[ntp:questions] Re: ntp authentication problems

Danny Mayer mayer at gis.net
Fri Jan 2 14:35:06 UTC 2004

mafn at enginet.com (Marc) wrote in message news:<mailman.17.1072986139.1757.questions at ntp.org>...
> I spent several hours trying to get broadcast NTP to work properly
> with authentication enabled using private keys. I was also seeing
> 'Transmit: no encryption key found', and despite reading the included
> documentation, the ntp online web documentation, and the source
> code, the answer did not leap out at me.
>     I am posting here in case other people having the same problem do
> a web search as I did and hopefully find this information useful.
>     For both 'broadcast' (broadcast server) and 'broadcastclient', I
> had to also include 'trustedkey N' in my config for private key
> authentication to work. Of course, the same key text must be present on
> both the client and server, plus the 'broadcast' statement on the
> server must say which specific key to use. Yes, the documentation
> implicitly explains that trustedkey is needed for a key to be valid,
> but there is no private key broadcastclient example to show simply that
> trustedkey is needed in that case, so it took me a while to connect the
> dots. The autokey scheme definitely appears superior, and I would use
> it if I had rsaref installed. So my server ntp.conf contains:
> 	server server1.xyz.com iburst
> 	server server2.abc.edu iburst
> 	requestkey 15
> 	controlkey 15
> 	trustedkey 1 2 15
> 	keys /etc/ntp.keys
> 	broadcast key 1
> 	driftfile /etc/ntp.drift
> and /etc/ntp.keys contains only MD5 keys that were generated by
> ntp-genkeys. A client configuration contains:
> 	broadcastclient
> 	keys /etc/ntp.keys
> 	trustedkey 1 2 15
> 	driftfile /etc/ntp.drift
> and /etc/ntp.keys on the client is a duplicate of the server copy.
>     I was previously running with authentication disabled, but I do not
> want remote ntpq or ntpdc clients to alter any of my server settings,
> and wasn't sure if I would be protected from that when invoking ntpd
> with the -A option. Turning on authentication caused regular time
> synchronization to cease until I changed my configs as above.
>     Many thanks to David Mills for all his work on NTP!
> -Marc

Broadcast client was broken in 4.2.0 for some systems, particularly Solaris,
if it had IPv6 capability. I just fixed it. If that's what you are running
you will need to wait for the fix. If not, make sure that the client is
receiving the broadcast packets.
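The configuration lesson in Marc's post (the key named on the `broadcast` line must also appear in `trustedkey`, and the client needs its own `trustedkey` line even though it only listens) can be checked mechanically. The script below is an added example, not code from the thread or from the NTP reference implementation: it parses minimal `ntp.conf` and `ntp.keys` text (constructed sample values, placeholder secrets), builds an NTPv4 broadcast packet with the symmetric-key MAC described in RFC 5905 (32-bit key id followed by MD5 over the key bytes and the packet), and verifies it as a client would, refusing any key id that is not in the client's `trustedkey` set. The `parse_conf`, `build_broadcast` and `verify_broadcast` names and the simplified config grammar (no `trustedkey 1-10` ranges, no extension fields) are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed sample configs (placeholder hostnames and key ids, not taken from a real deployment).
SERVER_CONF = """
server server1.xyz.com iburst
trustedkey 1 2 15
keys /etc/ntp.keys
broadcast 192.0.2.255 key 1
driftfile /etc/ntp.drift
"""

CLIENT_CONF_OK = """
broadcastclient
keys /etc/ntp.keys
trustedkey 1 2 15
driftfile /etc/ntp.drift
"""

# The misconfiguration from the thread: broadcastclient without trustedkey.
CLIENT_CONF_BROKEN = """
broadcastclient
keys /etc/ntp.keys
driftfile /etc/ntp.drift
"""

# Constructed ntp.keys content: "<keyid> <type> <secret>", type M means MD5. Secrets are placeholders.
KEYS_FILE = """
# keyid type secret
1  M ab3Gx9Qm2vLp7Rtz
2  M pQ8sW1eRtY4uIoP0
15 M kL0mNb7vCx3zAs2d
"""

NTP_HEADER_LEN = 48          # fixed NTPv4 header
MAC_LEN = 4 + 16             # key id + MD5 digest


def parse_keys(text):
    """Return {keyid: secret_bytes} for the MD5 ('M') keys in an ntp.keys file."""
    keys = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].upper() in ('M', 'MD5'):
            keys[int(parts[0])] = parts[2].encode()
    return keys


def parse_conf(text):
    """Extract the three settings this check cares about from ntp.conf text."""
    conf = {'trustedkey': set(), 'broadcast_key': None, 'broadcastclient': False}
    for line in text.splitlines():
        words = line.split('#', 1)[0].split()
        if not words:
            continue
        if words[0] == 'trustedkey':
            conf['trustedkey'].update(int(w) for w in words[1:])
        elif words[0] == 'broadcast' and 'key' in words:
            conf['broadcast_key'] = int(words[words.index('key') + 1])
        elif words[0] == 'broadcastclient':
            conf['broadcastclient'] = True
    return conf


def ntp_mac(keyid, secret, packet):
    """RFC 5905 symmetric-key MAC: key id (32 bits) then MD5(secret || packet)."""
    return struct.pack('!I', keyid) + hashlib.md5(secret + packet).digest()


def build_broadcast(conf, keys):
    """Server side: emit a mode-5 (broadcast) packet authenticated with the configured key."""
    keyid = conf['broadcast_key']
    if keyid is None:
        raise ValueError('broadcast line names no key')
    if keyid not in conf['trustedkey']:
        raise ValueError('server: key %d is on the broadcast line but not in trustedkey' % keyid)
    if keyid not in keys:
        raise ValueError('server: key %d is not in the keys file' % keyid)
    # LI=0, VN=4, mode=5; remaining header fields left zero since only the MAC matters here.
    header = bytes([(0 << 6) | (4 << 3) | 5]) + bytes(NTP_HEADER_LEN - 1)
    return header + ntp_mac(keyid, keys[keyid], header)


def verify_broadcast(conf, keys, packet):
    """Client side: return (ok, reason) for an authenticated broadcast packet."""
    if not conf['broadcastclient']:
        return False, 'broadcastclient not configured'
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, 'packet carries no MAC'
    header, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    keyid = struct.unpack('!I', mac[:4])[0]
    if keyid not in conf['trustedkey']:
        return False, 'key %d is not in trustedkey' % keyid
    if keyid not in keys:
        return False, 'key %d is not in the keys file' % keyid
    expected = hashlib.md5(keys[keyid] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, 'digest mismatch (different key text or altered packet)'
    return True, 'ok'


if __name__ == '__main__':
    keys = parse_keys(KEYS_FILE)
    pkt = build_broadcast(parse_conf(SERVER_CONF), keys)
    print(verify_broadcast(parse_conf(CLIENT_CONF_OK), keys, pkt))
    print(verify_broadcast(parse_conf(CLIENT_CONF_BROKEN), keys, pkt))
```

Running it shows the working client accepting the packet and the client without a `trustedkey` line rejecting it before the digest is even compared, which is the symptom Marc saw as synchronization silently ceasing. Changing a single character of the key text on one side produces the digest-mismatch branch instead.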
