[ntp:questions] seeking advice; NTP peers, GQ identities and Autokey

Brian Reichert reichert at numachi.com
Wed Jul 29 22:11:07 UTC 2009


Hello, hopefully someone has some advice.

I'm trying to manage a pair of peers using GQ identities and unicast
authentication and AutoKey.

The symptom(s) I observe, after the several seconds it takes for the
association's 'auth' field to go from 'bad' to 'ok':

- the association reports the condition as 'reject'

- the refid on each node alternates between .AUTH. and .CRYP.

- my cryptolog reports 'error 10f opcode 2010000 ts 0 fs 524353',
  which is regrettably not described here:

  http://www.eecis.udel.edu/~mills/ntp/html/authopt.html#err

- the association claims the other node is 'unreachable'.  I can
  see debug messages flow between the two nodes, so I know there's
  no connectivity problem.

- my debug log shows that the 'flags' setting is 0x80041, even
  though that's not showing up in the 'rv' command below.  I
  deconstructed that according to ntp_crypto.h, and it's obvious
  that there are a lot of bits missing...

I would definitely appreciate some suggested course of action...

I've applied notes according to:

  http://support.ntp.org/bin/view/Support/ConfiguringAutokey

and perhaps more closely, this thread:

  http://www.mail-archive.com/questions@lists.ntp.isc.org/msg05140.html

Some specifics:

I'm using RedHat's ntp RPM:

  # rpm -q ntp
  ntp-4.2.2p1-9.el5_3.2

My ntp.conf:

  driftfile /var/lib/ntp/drift
  statsdir /var/log/ntpstats/
  statistics loopstats peerstats clockstats cryptostats
  filegen loopstats file loopstats type day enable
  filegen peerstats file peerstats type day enable
  filegen clockstats file clockstats type day enable
  filegen cryptostats file cryptostats type day enable
  crypto pw ServerPassword randfile /dev/urandom
  crypto ident 1950dc1.example.com
  #crypto ident 1950qc1.example.com
  keys /etc/ntp/keys
  keysdir /etc/ntp
  peer 1950qc1.example.com autokey
  #peer 1950dc1.example.com autokey

Obviously, the 'peer' entry differs on each host, as does the 'crypto
ident' entry.

On each node, I created GQ keys:

   cd /etc/ntp
   ntp-keygen -T -G -p ServerPassword -q ServerPassword

I copied the ntpkey_* files to both hosts.

I restarted ntpd on both hosts, using the '-g' and '-d' flags.

 # ntpq -npcas
     remote           refid      st t when poll reach   delay   offset jitter
 ==============================================================================
 172.20.166.111  .AUTH.          16 u    -  128    0    0.000    0.000 0.000

 ind assID status  conf reach auth condition  last_event cnt
 ===========================================================
    1 44420  e04f   yes   yes   ok     reject              4

  # ntpq -n -c "rv 44420"
  assID=44420 status=e04f unreach, conf, auth, 4 events, event_15,
  srcadr=172.20.166.111, srcport=123, dstadr=172.20.166.101, dstport=123,
  leap=11, stratum=16, precision=-20, rootdelay=0.000,
  rootdispersion=21.332, refid=AUTH, reach=000, unreach=123, hmode=1,
  pmode=1, hpoll=7, ppoll=10, flash=00 ok, keyid=3440123012, ttl=0,
  offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
  reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  org=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  rec=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  xmt=ce1b3e19.7e040ed8  Wed, Jul 29 2009 21:31:05.492,
  filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
  filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
  filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Dunno if other information may be useful; please let me know...

-- 
Brian Reichert				<reichert at numachi.com>
55 Crystal Ave. #286			Daytime number: (603) 434-6842
Derry NH 03038-1725 USA			BSD admin/developer at large	
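An added example, not code from the post above or from the NTP project: a small Python script that parses the 'rv' dump quoted in the post and decodes the peer status word e04f into the flags ntpq prints ("unreach, conf, auth, 4 events, event_15", condition "reject"). The sample text is the rv output from the post, embedded as a string. The status-word layout assumed here is the one in the ntpq decode documentation (status byte in bits 15-8: 0x80 conf, 0x40 authenb, 0x20 auth, 0x10 reach, 0x08 bcast, low three bits the select/condition field; then a 4-bit event count and a 4-bit event code); it is not checked against the ntp-4.2.2p1 source. The triage rules at the end are one reading of the symptoms (MAC verified, reach register empty, kiss-code refid), not a diagnosis from the thread.

```python
"""Parse `ntpq -c "rv <assid>"` output and decode the peer status word.

Added example; not from the original post or the NTP project.  The
bit layout below follows the ntpq decode documentation (assumed).
"""
import re

# Constructed sample: the rv dump quoted in the post, verbatim.
SAMPLE_RV = """assID=44420 status=e04f unreach, conf, auth, 4 events, event_15,
srcadr=172.20.166.111, srcport=123, dstadr=172.20.166.101, dstport=123,
leap=11, stratum=16, precision=-20, rootdelay=0.000,
rootdispersion=21.332, refid=AUTH, reach=000, unreach=123, hmode=1,
pmode=1, hpoll=7, ppoll=10, flash=00 ok, keyid=3440123012, ttl=0,
offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
org=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
rec=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
xmt=ce1b3e19.7e040ed8  Wed, Jul 29 2009 21:31:05.492,
filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0"""

# Peer status byte (status word bits 15..8), per the ntpq decode table.
PST_CONFIG, PST_AUTHENB, PST_AUTHENTIC, PST_REACH, PST_BCAST = (
    0x80, 0x40, 0x20, 0x10, 0x08)
# Select (condition) field names, index = low three bits of the status byte.
SELECT_NAMES = ["reject", "falsetick", "excess", "outlyer",
                "candidate", "backup", "sys.peer", "pps.peer"]
# Refids that are kiss codes set by the local ntpd, not a peer's reference.
KISS = {"AUTH": "authentication failure", "CRYP": "Autokey protocol error"}

# A value runs up to the next "name=" token (values such as the decoded
# status string and the timestamps contain commas of their own).
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s*,?\s*\w+=|\s*$)")


def parse_rv(text):
    """Return the rv variables as {name: value}, values stripped."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return {k: v.strip() for k, v in _PAIR.findall(flat)}


def decode_status(word):
    """Decode a 16-bit peer status word into its documented fields."""
    pst = (word >> 8) & 0xFF
    return {
        "conf": bool(pst & PST_CONFIG),
        "authenb": bool(pst & PST_AUTHENB),
        "authentic": bool(pst & PST_AUTHENTIC),
        "reach": bool(pst & PST_REACH),
        "bcast": bool(pst & PST_BCAST),
        "select": SELECT_NAMES[pst & 0x07],
        "count": (word >> 4) & 0x0F,   # number of events since last read
        "code": word & 0x0F,           # last event code (e.g. 15 -> event_15)
    }


def triage(rv):
    """Return (code, explanation) findings derived from the parsed rv dump.

    These are interpretations of the documented fields, not ntpd's own
    verdict: they separate 'packets never arrive' from 'packets arrive,
    authenticate at the MAC layer, and are still refused by Autokey'.
    """
    st = decode_status(int(rv["status"].split()[0], 16))
    out = []
    if int(rv["reach"], 8) == 0 or not st["reach"]:   # reach is octal
        out.append(("UNREACH", "reach register %s: no reply in the last "
                    "eight polls was accepted" % rv["reach"]))
    if st["authenb"] and st["authentic"]:
        out.append(("MAC_OK", "authenb+auth set: the last packet's MAC "
                    "verified, so the refusal sits above the MAC check"))
    refid = rv.get("refid", "")
    if refid in KISS:
        out.append(("KISS_" + refid, "refid %s is a local kiss code (%s), "
                    "not a stratum source" % (refid, KISS[refid])))
    if rv.get("leap") == "11" or rv.get("stratum") == "16":
        out.append(("UNSYNC", "leap=11/stratum=16: the peer advertises "
                    "itself as unsynchronized"))
    zero = lambda k: rv.get(k, "").startswith("00000000.00000000")
    if zero("org") and zero("rec") and not zero("xmt"):
        out.append(("NO_ACCEPTED_REPLY", "xmt set but org/rec zero: we "
                    "transmit, but no reply has reached packet processing"))
    return out


if __name__ == "__main__":
    variables = parse_rv(SAMPLE_RV)
    print(decode_status(int(variables["status"].split()[0], 16)))
    for code, why in triage(variables):
        print("%-18s %s" % (code, why))
```

Run it as-is against the embedded sample, or feed it `ntpq -n -c "rv <assID>"` output from both peers and compare the findings; the point of the MAC_OK versus KISS_* split is that an association whose MAC verifies but whose refid is .AUTH. or .CRYP. is being refused by the Autokey extension-field exchange, which is where the identity scheme (GQ here) and certificate steps live, not by the network or the symmetric MAC check.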
