[ntp:questions] Re: Crypto iffpar
kostecke at ntp.isc.org
Fri Dec 9 14:32:38 UTC 2005
On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
> On Thursday, December 8, 2005 at 18:51:39 +0000, Steve Kostecke
>> Test Client: stasis
>> With the following files in the client's /etc/ntp
> I'm grateful for the data. And finally understood the mysterious
> factor giving us different results. You *do* have a ntpkey_iff_stasis
>| ntpkey_iff_stasis -> ntpkey_IFFpar_stasis.3342803910
No, I don't. Please re-read my previous article; that line you quoted
above is from a much older article.
Those tests were performed with 'stasis' configured purely as a unicast
client of 'ntp0'. The following files were, and still are, in the
ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910
> And this symlink changes everything. Stasis is not a strict client.
> Stasis is also a server, in another trusted group.
Stasis _was_ configured only as a unicast client in my last round of
tests. Stasis is now configured as a multicast client and the
association with ntp0 still shows flags=0x83f21
> You are not in the conditions of section 6.6.2 "Client Set-Up" of
The client has an ntpkey_IFFkey_server.xxxxxxxxxx file with the
ntpkey_iff_server symlink in its keysdir. That _is_ in compliance with
6.6.2. Client Set-Up.
>> In one sense you're correct: it is _possible_ to use an
>> ntpkey_iff_client symlink. But, is not _necessary_ to do so.
> An ntpkey_iff_client symlink is absolutely necessary(1).
Really? My experience with a variety of Linux and FreeBSD systems has
conclusively demonstrated that this is _not_ the case.
And, yes, I've confirmed that their authenticated associations all
>> ntpd may belong to more than one Trust Group. Using an
>> ntpkey_iff_client symlink (or file) breaks this feature.
> No such feature breakage: These were cascaded exclusive "or"s.
You can't have more than one sym-link with the same name. So
you can't create an ntpkey_*_client symlink to each of your
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
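The disagreement above turns on what is actually in the client's keysdir, so a small audit script is a practical way to settle it. The following is an added example, not part of this thread and not ntp's own tooling. It builds a constructed keys directory that mirrors the symlink layout quoted in the message (hostnames and timestamps are placeholders, the files are empty), then checks every ntpkey_iff_*, ntpkey_cert_* and ntpkey_host_* symlink resolves to an existing file named ntpkey_<TYPE>_<name>.<timestamp> with a matching <name>. The expected <TYPE> patterns (IFFkey, *cert, [RD]SAkey) follow the ntp-keygen naming seen in the listing and are an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit Autokey keysdir symlinks.

# Create a constructed keysdir whose symlinks mirror the ones quoted in the
# message. Names and timestamps are placeholders; the files hold no key material.
make_sample_keysdir() {
  dir=$1
  mkdir -p "$dir"
  touch "$dir/ntpkey_IFFkey_ntp0.example.3315100165"
  touch "$dir/ntpkey_RSA-MD5cert_stasis.3342803910"
  touch "$dir/ntpkey_RSAkey_stasis.3342803910"
  ln -sf ntpkey_IFFkey_ntp0.example.3315100165 "$dir/ntpkey_iff_ntp0.example"
  ln -sf ntpkey_RSA-MD5cert_stasis.3342803910 "$dir/ntpkey_cert_stasis"
  ln -sf ntpkey_RSAkey_stasis.3342803910 "$dir/ntpkey_host_stasis"
}

# check_link DIR LINKNAME TYPE_PATTERN
# Succeeds when DIR/LINKNAME is a symlink whose target exists in DIR and is
# named ntpkey_<TYPE_PATTERN>_<name>.<digits>, <name> taken from LINKNAME.
check_link() {
  dir=$1; link=$2; want=$3
  path="$dir/$link"
  [ -L "$path" ] || { echo "MISSING symlink $link"; return 1; }
  target=$(readlink "$path")
  [ -e "$dir/$target" ] || { echo "DANGLING $link -> $target"; return 1; }
  name=${link#ntpkey_*_}            # strip the "ntpkey_<role>_" prefix
  case $target in
    ntpkey_${want}_"${name}".[0-9]*) ;;
    *) echo "WRONG TARGET $link -> $target (expected ntpkey_${want}_${name}.<timestamp>)"
       return 1 ;;
  esac
  echo "OK $link -> $target"
  return 0
}

# audit_keysdir DIR: check every role symlink present; non-zero if any fails.
audit_keysdir() {
  dir=$1; rc=0
  for path in "$dir"/ntpkey_iff_* "$dir"/ntpkey_cert_* "$dir"/ntpkey_host_*; do
    [ -e "$path" ] || [ -L "$path" ] || continue   # unmatched glob
    link=${path##*/}
    case $link in
      ntpkey_iff_*)  want='IFFkey' ;;      # client side of an IFF group
      ntpkey_cert_*) want='*cert' ;;       # e.g. RSA-MD5cert in the listing
      ntpkey_host_*) want='[RD]SAkey' ;;   # host key, RSA or DSA
    esac
    check_link "$dir" "$link" "$want" || rc=1
  done
  return $rc
}

# Usage: sh audit_keysdir.sh /etc/ntp   (audits a real directory when given one)
if [ $# -gt 0 ]; then
  audit_keysdir "$1"
fi
```

Run it against the actual keysdir to see, rather than argue about, which ntpkey_iff_* links exist and what they point at; a single ntpkey_iff_client link would show up as one entry, whereas per-server links show one line per trusted group.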