[ntp:questions] Re: Crypto iffpar
David L. Mills
mills at udel.edu
Sat Dec 10 21:52:46 UTC 2005
In the expected naming scheme the name of the group key is the name of
the subject on the trusted certificate held by the trusted host. You
need a symlink only to truncate the filestamp. The client can belong to
several groups, so will hold keys for each one. The one to use is
determined by the certificate trail to the trusted host.
Only if the client is to be a server for a dependent client do you need
to specify which of possibly several group keys to use. By default it is
the name of the client and of course a symlink can be used to point to a
different key. Alternatively, the name can be specified on the crypto
Note the example on the Autokey protocol page linked from the NTP
project page, which involves three trusted groups, USNO, NIST and a
notional campus group. The campus server holds the USNO, NIST and its
own group key. Dependents of this trusted host need only hold the latter
group key. It would of course be possible to dispense with the campus
server and each group member dicker directly with either USNO or NIST or
both and so would need to have the group keys for each. I expect that
the first scenario will be the norm for serious Autokey applications.
Serge Bets wrote:
> On Friday, December 9, 2005 at 14:32:38 +0000, Steve Kostecke wrote:
>>On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
>>>You *do* have a ntpkey_iff_stasis
>>No, I don't.
> You have one. Its loading at startup is visible in the cryptostats you
> posted in previous mail. iffpar?
>>you can't create an ntpkey_*_client symlink to each of your
> Fortunately you need only one client symlink at startup to trigger one
> ident scheme, then used for as many servers as needed. Of course you
> then need as many server symlinks, to access the good server keys.
> There are two stages. Luke at the source: In ntpd/ntp_crypto.c
> crypto_setup(), then crypto_ident().
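Added example, not code from this thread or the NTP distribution: a small Python audit of an Autokey keys directory against the naming rule above (a filestamped file plus a stamp-free symlink, group keys named after the trusted host's certificate subject). The host and group names come from the thread; the directory contents are constructed placeholders, and the classification of which file types hold private material is an assumption.

```python
import os, re, stat, tempfile

# ntp-keygen writes ntpkey_<type>_<name>.<filestamp> (filestamp = NTP seconds);
# ntpd opens the stamp-free name, so a link ntpkey_<type>_<name> exists only to
# drop the stamp.  Which types hold private material is an assumption here.
NAME_RE = re.compile(r"^ntpkey_([A-Za-z0-9-]+)_(.+?)(?:\.(\d+))?$")

def is_private(ktype):
    t = ktype.lower()
    return t.endswith("host") or t.endswith("par")  # host keys, IFF/GQ/MV params

def audit_keys_dir(keysdir):
    """Return (groups, issues): identity groups held here, and problems found."""
    groups, issues = set(), []
    for name in sorted(os.listdir(keysdir)):
        m = NAME_RE.match(name)
        if not m:
            issues.append(f"{name}: not ntpkey_<type>_<name>[.<filestamp>]")
            continue
        ktype, owner, stamp = m.groups()
        path = os.path.join(keysdir, name)
        if os.path.islink(path):
            tm = NAME_RE.match(os.path.basename(os.readlink(path)))
            ok = (stamp is None and tm is not None and tm.group(3) is not None
                  and tm.group(2) == owner and os.path.isfile(path))
            if not ok:
                issues.append(f"{name}: link must point at ntpkey_*_{owner}.<filestamp> here")
            continue
        if ktype.lower().startswith(("iff", "gq", "mv")):
            groups.add(owner)  # group key: named after the trusted host's cert subject
        if is_private(ktype) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            issues.append(f"{name}: private material readable by group/other")
    return sorted(groups), issues

def build_demo_dir():
    """Constructed placeholder keys dir (no real key material), with two mistakes."""
    d = tempfile.mkdtemp(prefix="ntpkeys_")
    def put(name, mode=0o600):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("# constructed placeholder, not key material\n")
        os.chmod(p, mode)
    put("ntpkey_RSAhost_stasis.3344000000")
    os.symlink("ntpkey_RSAhost_stasis.3344000000", os.path.join(d, "ntpkey_host_stasis"))
    put("ntpkey_IFFkey_campus.3344000000")
    os.symlink("ntpkey_IFFkey_campus.3344000000", os.path.join(d, "ntpkey_iffkey_campus"))
    put("ntpkey_IFFpar_campus.3344000100", mode=0o644)  # mistake: group/world readable
    os.symlink("ntpkey_IFFpar_usno.3344000100", os.path.join(d, "ntpkey_iffpar_usno"))  # dangling
    return d
```

Run it against a real keys directory with `audit_keys_dir("/etc/ntp")` or wherever `keysdir` points in ntp.conf; an empty issues list means every link drops only the filestamp and no private file is readable beyond its owner.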