[ntp:questions] Re: NTP server authentication

Vladimir Smotlacha vs at cesnet.cz
Fri May 20 15:57:43 UTC 2005


Steve Kostecke wrote:

> This should be:
>
> ntp-keygen -e -q server_password -p client_password > output_file
>

Thank you for the suggestion. I tested this method of password change and it
works. But it does not solve my problem, as it requires generating the key
for every particular client password.
I'd like to arrange authentication for a public NTP server without taking care
of each individual client.

>
> I've seen reports that it is possible to not use a server or client
> password, but have not confirmed this myself.
>

I found and tested server time.pre-secure.de. The IFF-key is at
http://www.ecsirt.net/tools/crypto-ntp.html.
I checked that it works with any (or without) client password.
My goal is just to find out how to make such an IFF-key.

I didn't succeed in generating IFFpar (or IFFkey) without a password. If I omit
-p in ntp-keygen, the hostname is used as the default. If I tried
 -p '',  I got an empty file.

>
>>Using a password avoids applying two or more servers of different
>>authorities in a client configuration. Doesn't it?
>
>
> In the case of the IFF Identity Scheme, the server must possess the
> IFFpar file from which the IFFkey file was exported to be trusted. The
> password is just used to encrypt the IFFpar and IFFkey files.
>
> You can use different passwords for every member of your NTP Trust Group
> (i.e. the server and each client) *or* you could use a server password and
> one shared client password *or* you could just share one password for
> all members.

But how to solve this arrangement:

Two or more independent NTP Trust Groups operating authenticated NTP
servers. A client likes to use servers from two groups but they deny
generating IFF keys with specific client password.

The solution can be password-independent IFF-keys (like time.pre-secure.de).


Best regards,

  Vladimir

 ----------------------------------------------------------------------------
Vladimir Smotlacha                                 CESNET z.s.p.o
E-Mail:  vs at cesnet.cz                              Zikova 4
Phone:   +420 2 24352915                           160 00 Prague 6
Fax:     +420 2 24313211                           Czech Republic
----------------------------------------------------------------------------



