[ntp:questions] Re: Crypto iffpar

David L. Mills mills at udel.edu
Wed Dec 7 01:42:21 UTC 2005


Serge,

Look at the flags word on the association billboard. The bits are
decoded in the ./include/ntp_crypto.h file. Look also in the cryptostats
filegen file, assuming you have one. Your certificates don't look valid
to me, unless you have a trusted server with name corresponding to the
issuer name. Ordinarily, you would have to construct those certificates
by hand.

Dave

Serge Bets wrote:
>  On Monday, December 5, 2005 at 14:25:37 +0000, Steve Kostecke wrote:
> 
> 
>>The correct sym-link for client members of an NTP Trust Group is
>>ln -s ntpkey_IFFkey_server.XXXXXXXXXX ntpkey_iff_server
> 
> 
> Without an ntpkey_iff_Client on Client to activate IFF scheme
> negotiation, I get successful TC authentication.
> 
> 
> 
>>This has worked on every NTP Trust Group client member that I've ever
>>set up.
> 
> 
> What is the best way to know for sure which scheme is in use? Could you
> please check:
> 
> | $ ntpq -p Client
> |      remote           refid      st t when poll reach   delay   offset  jitter
> | ==============================================================================
> | *Server          .DCF.            1 u  990 1024  377    2.291    1.078   0.056
> |
> | $ ntpq -c rv Client
> | assID=0 status=4654 leap_add_sec, sync_ntp, 5 events, event_peer/strat_chg,
> | version="ntpd 4.2.0b at 20051016-1.1417-o Oct 19 14:18:48 (UTC+02:00) 2005  (3)",
> | processor="unknown", system="WINDOWS/NT", leap=01, stratum=2,
> | precision=-17, rootdelay=2.291, rootdispersion=47.807, peer=25165,
> | refid=192.168.7.10,
> | reftime=c73ff06c.dba53b7d  Tue, Dec  6 2005 12:11:40.857, poll=10,
> | clock=c73ff84b.98778541  Tue, Dec  6 2005 12:45:15.595, state=4,
> | offset=1.078, frequency=-20.771, jitter=0.083, noise=0.350,
> | stability=0.013, hostname="Client", signature="md5WithRSAEncryption",
> | flags=0x80003, update=200511060130, leapsec=200506280000, tai=32,
> | cert="Client Server 0x6", expire=200611060128, cert="Server Server 0x7",
> | expire=200610111252, cert="Client Client 0x6", expire=200611052220
> |
> | $ ntpq -c as Client
> | ind assID status  conf reach auth condition  last_event cnt
> | ===========================================================
> |   1 25165  f624   yes   yes   ok   sys.peer   reachable  2
> |
> | $ ntpq -c "rv 25165" Client
> | assID=25165 status=f624 reach, conf, auth, sel_sys.peer, 2 events, event_reach,
> | srcadr=Server, srcport=123, dstadr=192.168.7.12, dstport=123, leap=01,
> | stratum=1, precision=-18, rootdelay=0.000, rootdispersion=1.617,
> | refid=DCF, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10,
> | flash=00 ok, keyid=561218861, ttl=0, offset=1.078, delay=2.291,
> | dispersion=18.661, jitter=0.056,
> | reftime=c73ff45f.a0d20969  Tue, Dec  6 2005 12:28:31.628,
> | org=c73ff46d.4f4e0543  Tue, Dec  6 2005 12:28:45.309,
> | rec=c73ff46d.4f5659c3  Tue, Dec  6 2005 12:28:45.309,
> | xmt=c73ff46d.4ea5dbe4  Tue, Dec  6 2005 12:28:45.307,
> | filtdelay=     2.30    2.29    2.30    1.59    1.58    1.58    2.29    2.25,
> | filtoffset=    1.02    1.08    1.00    0.68    0.75    0.75    1.09    1.02,
> | filtdisp=      0.01   15.36   30.70   46.09   61.45   76.83   92.22  107.56,
> | hostname="Server", signature="md5WithRSAEncryption", flags=0x87f03,
> | trust="Server"
> |
> | $ cat //Client/ntpstats/cryptostats.20051205
> | 53709 80480.680 192.168.7.10 newpeer 25165
> | 53709 80482.495 ntpkey_RSAkey_Client.3342810008 mod 512
> | 53709 80482.504 ntpkey_RSA-MD5cert_Client.3342810008 0x0 len 309
> | 53709 80482.539 update ts 3342810082
> | 53709 80482.540 refresh ts 3342810082
> | 53709 80484.398 192.168.7.10 flags 0x80003 host Server signature md5WithRSAEncryption
> | 53709 80486.418 update ts 3342810086
> | 53709 80486.420 192.168.7.10 cert Server 0x7 md5WithRSAEncryption (8) fs 3340702253
> | 53709 80488.410 192.168.7.10 cook 37fe7690 ts 3342810088 fs 3342755357
> | 53709 80490.573 update ts 3342810090
> | 53709 80490.573 192.168.7.10 sign Server 0x6 md5WithRSAEncryption (8) fs 3342810008
> | 53709 80492.444 update ts 3342810092
> | 53709 80492.445 192.168.7.10 leap 96 ts 3342755357 fs 3331497600
> | 53709 80529.449 update ts 3342810129
> |
> | $ ls -l //Client/c\$/Program\ Files/NTP/etc/ntp.keysdir/
> | total 3
> | -rw-r--r--    1 Administ None          538 Dec  5 23:20 ntpkey_cert_Client
> | -rw-r--r--    1 Administ None          616 Dec  5 23:20 ntpkey_host_Client
> | -rw-r--r--    1 Administ None          507 Dec  5 23:15 ntpkey_iff_Server
> 
> To me, this clearly looks like TC scheme.
> 
> 
> Serge.
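An added worked example, not from this thread or from the ntp sources, that decodes the two flags words quoted above (host 0x80003, peer 0x87f03) the way Dave suggests. The bit values are my assumption of what ./include/ntp_crypto.h defines in the 4.2.x line, and the placement of the signature NID in the upper 16 bits is likewise assumed from ntp_crypto.c, so confirm both against your own tree before relying on the decode:

```python
# Decoder for the Autokey "flags" word shown by "ntpq -c rv" and in
# cryptostats.  ASSUMPTION: bit values as in ntp_crypto.h (4.2.x) and the
# OpenSSL NID of the host signature scheme stored in bits 16 and up, which
# is why md5WithRSAEncryption (NID 8) appears as 0x80000 in both words.
HOST_BITS = {
    0x0001: "ENAB  crypto enabled",
    0x0002: "TAI   leapseconds table loaded",
}
IDENT_BITS = {
    0x0010: "PRIV  PC identity scheme",
    0x0020: "IFF   IFF identity scheme",
    0x0040: "GQ    GQ identity scheme",
    0x0080: "MV    MV identity scheme",
}
IDENT_MASK = 0x00f0
PEER_BITS = {
    0x0100: "VALID public key verified",
    0x0200: "VRFY  identity verified",
    0x0400: "PROV  signature verified",
    0x0800: "AGREE cookie verified",
    0x1000: "AUTO  autokey verified",
    0x2000: "SIGN  certificate signed",
    0x4000: "LEAP  leapseconds table verified",
}


def decode_flags(word):
    """Return (signature NID, identity scheme, list of set bit names)."""
    nid = word >> 16
    ident = word & IDENT_MASK
    if ident == 0:
        # No identity-scheme bit set: trusted-certificate (TC) only, which is
        # what the thread observes when no ntpkey_iff_* file is present.
        scheme = "TC"
    else:
        scheme = ",".join(name.split()[0]
                          for bit, name in IDENT_BITS.items() if ident & bit)
    names = [name for table in (HOST_BITS, IDENT_BITS, PEER_BITS)
             for bit, name in table.items() if word & bit]
    return nid, scheme, names


if __name__ == "__main__":
    # Words taken from the ntpq billboards quoted in the thread.
    for label, word in (("host", 0x80003), ("peer Server", 0x87f03)):
        nid, scheme, names = decode_flags(word)
        print(f"{label} flags=0x{word:x}: nid={nid} scheme={scheme}")
        for name in names:
            print("   ", name)
```

The identity nibble (0x00f0) is zero in both words, which is the flags-word confirmation of Serge's reading that TC, not IFF, is in use.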
