[ntp:questions] seeking advice; NTP peers, GQ identities and Autokey
mills at udel.edu
Fri Jul 31 20:00:02 UTC 2009
The first problem is the RH version, which is far older than the current
release version and ancient relative to the development version. I say
again for the umpteenth time, only the development version is expected
to work correctly with Autokey. The release version has a mixture of old
and new protocol modules that are incompatible. The old ones work and
the new ones work, but not a combination of the old and new as in the
current release version.
The error code you cite is in fact at the spot you cited, but you
didn't notice the log code is in hex.
Brian Reichert wrote:
>Hello, hopefully someone has some advice.
>I'm trying to manage a pair of peers using GQ identities and unicast
>authentication and AutoKey.
>The symptom(s) I observe, after the several seconds it takes from the
>association's 'auth' field to go from 'bad' to 'ok':
>- the association reports the condition as 'reject'
>- the refid on each node alternates between .AUTH. and .CRYP.
>- my cryptolog reports 'error 10f opcode 2010000 ts 0 fs 524353',
> which is regrettably not described here:
>- the association claims the other node is 'unreachable'. I can
> see debug messages flow between the two nodes, so I know there's
> no connectivity problem.
>- my debug log shows that the 'flags' setting is 0x80041, even
> though that's not showing up in the 'rv' command below. I
> deconstructed that according to ntp_crypto.h, and it's obvious
> that there are a lot of bits missing...
>I would definitely appreciate some suggested course of action...
>I've applied notes according to:
>and perhaps more closely, this thread:
>I'm using RedHat's ntp RPM:
> # rpm -q ntp
> driftfile /var/lib/ntp/drift
> statsdir /var/log/ntpstats/
> statistics loopstats peerstats clockstats cryptostats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> filegen cryptostats file cryptostats type day enable
> crypto pw ServerPassword randfile /dev/urandom
> crypto ident 1950dc1.example.com
> #crypto ident 1950qc1.example.com
> keys /etc/ntp/keys
> keysdir /etc/ntp
> peer 1950qc1.example.com autokey
> #peer 1950dc1.example.com autokey
>Obviously, the 'peer' entry differs on each host, as does the 'crypto
>On each node, I created GQ keys:
> cd /etc/ntp
> ntp-keygen -T -G -p ServerPassword -q ServerPassword
>I copied the ntpkey_* files to both hosts.
>I restarted ntpd on both hosts, using the '-g' and '-d' flags.
> # ntpq -npcas
> remote refid st t when poll reach delay offset jitter
> 172.20.166.111 .AUTH. 16 u - 128 0 0.000 0.000 0.000
> ind assID status conf reach auth condition last_event cnt
> 1 44420 e04f yes yes ok reject 4
> # ntpq -n -c "rv 44420"
> assID=44420 status=e04f unreach, conf, auth, 4 events, event_15,
> srcadr=172.20.166.111, srcport=123, dstadr=172.20.166.101, dstport=123,
> leap=11, stratum=16, precision=-20, rootdelay=0.000,
> rootdispersion=21.332, refid=AUTH, reach=000, unreach=123, hmode=1,
> pmode=1, hpoll=7, ppoll=10, flash=00 ok, keyid=3440123012, ttl=0,
> offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
> reftime=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
> org=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
> rec=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
> xmt=ce1b3e19.7e040ed8 Wed, Jul 29 2009 21:31:05.492,
> filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
> filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
> filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>Dunno if other information may be useful; please let me know...
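As an added illustration of the reply's point that the cryptostats codes are hex (example code written for this archive page, not from the post or from the NTP project), the script below decodes the status word e04f and the crypto error line quoted above. It assumes the CTL_PST_* peer-status layout from ntp_control.h and the RFC 5906 extension-field header (R, E, 6-bit version, 8-bit code, 16-bit length), and that 'error' and 'opcode' are printed in hex while 'ts' and 'fs' are decimal; the dictionary keys are my own names.

```python
import re

# Peer status word layout (CTL_PST_* in ntp_control.h): high byte holds
# config 0x80, authenable 0x40, authentic 0x20, reach 0x10 and the
# selection code in its low 3 bits; low byte holds event count and code.
SELECT = ["reject", "falsetick", "excess", "outlyer",
          "candidate", "backup", "sys.peer", "pps.peer"]

def decode_peer_status(word):
    """Decode the 16-bit status word shown by `ntpq -c as` / `rv`."""
    hi, lo = word >> 8, word & 0xff
    return {
        "configured": bool(hi & 0x80),
        "authenable": bool(hi & 0x40),
        "authentic": bool(hi & 0x20),
        "reachable": bool(hi & 0x10),
        "condition": SELECT[hi & 0x07],
        "events": lo >> 4,          # event counter
        "last_event": lo & 0x0f,    # event code; 15 prints as "event_15"
    }

# Autokey extension-field header (RFC 5906): R | E | version(6) | code(8)
# | length(16). Code names per RFC 5906 (assumed to match ntp_crypto.h).
EXT_CODES = {1: "ASSOC", 2: "CERT", 3: "COOK", 4: "AUTO", 5: "LEAP",
             6: "SIGN", 7: "IFF", 8: "GQ", 9: "MV"}

def decode_opcode(op):
    return {"response": bool(op & 0x80000000),
            "error": bool(op & 0x40000000),
            "version": (op >> 24) & 0x3f,
            "code": EXT_CODES.get((op >> 16) & 0xff, "unknown"),
            "length": op & 0xffff}

CRYPTO_RE = re.compile(r"error (\w+) opcode (\w+) ts (\d+) fs (\d+)")

def parse_cryptostats(line):
    """Parse one cryptostats error line. Assumption: 'error' and 'opcode'
    are printed in hex, 'ts' and 'fs' in decimal."""
    m = CRYPTO_RE.search(line)
    if not m:
        raise ValueError("not a crypto error line: %r" % line)
    err, op, ts, fs = m.groups()
    return {"error": int(err, 16),             # 0x10f, not decimal
            "opcode": decode_opcode(int(op, 16)),
            "ts": int(ts), "fs": int(fs),
            "fs_hex": hex(int(fs))}            # 524353 -> '0x80041'

if __name__ == "__main__":   # sample values constructed from the post above
    print(decode_peer_status(0xe04f))
    print(parse_cryptostats("error 10f opcode 2010000 ts 0 fs 524353"))
```

Read as hex, the opcode 2010000 is a version-2 ASSOC field of length 0, and the decimal fs value 524353 happens to be the same number as the 0x80041 flags word quoted from the debug log.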