[ntp:questions] Re: symmetric-active mode (peer) and autokey

Peter Pramberger peter.pramberger at 1012surf.net
Fri Feb 3 21:45:52 UTC 2006


Peter Pramberger wrote:
> I'm currently trying to implement public key authentication on an NTP testlab,
>
> NTP is version 4.2.0a-20040617 on RHEL4/CentOS4.

Finally I got TC and even IFF working, but it took me a lot of trial and error:

1) When running ntpd as non-root user (RedHat included the droproot patch in
their package), "/etc/ntp" has to be owned by "ntp:ntp". Don't try to set
something like "root:ntp", it won't work (it seems the EGID isn't set correctly).

2) When the driftfile doesn't exist at daemon startup, you can wait until the end
of the universe; authentication would never complete.

3) For some reason the IFF scheme (and maybe others too) isn't working while
running as non-root user. The cryptostats file shows the repeated loading of
the other host's IFF key, but authentication would never complete. Run ntpd as
root and it works perfectly (don't forget "chown root:root /etc/ntp"). Maybe a
too-restrictive capability set. I've reported this to RedHat.

4) As soon as I put the current leapseconds file
(ftp://time.nist.gov/pub/leap-seconds.3331497600) on one or both hosts, I get
errors in the log and the authentication fails. When I remove it,
authentication works again.

--------------------------------------------------------------------------
Feb  3 22:32:22 dns ntpd[4953]: receive: fatal error 608 for 192.168.20.20
Feb  3 22:35:38 dns ntpd[4953]: crypto_iff: invalid filestamp 3347979197
--------------------------------------------------------------------------
53769 77738.911 192.168.20.20 error 103 opcode 82070000 ts 3347991338 fs
3347979197
--------------------------------------------------------------------------

Where is the right place (host) to put the leapseconds file?


Regards,
Peter
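An added example, not part of Peter's post or of the ntp distribution: a small POSIX shell preflight script that checks the first two conditions listed above (the keys directory is owned by the user ntpd drops to, and the driftfile exists before startup) and decodes the numeric suffix of any leap-seconds file into Unix time so it can be compared with the "invalid filestamp" value in the log. The key directory, driftfile path and ntpd user:group are passed as arguments and are assumptions; the only constant is the 2208988800-second offset between the NTP era (1900) and the Unix epoch (1970).

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# autokey pitfalls described above. KEYSDIR, DRIFTFILE and USER:GROUP
# are assumptions supplied by the caller.

NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 to 1970-01-01

# Convert an NTP-era seconds value (filestamp or log "ts"/"fs") to Unix time.
ntp_to_unix() {
    echo $(( $1 - NTP_UNIX_OFFSET ))
}

# Print "owner:group" of a path; ls -ld is portable across GNU and BSD.
owner_of() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# The keys directory must be owned by the user:group ntpd runs as
# (the post reports that "root:ntp" does not work with the droproot patch).
check_keysdir_owner() {
    dir=$1; want=$2
    have=$(owner_of "$dir")
    if [ "$have" = "$want" ]; then
        echo "ok: $dir owned by $have"
        return 0
    fi
    echo "FAIL: $dir owned by '$have', expected $want" >&2
    return 1
}

# The driftfile must exist before ntpd starts, or authentication never completes.
check_driftfile() {
    if [ -f "$1" ]; then
        echo "ok: driftfile $1 present"
        return 0
    fi
    echo "FAIL: driftfile $1 missing; create it before starting ntpd" >&2
    return 1
}

# Report any leap-seconds.<filestamp> file in the keys directory and decode
# its suffix, so it can be matched against the filestamp printed in the log.
report_leapfile() {
    for f in "$1"/leap-seconds.*; do
        [ -e "$f" ] || continue
        stamp=${f##*.}
        case $stamp in
            *[!0-9]*) echo "note: $f has a non-numeric suffix" ;;
            *) echo "note: $f filestamp $stamp = unix $(ntp_to_unix "$stamp")" ;;
        esac
    done
}

# Usage: preflight KEYSDIR DRIFTFILE USER:GROUP
# e.g.   preflight /etc/ntp /var/lib/ntp/drift ntp:ntp
preflight() {
    rc=0
    check_keysdir_owner "$1" "$3" || rc=1
    check_driftfile "$2" || rc=1
    report_leapfile "$1"
    return $rc
}
```

Run it as the same user ntpd will be started as, before starting the daemon; a non-zero exit means one of the two hard preconditions from the post is not met. The leap-seconds line is informational only: the post does not establish why the filestamp is rejected, so the script just makes the number readable.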



