[ntp:questions] Re: symmetric-active mode (peer) and autokey
Peter Pramberger
peter.pramberger at 1012surf.net
Thu Feb 2 13:16:56 UTC 2006
Steve Kostecke wrote:
> 1. Starting with an empty keysdir
>
> 2. Generate trusted host parameters and IFF parameters:
>
> ntp-keygen -T -I -p password
>
> 3. Export the IFFkey:
>
> ntp-keygen -e -q password -p password
>
> 4. Paste the IFFkey text into an editor, save the file and create the
> symlink on the other peer (via an ssh session).
>
> 5. Add 'peer the.other.peer autokey' in the ntp.conf on each peer
> along with the 'crypto pw' and 'keysdir' lines.
>
> 6. Restart both ntpds and wait a bit.
OK, I followed your description exactly. I also removed the symmetric-key stuff
and any access-control entries from the configs:
-------------------------------------------------------------------------------
# ntp-test01
#
server 192.168.219.13 iburst
server 192.168.219.14 iburst
server 192.168.219.15 iburst
peer ntp-test02 autokey
statsdir /var/log/ntp/
statistics cryptostats
filegen cryptostats file cryptostats type none enable
driftfile /var/lib/ntp/drift # path for drift file
crypto pw somepass
crypto randfile /var/lib/ntp/random
keysdir /etc/ntp
-------------------------------------------------------------------------------
and:
-------------------------------------------------------------------------------
# ntp-test02
#
server 192.168.219.13 iburst
server 192.168.219.14 iburst
server 192.168.219.15 iburst
peer ntp-test01 autokey
statsdir /var/log/ntp/
statistics cryptostats
filegen cryptostats file cryptostats type none enable
driftfile /var/lib/ntp/drift # path for drift file
crypto pw abc123
crypto randfile /var/lib/ntp/random
keysdir /etc/ntp
-------------------------------------------------------------------------------
/etc/ntp now contains (ntp-test01):
-------------------------------------------------------------------------------
ntpkey_IFFkey_ntp-test02.3347872538
ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_cert_ntp-test01 -> ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_host_ntp-test01 -> ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_iff_ntp-test01 -> ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_iff_ntp-test02 -> ntpkey_IFFkey_ntp-test02.3347872538
-------------------------------------------------------------------------------
and (ntp-test02):
-------------------------------------------------------------------------------
ntpkey_IFFkey_ntp-test01.3347872532
ntpkey_IFFpar_ntp-test02.3347872538
ntpkey_RSA-MD5cert_ntp-test02.3347872538
ntpkey_RSAkey_ntp-test02.3347872538
ntpkey_cert_ntp-test02 -> ntpkey_RSA-MD5cert_ntp-test02.3347872538
ntpkey_host_ntp-test02 -> ntpkey_RSAkey_ntp-test02.3347872538
ntpkey_iff_ntp-test01 -> ntpkey_IFFkey_ntp-test01.3347872532
ntpkey_iff_ntp-test02 -> ntpkey_IFFpar_ntp-test02.3347872538
-------------------------------------------------------------------------------
But after starting the daemons (on both hosts):
-------------------------------------------------------------------------------
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp01           10.112.49.11     2 u   54   64  377    0.668  -36.241   9.859
+ntp02           10.96.113.11     2 u   50   64  377    0.886   -4.385   9.923
+ntp03           10.80.49.11      2 u   49   64  377    0.764  -31.635  21.444
 ntp-test02      .CRYP.          16 u    4 1024    0    0.000    0.000 4000.00
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp01           10.112.49.11     2 u   53   64  377    0.702    2.831  25.439
+ntp02           10.96.113.11     2 u   55   64  377    0.836   35.165  66.753
+ntp03           10.80.49.11      2 u   49   64  377    0.923   51.884  41.371
 ntp-test01      .CRYP.          16 u    - 1024    0    0.000    0.000 4000.00
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
53768 46256.175 ntpkey_RSAkey_ntp-test01.3347872532 mod 512
53768 46256.175 ntpkey_IFFpar_ntp-test01.3347872532 mod 384
53768 46256.175 ntpkey_RSA-MD5cert_ntp-test01.3347872532 0x2 len 372
53768 46256.744 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
53768 46257.152 refresh ts 0
53768 46257.745 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
53768 46265.165 update ts 3347873465
53768 46315.807 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
53768 46318.812 update ts 3347873518
53768 46318.812 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
53768 46320.811 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
53768 46321.811 update ts 3347873521
53768 46321.811 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
53768 46326.815 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
53768 46329.819 update ts 3347873529
...
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0a@1.1190-r Mon Feb 21 17:54:52 GMT 2005 (1)"?,
processor="i686", system="Linux/2.6.9-22.0.2.EL", leap=00, stratum=3,
precision=-18, rootdelay=18.076, rootdispersion=118.705, peer=13860,
refid=192.168.219.13,
reftime=c78c81b5.fd3a604e Thu, Feb 2 2006 14:03:49.989, poll=6,
clock=0xc78c8293.317add15, state=4, offset=-33.838, frequency=212.485,
noise=14.672, jitter=69.216, stability=407.798,
hostname="ntp-test01", signature="md5WithRSAEncryption",
flags=0x80021, hostkey=3347872532, refresh=3347873640,
cert="ntp-test02 ntp-test02 0x3 3347872538",
cert="ntp-test01 ntp-test01 0x3 3347872532"
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
ntp-test01 ntpd[6073]: crypto_ident: no compatible identity scheme found
ntp-test01 ntpd[6073]: transmit: crypto error for 172.20.79.25
-------------------------------------------------------------------------------
The flags value (0x80021) looks strange to me. According to ntp_crypto.h the
value means:
- crypto enable
- no leapseconds table
- IFF identity scheme
- nothing verified?
- 0x8....?
/*
 * The following bits are set by the CRYPTO_ASSOC message from
 * the server and are not modified by the client.
 */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
/*
 * The following bits are used by the client during the protocol
 * exchange.
 */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
Regards,
Peter
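As an added example (not code from the post, from Steve, or from the NTP project), the following Python script does the two checks a reader of this thread would want to repeat: it decodes the peer flags word 0x80021 against the CRYPTO_FLAG_* table quoted above, separating the server-announced bits from the client-side verification bits exactly as the header's own comments group them and reporting any bit the table does not name, and it verifies the ntpkey_iff_* links in the keysdir listing against the layout step 4 of the quoted procedure produces (own host's link to its IFFpar, peer's link to the exported IFFkey). The header text and the ntp-test01 listing are copied from the post; the link-layout rule is the one the post describes, not a statement of ntpd's own lookup logic, and the leftover 0x80000 bit is reported, not interpreted, because the quoted table does not define it.

```python
import re

# Constructed copy of the CRYPTO_FLAG_* defines as quoted from ntp_crypto.h in
# the post (embedded so the script runs offline).
NTP_CRYPTO_H = """
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
"""

DEFINE_RE = re.compile(
    r"#define\s+(CRYPTO_FLAG_\w+)\s+(0x[0-9a-fA-F]+)\s*/\*\s*(.*?)\s*\*/")


def parse_flag_table(header_text=NTP_CRYPTO_H):
    """Map each CRYPTO_FLAG_* name to (value, comment), in header order."""
    return {m.group(1): (int(m.group(2), 16), m.group(3))
            for m in DEFINE_RE.finditer(header_text)}


def decode_autokey_flags(value, table=None):
    """Split a peer flags word into the bits the header names plus leftovers.
    CRYPTO_FLAG_MASK is a field mask, not a flag, so it is only used to pick
    out the identity scheme. The 0x0100..0x4000 bits are the client-side
    exchange state, so an empty 'verified' means none of public key,
    identity, signature, cookie or autokey has been verified yet."""
    table = table or parse_flag_table()
    mask = table["CRYPTO_FLAG_MASK"][0]
    known, remaining = [], value
    for name, (bit, _comment) in table.items():
        if name != "CRYPTO_FLAG_MASK" and value & bit:
            known.append(name)
            remaining &= ~bit
    scheme = [n for n in known if table[n][0] & mask]
    return {
        "known": known,
        "scheme": scheme[0] if scheme else None,
        "verified": [n for n in known if table[n][0] >= 0x0100],
        "unknown": remaining,  # bits the quoted table does not define
    }


# Constructed from the /etc/ntp listing for ntp-test01 in the post.
LISTING_TEST01 = """
ntpkey_IFFkey_ntp-test02.3347872538
ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_cert_ntp-test01 -> ntpkey_RSA-MD5cert_ntp-test01.3347872532
ntpkey_host_ntp-test01 -> ntpkey_RSAkey_ntp-test01.3347872532
ntpkey_iff_ntp-test01 -> ntpkey_IFFpar_ntp-test01.3347872532
ntpkey_iff_ntp-test02 -> ntpkey_IFFkey_ntp-test02.3347872538
"""


def parse_listing(text):
    """Return (set of regular files, {link name: target}) from an ls-style
    listing that marks symlinks with ' -> '."""
    files, links = set(), {}
    for line in text.strip().splitlines():
        if " -> " in line:
            name, target = (s.strip() for s in line.split(" -> ", 1))
            links[name] = target
        else:
            files.add(line.strip())
    return files, links


def check_iff_links(host, peer, files, links):
    """Check the layout the post's step 4 produces (an assumption about the
    intended layout, not ntpd's lookup rules): ntpkey_iff_<host> must point
    at this host's own IFFpar file, ntpkey_iff_<peer> at the IFFkey exported
    from the peer, and neither link may dangle. Returns a list of problems."""
    problems = []
    for owner, kind in ((host, "IFFpar"), (peer, "IFFkey")):
        link = f"ntpkey_iff_{owner}"
        target = links.get(link)
        if target is None:
            problems.append(f"missing link {link}")
        elif target not in files:
            problems.append(f"{link} -> {target} dangles")
        elif not target.startswith(f"ntpkey_{kind}_{owner}."):
            problems.append(f"{link} -> {target} is not an {kind} file for {owner}")
    return problems


if __name__ == "__main__":
    print(decode_autokey_flags(0x80021))
    print(check_iff_links("ntp-test01", "ntp-test02",
                          *parse_listing(LISTING_TEST01)))
```

Run against the values in the post, the decoder reports ENAB and IFF set, no verification bits, and 0x80000 left over, which matches the author's reading of the word; the link check passes for the ntp-test01 listing, so the keysdir layout itself is as the procedure describes.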