[ntp:questions] Re: Crypto iffpar

Serge Bets serge.bets at NOSPAM.laposte.invalid
Thu Dec 22 17:39:56 UTC 2005


On Wednesday, December 21, 2005 at 13:54:56 +0000, Steve Kostecke wrote:

> Perhaps _you_ need to use an ntpkey_iffkey_client sym-link, or a
> 'crypto iff...' directive, to force _your_ ntpd to use the IFF
> Identity Scheme. I, on the other hand, don't.

According to the source code, it must be ntpkey_iff_client, and
"crypto ident iff". The symlink variant with "key" (as
"ntpkey_mvkey_client") is a typo in the keygen.html doc. And the
commands "crypto iff|gq|mv" don't exist, they are also doc typos, in
authopt.html this time. In doc versions live from the web.


> This suggests to me that something on your end is broken. Perhaps it's
> your OS or perhaps it's the version of ntpd that you're using.

Unlikely, but possible: I'm investigating. BTW I upgraded both versions:
Now Linux Server runs ntp-dev-4.2.0b-20051208.tar.gz, while Win2k Client
runs ntp-dev-4.2.0b-20051105-nt.zip from Terje Mathisen. IIANM you run
4.2.0a at 1:4.2.0a+stable-2-r (Debian Sarge?) on server ntp0, and what on
client Stasis?


>> This 3rd cryptostats doesn't look like anything I ever saw.
> I did add some in-line commentary.

Odd not about certs. But about "newpeer" line only coming after 30
seconds, instead of startup. And the "auto" line. Never had this with
"server Server autokey". What is it? Incoming broadcast, incoming
symmetric active packet, ...?


> I know what works on all of the systems that I've configured to use
> Autokey+IFF/GQ/MV.

You keep repeating that all is well in ConfiguringAutokey, and that it's
hands on experience. Without really looking at the contrary arguments.
Unfortunately this closed position makes you miss the flaw.

Another argument about GQ identity scheme. The official documentation
http://www.eecis.udel.edu/~mills/ntp/html/keygen.html states:

| On trusted host alice run ntp-keygen -T -G -p password to produce her
| parameter file ntpkey_GQpar_alice.filestamp, which includes both
| server and client keys.
| Copy this file to all group hosts and install a soft link from the
| generic ntpkey_gq_alice to this file.
| In addition, on each host bob install a soft link from generic
| ntpkey_gq_bob to this file.

While ConfiguringAutokey on the Twiki states:

| Obtain the GQ group key, generated in 6.6.1.3.2. GQ Parameters via a
| secure means, copy the key file to the keysdir, and create the
| standard sym-link:
|
| cd /etc/ntp
| ln -s ntpkey_GQpar_server.3301145293 ntpkey_gq_server

There is one lacking symlink:

| ntpkey_gq_client -> ntpkey_GQpar_server.3301145293

Why this difference with The Only True Official Docs?


Serge.
-- 
Serge point Bets arobase laposte point net
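
Added example, not part of the original message or of the NTP distribution: a shell check for the GQ link layout quoted above from keygen.html, run against a constructed keys directory that reuses the file and host names from the message. The function name `check_gq_links` and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a keysdir against the GQ layout quoted from keygen.html.
# check_gq_links is a hypothetical helper, not part of the NTP distribution.
# Usage: check_gq_links KEYSDIR TRUSTED_HOST THIS_HOST
# Returns 0 only if ntpkey_gq_TRUSTED_HOST and ntpkey_gq_THIS_HOST are both
# symlinks to the same existing ntpkey_GQpar_TRUSTED_HOST.<filestamp> file.
check_gq_links() {
    gq_dir=$1 gq_trusted=$2 gq_self=$3
    gq_status=0 gq_first=
    for gq_host in "$gq_trusted" "$gq_self"; do
        gq_link="$gq_dir/ntpkey_gq_$gq_host"
        if [ ! -L "$gq_link" ]; then
            echo "missing symlink: $gq_link" >&2
            gq_status=1; continue
        fi
        gq_target=$(readlink "$gq_link")
        gq_base=${gq_target##*/}
        case $gq_base in
            "ntpkey_GQpar_$gq_trusted".[0-9]*) ;;
            *)  echo "unexpected target: $gq_link -> $gq_target" >&2
                gq_status=1; continue ;;
        esac
        if [ ! -f "$gq_link" ]; then   # -f follows the link: catches dangling ones
            echo "dangling symlink: $gq_link -> $gq_target" >&2
            gq_status=1; continue
        fi
        if [ -n "$gq_first" ] && [ "$gq_base" != "$gq_first" ]; then
            echo "links disagree: $gq_first vs $gq_base" >&2
            gq_status=1
        fi
        gq_first=${gq_first:-$gq_base}
    done
    return "$gq_status"
}

# Constructed demo: one link only (the Twiki steps), then both links.
demo=$(mktemp -d)
: > "$demo/ntpkey_GQpar_server.3301145293"
ln -s ntpkey_GQpar_server.3301145293 "$demo/ntpkey_gq_server"
check_gq_links "$demo" server client || echo "one link: incomplete"
ln -s ntpkey_GQpar_server.3301145293 "$demo/ntpkey_gq_client"
check_gq_links "$demo" server client && echo "both links: ok"
rm -rf "$demo"
```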