[ntp:questions] Re: symmetric-active mode (peer) and autokey

Peter Pramberger peter.pramberger at 1012surf.net
Thu Feb 2 13:16:56 UTC 2006


Steve Kostecke wrote:
> 1. Starting with an empty keysdir
> 
> 2. Generate trusted host parameters and IFF parameters:
> 
> 	ntp-keygen -T -I -p password
> 
> 3. Export the IFFkey:
> 
> 	ntp-keygen -e -q password -p password
> 
> 4. Paste the IFFkey text into an editor, save the file and create the
> symlink on the other peer (via an ssh session).
> 
> 5. Add 'peer the.other.peer autokey' in the ntp.conf on each peer
> along with the 'crypto pw' and 'keysdir' lines.
> 
> 6. Restart both ntpds and wait a bit.

Ok, I followed your description exactly; I also removed the symmetric key stuff
and any access control entries from the configs:

-------------------------------------------------------------------------------
# ntp-test01
#

server  192.168.219.13  iburst
server  192.168.219.14  iburst
server  192.168.219.15  iburst

peer    ntp-test02	autokey

statsdir /var/log/ntp/
statistics cryptostats
filegen cryptostats file cryptostats type none enable

driftfile /var/lib/ntp/drift                    # path for drift file

crypto   pw somepass
crypto   randfile /var/lib/ntp/random
keysdir  /etc/ntp
-------------------------------------------------------------------------------

and:

-------------------------------------------------------------------------------
# ntp-test02
#

server  192.168.219.13  iburst
server  192.168.219.14  iburst
server  192.168.219.15  iburst

peer    ntp-test01	autokey

statsdir /var/log/ntp/
statistics cryptostats
filegen cryptostats file cryptostats type none enable

driftfile /var/lib/ntp/drift                    # path for drift file

crypto   pw abc123
crypto   randfile /var/lib/ntp/random
keysdir  /etc/ntp
-------------------------------------------------------------------------------


/etc/ntp has now (ntp-test01):

-------------------------------------------------------------------------------
ntpkey_IFFkey_ntp-test02.3347872538
ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_cert_ntp-test01 -> ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_host_ntp-test01 -> ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_iff_ntp-test01 -> ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_iff_ntp-test02 -> ntpkey_IFFkey_ntp-test02.3347872538
-------------------------------------------------------------------------------

and (ntp-test02):

-------------------------------------------------------------------------------
ntpkey_IFFkey_ntp-test01.3347872532
ntpkey_IFFpar_ntp-test02.3347872538
ntpkey_RSA-MD5cert_ntp-test02.3347872538
ntpkey_RSAkey_ntp-test02.3347872538
ntpkey_cert_ntp-test02 -> ntpkey_RSA-MD5cert_ntp-test02.3347872538
ntpkey_host_ntp-test02 -> ntpkey_RSAkey_ntp-test02.3347872538
ntpkey_iff_ntp-test01 -> ntpkey_IFFkey_ntp-test01.3347872532
ntpkey_iff_ntp-test02 -> ntpkey_IFFpar_ntp-test02.3347872538
-------------------------------------------------------------------------------


But after starting the daemons (on both hosts):

-------------------------------------------------------------------------------
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp01           10.112.49.11     2 u   54   64  377    0.668  -36.241   9.859
+ntp02           10.96.113.11     2 u   50   64  377    0.886   -4.385   9.923
+ntp03           10.80.49.11      2 u   49   64  377    0.764  -31.635  21.444
 ntp-test02      .CRYP.          16 u    4 1024    0    0.000    0.000 4000.00

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp01           10.112.49.11     2 u   53   64  377    0.702    2.831  25.439
+ntp02           10.96.113.11     2 u   55   64  377    0.836   35.165  66.753
+ntp03           10.80.49.11      2 u   49   64  377    0.923   51.884  41.371
 ntp-test01      .CRYP.          16 u    - 1024    0    0.000    0.000 4000.00
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
53768 46256.175 ntpkey_RSAkey_ntp-test01.3347872532 mod 512
53768 46256.175 ntpkey_IFFpar_ntp-test01.3347872532 mod 384
53768 46256.175 ntpkey_RSA-MD5cert_ntp-test01.3347872532 0x2 len 372
53768 46256.744 172.20.79.25 flags 0x80021 host ntp-test02 signature
md5WithRSAEncryption
53768 46257.152 refresh ts 0
53768 46257.745 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs
3347872538
53768 46265.165 update ts 3347873465
53768 46315.807 172.20.79.25 flags 0x80021 host ntp-test02 signature
md5WithRSAEncryption
53768 46318.812 update ts 3347873518
53768 46318.812 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs
3347872538
53768 46320.811 172.20.79.25 flags 0x80021 host ntp-test02 signature
md5WithRSAEncryption
53768 46321.811 update ts 3347873521
53768 46321.811 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs
3347872538
53768 46326.815 172.20.79.25 flags 0x80021 host ntp-test02 signature
md5WithRSAEncryption
53768 46329.819 update ts 3347873529
...
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0a at 1.1190-r Mon Feb 21 17:54:52 GMT 2005 (1)"?,
processor="i686", system="Linux/2.6.9-22.0.2.EL", leap=00, stratum=3,
precision=-18, rootdelay=18.076, rootdispersion=118.705, peer=13860,
refid=192.168.219.13,
reftime=c78c81b5.fd3a604e  Thu, Feb  2 2006 14:03:49.989, poll=6,
clock=0xc78c8293.317add15, state=4, offset=-33.838, frequency=212.485,
noise=14.672, jitter=69.216, stability=407.798,
hostname="ntp-test01", signature="md5WithRSAEncryption",
flags=0x80021, hostkey=3347872532, refresh=3347873640,
cert="ntp-test02 ntp-test02 0x3 3347872538",
cert="ntp-test01 ntp-test01 0x3 3347872532"
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
ntp-test01 ntpd[6073]: crypto_ident: no compatible identity scheme found
ntp-test01 ntpd[6073]: transmit: crypto error for 172.20.79.25
-------------------------------------------------------------------------------


The flags value (0x80021) looks strange to me. According to ntp_crypto.h the
value means:

   - crypto enable
   - no leapseconds table

   - IFF identity scheme
   - nothing verified?

   - 0x8....?


/*
 * The following bits are set by the CRYPTO_ASSOC message from
 * the server and are not modified by the client.
 */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */

#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */

/*
 * The following bits are used by the client during the protocol
 * exchange.
 */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */


Regards,
Peter
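The flags word in the cryptostats line and in the `ntpq -c rv` output is what the post above is trying to read by hand. The decoder below is an added example, not code from the post or from the ntp project: it names the set bits using the CRYPTO_FLAG_* defines quoted from ntp_crypto.h, reports which identity scheme is advertised and which protocol steps have been verified, and treats any bit those defines do not cover (0x80000 in this case) as unknown rather than guessing its meaning. The sample line is the cryptostats entry from the post.

```python
import re

# CRYPTO_FLAG_* bits from the ntp_crypto.h excerpt quoted in the post (ntpd 4.2.0).
CRYPTO_FLAGS = {
    0x0001: "ENAB",   # crypto enable
    0x0002: "TAI",    # leapseconds table
    0x0010: "PRIV",   # PC identity scheme
    0x0020: "IFF",    # IFF identity scheme
    0x0040: "GQ",     # GQ identity scheme
    0x0080: "MV",     # MV identity scheme
    0x0100: "VALID",  # public key verified
    0x0200: "VRFY",   # identity verified
    0x0400: "PROV",   # signature verified
    0x0800: "AGREE",  # cookie verified
    0x1000: "AUTO",   # autokey verified
    0x2000: "SIGN",   # certificate signed
    0x4000: "LEAP",   # leapseconds table verified
}
IDENT_MASK = 0x00F0    # CRYPTO_FLAG_MASK: identity scheme(s) the server advertises
VERIFY_MASK = 0x7F00   # bits the client sets as each protocol step succeeds
KNOWN_MASK = sum(CRYPTO_FLAGS)

# Matches "flags 0x..." (cryptostats) and "flags=0x..." (ntpq -c rv).
FLAGS_RE = re.compile(r"\bflags[ =]0x([0-9a-fA-F]+)")

# Cryptostats line taken verbatim from the post above.
SAMPLE_LINE = ("53768 46256.744 172.20.79.25 flags 0x80021 host ntp-test02 "
               "signature md5WithRSAEncryption")

def flags_from_line(line):
    """Return the flags word from a cryptostats or rv line, or None if absent."""
    m = FLAGS_RE.search(line)
    return int(m.group(1), 16) if m else None

def decode_crypto_flags(flags):
    """Split a flags word into named bits (header order) and unnamed leftover bits."""
    names = [name for bit, name in sorted(CRYPTO_FLAGS.items()) if flags & bit]
    return names, flags & ~KNOWN_MASK

def identity_schemes(flags):
    """Identity schemes advertised in the CRYPTO_FLAG_MASK nibble."""
    return [CRYPTO_FLAGS[b] for b in sorted(CRYPTO_FLAGS) if b & IDENT_MASK and flags & b]

def verified_steps(flags):
    """Protocol steps the client has completed (VALID .. LEAP); empty means none verified."""
    return [CRYPTO_FLAGS[b] for b in sorted(CRYPTO_FLAGS) if b & VERIFY_MASK and flags & b]
```

For the post's line this yields ENAB and IFF set, no verified steps, and 0x80000 left over as an unknown bit, which matches the reading in the post (IFF scheme advertised, nothing verified yet) and the "no compatible identity scheme found" log entry that follows.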
