[ntp:questions] Re: NTP server authentication

Steve Kostecke kostecke at ntp.isc.org
Fri May 20 12:50:22 UTC 2005

On 2005-05-20, Vladimir Smotlacha <vs at cesnet.cz> wrote:

> I am trying to setup public key authentication of our primary NTP
> servers using IFF identity schema. I do not know how to deal with
> password (un)protected keys.

There is a step-by-step guide to configuring Autokey Authentication at
http://ntp.isc.org/Support/ConfiguringAutokey. The author of that topic
is often on #ntp at irc.freenode.net.

> I run on server MYSERVER (with hostname and DNS name MYSERVER)


>    ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key

This should be:

ntp-keygen -e -q server_password -p client_password > output_file

> I copied iff_key to client keys directory under the name
> ntpkey_iff_MYSERVER

You should also create a sym-link to that file. For example, on one of
my Autokey clients the client key file is named:


and the symlink is: ntpkey_iff_ntp0.kostecke.net

The first line of the exported client key contains the file-name, BTW.

> On client, I run:


An unrelated point: you can speed up the initial synchronization 
with MYSERVER (to ~15 seconds) by adding 'iburst' to the server line:

server MYSERVER iburst autokey

> This works very well when I use the same password on both client and
> server but it does not work without password (i.e. neither '-p' in
> ntp-keygen nor 'pw' in ntp.conf) in both server and client. Why?

I've seen reports that it is possible to not use a server or client
password, but have not confirmed this myself.

> Using a password avoids applying two or more servers of different
> authorities in a client configuration. Doesn't it?

In the case of the IFF Identity Scheme, the server must possess the
IFFpar file from which the IFFkey file was exported to be trusted. The
password is just used to encrypt the IFFpar and IFFkey files.

You can use different passwords for every member of your NTP Trust Group
(i.e. the server and each client) *or* you could use a server password and
one shared client password *or* you could just share one password for
all members.

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

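Added example (editor's, not part of Steve's reply or of the NTP project's
own tooling): a small POSIX shell script that carries out the client-side
steps described above. It assumes the server has already run the export
command from the reply (ntp-keygen -e -q server_password -p client_password
> iff_key) and that the resulting file was copied to the client. The script
reads the file name from the exported key's first line, installs the file
under that name in the keys directory, creates the ntpkey_iff_<server>
symlink, and prints the matching ntp.conf lines. The host name
ntp0.example.net, the keys directory, the passwords and the key file body
are all constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: install an Autokey IFF client key exported by the server.
# Assumptions: the exported file came from "ntp-keygen -e -q <server pw>
# -p <client pw>" on the server; host name and paths below are placeholders.
set -eu

# Print the file name recorded on the first line of an ntp-keygen output
# file. The header line has the form "# ntpkey_IFFkey_<server>.<timestamp>".
keyfile_name() {
    sed -n '1s/^# *//p' "$1"
}

# install_iff_key EXPORTED_FILE KEYSDIR SERVER
# Copies the exported key into KEYSDIR under the name from its header and
# points the symlink ntpkey_iff_SERVER at it (the name the client's ntpd
# looks for). Prints the installed file name.
install_iff_key() {
    exported=$1; keysdir=$2; server=$3
    name=$(keyfile_name "$exported")
    case "$name" in
        ntpkey_IFFkey_"$server".*) ;;
        *) echo "unexpected header '$name' for server $server" >&2; return 1 ;;
    esac
    mkdir -p "$keysdir"
    cp "$exported" "$keysdir/$name"
    chmod 600 "$keysdir/$name"      # encrypted with the client password, but keep it private anyway
    ln -sf "$name" "$keysdir/ntpkey_iff_$server"
    echo "$name"
}

# ntp_conf_fragment KEYSDIR SERVER CLIENT_PASSWORD
# Client ntp.conf lines: "crypto pw" must be the -p password used on the
# server when the key was exported, and "iburst autokey" is the server line
# suggested in the reply.
ntp_conf_fragment() {
    printf 'keysdir %s\ncrypto pw %s\nserver %s iburst autokey\n' "$1" "$3" "$2"
}

# --- demo with a constructed key file (header only; body is a placeholder) ---
DEMO=$(mktemp -d)
SERVER=ntp0.example.net
KEYSDIR=$DEMO/keys
cat >"$DEMO/iff_key" <<EOF
# ntpkey_IFFkey_$SERVER.3324587600
# Fri May 20 12:50:22 2005
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not real key material)
-----END ENCRYPTED PRIVATE KEY-----
EOF

INSTALLED=$(install_iff_key "$DEMO/iff_key" "$KEYSDIR" "$SERVER")
echo "installed $INSTALLED"
ls -l "$KEYSDIR"
ntp_conf_fragment "$KEYSDIR" "$SERVER" client_password
```

On a real client you would point KEYSDIR at the directory named by the
keysdir directive in ntp.conf and use the client password the server
administrator chose with -p; the script refuses to install a file whose
header does not name the server you expect, which catches a key exported
for the wrong host before ntpd silently fails to authenticate.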