[ntp:questions] NTP iff authentication

Giovanni Clemente giovanni.clemente at mail.ing.unibo.it
Fri Jun 24 11:19:14 UTC 2005

Hello, I'm trying to configure an NTP authenticated service
on my campus network, with our own secure group, but it
doesn't seem to work.


[ national time server ]
        |      with autokey, id scheme iff
[ campus time server ]
        |      with autokey, id scheme iff
    [ client ]

As far as I know, configuration proceeds as follows:

   on [ campus time server ] I run:
      bash# ntp-keygen -T -I -p server_pass
   then i get [ national time server] iff client keys
   and install them, with password, ntp.conf and symlinks
   properly configured.

   I start ntpd on [ campus time server ]. After a while,
   it becomes stratum 2, and ntpq -c rv shows certificate
   trail as expected.

   on [ client ] I run:
      bash# ntp-keygen  -p client_pass
   then I run, on [ campus time server ]:
      bash# ntp-keygen -e -q server_pass -p client_pass
   and import the key on [ client ];
   again, password, ntp.conf and symlinks are properly

   I start ntpd on [ client ]. It fails with the following error
      crypto_ident: no compatible identity scheme found

   Now if I delete all client keys and generate a
   [ client ] iff key pair with:
      bash# ntp-keygen -I -p client_pass
   the protocol proceeds.
   Quite strange, I think. Why should the client need its
   own ntpkey_IFFpar_client (unrelated to [ campus time server ]'s
   and not used when authenticating it)?
   It seems ntpd requires an ntpkey_IFFpar_client only to know it
   supports iff scheme.

   Anyway, even with an ntpkey_IFFpar_client, autokey protocol fails
      addto_syslog: crypto_iff: invalid filestamp 3328260929
      peer event 'bad_filestamp' (0x103) status 'unreach,\
      conf, auth, 1 event, event_unreach' (0xe013)
      crypto_recv: error 103 opcode 82070000 ts 3328594015 fs 3328260929
    [ ... ]
      packet: bad data 608 from
      addto_syslog: receive: fatal error 608 for

   ntpq -c rv shows that the client obtained a certificate
   trail ending at [ national time server ], not at [ campus
   time server ], and misses [ campus time server ]'s self-signed cert.
   I thought it should have got [ campus time server ]'s self-signed cert
   and stopped hiking, since it was marked trusted.

   Interestingly, if I use non-authenticated ntp between
   [ national time server ] and [ campus time server ], leaving
   everything else unchanged, everything works fine, and
   the client becomes stratum 3.

What's my fault?
Feel free to ask any kind of configuration and debug information.

Thank you,
  Giovanni Clemente
  University of Bologna, Italy
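As an added illustration (not part of the original post and not code from ntpd), here is the IFF challenge/response as specified in RFC 5906, with constructed toy group parameters: the server side holds the group secret b, while the client side only needs the public parameters (p, q, g, v), which is why the client can verify the server without ever holding the server's secret.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only; Autokey uses large primes.
# p is prime, q is a prime dividing p-1, and g generates the order-q subgroup.
P, Q, G = 23, 11, 2


def _digest(x, p):
    """Hash a group element, the way the protocol commits to x = g^k mod p."""
    return hashlib.sha1(x.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


def keygen(p=P, q=Q, g=G):
    """Trusted authority: choose group secret b, publish v = g^(q-b) mod p.
    Returns (server_params, client_params); only the server ever holds b."""
    b = secrets.randbelow(q - 2) + 1          # 1 <= b <= q-2
    v = pow(g, q - b, p)
    return {"p": p, "q": q, "g": g, "b": b}, {"p": p, "q": q, "g": g, "v": v}


def client_challenge(cp):
    """Client picks a random nonce r in [1, q-1] and sends it to the server."""
    return secrets.randbelow(cp["q"] - 1) + 1


def server_response(sp, r):
    """Server picks random k, answers with y = k + b*r mod q and hash(g^k mod p)."""
    k = secrets.randbelow(sp["q"] - 1) + 1
    y = (k + sp["b"] * r) % sp["q"]
    x = pow(sp["g"], k, sp["p"])
    return y, _digest(x, sp["p"])


def client_verify(cp, r, y, hx):
    """Client recomputes g^y * v^r mod p; the b*r terms cancel, leaving g^k."""
    p = cp["p"]
    z = (pow(cp["g"], y, p) * pow(cp["v"], r, p)) % p
    return _digest(z, p) == hx


def run_exchange(sp, cp):
    """One full challenge/response round; True only if sp knows the real b."""
    r = client_challenge(cp)
    y, hx = server_response(sp, r)
    return client_verify(cp, r, y, hx)


if __name__ == "__main__":
    server, client = keygen()
    print("genuine server:", run_exchange(server, client))
    forged = dict(server, b=(server["b"] + 1) % server["q"])
    print("impostor:", run_exchange(forged, client))
```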
