[ntp:questions] Could some one help in pointing out the error here

Steve Kostecke kostecke at ntp.isc.org
Sat Apr 21 13:50:48 UTC 2007


On 2007-04-21, Remo <madhu_mepco at yahoo.co.uk> wrote:

> I was not able to set a remote server's leap. It looks like the NTP
> packets from the query are not generated at all. Though the "sendpkt"
> procedure is being called "sendrequest", I am not able to see the
> packet reaching the other side. I guess that I am missing something as
> there is an error reported with authentication.

I believe that the real issue is that you can't use writevar to set the
leap.

> ntpq> asso
> ind assID status  conf reach auth condition  last_event cnt
>===========================================================
>   1 17284  f614   yes   yes   ok   sys.peer   reachable  1
>   2 17285  c000   yes   yes   bad    reject
> ntpq> writevar 17284 leap=1
> Keyid: 64
> MD5 Password:
> ***Server disallowed request (authentication?)

I have a flock of systems that are set up to allow remote modification
and have a working symmetric key set. When I tried to set the leap on
another ntpd I see the same message:

steve at stasis:~$ ntpq
ntpq> as
...
  2 20879  7014    no   yes   ok     reject   reachable  1
...
ntpq> writevar 20879 leap=1
Keyid: 1
MD5 Password: 
***Server disallowed request (authentication?)

I've also tried setting the local ntpd leap and that fails, too:

ntpq> rv 0 leap
assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
leap=00
ntpq> writevar 0 leap=1
***Server returned an unspecified error
ntpq> rv 0 leap
assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
leap=00

> trustedkey 1234
> requestkey 61
> controlkey 64

All of the keys must be listed on the 'trustedkey' line. This tells ntpd
to trust those keys; the default is to trust these keys to authenticate
time service. Subsets of the trusted keys may also be specified on the
'trustedkey' and 'requestkey' lines if you wish to allow the use of
certain keys by ntpdc and ntpq.

This is discussed in the distribution documentation at
http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis
is mine):

"When ntpd is first started, it reads the key file specified in the keys
configuration command and installs the keys in the key cache. HOWEVER,
INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE
USE. This allows, for instance, the installation of possibly several
batches of keys and then activating or deactivating each batch remotely
using ntpdc. This also provides a revocation capability that can be used
if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY
USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND
SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY."

This is also documented in section 6.1.3.3 at
http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm

> Is it possible to work without authentication? Please help.

You could disable authentication when ntpd is started, but this will
leave your ntpd open to being remotely modified by anyone who can
connect to it.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
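
Added example (not part of the original message and not code from the NTP distribution): a small Python check that reads ntp.conf text and a keys file and reports any requestkey or controlkey id that is missing from the keys file or not listed on a trustedkey line. The function names, the sample keys file and its placeholder secrets are assumptions made for illustration; the configuration lines are the ones quoted in the post.

```python
# Constructed inputs: the three lines quoted in the post, a corrected variant,
# and a made-up keys file (id, type, secret); the secrets are placeholders.
POSTED_CONF = "trustedkey 1234\nrequestkey 61\ncontrolkey 64\n"
FIXED_CONF = "trustedkey 1234 61 64\nrequestkey 61\ncontrolkey 64\n"
SAMPLE_KEYS = "1234 M placeholder-a\n61 M placeholder-b\n64 M placeholder-c\n"

def _fields(line):
    """Split one line into whitespace-separated fields, dropping '#' comments."""
    return line.split("#", 1)[0].split()

def parse_conf(text):
    """Return (trusted key ids, {directive: key id}) from ntp.conf text."""
    trusted, selected = set(), {}
    for line in text.splitlines():
        f = _fields(line)
        if not f:
            continue
        name, args = f[0].lower(), [int(a) for a in f[1:] if a.isdigit()]
        if name == "trustedkey":
            trusted.update(args)          # collect ids from every trustedkey line
        elif name in ("requestkey", "controlkey") and args:
            selected[name] = args[0]
    return trusted, selected

def parse_keys(text):
    """Return the key ids defined in a keys file (lines of: id type secret)."""
    return {int(f[0]) for f in map(_fields, text.splitlines())
            if len(f) >= 3 and f[0].isdigit()}

def audit(conf_text, keys_text):
    """List (directive, keyid, problem) for keys ntpdc/ntpq cannot use."""
    trusted, selected = parse_conf(conf_text)
    installed = parse_keys(keys_text)
    findings = []
    for directive in ("requestkey", "controlkey"):
        keyid = selected.get(directive)
        if keyid is None:
            continue                      # directive absent: nothing to check
        if keyid not in installed:
            findings.append((directive, keyid, "not in keys file"))
        elif keyid not in trusted:
            findings.append((directive, keyid, "not on trustedkey line"))
    return findings

if __name__ == "__main__":
    for conf in (POSTED_CONF, FIXED_CONF):
        print(audit(conf, SAMPLE_KEYS) or "all selected keys are trusted")
```

This only checks the key configuration; it does not change the behaviour of writevar described in the message above.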



