[ntp:questions] seeking advice; NTP peers, GQ identities and Autokey

David Mills mills at udel.edu
Fri Jul 31 20:00:02 UTC 2009


Brian,

The first problem is the RH version, which is far older than the current 
release version and ancient relative to the development version. I say 
again for the umpteenth time, only the development version is expected 
to work correctly with Autokey. The release version has a mixture of old 
and new protocol modules that are incompatible. The old ones work and 
the new ones work, but not a combination of the old and new as in the 
current release version.

The error code you cite is in fact at the spot you cited, but you 
didn't notice the log code is in hex.

Dave

Brian Reichert wrote:

>Hello, hopefully someone has some advice.
>
>I'm trying to manage a pair of peers using GQ identities and unicast
>authentication and AutoKey.
>
>The symptom(s) I observe, after the several seconds it takes from the
>association's 'auth' field to go from 'bad' to 'ok':
>
>- the association reports the condition as 'reject'
>
>- the refid on each node alternates between .AUTH. and .CRYP.
>
>- my cryptolog reports 'error 10f opcode 2010000 ts 0 fs 524353',
>  which is regrettably not described here:
>
>  http://www.eecis.udel.edu/~mills/ntp/html/authopt.html#err
>
>- the association claims the other node is 'unreachable'.  I can
>  see debug messages flow between the two nodes, so I know there's
>  no connectivity problem.
>
>- my debug log shows that the 'flags' setting is 0x80041, even
>  though that's not showing up in the 'rv' command below.  I
>  deconstructed that according to ntp_crypto.h, and it's obvious
>  that there are a lot of bits missing...
>
>I would definitely appreciate some suggested course of action...
>
>I've applied notes according to:
>
>  http://support.ntp.org/bin/view/Support/ConfiguringAutokey
>
>and perhaps more closely, this thread:
>
>  http://www.mail-archive.com/questions@lists.ntp.isc.org/msg05140.html
>
>Some specifics:
>
>I'm using RedHat's ntp RPM:
>
>  # rpm -q ntp
>  ntp-4.2.2p1-9.el5_3.2
>
>My ntp.conf:
>
>  driftfile /var/lib/ntp/drift
>  statsdir /var/log/ntpstats/
>  statistics loopstats peerstats clockstats cryptostats
>  filegen loopstats file loopstats type day enable
>  filegen peerstats file peerstats type day enable
>  filegen clockstats file clockstats type day enable
>  filegen cryptostats file cryptostats type day enable
>  crypto pw ServerPassword randfile /dev/urandom
>  crypto ident 1950dc1.example.com
>  #crypto ident 1950qc1.example.com
>  keys /etc/ntp/keys
>  keysdir /etc/ntp
>  peer 1950qc1.example.com autokey
>  #peer 1950dc1.example.com autokey
>
>Obviously, the 'peer' entry differs on each host, as does the 'crypto
>ident' entry.
>
>On each node, I created GQ keys:
>
>   cd /etc/ntp
>   ntp-keygen -T -G -p ServerPassword -q ServerPassword
>
>I copied the ntpkey_* files to both hosts.
>
>I restarted ntpd on both hosts, using the '-g' and '-d' flags.
>
> # ntpq -npcas
>     remote           refid      st t when poll reach   delay   offset jitter
> ==============================================================================
> 172.20.166.111  .AUTH.          16 u    -  128    0    0.000    0.000 0.000
>
> ind assID status  conf reach auth condition  last_event cnt
> ===========================================================
>    1 44420  e04f   yes   yes   ok     reject              4
>
>  # ntpq -n -c "rv 44420"
>  assID=44420 status=e04f unreach, conf, auth, 4 events, event_15,
>  srcadr=172.20.166.111, srcport=123, dstadr=172.20.166.101, dstport=123,
>  leap=11, stratum=16, precision=-20, rootdelay=0.000,
>  rootdispersion=21.332, refid=AUTH, reach=000, unreach=123, hmode=1,
>  pmode=1, hpoll=7, ppoll=10, flash=00 ok, keyid=3440123012, ttl=0,
>  offset=0.000, delay=0.000, dispersion=15937.500, jitter=0.000,
>  reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
>  org=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
>  rec=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
>  xmt=ce1b3e19.7e040ed8  Wed, Jul 29 2009 21:31:05.492,
>  filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>  filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
>  filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
>Dunno if other information may be useful; please let me know...
>
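Added example (not from either poster, and not ntpd's own code): a small parser for the cryptostats record quoted above, reading the error and opcode fields as hex, as Dave points out, and the ts/fs fields as decimal. The opcode bit layout and field-type names follow RFC 5906 / ntp_crypto.h; that the fs word of an ASSOC field carries the sender's crypto flags is an assumption made here, supported by the fact that the logged fs value 524353 is exactly the 0x80041 flags value seen in the debug log.

```python
import re

# Assumed layout of the Autokey extension-field opcode word (RFC 5906 sec. 11,
# ntp_crypto.h): bit 31 = response, bit 30 = error, bits 29-24 = protocol
# version (2), bits 23-16 = field type, bits 15-0 = field length.
FIELD_TYPES = {1: "ASSOC", 2: "CERT", 3: "COOK", 4: "AUTO", 5: "TAI",
               6: "SIGN", 7: "IFF", 8: "GQ", 9: "MV"}

# "error X opcode Y ts Z fs W": X and Y are printed in hex, Z and W in decimal.
CRYPTOSTATS_RE = re.compile(
    r"error\s+([0-9a-f]+)\s+opcode\s+([0-9a-f]+)\s+ts\s+(\d+)\s+fs\s+(\d+)",
    re.IGNORECASE)


def decode_opcode(word):
    """Split the 32-bit opcode word into its named parts."""
    return {
        "response": bool(word & 0x80000000),
        "error": bool(word & 0x40000000),
        "version": (word >> 24) & 0x3F,
        "field_type": FIELD_TYPES.get((word >> 16) & 0xFF, "unknown"),
        "length": word & 0xFFFF,
    }


def parse_cryptostats(line):
    """Parse one cryptostats error record into a dict of decoded fields."""
    m = CRYPTOSTATS_RE.search(line)
    if not m:
        raise ValueError("not a cryptostats error record: %r" % line)
    err, op, ts, fs = m.groups()
    rec = {"error": int(err, 16), "opcode": decode_opcode(int(op, 16)),
           "ts": int(ts), "fs": int(fs)}
    # Assumption: in an ASSOC exchange the fs word holds the sender's crypto
    # flags, so also show it in hex for comparison with ntpd -d output.
    if rec["opcode"]["field_type"] == "ASSOC":
        rec["peer_flags_hex"] = "0x%x" % rec["fs"]
    return rec


# Sample record taken from the post above.
SAMPLE = "error 10f opcode 2010000 ts 0 fs 524353"

if __name__ == "__main__":
    print(parse_cryptostats(SAMPLE))
```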