[ntp:questions] NTP iff authentication

Giovanni Clemente giovanni.clemente at mail.ing.unibo.it
Fri Jun 24 11:19:14 UTC 2005


Hello, I'm trying to configure an NTP authenticated service
on my campus network, with our own secure group, but it
doesn't seem to work.


Layout:

[ national time server ]
        ^
        |      with autokey, id scheme iff
        |
[ campus time server ]
        ^
        |      with autokey, id scheme iff
        |
    [ client ]


As far as I know, configuration proceeds as follows:

STEP1
   on [ campus time server ] I run:
      bash# ntp-keygen -T -I -p server_pass
   then I get [ national time server ] iff client keys
   and install them, with password, ntp.conf and symlinks
   properly configured.

STEP2
   I start ntpd on [ campus time server ]. After a while,
   it becomes stratum 2, and ntpq -c rv shows certificate
   trail as expected.

STEP3
   on [ client ] I run:
      bash# ntp-keygen -p client_pass
   then I run, on [ campus time server ]:
      bash# ntp-keygen -e -q server_pass -p client_pass
   and import the key on [ client ];
   again, password, ntp.conf and symlinks are properly
   configured



STEP4
   I start ntpd on [ client ]. It fails with the following error
   message:
      crypto_ident: no compatible identity scheme found

   Now if I delete all client keys and generate a
   [ client ] iff key pair with:
      bash# ntp-keygen -I -p client_pass
   the protocol proceeds.
   Quite strange, I think. Why should the client need its
   own ntpkey_IFFpar_client (unrelated to [ campus time server ]'s
   and not used when authenticating it)?
   It seems ntpd requires an ntpkey_IFFpar_client only to know it
   supports iff scheme.

   Anyway, even with an ntpkey_IFFpar_client, autokey protocol fails
   showing:
      addto_syslog: crypto_iff: invalid filestamp 3328260929
      peer 137.204.144.235 event 'bad_filestamp' (0x103) status 'unreach,\
      conf, auth, 1 event, event_unreach' (0xe013)
      crypto_recv: error 103 opcode 82070000 ts 3328594015 fs 3328260929
    [ ... ]
      packet: bad data 608 from 137.204.144.235
      addto_syslog: receive: fatal error 608 for 137.204.144.235

   ntpq -c rv shows that the client obtained a certificate
   trail ending at [ national time server ], not at [ campus
   time server ], and misses [ campus time server ]'s self-signed cert.
   I thought it should have got [ campus time server ]'s self-signed cert
   and stopped hiking since it was marked trusted.


   Interestingly, if I use non-authenticated ntp between
   [ national time server ] and [ campus time server ], leaving
   everything else unchanged, everything works fine, and
   the client becomes stratum 3.



What's my fault?
Feel free to ask any kind of configuration and debug information.

Thank you,
  Giovanni Clemente
  University of Bologna, Italy
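A small diagnostic helper, added here as an example and not part of the original post or of the NTP project: it parses the `crypto_recv: error ... ts ... fs ...` line quoted above, converts the NTP-era second counts (seconds since 1900-01-01 UTC) to readable UTC times, and compares the rejected filestamp `fs` against the filestamps that ntp-keygen embeds in the names of the identity files present on the client (`ntpkey_<type>_<host>.<filestamp>`). The key-file names below are constructed for the example; the only page-derived values are the log line and its two timestamps. The helper does not claim to know which rule crypto_iff applied, it only makes the two sides of the comparison visible so the mismatch can be reasoned about.

```python
import re
from datetime import datetime, timedelta, timezone

# Offset between the NTP era (1900-01-01) and the Unix epoch (1970-01-01), in seconds.
NTP_EPOCH_OFFSET = 2208988800

# Log line quoted in the post above (page-derived value).
SAMPLE_LOG_LINE = "crypto_recv: error 103 opcode 82070000 ts 3328594015 fs 3328260929"

# Constructed directory listing of a client's key directory (hypothetical filestamps).
# ntp-keygen names files ntpkey_<type>_<host>.<filestamp>; the unsuffixed name is the symlink.
SAMPLE_KEY_FILES = [
    "ntpkey_IFFpar_client.3328501234",
    "ntpkey_host_client.3328501234",
    "ntpkey_cert_client.3328501234",
    "ntpkey_iff_client",
]

CRYPTO_RECV_RE = re.compile(
    r"crypto_recv: error (?P<err>[0-9a-fA-F]+) opcode (?P<op>[0-9a-fA-F]+) "
    r"ts (?P<ts>\d+) fs (?P<fs>\d+)"
)
# Host names may contain dots, so match the filestamp as the final dotted numeric suffix.
KEYFILE_RE = re.compile(r"^ntpkey_(?P<type>[A-Za-z]+)_(?P<host>.+)\.(?P<fstamp>\d+)$")


def ntp_seconds_to_utc(ntp_secs: int) -> datetime:
    """Convert an NTP-era second count to a timezone-aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        seconds=ntp_secs - NTP_EPOCH_OFFSET
    )


def parse_crypto_recv(line: str) -> dict:
    """Extract the error code, opcode, timestamp and filestamp from a crypto_recv log line."""
    m = CRYPTO_RECV_RE.search(line)
    if m is None:
        raise ValueError("not a crypto_recv error line: %r" % line)
    return {
        "error": int(m.group("err"), 16),
        "opcode": int(m.group("op"), 16),
        "ts": int(m.group("ts")),
        "fs": int(m.group("fs")),
    }


def keyfile_filestamps(names, key_type_prefix="IFF") -> dict:
    """Map each identity-scheme key file (type starting with the prefix) to its filestamp."""
    stamps = {}
    for name in names:
        m = KEYFILE_RE.match(name)
        if m is not None and m.group("type").startswith(key_type_prefix):
            stamps[name] = int(m.group("fstamp"))
    return stamps


def check_filestamp(log_line: str, key_names) -> dict:
    """Decode the rejected filestamp and report whether any local IFF file carries it."""
    rec = parse_crypto_recv(log_line)
    local_iff = keyfile_filestamps(key_names)
    return {
        "fs": rec["fs"],
        "fs_utc": ntp_seconds_to_utc(rec["fs"]).isoformat(),
        "ts_utc": ntp_seconds_to_utc(rec["ts"]).isoformat(),
        "local_iff": local_iff,
        "fs_matches_local_iff": rec["fs"] in local_iff.values(),
    }


if __name__ == "__main__":
    result = check_filestamp(SAMPLE_LOG_LINE, SAMPLE_KEY_FILES)
    for k, v in result.items():
        print("%-22s %s" % (k, v))
```

Run it against the real key directory by replacing SAMPLE_KEY_FILES with `os.listdir` of the client's keys directory; the `fs_utc` value tells you which ntp-keygen run on the server produced the IFF parameters the peer is sending, which is the first thing to line up against the files installed on the client.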



