[ntp:questions] Re: NTP iff authentication

Steve Kostecke kostecke at ntp.isc.org
Tue Jun 28 11:40:09 UTC 2005


On 2005-06-24, Giovanni Clemente <giovanni.clemente at mail.ing.unibo.it> wrote:

> Layout:

That's a reasonable layout.

> As far as I know, configuration proceeds as follows:

There is an Autokey Configuration Guide at
http://ntp.isc.org/Support/ConfiguringAutokey

<snip: campus time server successfully joins national trust group>

> STEP3
>    on [ client ] I run:
>       bash# ntp-keygen  -p client_pass
>    then I run, on [ campus time server ]:
>       bash# ntp-keygen -e -q server_pass -p client_pass
>    and import the key on [ client ];
>    again, password, ntp.conf and symlinks are properly
>    configured

This sounds right.

>
> STEP4
>    I start ntpd on [ client ]. It fails with the following error
>    message:
>       crypto_ident: no compatible identity scheme found

It would help to see the campus time server and client ntp.conf files
and a listing of the keys directory on both systems.

>    Quite strange, I think. Why should the client need its own
>    ntpkey_IFFpar_client (unrelated to [ campus time server ]'s and
>    not used when authenticating it)? It seems ntpd requires an
>    ntpkey_IFFpar_client only to know it supports the IFF scheme.

No. Members of a trust group must have a parameter file from that
group's server (e.g. IFFkey or IFFpar). Your client-generated IFFpar
file won't work because it is unrelated to the IFFpar held by the
server.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/


