[ntp:questions] IFF identity scheme on an intermediate server

Bartholome, Alain alain.bartholome at eads.com
Mon May 11 09:31:16 UTC 2009


Hi,
I am confused with your client/server definition.
(I copied the iffpar file to the "intermediate server", it is OK).

I would like to have an example of use of the iff server key file.

For example, in the authentication options documentation, about the green
server, I read:

>where yyy is the password for howland files. It generates GREEN files using
>the commands

>ntp-keygen -p yyy -T -G -i green
>ntp-keygen -p yyy -e >ntpkey_gqpar_green
>ntp-keygen -p yyy -q zzz >zzz_ntpkey_gqkey_green

>The first two lines serve the same purpose as the preceding examples. The
>third line generates a copy of the private GREEN server file for use on
>another server in the same group, but encrypted with the zzz password.

If my "intermediate server" is a client, what are the characteristics of your
definition of "another server in the same group"?

Alain BARTHOLOMÉ


-----Original Message-----
From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
behalf of David Mills
Sent: Thursday, 7 May 2009 21:08
To: 'questions at lists.ntp.org'
Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server

Alain,

Was my message confusing? I understand you have a trusted host, an 
intermediate server and a client. You know how to configure the TH and 
client. Configure the intermediate server in the same way as the client. 
Then read my reply again.

Dave

Bartholome, Alain wrote:

>Hi,
>In the final configuration there is a third system named client whose NTP
>server is int_server.
>In the first step, I want to have iff working for trustedhost and
>int_server.
>
>Regards,
>Alain.
>
>
>-----Original Message-----
>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
>behalf of David Mills
>Sent: Thursday, 7 May 2009 17:34
>To: 'questions at lists.ntp.org'
>Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server
>
>Alain,
>
>In your terms an intermediate server is an ordinary client in the same 
>group as the TH. The only difference is that it has the server keys 
>generated by the TH with the -q option. See the ntp-keygen page.
>
>Dave
>
>Bartholome, Alain wrote:
>
>>Hi,
>>
>>With my testing of iff, I get protocol_error.
>>
>>The following is extracted from the authentication options documentation:
>>
>>>When an identity scheme is included, for example IFF, the TH generates host
>>>key, trusted certificate and private server identity files using the
>>>ntp-keygen -T -I -i group command, where group is the group name. The
>>>remaining group hosts use the same command as above. The client identity
>>>files are obtained separately. All hosts use the crypto ident group
>>>configuration command.
>>
>>The intermediate server should use ntp-keygen -T -I -i group ?
>>
>>For the intermediate server I made the 2 following tests:
>>(Int_server is not trusted, so I dropped  the -T option)
>>
>>ntp-keygen -p little -i secgroup
>>ntp-keygen -I -p little -i secgroup
>>
>>I get protocol_error with both.
>>-------------------------------------------
>>Hereafter are the ntp.conf files and the ntp_keygen commands 
>>
>>On the trusted host trustedhost of the group  secgroup:
>>
>>The ntp.conf file:
>>
>>
>>keysdir "D:\appli\ntp\etc"
>>autokey  
>>crypto pw little ident secgroup
>>leapfile  "D:\appli\ntp\etc\ntpkey_leap" 
>>server 127.127.1.0  
>>fudge 127.127.1.0 stratum 7
>>
>>#end of file
>>
>>the following commands have been executed on trustedhost:
>>
>>ntp-keygen -T -I -p trusted -i secgroup
>>
>>ntp-keygen -e -p trusted -q little >ntpkey_iffpar_secgroup
>>this file is copied to the clients
>>
>>ntp-keygen   -p trusted -q little >ntpkey_iffkey_secgroup
>>this file uses ntpkey_iffkey_secgroup created by " ntp-keygen -T -I -p
>>trusted -i secgroup" and generates a new ntpkey_iffkey_secgroup copied to
>>int_server
>>
>>-------------------------
>>-------------------------
>>intermediate server int_server
>>
>>The ntp.conf file:
>>
>>keysdir "D:\appli\ntp\etc"
>>autokey  
>>crypto pw little ident secgroup
>>enable stats auth
>>server trustedhost autokey iburst
>> 
>>#end of file
>>
>>the following commands have been executed on int_server:
>>
>>ntp-keygen -p little -i secgroup
>>
>>ntpkey_iffkey_secgroup has been copied to int_server
>>
>>
>>Regards,
>>Alain.
>>
>>
>>-------------------------------------
>>
>>-----Original Message-----
>>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
>>behalf of David Mills
>>Sent: Wednesday, 6 May 2009 18:44
>>To: 'questions at lists.ntp.org'
>>Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server
>>
>>Alain,
>>
>>See the Authentication Options and ntp-keygen pages in the current 
>>online documentation. I've rewritten some of that text with examples. 
>>Hosts with dependent clients need the keys file, while clients need only 
>>the parameters file. The ntp-keygen page has examples showing how these 
>>files can be generated and distributed.
>>
>>Dave
>>
>>Bartholome, Alain wrote:
>>
>>>Hi,
>>>
>>>I am using NTP version 4.2.5p158 on Windows Server 2003.
>>>
>>>I would like to know what iff files, in addition to the host key and the
>>>certificate files, must exist on an intermediate NTP server.
>>>According to what I have read, the documentation describes the configuration
>>>on the trusted host server of the group and on the clients but not for
>>>servers in between them.
>>>
>>>Regards,
>>>Alain.
>>>
>>>_______________________________________________
>>>questions mailing list
>>>questions at lists.ntp.org
>>>https://lists.ntp.org/mailman/listinfo/questions


_______________________________________________
questions mailing list
questions at lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
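
The file placement described in the quoted replies (hosts with dependent clients hold the keys file, leaf clients hold only the parameters file), as an added check script that is not part of the original thread or of the NTP distribution. The function names and role labels are hypothetical; the file names are the ones used in the thread, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: audit the IFF identity files in a keysdir by host role.
# File names follow the thread (ntpkey_iffkey_<group>, ntpkey_iffpar_<group>);
# the function names and role labels are hypothetical.

# ident_group CONF: print the group named by "crypto ... ident <group>".
ident_group() {
    awk '$1 == "crypto" {
        for (i = 2; i < NF; i++) if ($i == "ident") { print $(i + 1); exit }
    }' "$1"
}

# audit_iff ROLE KEYSDIR GROUP: return 0 when the file set matches the role.
#   server = host with dependent clients (TH or intermediate server)
#   client = leaf client with no dependents
audit_iff() {
    role=$1; dir=$2; group=$3
    key="$dir/ntpkey_iffkey_$group"   # private group key
    par="$dir/ntpkey_iffpar_$group"   # client parameters only
    case $role in
    server)
        if [ ! -s "$key" ]; then echo "FAIL: no keys file $key"; return 1; fi ;;
    client)
        if [ -e "$key" ]; then
            echo "FAIL: private keys file on a leaf client: $key"; return 1
        fi
        if [ ! -s "$par" ]; then echo "FAIL: no parameters file $par"; return 1; fi ;;
    *)
        echo "FAIL: unknown role '$role'"; return 2 ;;
    esac
    echo "OK: $role file set for group $group"
}

# Constructed sample: an intermediate server's keysdir and ntp.conf.
demo=$(mktemp -d)
printf 'autokey\ncrypto pw little ident secgroup\nserver trustedhost autokey iburst\n' > "$demo/ntp.conf"
echo "constructed placeholder, not a real key" > "$demo/ntpkey_iffkey_secgroup"
grp=$(ident_group "$demo/ntp.conf")
audit_iff server "$demo" "$grp"            # correct for an intermediate server
audit_iff client "$demo" "$grp" || true    # same directory fails as a leaf client
rm -rf "$demo"
```
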


