[ntp:questions] autokey IFF client setup

David Mills mills at udel.edu
Fri May 8 20:15:37 UTC 2009


Victor,

See the cryptotype table on the Authentication Options page. If a client 
needs IFF identity, all it needs is the IFF parameters file; the rest is 
automatic.

Dave

Victor Jesus Angus wrote:

>After further reading of Authentication Options and stime.pdf, is it safe to say that, given the setup below and using the Schnorr/IFF scheme,
>
>1. the group name is not needed on the clients ?
>2. there's no need to send any server files/keys to the client and still IFF will work as designed ?
>
>Again how else do you know that the scheme is working other than being able to receive the time?
>
>                server
>                ------
>                  |
>           +------+-----+-----+
>        client1   |  client3  |
>               client2    client4
>
>Thanks.
>
>Victor
>
>--- On Thu, 5/7/09, Victor Jesus Angus <shurvic at yahoo.com> wrote:
>
>  
>
>>From: Victor Jesus Angus <shurvic at yahoo.com>
>>Subject: [ntp:questions] autokey IFF client setup
>>To: questions at lists.ntp.org
>>Date: Thursday, May 7, 2009, 12:08 PM
>>
>>NTP client was not able to detect the IFF config files
>>because the crypto_flags in crypto_setup() shows the
>>following line
>>
>>crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption
>>
>>I'm using 4.2.5p158 and have the following configurations.
>>
>>$ cat /etc/ntp.conf
>>server myserver.domain.com autokey
>>crypto pw myclientpass
>>crypto randfile /dev/urandom
>>keysdir /etc/ntp
>>
>>$ ls /etc/ntp
>>ntpkey_cert_myclient -> ntpkey_RSA-MD5cert_myclient.3445412414
>>ntpkey_host_myclient -> ntpkey_RSAkey_myclient.3445412414
>>ntpkey_iff_myclient -> ntpkey_host_myclient
>>ntpkey_iffkey_myserver
>>ntpkey_RSAkey_myclient.3445412394
>>ntpkey_RSAkey_myclient.3445412414
>>ntpkey_RSA-MD5cert_myclient.3445412394
>>ntpkey_RSA-MD5cert_myclient.3445412414
>>
>>It was able to transmit the request though and receive a
>>response from the server but not sure if it is really using
>>the IFF scheme. 
>>How to accurately verify this? 
>>
>>As for the flag, I checked the defines and bit 0x0020
>>should have been set during loading of key files, right?
>>In http://support.ntp.org/bin/view/Support/ConfiguringAutokey
>>6.7.2, there is a note, "Trusted ntp servers which also
>>operate as clients of other ntp servers may need to 6.7.3.4.
>>Install Group/Client Keys." If I have a client only setup,
>>then I don't need to install the group keys?
>>What is really the purpose of the group keys? If the group
>>keys are optional, what is the downside if they are not
>>installed?
>>
>>Thanks.
>>
>>Victor
>>
>>
>>
>>      
>>_______________________________________________
>>questions mailing list
>>questions at lists.ntp.org
>>https://lists.ntp.org/mailman/listinfo/questions
>>
>>    
>>
>
>
>      
>  
>
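The status word discussed in this thread can be decoded mechanically. The following is an added example, not part of the original messages and not code from the NTP project. It assumes the identity-scheme bits sit in the low byte, with 0x0020 for IFF as quoted above, and that the upper 16 bits carry the OpenSSL NID of the signature scheme; every constant other than 0x0020 is an assumption to check against ntp_crypto.h for the build in use.

```python
import re

# Bit 0x0020 (IFF) is the value quoted in the thread. Every other constant
# here is an assumption recalled from ntpd's ntp_crypto.h; confirm against
# the header of the build you run.
FLAG_ENAB = 0x0001                 # assumed: Autokey enabled
IDENT_BITS = {
    0x0010: "PC",                  # assumed
    0x0020: "IFF",                 # from the thread
    0x0040: "GQ",                  # assumed
    0x0080: "MV",                  # assumed
}
IDENT_MASK = 0x00F0

SETUP_RE = re.compile(
    r"crypto_setup: setup (0x[0-9a-fA-F]+) host (\S+)\s+(\S+)")


def decode_setup(line):
    """Decode one crypto_setup debug line; return None if it does not match."""
    m = SETUP_RE.search(line)
    if m is None:
        return None
    word = int(m.group(1), 16)
    low = word & 0xFFFF
    return {
        "host": m.group(2),
        "signature": m.group(3),
        "enabled": bool(low & FLAG_ENAB),
        "identity": [name for bit, name in sorted(IDENT_BITS.items())
                     if low & bit],
        "nid": word >> 16,         # assumed: upper 16 bits = OpenSSL NID
        "other_bits": low & ~(FLAG_ENAB | IDENT_MASK),
    }


# First line is the one posted in the thread (re-joined); the second is
# constructed to show the same word with the IFF bit 0x0020 set.
SAMPLES = [
    "crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption",
    "crypto_setup: setup 0x80021 host myclient md5WithRSAEncryption",
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = decode_setup(s)
        scheme = ",".join(d["identity"]) or "none loaded"
        print(f'{d["host"]}: nid={d["nid"]} identity={scheme}')
```
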



