[ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7
David L. Mills
mills at udel.edu
Tue Mar 29 14:23:20 UTC 2011
Unfortunately, while things were in flux, snapshots continued to be
produced, which was counterproductive. I have no direct say in that.
The best advice is:
1. Produce a working version of the configuration without Autokey.
2. Roll keys for all group members using ntp-keygen with no options
other than the -T option for the trusted hosts. Add the crypto command
with no options to all configuration files. Add the autokey option to
the server command for all clients of the trusted hosts. Verify the TC
3. Make the group keys with the -I option on a trusted host or trusted
4. Make the client keys from the group keys and distribute as in the
original directions. Use an arbitray file name, preferably the name of
5. Add the ident option to the client server command with name the same
as the client keys installed.
6. For broadcast clients, use the same files, but use the ident option
in the crypto command instead.
All this is in the autokey.html page along with a detailed description
of the operations. Note also the relevant white pages at the NTP project
page www.eecis.udel.edu/~ntp.html, especially the security analysis and
the simulation and analysis of the on-wire protocol.
In contrast with the previous version, no options are required on the
crypto command other than cited above. Note that the -s option is not
required on the ntp-keygen program. These options can be added for
Miroslav Lichvar wrote:
>On Mon, Mar 28, 2011 at 11:11:28PM +0000, Dave Hart wrote:
>>Autokey is very clever in dealing with some unique challenges other
>>PKI OpenSSL client code doesn't have to. Anyone attempting to
>>configure it should be on payroll, if not time and a half.
>>(insert series of profanities here)
>I had a similar feeling when I was expanding my NTP test suite to test
>basic Autokey functionality and compatibility between 4.2.2, 4.2.4 and
>4.2.6 version. I eventually got most of it working, but I'm not sure
>if it's working as intended or accidentaly by misplacing a private
>I wasn't able to get the MV scheme working though. I have read the
>official ntp-keygen page and the wiki document.
More information about the questions