[ntp:questions] /dev/random as opposed to //.rnd

Steve Kostecke kostecke at ntp.isc.org
Fri May 11 21:04:22 UTC 2007


On 2007-05-11, coniptor at gmail.com <coniptor at gmail.com> wrote:

> This is my first post to the ntp list.

Please keep in mind that your messages are also being posted to the
comp.protocols.time.ntp news-group on Usenet.

>I've been googling around for answers regarding autokey with ntp as
>I've only ever setup a non encrypted/secured ntp configuration.

It's authenticated, not encrypted/secured.

NTP Authentication makes it possible for a client to be sure that
the NTP packets that it is receiving from an arbitrary server _are_ from
that server (and not from a bad actor). NTP Authentication does not
encrypt the NTP packets.

> I've been tasked with setting up autokey in the environment and
> thought I had IFF working, I'm not so sure now, since reading some of
> the other posts regarding the TC scheme.

TC is the default when the participants do not have the IFF/GQ/MV
Identity Scheme parameters.

You can "easily" tell what Identity Scheme is being used by examining the
flags for a particular association.

Use ntpq -cas to retrieve the list of association IDs. Then ntpq -c"rv
AssnID flags" to view the flags for that association. The flag that
indicates the Identity Scheme is:

#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */

flags=0x87f03 indicates that TC is being used
flags=0x87f23 indicates that IFF is being used

Here are all of the flags:

#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */

#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */

#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */

#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */

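As an added worked example (not part of Steve's post or of the ntp distribution), the following C program decodes a "flags=0x..." field as printed by ntpq rv, using the CRYPTO_FLAG_* values quoted above. It reports which Identity Scheme the association negotiated (TC when none of the 0x10..0x80 bits is set), lists every named flag that is set, and returns any bits the quoted defines do not cover rather than silently dropping them. The two sample values are the ones from the post; the function names and the constructed sample input are the example's own, and the bit 0x80000 present in both samples is simply reported as undecoded because no define for it appears above.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as quoted in the post (ntpd's crypto association flags). */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */

/* Hypothetical helper mask (not from ntpd): the four identity-scheme bits. */
#define CRYPTO_FLAG_ID_MASK \
    (CRYPTO_FLAG_PRIV | CRYPTO_FLAG_IFF | CRYPTO_FLAG_GQ | CRYPTO_FLAG_MV)

static const struct { unsigned long bit; const char *name; } flag_table[] = {
    { CRYPTO_FLAG_ENAB,  "ENAB"  }, { CRYPTO_FLAG_TAI,   "TAI"   },
    { CRYPTO_FLAG_PRIV,  "PRIV"  }, { CRYPTO_FLAG_IFF,   "IFF"   },
    { CRYPTO_FLAG_GQ,    "GQ"    }, { CRYPTO_FLAG_MV,    "MV"    },
    { CRYPTO_FLAG_VALID, "VALID" }, { CRYPTO_FLAG_VRFY,  "VRFY"  },
    { CRYPTO_FLAG_PROV,  "PROV"  }, { CRYPTO_FLAG_AGREE, "AGREE" },
    { CRYPTO_FLAG_AUTO,  "AUTO"  }, { CRYPTO_FLAG_SIGN,  "SIGN"  },
    { CRYPTO_FLAG_LEAP,  "LEAP"  },
};
#define N_FLAGS (sizeof flag_table / sizeof flag_table[0])

/* Name of the Identity Scheme encoded in the 0x10..0x80 bits; "TC" if none. */
const char *identity_scheme(unsigned long flags)
{
    switch (flags & CRYPTO_FLAG_ID_MASK) {
    case 0:                return "TC";
    case CRYPTO_FLAG_PRIV: return "PC";
    case CRYPTO_FLAG_IFF:  return "IFF";
    case CRYPTO_FLAG_GQ:   return "GQ";
    case CRYPTO_FLAG_MV:   return "MV";
    default:               return "invalid (more than one identity bit set)";
    }
}

/* Bits of flags that none of the defines above accounts for (0 if fully decoded). */
unsigned long undecoded_bits(unsigned long flags)
{
    unsigned long known = 0;
    size_t i;
    for (i = 0; i < N_FLAGS; i++)
        known |= flag_table[i].bit;
    return flags & ~known;
}

/* Write the names of all set flags, space separated, into buf; return the count. */
int describe_flags(unsigned long flags, char *buf, size_t buflen)
{
    int n = 0;
    size_t i;
    buf[0] = '\0';
    for (i = 0; i < N_FLAGS; i++) {
        if (flags & flag_table[i].bit) {
            if (n > 0)
                strncat(buf, " ", buflen - strlen(buf) - 1);
            strncat(buf, flag_table[i].name, buflen - strlen(buf) - 1);
            n++;
        }
    }
    return n;
}

/* Parse a "flags=0x87f23" field as printed by ntpq rv; returns 1 on success. */
int parse_flags_field(const char *field, unsigned long *out)
{
    return sscanf(field, "flags=%lx", out) == 1;
}

int main(void)
{
    /* Constructed sample input: the two values quoted in the post. */
    const char *samples[] = { "flags=0x87f03", "flags=0x87f23" };
    char buf[160];
    size_t i;
    for (i = 0; i < 2; i++) {
        unsigned long f;
        if (!parse_flags_field(samples[i], &f))
            continue;
        describe_flags(f, buf, sizeof buf);
        printf("%s -> scheme %s; set: %s; undecoded 0x%lx\n",
               samples[i], identity_scheme(f), buf, undecoded_bits(f));
    }
    return 0;
}
```

Run against the two sample values this prints TC for 0x87f03 and IFF for 0x87f23, which is exactly the distinction the post draws; in practice you would feed it the flags line from ntpq -c"rv AssnID flags" for the association you are checking.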
> Is ntpd and ntp-keygen's non-use of /dev/random considered a bug? Will
> ntpd and ntp-keygen ever support /dev/random?

Add this line to your ntp.conf and it will:

crypto randfile /dev/random

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/



