[ntp:questions] Autokey sequence error

Martin.Gerdes at directbox.com Martin.Gerdes at directbox.com
Thu Mar 10 15:18:50 UTC 2011


I'm trying to set up an authenticated ntp server using the IFF identification scheme.
IP server: 192.168.0.36
IP client: 192.168.0.100 (same subnet)

On the server, I generated the necessary key files:
cd /etc/ntp
ntp-keygen -T -I -p <serverpw>
ntp-keygen -e -q <serverpw> -p none > iff_pubkey_$HOSTNAME.<timestamp>
chown ntp /etc/ntp -R

On the client, I generated the client key, and copied the iff_pubkey_$HOSTNAME.<timestamp> file (I verified the md5 sums, so the copy is correct):
ntp-keygen -H -p none
mcedit iff_pubkey_<server>.<timestamp>
ln -s iff_pubkey_<server>.<timestamp> ntpkey_iff_server
chown ntp /etc/ntp -R

Relevant server config (/etc/ntp.conf):
restrict -4 default ignore
restrict -6 default ignore
restrict -4 192.168.0.0 mask 255.255.255.0 kod notrap nomodify limited notrust #ip range of clients
server 127.127.1.0
fudge 127.127.1.0 stratum 2 #give ourselves stratum 3...
restrict -4 127.0.0.1 kod nomodify #answer so we can query ourselves (ntpq)

Relevant client config:
restrict -4 default ignore
restrict -6 default ignore
server 192.168.0.36 autokey
restrict -4 192.168.0.36 kod notrap nomodify limited notrust
restrict -4 127.0.0.1 mask 255.0.0.0 kod nomodify #answer so we can query ourselves (ntpq)

After restarting server and client, and waiting a few minutes, I get the following
result (all commands executed on the client):
/var/log/syslog:
Mar 10 15:06:09 adminTestVM ntpd[28801]: ntpd 4.2.4p4 at 1.1520-o Sun Nov 22 16:14:34 UTC 2009 (1)
Mar 10 15:06:09 adminTestVM ntpd[28802]: precision = 1.000 usec
Mar 10 15:06:09 adminTestVM ntpd[28802]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Mar 10 15:06:09 adminTestVM ntpd[28802]: Listening on interface #1 lo, 127.0.0.1#123 Enabled
Mar 10 15:06:09 adminTestVM ntpd[28802]: Listening on interface #2 eth0, 192.168.0.100#123 Enabled
Mar 10 15:06:09 adminTestVM ntpd[28802]: kernel time sync status 0040
Mar 10 15:06:09 adminTestVM ntpd[28802]: frequency initialized 27.260 PPM from /var/cache/ntp/ntp.drift
Mar 10 15:10:29 adminTestVM ntpd[28802]: crypto_ident: no compatible identity scheme found [this line repeats once every 3 minutes]

ntpdc -p
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=192.168.0.36   192.168.0.100    3   64    0 0.00000  0.000000 3.99217

ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 33888  e000   yes   yes   ok     reject

ntpq -c"rv 33888 flags"
assID=33888 status=e000 unreach, conf, auth, no events,
flags=0x80121 [->crypto enable,IFF identity scheme,public key verified]

ntpdc -c 'showpeer sdbiTestLenny.dser.local'
remote 192.168.0.36, local 192.168.0.100
hmode client, pmode unspec, stratum 3, precision -20
leap 00, refid [127.127.1.0], rootdistance 0.00000, rootdispersion 0.01154
ppoll 6, hpoll 6, keyid 2725112007, version 4, association 33888
reach 000, unreach 10, flash 0x0080, boffset 0.00400, ttl/mode 0
timer 0s, flags config, auth, bclient
reference time:      d1235b4e.cb15dfda  Thu, Mar 10 2011 15:14:38.793
originate timestamp: d1235b77.1708a94a  Thu, Mar 10 2011 15:15:19.089
receive timestamp:   d1235b78.c1456ca3  Thu, Mar 10 2011 15:15:20.754
transmit timestamp:  d1235b78.c11f8e20  Thu, Mar 10 2011 15:15:20.754
filter delay:  0.00000  0.00000  0.00000  0.00000
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
               0.000000 0.000000 0.000000 0.000000
filter order:  0        1        2        3
               4        5        6        7
offset 0.000000, delay 0.00000, error bound 3.99217, filter error 0.00000

Translation of flash variable content 0x0080: "Autokey sequence error"

At that point my search ends: I can't find even a hint of what "Autokey sequence error" might mean anywhere.
In the debugging checklist (http://www.eecis.udel.edu/~mills/ntp/html/debug.html) I got to point 6:
"If both the sent and received counters do increment" (they do) ", but the reach values in the pe billboard with ntpq continues to show zero" (it does)
"received packets are probably being discarded for some reason." (obviously they are discarded because they cannot be authenticated)
"If this is the case, the cause should be evident from the flash variable as discussed above and on the ntpq page."
-> Well no, it actually isn't evident, as I still can't tell why client and server do not understand each other.

Versions: System is Debian Lenny, ntp is version '1:4.2.4p4+dfsg-8lenny3'

I've followed the rabbit hole as far as I can. Can someone point me in the right direction from here?
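An added decoder (my own example, not from the original post or the ntp project) for the two words the post stops at: the ntpq status word 0xe000 and the flash word 0x0080. The bit layout and names follow the ntp 4.2.4 ntpq/ntp.h definitions as I know them; only the 0x0080 meaning is confirmed by the post, so bits and event codes not listed are reported numerically rather than guessed.

```python
import re

# Names per ntp 4.2.4 (assumption, see lead-in); 0x0080 is the value in the post.
SELECT_NAMES = {0: "reject", 1: "falsetick", 2: "excess", 3: "outlyer",
                4: "candidate", 5: "selected", 6: "sys.peer", 7: "pps.peer"}
FLASH_BITS = {0x0001: "duplicate packet", 0x0002: "bogus packet",
              0x0008: "access denied", 0x0010: "authentication failure",
              0x0080: "Autokey sequence error"}


def decode_peer_status(word):
    """Decode a 16-bit ntpq peer status word (e.g. 0xe000)."""
    pst = (word >> 8) & 0xFF                      # peer status byte
    flags = ["reach" if pst & 0x10 else "unreach"]
    if pst & 0x80:                                # persistent (configured) association
        flags.append("conf")
    if pst & 0x40:                                # ntpq collapses the two auth bits
        flags.append("auth" if pst & 0x20 else "authenable")
    condition = SELECT_NAMES[pst & 0x07]          # low 3 bits: selection status
    count = (word >> 4) & 0x0F                    # event counter
    code = word & 0x0F                            # last event code
    event = "no events" if code == 0 else "event code %d" % code
    return {"flags": flags, "condition": condition, "count": count, "event": event}


def decode_flash(word):
    """Name every set bit of the flash word; unlisted bits are not guessed."""
    return [FLASH_BITS.get(1 << b, "unknown bit 0x%04x" % (1 << b))
            for b in range(16) if word & (1 << b)]


def diagnose(rv_line, showpeer_line):
    """Pull status= from an `rv` line and flash 0x.... from a showpeer line."""
    status = int(re.search(r"status=([0-9a-f]{4})", rv_line).group(1), 16)
    flash = int(re.search(r"flash 0x([0-9a-f]{4})", showpeer_line).group(1), 16)
    return decode_peer_status(status), decode_flash(flash)


if __name__ == "__main__":
    # The two output lines quoted in the post above.
    st, fl = diagnose("assID=33888 status=e000 unreach, conf, auth, no events,",
                      "reach 000, unreach 10, flash 0x0080, boffset 0.00400, ttl/mode 0")
    print(st)   # flags unreach/conf/auth, condition reject, no events
    print(fl)   # ['Autokey sequence error']
```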