[ntp:questions] Problem using ntp autokey with the trusted certificate identity scheme

David Mills mills at udel.edu
Fri Feb 6 19:56:55 UTC 2009


Alain,

You are apparently using the release version of ntpd. That version,
while dated early this year, has a patchwork of old and new algorithms.
This means that, while the algorithms have been compatible as the
versions progress, various combinations of old and new algorithms, as in
the current release version, probably are not. The only version I can
help you with is the development version, which does have compatible
algorithms. I put a good deal of effort in the documentation for the
development version, including configuration and key generation
examples. However, note that the online documentation applies only to
the development version, not the release version. In any case, the
documentation included in your version applies specifically to the
software of your version.

If using the development version, pay close attention to the defaults, 
especially the default host name and key. I suspect the defaults are not 
what you expect.

Dave

Bartholome, Alain wrote:

>Hi,
>
>I am currently trying to run the ntp autokey protocol with the Trusted
>Certificate identity scheme.
>
>I use 3 systems (serverT1, server2, server3), all running ntp-4.2.4p6 on
>Windows 2003.
>
> 
>
>#####
>
>1) The stratum 1 system, serverT1, is trusted.
>
>#####
>
>ntp.conf of serverT1:
>
> 
>
> 
>
>driftfile "d:\appli\NTP\ntp.drift"
>
>keysdir "D:\appli\ntp\etc"
>
>crypto
>
>server 127.127.1.0
>
>fudge 127.127.1.0 stratum 1
>
> 
>
>#end of ntp.conf
>
> 
>
>ServerT1 is trusted. I run on serverT1 the following ntp-keygen command:
>
>ntp-keygen  -T
>
> 
>
>ntpq returns the following information:
>
> 
>
>ntpq> rv
>
>assID=0 status=0544 leap_none, sync_local_proto, 4 events,
>event_peer/strat_chg,
>
> 
>
>version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",
>
>processor="unknown", system="WINDOWS/NT", leap=00, stratum=2,
>
>precision=-20, rootdelay=0.000, rootdispersion=11.370, peer=60933,
>
>refid=LOCAL(0),
>
>reftime=cd34294d.ecd4a22c  Wed, Feb  4 2009 14:48:45.925, poll=10,
>
>clock=cd34296b.49445fe5  Wed, Feb  4 2009 14:49:15.286, state=4,
>
>offset=0.000, frequency=0.000, jitter=0.001, noise=0.001,
>
>stability=0.000, hostname="serverT1", signature="md5WithRSAEncryption",
>
>flags=0x80001, update=200902041304, tai=0, cert="serverT1 serverT1 0x1",
>
>expire=201001281615
>
>ntpq> rv 60933
>
>assID=60933 status=9614 reach, conf, sel_sys.peer, 1 event, event_reach,
>
>srcadr=LOCAL(0), srcport=123, dstadr=127.0.0.1, dstport=123, leap=00,
>
>stratum=1, precision=-20, rootdelay=0.000, rootdispersion=10.000,
>
>refid=LOCL, reach=377, unreach=0, hmode=3, pmode=4, hpoll=6, ppoll=10,
>
>flash=00 ok, keyid=0, ttl=0, offset=0.000, delay=0.000,
>
>dispersion=0.942, jitter=0.001,
>
>reftime=cd3432f2.ecd4e67b  Wed, Feb  4 2009 15:29:54.925,
>
>org=cd3432f2.ecd4e67b  Wed, Feb  4 2009 15:29:54.925,
>
>rec=cd3432f2.ecd50a41  Wed, Feb  4 2009 15:29:54.925,
>
>xmt=cd3432f2.ecd4c6eb  Wed, Feb  4 2009 15:29:54.925,
>
>filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>
>filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>
>filtdisp=      0.00    0.98    1.97    2.91    3.90    4.88    5.84    6.83
>
> 
>
> 
>
>#####
>
>2) Server server2 is not trusted; synchronization is successful with
>serverT1
>
>######
>
>ntp.conf of server2:
>
> 
>
>keysdir "D:\appli\ntp\etc"
>
>crypto
>
>server serverT1 autokey iburst
>
> 
>
> #end of ntp.conf
>
> 
>
>Server2 is not trusted. I run on server2 the following ntp-keygen command:
>
>ntp-keygen  
>
> 
>
> The synchronization with serverT1 is OK.
>
> 
>
>I get the following ntpq information:
>
> 
>
>ntpq> rv 25408
>
>assID=25408 status=f614 reach, conf, auth, sel_sys.peer, 1 event,
>event_reach,
>
>srcadr=serverT1, srcport=123, dstadr=192.168.1.20, dstport=123, leap=00,
>
>stratum=2, precision=-20, rootdelay=0.000, rootdispersion=11.780,
>
>refid=LOCAL(0), reach=377, unreach=0, hmode=3, pmode=4, hpoll=8,
>
>ppoll=8, flash=00 ok, keyid=2530961316, ttl=0, offset=-5.406,
>
>delay=0.538, dispersion=7.295, jitter=7.284,
>
>reftime=cd342132.ec945c28  Wed, Feb  4 2009 14:14:10.924,
>
>org=cd34216b.6a7954cf  Wed, Feb  4 2009 14:15:07.415,
>
>rec=cd34216b.6bed4439  Wed, Feb  4 2009 14:15:07.421,
>
>xmt=cd34216b.6bc631af  Wed, Feb  4 2009 14:15:07.420,
>
>filtdelay=     0.54    0.73    0.62   24.35    0.54    0.57    0.50    0.51,
>
>filtoffset=   -5.41   -3.59    2.06    5.67    1.19    0.93    3.51    4.64,
>
>filtdisp=      0.00    3.86    7.68   11.51   15.35   19.17   23.01   24.96,
>
>hostname="serverT1", signature="md5WithRSAEncryption", flags=0x83f01,
>
>trust="serverT1"
>
>ntpq> rv
>
>assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
>
>version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",
>
>processor="unknown", system="WINDOWS/NT", leap=00, stratum=3,
>
>precision=-18, rootdelay=0.373, rootdispersion=36.531, peer=25408,
>
>refid=192.168.1.1,
>
>reftime=cd342770.7be454cf  Wed, Feb  4 2009 14:40:48.483, poll=9,
>
>clock=cd3428e6.49fff906  Wed, Feb  4 2009 14:47:02.289, state=4,
>
>offset=-10.760, frequency=20.908, jitter=4.156, noise=10.913,
>
>stability=0.048, hostname="server2", signature="md5WithRSAEncryption",
>
>flags=0x80001, update=200902041308, tai=0, cert="serverT1 serverT1 0x7",
>
>expire=201001281615, cert="server2 server2 0x2",
>
>expire=201002041023
>
> 
>
>######
>
>3) server3 is not trusted and should synchronize with server2
>
>######
>
>   ntp.conf of server3
>
> 
>
>keysdir "D:\appli\ntp\etc"
>
>crypto
>
>server server2 autokey  iburst prefer
>
>#end of ntp.conf
>
> 
>
>Server3 is not trusted. I run on server3 the following ntp-keygen command:
>
>ntp-keygen  
>
> 
>
>server3 does not synchronize with server2
>
> 
>
>ntpq gives the following information:
>
>ntpq> rv 50257
>
>assID=50257 status=e000 unreach, conf, auth, no events,
>
>srcadr=server2, srcport=123, dstadr=192.168.2.11, dstport=123,
>
>leap=00, stratum=3, precision=-18, rootdelay=0.519,
>
>rootdispersion=32.700, refid=192.168.1.1, reach=000, unreach=27,
>
>hmode=3, pmode=4, hpoll=10, ppoll=9, flash=80 pkt_autokey,
>
>keyid=1380897353, ttl=0, offset=0.000, delay=0.000,
>
>dispersion=15937.500, jitter=0.000,
>
>reftime=cd3417e7.59d3f4e0  Wed, Feb  4 2009 13:34:31.350,
>
>org=cd34186d.a8e79f46  Wed, Feb  4 2009 13:36:45.659,
>
>rec=cd34186d.95b2f617  Wed, Feb  4 2009 13:36:45.584,
>
>xmt=cd34186d.954f37dd  Wed, Feb  4 2009 13:36:45.583,
>
>filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>
>filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>
>filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
>
>hostname="server2", signature="md5WithRSAEncryption", flags=0x80001,
>
>trust="server2"
>
>ntpq> rv
>
>assID=0 status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
>
>version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",
>
>processor="unknown", system="WINDOWS/NT", leap=11, stratum=16,
>
>precision=-18, rootdelay=0.000, rootdispersion=64.065, peer=0,
>
>refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
>
>poll=6, clock=cd342253.1a895515  Wed, Feb  4 2009 14:18:59.103, state=1,
>
>offset=0.000, frequency=16.562, jitter=0.004, noise=0.004,
>
>stability=0.000, hostname="server3", signature="md5WithRSAEncryption",
>
>flags=0x80001, update=203602070628, tai=0,
>
>cert="server2 server2 0x2", expire=201002041023,
>
>cert="server3 server3 0x2", expire=201002041058
>
> 
>
>
> 
>
>
> 
>
>Could you tell me if my use of autokey with the trusted certificate identity
>scheme is correct?
>
> 
>
>Do you see something wrong?
>
> 
>
>Thanks for your help.
>
> 
>
>Alain BARTHOLOMÉ
>
>
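
An added example, not part of either message above: a small Python parser for the `ntpq rv` output quoted in the question, which flags an association shown as `auth` but never reached with `pkt_autokey` set, and compares the `cert=` entries two hosts report. The sample strings are constructed by abridging the quoted output, and all function names are hypothetical.

```python
import re

PAIR = re.compile(r'(\w+)=("[^"]*"|[^,]*)')   # name=value; value may be quoted
STATUS = re.compile(r'status=(\w+)\s+(.*?)(?=,\s*\w+=)', re.S)

def parse_rv(text):
    """Parse one `ntpq rv` reply into status flag words and variables."""
    m = STATUS.search(text)
    out = {"status_flags": [w.strip() for w in m.group(2).split(",")] if m else [],
           "cert": []}
    for name, value in PAIR.findall(text):
        value = value.strip().strip('"')
        if name == "cert":                    # one entry per cached certificate
            subject, issuer, bits = value.split()
            out["cert"].append((subject, issuer, int(bits, 16)))
        else:
            out.setdefault(name, value)       # keep first value of repeated names
    return out

def stalled_autokey(assoc):
    """True if the association is auth-configured, unreached, and shows pkt_autokey."""
    return ("auth" in assoc["status_flags"] and assoc.get("reach") == "000"
            and "pkt_autokey" in assoc.get("flash", ""))

def missing_certs(sysvars, upstream_sysvars):
    """Certificate subjects the upstream host reports that this host does not."""
    subjects = lambda v: {subject for subject, _issuer, _bits in v["cert"]}
    return subjects(upstream_sysvars) - subjects(sysvars)

# Constructed samples, abridged from the quoted ntpq output.
SERVER3_PEER = '''assID=50257 status=e000 unreach, conf, auth, no events,
srcadr=server2, srcport=123, reach=000, unreach=27, flash=80 pkt_autokey,
hostname="server2", flags=0x80001, trust="server2"'''
SERVER2_PEER = '''assID=25408 status=f614 reach, conf, auth, sel_sys.peer, 1 event,
event_reach, srcadr=serverT1, reach=377, unreach=0, flash=00 ok,
hostname="serverT1", flags=0x83f01, trust="serverT1"'''
SERVER2_SYS = '''assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
stratum=3, hostname="server2", cert="serverT1 serverT1 0x7",
expire=201001281615, cert="server2 server2 0x2", expire=201002041023'''
SERVER3_SYS = '''assID=0 status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
stratum=16, hostname="server3", cert="server2 server2 0x2",
expire=201002041023, cert="server3 server3 0x2", expire=201002041058'''

if __name__ == "__main__":
    for label, text in (("server2->serverT1", SERVER2_PEER), ("server3->server2", SERVER3_PEER)):
        print(label, "stalled autokey:", stalled_autokey(parse_rv(text)))
    print("certs server2 reports that server3 does not:",
          missing_certs(parse_rv(SERVER3_SYS), parse_rv(SERVER2_SYS)))
```
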



