[ntp:questions] How to verify Autokey Identity Schemes?

Joe Smithian joe.smithian at gmail.com
Thu Dec 15 15:18:14 UTC 2011


Hi Steve,

Thank you for your comments. I tried the ntpq -c "rv assID flags" command; it
shows the Identity Scheme that the server supports regardless of what identity
scheme has been installed on the client.
Here are the results of my experiments:

Server Identity scheme | ntpq -c "rv assID flags"
-----------------------|-------------------------
IFF                    | 0x417f21
GQ                     | 0x417f41
IFF and GQ             | 0x417f61

"rv assID flags" returns the same value whether I install IFF parameters,
GQ parameters, or none on the client. So my question again is: how
can I verify that the IFF or GQ schemes are actually working?

Association flag shows auth is 'ok' whether I install an Identity Scheme on
the client or not, so it's not an indication that IFF or GQ is actually
being used.

BTW, I found two problems in this document:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey

In sections 6.7.2.5 and 6.7.3.6:
    ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`

      The '-q' option for updating keys doesn't work, '-p' works; is this a
typo in the document?

[root@myserver]# ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
Using OpenSSL version 90802f
Using host myserver group myserver
Corrupt file ntpkey_host_myserver or wrong key myserver
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Regards

Joe


On Tue, Dec 13, 2011 at 10:55 AM, Steve Kostecke <kostecke at ntp.org> wrote:

> On 2011-12-12, Joe Smithian <joe.smithian at gmail.com> wrote:
>
> > I have configured my NTP server and client to use Autokey with IFF
> > Identity scheme and it's working, client synchronizes to my servers.
> > It synchronizes with and without copying the IFF parameter to the
> > client. So I'm wondering if IFF identity scheme is actually being
> > used; How can I verify that?
>
> By checking the association flags.
>
> Please see
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.4.
>
> --
> Steve Kostecke <kostecke at ntp.org>
> NTP Public Services Project - http://support.ntp.org/
>
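
A decoder for the three flags values reported in the table above, as an added example that is not part of the original thread. The bit names and values are assumed from the CRYPTO_FLAG_* definitions in ntpd's include/ntp_crypto.h and should be confirmed against the ntpd version in use; `decode_flags` and `only_scheme_bits_differ` are hypothetical helper names.

```python
# Added example: decode the Autokey "flags" word printed by
#   ntpq -c "rv assID flags"
# Bit values are ASSUMED from ntpd's include/ntp_crypto.h (CRYPTO_FLAG_*).
SCHEME_MASK = 0x00F0
SCHEME_BITS = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
STATUS_BITS = {
    0x0100: "CERT",  # certificate / public key verified
    0x0200: "VRFY",  # identity verified
    0x0400: "PROV",  # signature verified
    0x0800: "COOK",  # cookie verified
    0x1000: "AUTO",  # autokey values verified
    0x2000: "SIGN",  # certificate signed
    0x4000: "LEAP",  # leapsecond table verified
}

def decode_flags(value):
    """Accepts an int, '0x417f21', or an ntpq token such as 'flags=0x417f21'."""
    if isinstance(value, str):
        value = int(value.split("=")[-1].strip(" ,"), 16)
    return {
        "enabled": bool(value & 0x0001),
        "schemes": [n for b, n in SCHEME_BITS.items() if value & b],
        "status": [n for b, n in STATUS_BITS.items() if value & b],
        "identity_verified": bool(value & 0x0200),
        # Upper 16 bits: assumed to be the OpenSSL NID of the digest/signature.
        "digest_nid": value >> 16,
    }

def only_scheme_bits_differ(a, b):
    """True when two flags words differ solely inside the identity-scheme mask."""
    return ((a ^ b) & ~SCHEME_MASK) == 0

# The three values from the table in this message.
REPORTED = {"IFF": 0x417F21, "GQ": 0x417F41, "IFF and GQ": 0x417F61}

if __name__ == "__main__":
    for server_setup, word in REPORTED.items():
        d = decode_flags(word)
        print(f"{server_setup:11} {word:#x} schemes={d['schemes']} "
              f"status={d['status']} nid={d['digest_nid']}")
    print("only scheme bits differ:",
          only_scheme_bits_differ(REPORTED["IFF"], REPORTED["GQ"]))
```

Under these assumed definitions the three reported words differ only in the scheme bits (0x20 and 0x40), and every status bit in 0x7f00 is set in all three.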