[ntp:questions] Re: Crypto iffpar

David L. Mills mills at udel.edu
Sat Dec 10 21:52:46 UTC 2005


In the expected naming scheme the name of the group key is the name of 
the subject on the trusted certificate held by the trusted host. You 
need a symlink only to truncate the filestamp. The client can belong to 
several groups, so will hold keys for each one. The one to use is 
determined by the ceritificate trail to the trusted host.

Only if the client is to be a server for a dependent client do you need 
to specify which of possibly several group keys to use. By default it is 
the name of the client and of course a symlink can be used to point to a 
different key. Alternatively, the name can be specified on the crypto 

Note the example on the Autokey protocol page linked from the NTP 
project page, which involves three trusted groups, USNO, NIST and a 
notional campus group. The campus server holds the USNO, NIST and its 
own group key. Dependents of this trusted host need only hold the latter 
group key. It would of course be possible to dispense with the campus 
server and each group member dicker directly with either USNO or NIST or 
both and so would need to have the group keys for each. I expect that 
the first scenario will be the norm for serious Autokey applications.


Serge Bets wrote:
>  On Friday, December 9, 2005 at 14:32:38 +0000, Steve Kostecke wrote:
>>On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
>>>You *do* have a ntpkey_iff_stasis
>>No, I don't.
> You have one. Its loading at startup is visible in the cryptostats you
> posted in previous mail. iffpar?
>>you can't create an ntpkey_*_client symlink to each of your
>>ntpkey_*_server.xxxxxxxx files.
> Fortunately you need only one client symlink at startup to trigger one
> ident scheme, then used for as many servers as needed. Of course you
> then need as many server symlinks, to access the good server keys.
> There are two stages. Luke at the source: In ntpd/ntp_crypto.c
> crypto_setup(), then crypto_ident().
> Serge.

More information about the questions mailing list