David Mills mills at udel.edu
Mon Jun 29 21:04:51 UTC 2009


There are examples in the documentation. Note that the -s option is only 
for nontrusted hosts. Note also that the Autokey names have nothing to 
do with DNS names with the exception that the default name is the string 
returned by the gethostname() system call, whatever that might be. There 
is in general no need to specify an Autokey name for a nontrusted host.


Carsten Rieck wrote:

>I hope someone can advise me on some guidelines for the following:
>Let's say I have a couple of primary servers at different domains 
>that are all called "ntp[123].whateverXdomain". These servers I want to 
>configure for IFF autokey all forming their own (domain wise) auth/trust 
>group. Sym-links for the particular group keys of these servers by 
>default all need to be called "ntpkey_iff_ntp[123]" at a client's 
>locations. This makes it impossible (?) to use several of these servers 
>at the same time, i.e. group names have to be distinct from each other. 
>At first glance this should be a client (configuration) problem. On the 
>client it seems to me that the naming of the generic link: 
>ntpkey_iff_server only works with the short hostname of the server.
>Nevertheless, on the server (maybe unrelated):
>(4.2.4p5) ntp-keygen/ntpd by default seem to use the short hostname 
>(versus long hostname fqdn) when creating/searching for keys, and 
>using ntp-keygen with the -s option and "crypto host" and "crypto cert" 
>of ntp.conf suggests that the naming convention can be changed.
>as an example:
>ntp-keygen -s perl.sp.se -T -I -p "a_proper_passwd"
>lrwxrwxrwx   1 root root    40 2009-06-29 12:00 ntpkey_cert_perl.sp.se -> ntpkey_RSA-MD5cert_perl.sp.se.3455258405
>lrwxrwxrwx   1 root root    35 2009-06-29 12:00 ntpkey_host_perl.sp.se -> ntpkey_RSAkey_perl.sp.se.3455258405
>-rw-r--r--   1 root root   530 2009-06-29 12:00 ntpkey_IFFpar_perl.3455258405
>lrwxrwxrwx   1 root root    29 2009-06-29 12:00 ntpkey_iff_perl -> ntpkey_IFFpar_perl.3455258405
>-rw-r--r--   1 root root   621 2009-06-29 12:00 ntpkey_RSAkey_perl.sp.se.3455258405
>-rw-r--r--   1 root root   579 2009-06-29 12:00 ntpkey_RSA-MD5cert_perl.sp.se.3455258405
>and apparently names the parameter file differently from the key/cert 
>files. The first line's content matches the filename of the respective file.
>groupkey export does nothing with the -s switch:
>ntp-keygen -s perl.sp.se -e -q "a_proper_passwd" -p "client_pw"
>but produces a stdout output when used without:
>ntp-keygen -e -q "a_proper_passwd" -p "client_pw"
>using a matching ntp.conf:
>logfile /var/log/ntp
>driftfile /etc/ntp.drift
>fudge stratum 10
>##### ak_tool starts messing with your ntp.conf ##########
># ak_tool crypto setup
>crypto host ntpkey_host_perl.sp.se
>crypto cert ntpkey_cert_perl.sp.se
>crypto ident iff
>crypto pw a_proper_passwd
>crypto randfile /root/.rnd
>keysdir /etc/ntp.keys
>Running ntp with this setup fails with:
>root at perl:/etc/ntp.keys# ntpd  -D 1
>ntpd 4.2.4p5 at 1.1541-o Thu Jun 11 14:49:14 UTC 2009 (3)
>addto_syslog: precision = 1.000 usec
>addto_syslog: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
>addto_syslog: Listening on interface #0 wildcard, Disabled
>addto_syslog: Listening on interface #1 wildcard, ::#123 Disabled
>addto_syslog: Listening on interface #2 lo, ::1#123 Enabled
>addto_syslog: Listening on interface #3 eth0, fe80::223:54ff:fed4:52eb#123 Enabled
>addto_syslog: Listening on interface #4 lo, Enabled
>addto_syslog: Listening on interface #5 eth0, Enabled
>local_clock: time 0 offset 0.000000 freq 0.000 state 0
>addto_syslog: kernel time sync status 0040
>addto_syslog: frequency initialized -69.250 PPM from /etc/ntp.drift
>peer_crypto_clear: at 0 next 0 assoc ID 13875
>key_expire: at 0
>peer_clear: at 0 next 1 assoc ID 13875 refid INIT
>newpeer:> mode 3 vers 4 poll 6 10 flags 0x1021 0x1 ttl 0 key 00000000
>local_clock: time 0 offset 0.000000 freq -69.250 state 1
>crypto_setup: OpenSSL version 90807f random seed file /root/.rnd bytes read 1024
>crypto_key: ntpkey_RSAkey_perl.sp.se.3455258405 mod 512
>crypto_key: ntpkey_IFFpar_perl.3455258405 mod 384
>cert_parse: X509v3 Extended Key Usage: Trust Root
>crypto_cert: ntpkey_RSA-MD5cert_perl.sp.se.3455258405 0x1 len 335
>addto_syslog: crypto_setup: certificate ntpkey_cert_perl.sp.se not for this host
>Cert regeneration works well with
>ntp-keygen -s perl.sp.se -T -q a_proper_passwd
>A key-generation without -s option and a relevant ntp.conf  and ntpd 
>works well.
>I wonder if someone has experience with this kind of problem.
>Thank you, with best regards
>Carsten Rieck
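An added example, written for this reply and not part of either message in the thread: a small POSIX sh check that compares the "crypto host" and "crypto cert" names in an ntp.conf with what actually resolves under keysdir and with the Autokey name ntpd uses by default, which per the reply above is whatever gethostname() returns (the `hostname` output). The condition it flags is the one behind the "certificate ... not for this host" line quoted above: links named for "perl.sp.se" on a host whose name is "perl". The make_fixture function builds a constructed keysdir mirroring the quoted listing so the check runs offline; the function names, the fixture, and the placeholder file contents are assumptions of this example, not ntp-keygen output or ntpd's own logic.

```shell
#!/bin/sh
# Added example, not code from either message in this thread. It checks the
# Autokey file names an ntp.conf refers to against the keysdir contents and
# the local host name. Assumptions: the ntp.conf uses "keysdir", "crypto host"
# and "crypto cert" statements as in the thread, and the Autokey name ntpd
# expects is the output of `hostname` (gethostname()) unless one is given.

# autokey_name_suffix <file>: strip the "ntpkey_<type>_" prefix, leaving the
# Autokey name the link or file was generated for.
autokey_name_suffix() {
    printf '%s\n' "$1" | sed 's/^ntpkey_[A-Za-z0-9-]*_//'
}

# check_autokey_conf <ntp.conf> <expected-name>: status 0 when every
# "crypto host"/"crypto cert" entry resolves to an existing file under keysdir
# and carries the expected Autokey name; 1 otherwise, one line per finding.
check_autokey_conf() {
    conf="$1"; expected="$2"; rc=0
    keysdir=$(awk '$1 == "keysdir" { print $2 }' "$conf")
    if [ -z "$keysdir" ]; then
        echo "NO-KEYSDIR: $conf has no keysdir statement"
        return 1
    fi
    for stmt in host cert; do
        link=$(awk -v s="$stmt" '$1 == "crypto" && $2 == s { print $3 }' "$conf")
        [ -n "$link" ] || continue
        path="$keysdir/$link"
        # -e follows symlinks, so a dangling ntpkey_* link is reported as missing.
        if [ ! -e "$path" ]; then
            echo "MISSING: crypto $stmt -> $path does not resolve"
            rc=1
            continue
        fi
        name=$(autokey_name_suffix "$link")
        if [ "$name" != "$expected" ]; then
            echo "MISMATCH: crypto $stmt is for '$name' but this host is '$expected'"
            rc=1
        fi
    done
    return $rc
}

# make_fixture <dir>: constructed keysdir and ntp.conf mirroring the listing
# quoted in the thread, so the check can be exercised offline. File bodies are
# placeholders, not real key material.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/keys"
    for f in ntpkey_RSAkey_perl.sp.se.3455258405 \
             ntpkey_RSA-MD5cert_perl.sp.se.3455258405 \
             ntpkey_IFFpar_perl.3455258405; do
        echo "constructed placeholder for $f" > "$dir/keys/$f"
    done
    ln -s ntpkey_RSAkey_perl.sp.se.3455258405 "$dir/keys/ntpkey_host_perl.sp.se"
    ln -s ntpkey_RSA-MD5cert_perl.sp.se.3455258405 "$dir/keys/ntpkey_cert_perl.sp.se"
    ln -s ntpkey_IFFpar_perl.3455258405 "$dir/keys/ntpkey_iff_perl"
    cat > "$dir/ntp.conf" <<EOF
crypto host ntpkey_host_perl.sp.se
crypto cert ntpkey_cert_perl.sp.se
crypto ident iff
keysdir $dir/keys
EOF
}

# When run as a script with an ntp.conf path, check it for this host; an
# optional second argument overrides the expected Autokey name.
if [ -n "${1-}" ]; then
    check_autokey_conf "$1" "${2:-$(hostname)}"
fi
```

Run it as `sh autokey_check.sh /etc/ntp.conf` on the server; on a host named "perl" with the quoted ntp.conf it reports a MISMATCH for both the host and cert links, which is exactly the configuration that ntpd rejected in the log above. Passing "perl.sp.se" as the second argument shows what would be needed for the links to be accepted as named.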

