[ntp:questions] Re: Stratum 1 or 2 authenticated servers?

Steve Kostecke kostecke at ntp.isc.org
Fri Oct 29 15:37:43 UTC 2004

On 2004-10-29, Richard B. Gilbert <rgilbert88 at comcast.net> wrote:

> Paul Croome wrote:
>>mister.mandarino at bluemail.ch wrote:
>>>Are there OpenAccess stratum 1 or 2 authenticated servers around If ?
>>>yes, is there an accessible list? Where                             ?
>>See: http://ntp.isc.org/bin/view/Servers/WebHome
> The OP asked for AUTHENTICATED servers.

Keep in mind that NTP Authentication is designed to authenticate the
server to the client. NTP Authentication was not designed to be used as
a form of access control.

> While the list at the URL you cited does list public access servers,
> it does not address the question of authentication.

The NTP Public Support Project Time Server List
(http://ntp.isc.org/servers) does not currently provide a field for
listing the availability of server authentication. If there is
sufficient interest I'll add one.

> I'd suggest picking a good set of servers from the list, testing them 
> for "goodness" and then asking the person responsible for the server if 
> he is willing to authenticate for you.  Authentication must be supported 
> by the software he is using

Symmetric keys have been available in the NTP Reference Implmentation
(from www.ntp.org) since NTP3. Autokey was added in NTP4.

> and the server must have sufficient computing capacity to handle the
> extra load.

NTP Autokey has been designed to minimize the load on ntpd.

> It will consume some of his time as well; there are procedures for key
> generation and exchange and other setup that you must both do before
> authentication works.

There is a step-by-step guide to configuring autokey at

Assuming that we're discussing NTP Autokey...

Each participant in an NTP trust group generates their own host
parameters (i.e. host private key, and host public certificate) and the
server generates the Identify Scheme parameters.

The only thing that the clients need to acquire from the server is the
exchangeable portion of the identity scheme parameters; the certificate
exchange is handled automatically by the Autokey protocol. Distribution
of the identity scheme parameters to the members of an NTP trust group
should be done securely. Encrypted e-mail is one way. An SSL secured web
form (e.g. https://ntp.isc.org/crypto.php) is another.

The amount of on-going NTP Authentication maintenance required of a time
server operator depends on how their authentication policy and
implementation. An "open" authentication policy coupled with an
automated key request form requires almost no maintenance at all.

Steve Kostecke <kostecke at ntp.isc.org>

More information about the questions mailing list