jitter=7.709, clk_wander=1.910, host="thing1", group="thing1",
flags=0x410021, digest="md5", signature="sha1WithRSAEncryption",
update=201103290156, cert="thing1 thing1 0x1", until=201203280151

On the client (for the association with the server):
stasis:/etc/ntp# ntpq -c"rv &2"
associd=11860 status=f03a conf, authenb, auth, reach, sel_reject, 3 events,
sys_peer,
srcadr=thing1.kostecke.net, srcport=123, dstadr=192.168.19.1,
dstport=123, leap=00, stratum=2, precision=-21, rootdelay=0.748,
rootdisp=25.391, refid=241.249.207.46,
reftime=d13bbc0e.e15fd5a3 Mon, Mar 28 2011 22:01:50.880,
rec=d13bbc50.dc2f21ef Mon, Mar 28 2011 22:02:56.860, reach=037,
unreach=0, hmode=3, pmode=4, hpoll=6 ppoll=6, headway=304,
flash=800 peer_loop, keyid=0x848baa05, offset=8.499, delay=0.202,
dispersion=0.931, jitter=20.534, xleave=0.061,
filtdelay= 0.20 0.20 3.31 0.22 0.17 0.17 0.18 1.67,
filtoffset= 8.50 14.21 8.47 -14.23 -15.73 -15.79 -15.86 -16.64,
filtdisp= 0.00 1.02 2.03 3.06 3.90 3.93 3.96 3.99,
host="thing1", flags=0x417f21, signature="sha1WithRSAEncryption"

The flags are documented at
http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.4.1.
(and in the source).
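An added example, not part of the comment above and not NTP project code: a small checker that reads the flags= word from `ntpq` rv output, such as the 0x410021 and 0x417f21 values shown in the diagnostics, and reports whether the client has verified the server's identity under the expected scheme. The bit names are an assumption taken from memory of ntp_crypto.h in the 4.2.6 source and should be confirmed against the source of the build being checked; the upper 16 bits are treated as the OpenSSL NID of the signature scheme.

```python
import re

# Bit names as recalled from ntp_crypto.h in the 4.2.6 source tree
# (assumption: confirm against the source of the ntpd build being checked).
HOST_BITS = {0x0001: "ENAB", 0x0002: "TAI"}
IDENT_BITS = {0x0010: "PRIV", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
PEER_BITS = {0x0100: "CERT", 0x0200: "VRFY", 0x0400: "PROV", 0x0800: "COOK",
             0x1000: "AUTO", 0x2000: "SIGN", 0x4000: "LEAP"}
KNOWN_MASK = 0x7FF3
FLAGS_RE = re.compile(r"\bflags=0x([0-9a-fA-F]+)")

def _names(table, low):
    return [name for bit, name in table.items() if low & bit]

def decode_flags(word):
    """Split an Autokey flags word into its fields."""
    low = word & 0xFFFF
    return {
        "nid": word >> 16,  # OpenSSL NID of the signature scheme
        "host": _names(HOST_BITS, low),
        "identity": _names(IDENT_BITS, low),
        "verified": _names(PEER_BITS, low),
        "pending": [n for b, n in PEER_BITS.items() if not low & b],
        "unknown": low & ~KNOWN_MASK,
    }

def check_association(rv_text, expect_identity="IFF"):
    """Return (decoded, problems) for the text of one `ntpq -c "rv &N"` reply."""
    m = FLAGS_RE.search(rv_text)
    if m is None:
        return None, ["no flags variable in the output"]
    d = decode_flags(int(m.group(1), 16))
    problems = []
    if "ENAB" not in d["host"]:
        problems.append("crypto not enabled")
    if d["identity"] != [expect_identity]:
        problems.append("identity scheme %s, expected %s" % (d["identity"], expect_identity))
    if "VRFY" not in d["verified"]:
        problems.append("server identity not verified")
    if d["unknown"]:
        problems.append("unrecognised bits 0x%04x" % d["unknown"])
    return d, problems

# Last line of the client output in the post, then a constructed reply in
# which only the certificate stage has completed and no identity scheme is set.
POST_CLIENT = 'host="thing1", flags=0x417f21, signature="sha1WithRSAEncryption"'
CONSTRUCTED_PARTIAL = 'host="thing1", flags=0x410101, signature="sha1WithRSAEncryption"'

if __name__ == "__main__":
    for text in (POST_CLIENT, CONSTRUCTED_PARTIAL):
        print(check_association(text))
```

An association that stays up with the identity field empty or VRFY unset has only reached the certificate stage, so the group key exported in the procedure above was not actually exercised.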