[ntp:questions] IFF identity scheme on an intermediate server

David Mills mills at udel.edu
Mon May 11 17:14:29 UTC 2009


Alain,

I've been as clear as I can. There are examples on the authentication 
options page, more examples on the ntp-keygen page and my previous 
messages. There are more examples and much more detailed description on 
the Autokey and Identity Schemes pages in the background documentation. 
There is a definitive specification and description in the 1996 Autokey 
report and later ID.  I apologize if the details remain obscure to you, 
but there is not much more I can say. Other folks on this list have IFF 
working; perhaps they can speak up.

Dave

Bartholome, Alain wrote:

>Hi,
>I am confused with your client/server definition.
>(I copied the iffpar file to the "intermediate server", it is OK).
>
>I would like to have an example of use of the iff server key file.
>
>For example, in the authentication options documentation, about the green
>server, I read:
>
>>where yyy is the password for howland files. It generates GREEN files using
>>the commands
>>
>>ntp-keygen -p yyy -T -G -i green
>>ntp-keygen -p yyy -e >ntpkey_gqpar_green
>>ntp-keygen -p yyy -q zzz >zzz_ntpkey_gqkey_green
>>
>>The first two lines serve the same purpose as the preceding examples. The
>>third line generates a copy of the private GREEN server file for use on
>>another server in the same group, but encrypted with the zzz password.
>
>If my "intermediate server" is a client, what are the characteristics of your
>definition of "another server in the same group"?
>
>Alain BARTHOLOMÉ
>
>
>-----Original Message-----
>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
>behalf of David Mills
>Sent: Thursday, May 7, 2009 21:08
>To: 'questions at lists.ntp.org'
>Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server
>
>Alain,
>
>Was my message confusing? I understand you have a trusted host, an 
>intermediate server and a client. You know how to configure the TH and 
>client. Configure the intermediate server in the same way as the client. 
>Then read my reply again.
>
>Dave
>
>Bartholome, Alain wrote:
>
>>Hi,
>>In the final configuration there is a third system named client whose NTP
>>server is int_server.
>>In the first step, I want to have iff working for trustedhost and
>>int_server.
>>
>>Regards,
>>Alain.
>>
>>
>>-----Original Message-----
>>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
>>behalf of David Mills
>>Sent: Thursday, May 7, 2009 17:34
>>To: 'questions at lists.ntp.org'
>>Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server
>>
>>Alain,
>>
>>In your terms an intermediate server is an ordinary client in the same 
>>group as the TH. The only difference is that it has the server keys 
>>generated by the TH with the -q option. See the ntp-keygen page.
>>
>>Dave
>>
>>Bartholome, Alain wrote:
>>
>>>Hi,
>>>
>>>With my testing of iff, I get protocol_error.
>>>
>>>The following is extracted from the authentication options documentation:
>>>
>>>>When an identity scheme is included, for example IFF, the TH generates host
>>>>key, trusted certificate and private server identity files using the
>>>>ntp-keygen -T -I -i group command, where group is the group name. The
>>>>remaining group hosts use the same command as above. The client identity
>>>>files are obtained separately. All hosts use the crypto ident group
>>>>configuration command.
>>>
>>>The intermediate server should use ntp-keygen -T -I -i group ?
>>>
>>>For the intermediate server I made the 2 following tests:
>>>(Int_server is not trusted, so I dropped  the -T option)
>>>
>>>ntp-keygen -p little -i secgroup
>>>ntp-keygen -I -p little -i secgroup
>>>
>>>I get protocol_error with both.
>>>-------------------------------------------
>>>Hereafter are the ntp.conf files and the ntp_keygen commands 
>>>
>>>On the trusted host trustedhost of the group  secgroup:
>>>
>>>The ntp.conf file:
>>>
>>>
>>>keysdir "D:\appli\ntp\etc"
>>>autokey  
>>>crypto pw little ident secgroup
>>>leapfile  "D:\appli\ntp\etc\ntpkey_leap" 
>>>server 127.127.1.0  
>>>fudge 127.127.1.0 stratum 7
>>>
>>>#end of file
>>>
>>>the following commands have been executed on trustedhost:
>>>
>>>ntp-keygen -T -I -p trusted -i secgroup
>>>
>>>ntp-keygen -e -p trusted -q little >ntpkey_iffpar_secgroup
>>>this file is copied to the clients
>>>
>>>ntp-keygen   -p trusted -q little >ntpkey_iffkey_secgroup
>>>this file uses ntpkey_iffkey_secgroup created by "ntp-keygen -T -I -p
>>>trusted -i secgroup" and generates a new ntpkey_iffkey_secgroup copied to
>>>int_server
>>>
>>>-------------------------
>>>intermediate server int_server
>>>
>>>The ntp.conf file:
>>>
>>>keysdir "D:\appli\ntp\etc"
>>>autokey  
>>>crypto pw little ident secgroup
>>>enable stats auth
>>>server trustedhost autokey iburst
>>>
>>>#end of file
>>>
>>>the following commands have been executed on int_server:
>>>
>>>ntp-keygen -p little -i secgroup
>>>
>>>ntpkey_iffkey_secgroup has been copied to int_server
>>>
>>>
>>>Regards,
>>>Alain.
>>>
>>>
>>>-------------------------------------
>>>
>>>-----Original Message-----
>>>From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>>>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
>>>behalf of David Mills
>>>Sent: Wednesday, May 6, 2009 18:44
>>>To: 'questions at lists.ntp.org'
>>>Subject: Re: [ntp:questions] IFF identity scheme on an intermediate server
>>>
>>>Alain,
>>>
>>>See the Authentication Options and ntp-keygen pages in the current 
>>>online documentation. I've rewritten some of that text with examples. 
>>>Hosts with dependent clients need the keys file, while clients need only 
>>>the parameters file. The ntp-keygen page has examples showing how these 
>>>files can be generated and distributed.
>>>
>>>Dave
>>>
>>>Bartholome, Alain wrote:
>>>
>>>>Hi,
>>>>
>>>>I am using NTP version 4.2.5p158 on Windows Server 2003.
>>>>
>>>>I would like to know what iff files, in addition to the host key and the
>>>>certificate files, must exist on an intermediate NTP server.
>>>>According to what I have read, the documentation describes the configuration
>>>>on the trusted host server of the group and on the clients but not for
>>>>servers in between them.
>>>>
>>>>Regards,
>>>>Alain.
>>>>
>>>>_______________________________________________
>>>>questions mailing list
>>>>questions at lists.ntp.org
>>>>https://lists.ntp.org/mailman/listinfo/questions
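
The file layout described in the replies above (hosts with dependent clients hold the IFF keys file, clients only the parameters file), as an added example that is not part of the original thread: a keysdir audit in Python. The `ntpkey_host_<hostname>` and `ntpkey_cert_<hostname>` names, the role labels and the client policy are assumptions of this example; the sample directories are constructed.

```python
import os
import tempfile

# Identity file each role holds, per the replies in this thread: hosts with
# dependent clients need the IFF keys file, clients only the parameters file.
# The role labels are this example's own (assumption).
ROLE_IDENTITY = {"trusted_host": "iffkey", "intermediate": "iffkey", "client": "iffpar"}

def audit_keysdir(keysdir, hostname, group, role):
    """Return a list of findings; an empty list means the layout fits the role."""
    present = set(os.listdir(keysdir))
    findings = []
    # Assumed link names for the host key and certificate every Autokey host has.
    for kind in ("host", "cert"):
        name = f"ntpkey_{kind}_{hostname}"
        if name not in present:
            findings.append(f"missing {name}")
    wanted = f"ntpkey_{ROLE_IDENTITY[role]}_{group}"
    if wanted not in present:
        findings.append(f"missing {wanted}")
    # Policy of this example: the keys file is the private server file, so a
    # host with no dependent clients should hold only the parameters file.
    if role == "client" and f"ntpkey_iffkey_{group}" in present:
        findings.append(f"unexpected ntpkey_iffkey_{group} on a client")
    return findings

def demo():
    """Audit constructed keysdirs for the three hosts named in the thread."""
    layouts = {  # constructed sample layouts, not taken from a real system
        ("trustedhost", "trusted_host"): ["host_trustedhost", "cert_trustedhost",
                                          "iffkey_secgroup"],
        ("int_server", "intermediate"): ["host_int_server", "cert_int_server",
                                         "iffpar_secgroup"],  # keys file not copied
        ("client", "client"): ["host_client", "cert_client", "iffpar_secgroup"],
    }
    results = {}
    for (host, role), files in layouts.items():
        with tempfile.TemporaryDirectory() as d:
            for f in files:
                open(os.path.join(d, "ntpkey_" + f), "w").close()
            results[host] = audit_keysdir(d, host, "secgroup", role)
    return results

if __name__ == "__main__":
    for host, findings in demo().items():
        print(host, findings or "ok")
```

A clean result only confirms that the expected files are present under the assumed names; it does not validate their contents or the passwords used to encrypt them.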