[ntp:questions] Re: Crypto iffpar

David L. Mills mills at udel.edu
Mon Dec 5 02:15:15 UTC 2005

Serge (and others),

A detailed, but long and boring, explanation about Autokey configuration 
is on the NTP project page. The cookbook approach used in most 
documentation today hides the principles, which are easy to understand 
as long as you don't let the cookbook get in the way. Autokey 
configuration can be devilishly complicated if more than one group 
shares the same subnet and where more than one trused host is involved. 
The examples on the project page should help guide what it is you want 
to do.

1. The certificate hike must be unbroken and land on a trusted host; 
that is, one with a self-signed trusted certificate.

2. The client looks for a group key file with the subject name on the 
trusted certificate.

3. A client acting as a server for downstream clients needs to load the 
group key for the clients at startup. It need not be the same as used 
for its own upstream servers. This is often the case where the host is 
trusted for a secure compartment within a larger group.

4. The host first attempts to load the above group key file with its own 
name, which can be redirected by links, of course.

5. If the iffpar option is present, the host attempts to load the given 
name, but it better agree with the subject name on its trusted certificate.

As it says on the project page, there are many cryptotypes involving 
trusted, untrusted and unauthenticated configurations are valid, but not 
necessarily a good idea. A server running IFF will tolerate a client 
running TC and even unauthenticated, but a client running IFF will not 
tolerate a server capable only of TC. It is likely to overheat your 
brain thinking about all the ways to achieve a working subnet, but the 
following is my advice:

1. When copying a group key to a client, don't change the name or 
filestamp. Use a link instead.

2. Live within the naming structure; don't try to define your own naming 
structure unless you really know what you are doing.

3. Test the configuration in the simplest scenario, first 
unauthenticated, then TC and IFF in that order, then GQ or MV if that needs.


Serge Bets wrote:
> Hi Danny,
>  On Sunday, December 4, 2005 at 3:01:17 +0000, Danny Mayer wrote:
>>Serge Bets wrote:
>>>"crypto iffpar some_filename" seems to work for the host's own
>>>IFFpar, which will be read and used. But not for another host's
>>Have you read this documentation:
> Well yes, very good and easy manual, but why do you suggest it here?
> ConfiguringAutokey doesn't talk about "crypto iffpar" command. If it was
> about the IFF activation bit, I am under the impression that there lacks
> on Client side in section " IFF Group Keys" either one of:
> | ln -s ntpkey_IFFkey_server.3301264563 ntpkey_iff_Client
> in /etc/ntp keysdir, or:
> | crypto ident iff
> in ntp.conf, to activate IFF scheme, flags 0x80023. Otherwise Client
> seems to negociate with the Server the TC scheme only, flags 0x80003.
> Is it right?
> Other docs talk about this "ntpkey_iff_Client" additional link as
> mandatory, including Heiko's checklist in ConfiguringAutokeyDev. While
> "crypto ident iff" seems to work equally well, without the link name
> contradiction.
> Serge.

More information about the questions mailing list