[ntp:questions] Re: NTP server authentication

Martin Burnicki martin.burnicki at meinberg.de
Fri May 20 12:38:18 UTC 2005


Vladimir Smotlacha wrote:
> Hi,
> I am trying to set up public key authentication of our primary NTP servers
> using IFF identity schema. I do not know how to deal with password
> (un)protected keys.
> I run on server MYSERVER (with hostname and DNS name MYSERVER)
>    ntp-keygen -T -m 1024 -c RSA-SHA1 -p PASSWD
>    ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
> I copied iff_key to client keys directory under the name
> ntpkey_iff_MYSERVER

AFAIK, if you want to use a different password on the server, you must
export the IFF key on the server. If your server password is PASSWD, and
your client password is CLPASSWD, you should run the following command on
the server:

ntp-keygen -e -q PASSWD -p CLPASSWD > ntpkey_iff_hostname

where hostname is the client's hostname.  Then copy the file
ntpkey_iff_hostname to the client, AFTER you have generated the cert and
host files on the client.

In order to verify that authentication works, please test running ntpd in
the foreground using the option -ddd. 

In ntpd versions after ntpd 4.2.0a@1.1345 things have been messed up a bit.
If you run "ntpq -c as" as suggested in the docs, the output reports "auth
bad" even if authentication works OK. For details, please refer to

Hope this helps.

Best regards,

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
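
The following is an added example, not part of the original message or of the NTP distribution: a client-side preflight that enforces the ordering described in the reply (cert and host files first, then the exported IFF file) and installs the key owner-only. The function name, return codes and sample hostname are hypothetical; the `ntpkey_host_` / `ntpkey_cert_` names assume the links ntp-keygen creates in the keys directory, and the PEM check is an assumption about the export format.

```shell
#!/bin/sh
# Added example: client-side preflight before installing an exported IFF key.
# Usage: install_iff_key KEYSDIR HOSTNAME EXPORTED_FILE
# Return codes (chosen for this example): 0 installed, 2 host/cert missing,
# 3 exported file empty or not PEM, 4 copy failed.
install_iff_key() {
    keysdir=$1 host=$2 src=$3
    dest="$keysdir/ntpkey_iff_$host"

    # The reply says to copy the IFF file only AFTER the client's
    # cert and host files exist, so refuse to continue without them.
    for f in "ntpkey_host_$host" "ntpkey_cert_$host"; do
        if [ ! -e "$keysdir/$f" ]; then
            echo "missing $keysdir/$f: generate client keys first" >&2
            return 2
        fi
    done

    # A failed "ntp-keygen ... > file" still leaves an empty file behind.
    # Assumption: a valid export contains a PEM "-----BEGIN" line.
    if [ ! -s "$src" ] || ! grep -q '^-----BEGIN ' "$src"; then
        echo "$src is empty or not a PEM key file" >&2
        return 3
    fi

    # Install owner-only so the key is never readable by other users.
    ( umask 077 && cp "$src" "$dest" ) || return 4
    chmod 600 "$dest" || return 4
    echo "installed $dest"
}

# Run directly when called with three arguments.
if [ "$#" -eq 3 ]; then
    install_iff_key "$@"
fi
```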
