[ntp:questions] Generating keys for ntpdc control

Bob bobsjunkmail at bellsouth.net
Thu Jul 3 11:16:54 UTC 2008

"Martin Burnicki" <martin.burnicki at meinberg.de> wrote in message 
news:lbeuj5-4i6.ln1 at gateway.py.meinberg.de...
> Bob,
> Bob wrote:
>> Can someone run me through the steps necessary to generate, and apply 
>> keys
>> so I can use ntpdc to make on the fly changes to ntpd? I've read through
>> the docs - repeatedly! - and tried every incarnation of ntp-keygen 
>> listed.
> ntp-keygen is used to generate private/public key pairs which are used for
> NTP's "autokey" schemes which have been introduced in NTPv4. The advantage
> of autokey is that you just have to distribute the public key to other
> machines but don't have to copy the private key to some other machine.
> The autokey scheme is used to let NTP clients be able to verify that a NTP
> packet received from a NTP server has indeed been sent by that server and
> not by someone else wh wants to spoof a wrong time.
> The key numbers mentioned for ntpdc are referring to symmetric keys which
> have been introduced before NTPv4 (i.e v3 or even v2, I'm not sure). The
> same key as used on the server has to be copied to the client in order to
> be able to autenticate (-> "symmetric").
> Those symmetric keys can also be used with ntpdc. However, AFAIK, the
> autokey scheme can not.
> To configure symmetric keys you have to create a text file on the NTP
> server, e.g /etc/ntp.keys, which contains the keys, e.g.:
> 1 M my_secret_key
> 2 M another_secret_key
>> What I seem not to be able to get is what the "key number" represents.
> The first column is the key number you have been asking for. The second
> column is a shortcut for the type of encryption, where 'M' is for MD5 
> which
> is AFAIK the only type of encryption still supported for symmetric keys.
> The 3rd column are the keys, just text strings, which must be shared with
> the clients.
> Then the following lines need to be added to the server's ntp.conf file:
> keys /etc/ntp.keys   # path for keys file
> trustedkey 1 2
> After ntpd has been restarted you should be able to use either key 1,
> "my_secret_key", or key 2, "another_secret_key", from your NTP client or
> with ntpdc.
> Having multiple keys as in the example above can be useful to be share one
> key with one group of clients, and another key with another group of
> clients, if required.
> [...]
>> I'm running the current Meinberg windows port.
> Please note this is based on the original sources from ntp.org. Here at
> Meinberg we have just compiled those sources for Windows and put the
> resulting binaries into a GUI installer to simplify installation under
> Windows.
> Martin
> -- 
> Martin Burnicki
> Meinberg Funkuhren
> Bad Pyrmont
> Germany

I'm getting closer... you actually put the key data in a file that you point 
to. OK... how do I generate the keys? For example, I tried the below (of 
course, the keys listed have been erased...) and which file do I use the 
contents of as key material, how much do I use (just the data and no 
headers), and do I have to do it all on one line per key? Thanks for the 
help on this. I've searched for detailed info without success.

C:\Program Files\NTP\bin>ntp-keygen -c RSA-MD5 -V 5 -p Passwd
Using OpenSSL version 90805f
Random seed file C:/.rnd 1024 bytes
Generating MV parameters for 5 keys (102 bits)...
Birthday keys rejected 0
Duplicate keys rejected 335
Generating polynomial coefficients for 5 roots (510 bits)
Generating g[i] parameters
Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: yes
Generating new mv file and link
Revoke key 5
Generating RSA keys (512 bits)...
RSA                                             3 1 2
Generating new host file and link
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link

Here's the contents of the only key that says MD5 anywhere in it  - 
ntpkey_cert_wsr-88d - and, how do I make more than one?

# ntpkey_RSA-MD5cert_wsr-88d.3424071294

# Thu Jul 03 06:54:54 2008










More information about the questions mailing list