[ntp:questions] Re: symmetric-active mode (peer) and autokey

David L. Mills mills at udel.edu
Thu Feb 2 17:24:31 UTC 2006


Peter,

Lose the iburst in the configuration files. The peers need to dance 
together, not one beating on the other.

Dave

Peter Pramberger wrote:

> Steve Kostecke schrieb:
> 
>>1. Starting with an empty keysdir
>>
>>2. Generate trusted host parameters and IFF parameters:
>>
>>	ntp-keygen -T -I -p password
>>
>>3. Export the IFFkey:
>>
>>	ntp-keygen -e -q password -p password
>>
>>4. Paste the IFFkey text into an editor, save the file and create the
>>symlink on the other peer (via an ssh session).
>>
>>5. Add 'peer the.other.peer autokey' in the ntp.conf on each peer
>>along with the 'crypto pw' and 'keysdir' lines.
>>
>>6. Restart both ntpds and wait a bit.
> 
> 
> OK, I followed your description exactly; I also removed the symmetric key stuff
> and any access control entries from the configs:
> 
> -------------------------------------------------------------------------------
> # ntp-test01
> #
> 
> server  192.168.219.13  iburst
> server  192.168.219.14  iburst
> server  192.168.219.15  iburst
> 
> peer    ntp-test02	autokey
> 
> statsdir /var/log/ntp/
> statistics cryptostats
> filegen cryptostats file cryptostats type none enable
> 
> driftfile /var/lib/ntp/drift                    # path for drift file
> 
> crypto   pw somepass
> crypto   randfile /var/lib/ntp/random
> keysdir  /etc/ntp
> -------------------------------------------------------------------------------
> 
> and:
> 
> -------------------------------------------------------------------------------
> # ntp-test02
> #
> 
> server  192.168.219.13  iburst
> server  192.168.219.14  iburst
> server  192.168.219.15  iburst
> 
> peer    ntp-test01	autokey
> 
> statsdir /var/log/ntp/
> statistics cryptostats
> filegen cryptostats file cryptostats type none enable
> 
> driftfile /var/lib/ntp/drift                    # path for drift file
> 
> crypto   pw abc123
> crypto   randfile /var/lib/ntp/random
> keysdir  /etc/ntp
> -------------------------------------------------------------------------------
> 
> 
> /etc/ntp has now (ntp-test01):
> 
> -------------------------------------------------------------------------------
> ntpkey_IFFkey_ntp-test02.3347872538
> ntpkey_IFFpar_ntp-test01.3347872532
> ntpkey_RSA-MD5cert_ntp-test01.3347872532
> ntpkey_RSAkey_ntp-test01.3347872532
> ntpkey_cert_ntp-test01 -> ntpkey_RSA-MD5cert_ntp-test01.3347872532
> ntpkey_host_ntp-test01 -> ntpkey_RSAkey_ntp-test01.3347872532
> ntpkey_iff_ntp-test01 -> ntpkey_IFFpar_ntp-test01.3347872532
> ntpkey_iff_ntp-test02 -> ntpkey_IFFkey_ntp-test02.3347872538
> -------------------------------------------------------------------------------
> 
> and (ntp-test02):
> 
> -------------------------------------------------------------------------------
> ntpkey_IFFkey_ntp-test01.3347872532
> ntpkey_IFFpar_ntp-test02.3347872538
> ntpkey_RSA-MD5cert_ntp-test02.3347872538
> ntpkey_RSAkey_ntp-test02.3347872538
> ntpkey_cert_ntp-test02 -> ntpkey_RSA-MD5cert_ntp-test02.3347872538
> ntpkey_host_ntp-test02 -> ntpkey_RSAkey_ntp-test02.3347872538
> ntpkey_iff_ntp-test01 -> ntpkey_IFFkey_ntp-test01.3347872532
> ntpkey_iff_ntp-test02 -> ntpkey_IFFpar_ntp-test02.3347872538
> -------------------------------------------------------------------------------
> 
> 
> But after startup of daemons (both hosts):
> 
> -------------------------------------------------------------------------------
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ntp01           10.112.49.11     2 u   54   64  377    0.668  -36.241   9.859
> +ntp02           10.96.113.11     2 u   50   64  377    0.886   -4.385   9.923
> +ntp03           10.80.49.11      2 u   49   64  377    0.764  -31.635  21.444
>  ntp-test02      .CRYP.          16 u    4 1024    0    0.000    0.000 4000.00
> 
> -------------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------------
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *ntp01           10.112.49.11     2 u   53   64  377    0.702    2.831  25.439
> +ntp02           10.96.113.11     2 u   55   64  377    0.836   35.165  66.753
> +ntp03           10.80.49.11      2 u   49   64  377    0.923   51.884  41.371
>  ntp-test01      .CRYP.          16 u    - 1024    0    0.000    0.000 4000.00
> -------------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------------
> 53768 46256.175 ntpkey_RSAkey_ntp-test01.3347872532 mod 512
> 53768 46256.175 ntpkey_IFFpar_ntp-test01.3347872532 mod 384
> 53768 46256.175 ntpkey_RSA-MD5cert_ntp-test01.3347872532 0x2 len 372
> 53768 46256.744 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
> 53768 46257.152 refresh ts 0
> 53768 46257.745 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
> 53768 46265.165 update ts 3347873465
> 53768 46315.807 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
> 53768 46318.812 update ts 3347873518
> 53768 46318.812 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
> 53768 46320.811 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
> 53768 46321.811 update ts 3347873521
> 53768 46321.811 172.20.79.25 cert ntp-test02 0x3 md5WithRSAEncryption (8) fs 3347872538
> 53768 46326.815 172.20.79.25 flags 0x80021 host ntp-test02 signature md5WithRSAEncryption
> 53768 46329.819 update ts 3347873529
> ...
> -------------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------------
> assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
> version="ntpd 4.2.0a at 1.1190-r Mon Feb 21 17:54:52 GMT 2005 (1)"?,
> processor="i686", system="Linux/2.6.9-22.0.2.EL", leap=00, stratum=3,
> precision=-18, rootdelay=18.076, rootdispersion=118.705, peer=13860,
> refid=192.168.219.13,
> reftime=c78c81b5.fd3a604e  Thu, Feb  2 2006 14:03:49.989, poll=6,
> clock=0xc78c8293.317add15, state=4, offset=-33.838, frequency=212.485,
> noise=14.672, jitter=69.216, stability=407.798,
> hostname="ntp-test01", signature="md5WithRSAEncryption",
> flags=0x80021, hostkey=3347872532, refresh=3347873640,
> cert="ntp-test02 ntp-test02 0x3 3347872538",
> cert="ntp-test01 ntp-test01 0x3 3347872532"
> -------------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------------
> ntp-test01 ntpd[6073]: crypto_ident: no compatible identity scheme found
> ntp-test01 ntpd[6073]: transmit: crypto error for 172.20.79.25
> -------------------------------------------------------------------------------
> 
> 
> The flags value (0x80021) looks strange to me. According to ntp_crypto.h the
> value means:
> 
>    - crypto enable
>    - no leapseconds table
> 
>    - IFF identity scheme
>    - nothing verified?
> 
>    - 0x8....?
> 
> 
> /*
>  * The following bits are set by the CRYPTO_ASSOC message from
>  * the server and are not modified by the client.
>  */
> #define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
> #define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
> 
> #define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
> #define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
> #define CRYPTO_FLAG_GQ	  0x0040 /* GQ identity scheme */
> #define	CRYPTO_FLAG_MV	  0x0080 /* MV identity scheme */
> #define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
> 	
> /*
>  * The following bits are used by the client during the protocol
>  * exchange.
>  */
> #define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
> #define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
> #define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
> #define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
> #define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
> #define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
> #define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
> 
> 
> Regards,
> Peter
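
The flags word Peter is decoding by hand, and the keysdir layout that Steve's six-step recipe is supposed to produce, can both be checked mechanically. The Python below is an added example written for this archive page; it is not code from the thread, from ntp-keygen or from ntpd. The bit values are copied from the ntp_crypto.h excerpt quoted above, so any bit outside that excerpt (the 0x80000 in 0x80021, for instance) is reported as undefined rather than given a name the page does not supply. Reading the client-side bits as a ladder in the order the header lists them, and the expected symlink layout (ntpkey_host_, ntpkey_cert_ and ntpkey_iff_<self> pointing at the host's own RSAkey, cert and IFFpar files, ntpkey_iff_<peer> pointing at the peer's exported IFFkey), are assumptions taken from the two listings in the thread, not from ntpd documentation. The sample keysdir is constructed from the ntp-test01 listing above.

```python
"""Decode an Autokey flags word and sanity-check a keysdir layout.

Added example for this archive page; not code from the thread or from ntpd.
Bit values are copied from the ntp_crypto.h excerpt quoted in the thread.
"""
import re

CRYPTO_FLAG_ENAB  = 0x0001  # crypto enable
CRYPTO_FLAG_TAI   = 0x0002  # leapseconds table
CRYPTO_FLAG_PRIV  = 0x0010  # PC identity scheme
CRYPTO_FLAG_IFF   = 0x0020  # IFF identity scheme
CRYPTO_FLAG_GQ    = 0x0040  # GQ identity scheme
CRYPTO_FLAG_MV    = 0x0080  # MV identity scheme
CRYPTO_FLAG_VALID = 0x0100  # public key verified
CRYPTO_FLAG_VRFY  = 0x0200  # identity verified
CRYPTO_FLAG_PROV  = 0x0400  # signature verified
CRYPTO_FLAG_AGREE = 0x0800  # cookie verified
CRYPTO_FLAG_AUTO  = 0x1000  # autokey verified
CRYPTO_FLAG_SIGN  = 0x2000  # certificate signed
CRYPTO_FLAG_LEAP  = 0x4000  # leapseconds table verified

SCHEMES = {CRYPTO_FLAG_PRIV: "PC", CRYPTO_FLAG_IFF: "IFF",
           CRYPTO_FLAG_GQ: "GQ", CRYPTO_FLAG_MV: "MV"}

# Client-side verification bits, in the order the header lists them
# (assumption: treated here as the order the exchange must clear them).
LADDER = [
    (CRYPTO_FLAG_VALID, "public key verified"),
    (CRYPTO_FLAG_VRFY,  "identity verified"),
    (CRYPTO_FLAG_PROV,  "signature verified"),
    (CRYPTO_FLAG_AGREE, "cookie verified"),
    (CRYPTO_FLAG_AUTO,  "autokey verified"),
    (CRYPTO_FLAG_SIGN,  "certificate signed"),
    (CRYPTO_FLAG_LEAP,  "leapseconds table verified"),
]

# Every bit the excerpt defines; anything else is reported, not interpreted.
DEFINED = CRYPTO_FLAG_ENAB | CRYPTO_FLAG_TAI | sum(SCHEMES) | sum(b for b, _ in LADDER)


def parse_flags(text: str) -> int:
    """Extract the flags word from 'ntpq -c rv' output ('flags=0x...')
    or from a cryptostats line ('... flags 0x... host ...')."""
    m = re.search(r"\bflags[= ]0x([0-9a-fA-F]+)", text)
    if m is None:
        raise ValueError("no flags word in input")
    return int(m.group(1), 16)


def decode_flags(flags: int) -> dict:
    """Split a flags word into what the peer advertised (ENAB, TAI, scheme)
    and how far the client side of the exchange has progressed."""
    pending = [name for bit, name in LADDER if not flags & bit]
    return {
        "enabled":        bool(flags & CRYPTO_FLAG_ENAB),
        "leap_table":     bool(flags & CRYPTO_FLAG_TAI),
        "schemes":        [n for b, n in SCHEMES.items() if flags & b],
        "verified":       [n for b, n in LADDER if flags & b],
        # first unset ladder bit: the step the exchange has not cleared yet
        "next":           pending[0] if pending else None,
        "undefined_bits": flags & ~DEFINED,
    }


def expected_links(host: str, peer: str) -> dict:
    """Symlink -> regex for its target, as seen in the thread's two listings
    (assumption: the host's own key/cert/IFFpar plus the peer's IFFkey)."""
    h, p = re.escape(host), re.escape(peer)
    return {
        f"ntpkey_host_{host}": rf"ntpkey_RSAkey_{h}\.\d+",
        f"ntpkey_cert_{host}": rf"ntpkey_[\w-]+cert_{h}\.\d+",
        f"ntpkey_iff_{host}":  rf"ntpkey_IFFpar_{h}\.\d+",
        f"ntpkey_iff_{peer}":  rf"ntpkey_IFFkey_{p}\.\d+",
    }


def check_keysdir(host: str, peer: str, listing: dict) -> list:
    """listing maps each keysdir entry to its symlink target, or None for a
    regular file. Returns a list of problems; empty means the layout matches."""
    problems = []
    for link, pattern in expected_links(host, peer).items():
        target = listing.get(link)
        if target is None:
            problems.append(f"{link}: missing or not a symlink")
        elif not re.fullmatch(pattern, target):
            problems.append(f"{link} -> {target}: unexpected target")
        elif target not in listing:
            problems.append(f"{link} -> {target}: dangling symlink")
    return problems


# Constructed from the ntp-test01 listing in the thread (None = regular file).
KEYSDIR_NTP_TEST01 = {
    "ntpkey_IFFkey_ntp-test02.3347872538": None,
    "ntpkey_IFFpar_ntp-test01.3347872532": None,
    "ntpkey_RSA-MD5cert_ntp-test01.3347872532": None,
    "ntpkey_RSAkey_ntp-test01.3347872532": None,
    "ntpkey_cert_ntp-test01": "ntpkey_RSA-MD5cert_ntp-test01.3347872532",
    "ntpkey_host_ntp-test01": "ntpkey_RSAkey_ntp-test01.3347872532",
    "ntpkey_iff_ntp-test01": "ntpkey_IFFpar_ntp-test01.3347872532",
    "ntpkey_iff_ntp-test02": "ntpkey_IFFkey_ntp-test02.3347872538",
}

if __name__ == "__main__":
    flags = parse_flags("flags=0x80021, hostkey=3347872532, refresh=3347873640")
    for key, value in decode_flags(flags).items():
        print(f"{key:15} {value:#x}" if key == "undefined_bits" else f"{key:15} {value}")
    print(check_keysdir("ntp-test01", "ntp-test02", KEYSDIR_NTP_TEST01) or "keysdir OK")
```

Run against the rv output above it reports IFF as the only advertised scheme, nothing on the client ladder verified (so "public key verified" is the first step still outstanding), and 0x80000 as a bit the quoted header does not define; run against the ntp-test01 listing it finds all four expected symlinks in place. Feed it a live keysdir with os.listdir and os.readlink to check a real pair of peers.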
