[ntp:questions] ntp-keygen -s

Carsten Rieck carsten.rieck at sp.se
Mon Jun 29 11:40:57 UTC 2009


I hope someone can advice me some guidelines for the following:
Lets say I have have a couple of primary servers at different domains 
that are all called "ntp[123].whateverXdomain". These servers I want to 
configure for IFF autokey all forming there own (domain wise) auth/trus 
group. Sym-links for the particular group keys of these servers are by 
default all need to be called "ntpkey_iff_ntp[123]" at a clients 
locations. This makes it impossible (?) to use several of these servers 
at the same time, i.e. group names have to be distinct from each other. 
At first glans this should be a client (configuration) problem. On the 
client it seems to me that the naming of the generic link: 
ntpkey_iff_server only works for with the short hostname of the server.

Nevertheless, on the server (maybe unrelated):
(4.2.4p5) ntp-keygen/ntpd by default seem to use the short hostname 
(versus  long hostname fqdn) when creating/searching for keys and 
Using ntp-keygen with the -s option and "crypto host" and "crypto cert" 
of ntp.conf suggest that the naming convention can be changed.

as an example:
ntp-keygen -s perl.sp.se -T -I -p "a_proper_passwd"


lrwxrwxrwx   1 root root    40 2009-06-29 12:00 ntpkey_cert_perl.sp.se -> ntpkey_RSA-MD5cert_perl.sp.se.3455258405
lrwxrwxrwx   1 root root    35 2009-06-29 12:00 ntpkey_host_perl.sp.se -> ntpkey_RSAkey_perl.sp.se.3455258405
-rw-r--r--   1 root root   530 2009-06-29 12:00 ntpkey_IFFpar_perl.3455258405
lrwxrwxrwx   1 root root    29 2009-06-29 12:00 ntpkey_iff_perl -> ntpkey_IFFpar_perl.3455258405
-rw-r--r--   1 root root   621 2009-06-29 12:00 ntpkey_RSAkey_perl.sp.se.3455258405
-rw-r--r--   1 root root   579 2009-06-29 12:00 ntpkey_RSA-MD5cert_perl.sp.se.3455258405

and apparently names the parameter file different from the key/cert 
files. First line content matches the filenames of the respective file.

groupkey export does nothing with the -s switch:
ntp-keygen -s perl.sp.se -e -q "a_proper_passwd" -p "client_pw"

but produces a stdout output when used without:
ntp-keygen -e -q "a_proper_passwd" -p "client_pw"

using a matching ntp.conf:

logfile /var/log/ntp
driftfile /etc/ntp.drift

fudge stratum 10

##### ak_tool starts messing with your ntp.conf ##########
# ak_tool crypto setup
crypto host ntpkey_host_perl.sp.se
crypto cert ntpkey_cert_perl.sp.se
crypto ident iff
crypto pw a_proper_passwd
crypto randfile /root/.rnd
keysdir /etc/ntp.keys

Running ntp with this setup fails with:

root at perl:/etc/ntp.keys# ntpd  -D 1
ntpd 4.2.4p5 at 1.1541-o Thu Jun 11 14:49:14 UTC 2009 (3)
addto_syslog: precision = 1.000 usec
addto_syslog: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
addto_syslog: Listening on interface #0 wildcard, Disabled
addto_syslog: Listening on interface #1 wildcard, ::#123 Disabled
addto_syslog: Listening on interface #2 lo, ::1#123 Enabled
addto_syslog: Listening on interface #3 eth0, fe80::223:54ff:fed4:52eb#123 Enabled
addto_syslog: Listening on interface #4 lo, Enabled
addto_syslog: Listening on interface #5 eth0, Enabled
local_clock: time 0 offset 0.000000 freq 0.000 state 0
addto_syslog: kernel time sync status 0040
addto_syslog: frequency initialized -69.250 PPM from /etc/ntp.drift

peer_crypto_clear: at 0 next 0 assoc ID 13875
key_expire: at 0
peer_clear: at 0 next 1 assoc ID 13875 refid INIT
newpeer:> mode 3 vers 4 poll 6 10 flags 0x1021 0x1 ttl 0 key 00000000
local_clock: time 0 offset 0.000000 freq -69.250 state 1
crypto_setup: OpenSSL version 90807f random seed file /root/.rnd bytes read 1024
crypto_key: ntpkey_RSAkey_perl.sp.se.3455258405 mod 512
crypto_key: ntpkey_IFFpar_perl.3455258405 mod 384
cert_parse: X509v3 Extended Key Usage: Trust Root
crypto_cert: ntpkey_RSA-MD5cert_perl.sp.se.3455258405 0x1 len 335
addto_syslog: crypto_setup: certificate ntpkey_cert_perl.sp.se not for this host

Cert regeneration works well with
ntp-keygen -s perl.sp.se -T -q a_proper_passwd

A key-generation without -s option and a relevant ntp.conf  and ntpd 
works well.

I wonder if someone has experience with these kind of problems.

Thank you, with best regards
Carsten Rieck

Carsten Rieck
SP Technical Research Institute of Sweden
Measurement Technology / MTk, Time and Frequency
Box 857, SE-501 15 Boras Sweden
Tel: +46 10 516 54 40 Cel: +46 703 170705 fax: +46 10 516 56 20

the dirty dozen: \|()[{^$*+?. 

More information about the questions mailing list