[ntp:questions] Re: Crypto iffpar

Steve Kostecke kostecke at ntp.isc.org
Fri Dec 9 14:32:38 UTC 2005


On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:

>  On Thursday, December 8, 2005 at 18:51:39 +0000, Steve Kostecke
>  wrote:
>
>> Test Client: stasis
>> With the following files in the client's /etc/ntp
>
> I'm grateful for the data. And finally understood the mysterious
> factor giving us different results. You *do* have a ntpkey_iff_stasis
> link:
>
>| ntpkey_iff_stasis -> ntpkey_IFFpar_stasis.3342803910

No, I don't. Please re-read my previous article; that line you quoted
above is from a much older article.

Those tests were performed with 'stasis' configured purely as a unicast
client of 'ntp0'. The following files were, and still are, in the
client's keysdir:

ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910

> And this symlink changes everything. Stasis is not a strict client.
> Stasis is also a server, in another trusted group.

Stasis _was_ configured only as a unicast client in my last round of
tests. Stasis is now configured as a multicast client and the
association with ntp0 still shows flags=0x83f21.

> You are not in the conditions of section 6.6.2 "Client Set-Up" of
> ConfiguringAutokey.

The client has an ntpkey_IFFkey_server.xxxxxxxxxx file with the
ntpkey_iff_server symlink in its keysdir. That _is_ in compliance with
6.6.2. Client Set-Up.

>> In one sense you're correct: it is _possible_ to use an
>> ntpkey_iff_client symlink. But, it is not _necessary_ to do so.
>
> An ntpkey_iff_client symlink is absolutely necessary(1).

Really? My experience with a variety of Linux and FreeBSD systems has
conclusively demonstrated that this is _not_ the case.

And, yes, I've confirmed that their authenticated associations all
report flags=0x83f21.

>> ntpd may belong to more than one Trust Group. Using an
>> ntpkey_iff_client symlink (or file) breaks this feature.
>
> No such feature breakage: These were cascaded exclusive "or"s.

You can't have more than one sym-link with the same name. So
you can't create an ntpkey_*_client symlink to each of your
ntpkey_*_server.xxxxxxxx files.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
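An added example, not part of this thread or of the NTP distribution: a POSIX sh check for the keysdir layout discussed above, where each ntpkey_<kind>_<name> symlink (iff, host, cert) must resolve to an existing ntpkey_<TYPE>_<name>.<fstamp> file. The expected <TYPE> values are taken from the file names quoted in the thread (IFFkey/IFFpar, RSAkey, RSA-MD5cert); other key or certificate schemes are an assumption and would need adding to the case list.

```shell
#!/bin/sh
# check_keysdir DIR: inspect every ntpkey_* symlink in an Autokey keysdir.
# Prints one line per link and returns 0 only if all of them are sound.
# Link kind -> expected target type (from the names seen in the thread):
#   iff  -> IFFkey (client side) or IFFpar (server side)
#   host -> RSAkey
#   cert -> <scheme>cert, e.g. RSA-MD5cert
check_keysdir() {
    dir=$1
    rc=0
    for link in "$dir"/ntpkey_*_*; do
        [ -L "$link" ] || continue           # regular files are not checked
        base=${link##*/}                     # ntpkey_iff_ntp0.kostecke.net
        rest=${base#ntpkey_}                 # iff_ntp0.kostecke.net
        kind=${rest%%_*}                     # iff
        target=$(readlink "$link")
        if [ ! -e "$dir/$target" ]; then
            echo "DANGLING $base -> $target"
            rc=1
            continue
        fi
        # Target is expected to look like ntpkey_<TYPE>_<name>.<fstamp>
        trest=${target#ntpkey_}              # IFFkey_ntp0.kostecke.net.3315100165
        ttype=${trest%%_*}                   # IFFkey
        tname=${trest#*_}                    # ntp0.kostecke.net.3315100165
        fstamp=${tname##*.}                  # 3315100165
        tname=${tname%.*}                    # ntp0.kostecke.net
        ok=0
        case "$kind:$ttype" in
            iff:IFFkey|iff:IFFpar|host:RSAkey|cert:*cert) ok=1 ;;
        esac
        case $fstamp in *[!0-9]*|'') ok=0 ;; esac   # filestamp must be numeric
        if [ "$ok" = 1 ]; then
            echo "OK       $base -> $ttype for $tname (fstamp $fstamp)"
        else
            echo "BADTYPE  $base -> $target"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_keysdir.sh /etc/ntp
if [ -n "$1" ]; then
    check_keysdir "$1"
fi
```

One ntpkey_iff_<server> link per server can sit side by side in the same directory, which is the situation the "more than one Trust Group" exchange above is about.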