[ntp:questions] Re: Crypto iffpar
David L. Mills
mills at udel.edu
Mon Dec 5 02:15:15 UTC 2005
Serge (and others),
A detailed, but long and boring, explanation about Autokey configuration
is on the NTP project page. The cookbook approach used in most
documentation today hides the principles, which are easy to understand
as long as you don't let the cookbook get in the way. Autokey
configuration can be devilishly complicated if more than one group
shares the same subnet and where more than one trusted host is involved.
The examples on the project page should help guide what it is you want
1. The certificate hike must be unbroken and land on a trusted host;
that is, one with a self-signed trusted certificate.
2. The client looks for a group key file with the subject name on the
3. A client acting as a server for downstream clients needs to load the
group key for the clients at startup. It need not be the same as used
for its own upstream servers. This is often the case where the host is
trusted for a secure compartment within a larger group.
4. The host first attempts to load the above group key file with its own
name, which can be redirected by links, of course.
5. If the iffpar option is present, the host attempts to load the given
name, but it better agree with the subject name on its trusted certificate.
As it says on the project page, there are many cryptotypes involving
trusted, untrusted and unauthenticated configurations that are valid, but not
necessarily a good idea. A server running IFF will tolerate a client
running TC and even unauthenticated, but a client running IFF will not
tolerate a server capable only of TC. It is likely to overheat your
brain thinking about all the ways to achieve a working subnet, but the
following is my advice:
1. When copying a group key to a client, don't change the name or
filestamp. Use a link instead.
2. Live within the naming structure; don't try to define your own naming
structure unless you really know what you are doing.
3. Test the configuration in the simplest scenario, first
unauthenticated, then TC and IFF in that order, then GQ or MV if needed.
Serge Bets wrote:
> Hi Danny,
> On Sunday, December 4, 2005 at 3:01:17 +0000, Danny Mayer wrote:
>>Serge Bets wrote:
>>>"crypto iffpar some_filename" seems to work for the host's own
>>>IFFpar, which will be read and used. But not for another host's
>>Have you read this documentation:
> Well yes, very good and easy manual, but why do you suggest it here?
> ConfiguringAutokey doesn't talk about "crypto iffpar" command. If it was
> about the IFF activation bit, I am under the impression that there lacks
> on Client side in section "126.96.36.199.1. IFF Group Keys" either one of:
> | ln -s ntpkey_IFFkey_server.3301264563 ntpkey_iff_Client
> in /etc/ntp keysdir, or:
> | crypto ident iff
> in ntp.conf, to activate IFF scheme, flags 0x80023. Otherwise Client
> seems to negotiate with the Server the TC scheme only, flags 0x80003.
> Is it right?
> Other docs talk about this "ntpkey_iff_Client" additional link as
> mandatory, including Heiko's checklist in ConfiguringAutokeyDev. While
> "crypto ident iff" seems to work equally well, without the link name
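The link layout that Mills's first advice item and Serge's quoted `ln -s` line describe, as an added example that is not part of this thread or of the NTP distribution: the check rejects a client-side group key that was copied and renamed instead of linked. The host name `Client`, the server name and the filestamp 3301264563 come from the quoted message; the keys directory is constructed in a temporary directory with placeholder files, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from the NTP project.
# Verifies the group-key layout Mills recommends: the client-side name
# ntpkey_iff_<host> must be a symlink to the server's original
# ntpkey_IFFkey_<server>.<filestamp> file, so name and filestamp survive.

# check_iff_link KEYSDIR HOST
# Succeeds only when KEYSDIR/ntpkey_iff_HOST is a symlink to an existing
# file named ntpkey_IFFkey_<name>.<digits>; a renamed copy fails the check.
check_iff_link() {
    keysdir=$1
    host=$2
    link="$keysdir/ntpkey_iff_$host"
    if [ ! -L "$link" ]; then
        echo "$link: missing, or a copy instead of a link" >&2
        return 1
    fi
    target=$(readlink "$link")
    stamp=${target##*.}                      # filestamp suffix (NTP seconds)
    case "$target" in
        ntpkey_IFFkey_*.*) ;;
        *) echo "$link: target $target is not an IFFkey file" >&2; return 1 ;;
    esac
    case "$stamp" in
        ''|*[!0-9]*) echo "$link: filestamp '$stamp' is not numeric" >&2; return 1 ;;
    esac
    if [ ! -f "$keysdir/$target" ]; then
        echo "$link: dangling, $target not found in $keysdir" >&2
        return 1
    fi
    return 0
}

# demo_keysdir: builds a throw-away keys directory (placeholder files, not
# real keys) holding one correct link and one renamed copy; prints its path.
demo_keysdir() {
    d=$(mktemp -d) || return 1
    : > "$d/ntpkey_IFFkey_server.3301264563"
    ln -s ntpkey_IFFkey_server.3301264563 "$d/ntpkey_iff_Client"   # right: a link
    cp "$d/ntpkey_IFFkey_server.3301264563" "$d/ntpkey_iff_Copied"  # wrong: renamed copy
    echo "$d"
}
```

Against a real installation, run `check_iff_link /etc/ntp Client` (or whatever `keysdir` names) after copying the group key to the client.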