[ntp:questions] notrust alternative?

Richard B. Gilbert rgilbert88 at comcast.net
Sun Nov 5 13:52:24 UTC 2006

David L. Mills wrote:
> Richard,
> You may have misunderstood what the enable/disable auth does. It has 
> nothing to do with the autentication method or lack of it. If the switch 
> is enabled (enable auth), then associations cannot be mobilized unless 
> authentication parameters have been configured and the symmetric active 
> or broadcast client is correctly authenticated.

I think I'm still missing something!  I don't have disable auth nor 
enable auth.  Therefore it defaults to "enable auth".

Correct so far?

I have an NTP keys file with symmetric keys that I use only to access 
the privileged functions of ntpq and ntpdc.  I do not authenticate any 
server! I am, apparently, able to mobilize associations!  But if I 
understand you, I should not be able to mobilize associations. 
"sunblok" and "sunburn" are two servers on my local network.  On 
"sunblok" I can say "peer sunburn" and on "sunburn" I can say "peer 
sunblok".  It works!

Since I am behind a NAT router/firewall on an RFC-1918 private network, 
my understanding is that your public key authentication scheme cannot be 
used because the IP address of my machine is not the address seen 
externally and the IP address of the machine is part of the 
authentication scheme.


More information about the questions mailing list