[ntp:questions] Re: symmetric-active mode (peer) and autokey

Peter Pramberger peter.pramberger at 1012surf.net
Sat Feb 4 14:55:08 UTC 2006

Peter Pramberger schrieb:
> 4) As soon as I put the current leapseconds file
> (ftp://time.nist.gov/pub/leap-seconds.3331497600) on one or both hosts, I get
> errors in the log, and the authentication fails. When I remove them,
> authentication is working again.

Update: It seems I've done the IFF part wrong. According to
http://www.eecis.udel.edu/~mills/ntp/html/keygen.html ...

"For the IFF scheme proceed as in the TC scheme to generate keys and
certificates for all group hosts, then for every trusted host in the group,
generate the IFF parameter file. On trusted host alice run ntp-keygen -T -I -p
password to produce her parameter file ntpkey_IFFpar_alice.filestamp, which
includes both server and client keys. Copy this file to all group hosts that
operate as both servers and clients and install a soft link from the generic
ntpkey_iff_alice to this file."

... instead of running "ntp-keygen -T -I -p somepass" on all trusted servers
peering with each other in the trust group I had to create the IFFpar only on
one of them and just copy it to the other trusted servers, create the link,
and then create their host certificates ("ntp-keygen -T -q somepass").

Then I can put the leapseconds file on one (only!) of the trusted servers and
it will get distributed among the trust group.


More information about the questions mailing list