[ntp:questions] Re: autokey setup with GQ Identity Scheme

Steve Kostecke kostecke at ntp.isc.org
Tue May 30 17:11:58 UTC 2006


Jean-Francois Malouin  wrote:

> After a few days of reading all sort of doc (mainly
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey) I have
> convinced myself that I'm missing something crucial in my NTP
> sub-domain setup but I can't put the finger on it... I'll be quite
> happy to give further output/debug to anyone who can help and I 
> apologize if this is too long but it has been a few very frustrating
> days...

I've had mixed results with Authenticated peers.

> a set of 3 trusted hosts running NTPV4 on Debian/Sarge and supposed to
> peer between each other as stratum 3 servers using GQ scheme as the
> Identity Scheme,

Is there any particular reason why you need to use Authentication
between your peers?

You could use the 'nopeer' restriction to restrict peering to just your
3 hosts. Then the peer Authentication issue would be moot.

| driftfile /path/to/your/drift.file
| crypto pw my_server_secret
| keysdir /etc/ntp
| # Allow only time service (localhost is unrestricted)
|
| restrict default nomodify nopeer noquery notrap
| restrict 127.0.0.1
| # remote time servers
|
| server one.time
| server two.time
| server three.time
|
| # peers w/ relaxed restrictions to allow peering
| server four.time
| peer ntp1.domain.org autokey
| restrict <ntp1_ip_addr>
| peer ntp2.domain.org autokey
| restrict <ntp2_ip_addr>
| peer ntp3.domain.org autokey
| restrict <ntp3_ip_addr>
|
| broadcast xxx.yyy.zzz.255 autokey
| broadcast 224.0.1.1 autokey

> My problem: right now with only 2 servers and one client: the 'good'
> server reports DROP as the peer kiss code of the 'bad' server, the
> client refuses to associate with the 'bad' server and the 'bad' server
> sees the 'good' server as a stratum 3 server but reports 'flash=200
> bad_autokey' in the ntpq association output.

I've seen this sort of "Auth confusion" when attempting to bring up some
Authenticated/IFF peers.

Have you tried establishing an Authenticated/GQ unicast association between
two of your servers? That would allow you to see if your GQ parameters
work.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
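The advice above amounts to a policy: deny peering (and modification, queries and traps) by default, then relax the restriction only for the IPs of the hosts you actually want to peer with, so an unauthenticated stranger can never become a peer. The script below is an added example, not code from the original post or from the NTP project; it parses an ntp.conf in the style quoted above and reports peers that the default restriction would still refuse. The sample config and the hostname-to-IP map are constructed (the map stands in for DNS, since `peer` lines use names and `restrict` lines use addresses).

```python
"""
Check an ntp.conf for the 'restrict default ... nopeer' pattern:
peering is denied by default and re-enabled only for listed hosts
via a per-address 'restrict' line without 'nopeer'.

Added example; not from the original message or the NTP project.
"""

# Constructed sample config following the layout quoted in the message.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
crypto pw my_server_secret
keysdir /etc/ntp
# Allow only time service (localhost is unrestricted)
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1
server one.time
server two.time
# peers w/ relaxed restrictions to allow peering
peer ntp1.domain.org autokey
restrict 192.0.2.11
peer ntp2.domain.org autokey
restrict 192.0.2.12
peer ntp3.domain.org autokey
"""

# Constructed stand-in for DNS resolution (assumption, not real hosts).
SAMPLE_HOSTS = {
    "ntp1.domain.org": "192.0.2.11",
    "ntp2.domain.org": "192.0.2.12",
    "ntp3.domain.org": "192.0.2.13",
}

REQUIRED_DEFAULT_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}


def parse_conf(text):
    """Return (default_flags, restricts, peers).

    default_flags: set of flags on 'restrict default', or None if absent
    restricts:     address -> set of flags on that 'restrict' line
    peers:         list of (target, has_autokey) from 'peer' lines
    """
    default_flags = None
    restricts = {}
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        words = line.split()
        directive, args = words[0], words[1:]
        if directive == "restrict" and args:
            if args[0] == "default":
                default_flags = set(args[1:])
            else:
                restricts[args[0]] = set(args[1:])
        elif directive == "peer" and args:
            peers.append((args[0], "autokey" in args[1:]))
    return default_flags, restricts, peers


def check_peering(text, hosts):
    """Return a list of findings; empty means the config follows the pattern."""
    findings = []
    default_flags, restricts, peers = parse_conf(text)

    if default_flags is None:
        findings.append("no 'restrict default' line: every source may peer")
    else:
        missing = REQUIRED_DEFAULT_FLAGS - default_flags
        if missing:
            findings.append("restrict default lacks: " + ", ".join(sorted(missing)))

    for host, autokey in peers:
        addr = hosts.get(host, host)      # peer given as an address already?
        flags = restricts.get(addr)
        if flags is None:
            findings.append(f"peer {host} ({addr}) has no matching 'restrict' "
                            "line to relax the default restriction")
        elif "nopeer" in flags:
            findings.append(f"peer {host} ({addr}) is restricted with nopeer")
        if not autokey:
            findings.append(f"peer {host} is not marked autokey")
    return findings


if __name__ == "__main__":
    for finding in check_peering(SAMPLE_CONF, SAMPLE_HOSTS):
        print("WARN:", finding)
```

Run against the sample, the checker flags only ntp3.domain.org, whose `restrict` line is missing, which is exactly the host that `restrict default nopeer` would silently refuse to peer with. A real deployment would resolve the peer names instead of using the constructed map.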