[ntp:questions] Re: Crypto iffpar

Serge Bets serge.bets at NOSPAM.laposte.invalid
Fri Dec 9 12:53:01 UTC 2005

On Thursday, December 8, 2005 at 18:51:39 +0000, Steve Kostecke wrote:

> Test Client: stasis With the following files in the client's /etc/ntp

I'm grateful for the data. And finally understood the mysterious factor
giving us different results. You *do* have a ntpkey_iff_stasis link:

| ntpkey_iff_stasis -> ntpkey_IFFpar_stasis.3342803910

And this symlink changes everything. Stasis is not a strict client.
Stasis is also a server, in another trusted group. You are not in the
conditions of section 6.6.2 "Client Set-Up" of ConfiguringAutokey. The
presence of this ntpkey_iff_stasis symlink is enough to trigger
agreement to use IFF with ntp0. And then during the autokey tango the
needed ntp0 ident file is loaded through the ntpkey_iff_ntp0 symlink.

> In one sense you're correct: it is _possible_ to use an
> ntpkey_iff_client symlink. But, is not _necessary_ to do so.

An ntpkey_iff_client symlink is absolutely necessary(1). It can point
either to its own IFFpar, or server's IFFkey, or even a third trust
group's IFFkey.

> ntpd may belong to more than one Trust Group. Using an
> ntpkey_iff_client symlink (or file) breaks this feature.

No such feature breakage: These were cascaded exclusive "or"s.

Note (1): Symlink, or "crypto ident iff" ntp.conf statement.
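
The following is an added example, not part of the original message: a shell check that lists the ntpkey_iff_* links in a keys directory, shows whether each resolves to an IFFpar or IFFkey file, and reports whether the host has its own link (the factor discussed above). The function names, the ntp0 filestamp and the `ntpkey_IFFkey_<host>.<filestamp>` naming are assumptions; the stasis names are taken from the listing quoted in the message.

```shell
#!/bin/sh
# Added example: audit IFF identity links in an NTP keys directory.

classify_target() {
    # $1 = basename of the link target
    case "$1" in
        ntpkey_IFFpar_*) echo IFFpar ;;   # full parameters (group key included)
        ntpkey_IFFkey_*) echo IFFkey ;;   # assumed naming of an exported client key
        *)               echo other ;;
    esac
}

audit_iff_links() {
    # $1 = keys directory, $2 = local hostname
    dir=$1; host=$2; own=no
    for link in "$dir"/ntpkey_iff_*; do
        [ -L "$link" ] || continue        # only symlinks are of interest here
        name=${link##*/}
        target=$(readlink "$link")
        kind=$(classify_target "${target##*/}")
        if [ -e "$link" ]; then state=ok; else state=dangling; fi
        echo "$name -> ${target##*/} [$kind, $state]"
        if [ "$name" = "ntpkey_iff_$host" ]; then own=yes; fi
    done
    echo "own-link($host): $own"
}

demo() {
    # Constructed sample directory; the ntp0 filestamp is made up.
    d=$(mktemp -d)
    : > "$d/ntpkey_IFFpar_stasis.3342803910"
    ln -s ntpkey_IFFpar_stasis.3342803910 "$d/ntpkey_iff_stasis"
    ln -s ntpkey_IFFkey_ntp0.1111111111 "$d/ntpkey_iff_ntp0"   # target absent
    audit_iff_links "$d" stasis
    rm -rf "$d"
}

demo
```

Run against the real keys directory with `audit_iff_links /etc/ntp "$(hostname)"`; a `dangling` entry means the ident file the link names is not present.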
