[ntp:questions] autokey IFF client setup
mills at udel.edu
Fri May 8 23:46:34 UTC 2009
Apparently, you are following advice on other than the
online/development documentation, but I can only speak from the latter.
I reread the authentication options and ntp-keygen pages looking for
possibly misleading directions and believe the prose is correct. The
colorful example on the options page is definitive if overkill. It may
be easier to describe the process than a bunch of detailed instructions.
1. TH: The ident option of the crypto command is the name of the group
and the names used for the host certificate. The default is the DNS name
of the host.
2. otheres: The host option of the crypto command is the names used for
the host certificate. The default is the DNS name of the host.
3. All hosts must have host public/private encryption keys, optional
sign keys and matching certifivate.
4. The TH generates IFF server keys, which happen to contain client
parameters as well. These must be securely transmitted to other hosts
that have dependent clients, but not to the clients themselves.
5. The TH extracts client parameters from the server keys and posts in a
public place. The clients are responxible for retrieval, installation
and renaming them.
All the above, except the actual transmittion, is done by the ntp-keygen
The ident option of the crypto command is not strictly necessary, as the
name of the group is found from the TH certificate at the end of the
certificate trail when the client parameters file is loaded.. The bits
you found in the status word are set during the setup phase when the as
the server keys files are or are not found, so the client should not see
When debugging things like this, it is good practice to use the
cryptostats and protostats monitoring files. They show the blow by blow
progress of the state machine and especially what errors might be found.
In extreme cases the debug trace shows evidence of every packet send and
received and every crypto extension field transmtted and received.
Victor Jesus Angus wrote:
>NTP client was not able to detect the IFF config files because the crypto_flags in crypto_setup() shows the following line
>crypto_setup: setup 0x80001 host myclient md5WithRSAEncryption
>I'm using 4.2.5p158 and have the following configurations.
>$ cat /etc/ntp.conf
>server myserver.domain.com autokey
>crypto pw myclientpass
>crypto randfile /dev/urandom
>$ ls /etc/ntp
>ntpkey_cert_myclient -> ntpkey_RSA-MD5cert_myclient.3445412414
>ntpkey_host_myclient -> ntpkey_RSAkey_myclient.3445412414
>ntpkey_iff_myclient -> ntpkey_host_myclient
>It was able to transmit the request though and receive a response from the server but not sure if it is really using the IFF scheme.
>How to accurately verify this?
>As for the flag, I checked the defines and bit 0x0020 should have been set during loading of key files, right?
>In http://support.ntp.org/bin/view/Support/ConfiguringAutokey 6.7.2, there is a note, "Trusted ntp servers which also operate as clients of other ntp servers may need to 22.214.171.124. Install Group/Client Keys." If I have a client only setup, then I don't need to install the group keys?
>What is really the purpose of the group keys? If the group keys are optional, what are the downside if it is not installed?
>questions mailing list
>questions at lists.ntp.org
More information about the questions