[ntp:questions] Re: symmetric-active mode (peer) and autokey

Peter Pramberger peter.pramberger at 1012surf.net
Thu Feb 9 07:42:46 UTC 2006

Steve Kostecke schrieb:
>>... instead of running "ntp-keygen -T -I -p somepass" on all trusted servers
>>peering with each other in the trust group I had to create the IFFpar only on
>>one of them and just copy it to the other trusted servers, create the link,
>>and then create their host certificates ("ntp-keygen -T -q somepass").
> I've tried that (a shared IFFpar) in that past and couldn't get it to
> work. Both of my authenticated peers have their own unique IFFpar file
> and have exchanged IFFkey files.

Works here. And this way you only have to extract the client key from one of the

>>Then I can put the leapseconds file on one (only!) of the trusted servers and
>>it will get distributed among the trust group.
> Which is then dependent on that particular ntpd staying up.

Not necessarily. As long as one peer in the trust group has ever synced with
this particular server (has the leapseconds data in memory) and stays up, it
should still provide the leapseconds data to its clients.

Actually my statement was wrong. Putting the leapseconds file on only one peer
didn't work too. It just took longer to produce the same (or similar) errors as
with both peers.


More information about the questions mailing list