[ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

David L. Mills mills at udel.edu
Tue Mar 29 14:23:20 UTC 2011


Unfortunately, while things were in flux, snapshots continued to be 
produced, which was counterproductive. I have no direct say in that.

The best advice is:

1. Produce a working version of the configuration without Autokey.
2. Roll keys for all group members using ntp-keygen with no options 
other than the -T option for the trusted hosts. Add the crypto command 
with no options to all configuration files. Add the autokey option to 
the server command for all clients of the trusted hosts. Verify the TC 
scheme works.
3. Make the group keys with the -I option on a trusted host or trusted 
4. Make the client keys from the group keys and distribute as in the 
original directions. Use an arbitray file name, preferably the name of 
the group.
5. Add the ident option to the client server command with name the same 
as the client keys installed.
6. For broadcast clients, use the same files, but use the ident option 
in the crypto command instead.

All this is in the autokey.html page along with a detailed description 
of the operations. Note also the relevant white pages at the NTP project 
page www.eecis.udel.edu/~ntp.html, especially the security analysis and 
the simulation and analysis of the on-wire protocol.

In contrast with the previous version, no options are required on the 
crypto command other than cited above. Note that the -s option is not 
required on the ntp-keygen program. These options can be added for 
special circumstances.


Miroslav Lichvar wrote:

>On Mon, Mar 28, 2011 at 11:11:28PM +0000, Dave Hart wrote:
>>Autokey is very clever in dealing with some unique challenges other
>>PKI OpenSSL client code doesn't have to.  Anyone attempting to
>>configure it should be on payroll, if not time and a half.
>>(insert series of profanities here)
>I had a similar feeling when I was expanding my NTP test suite to test
>basic Autokey functionality and compatibility between 4.2.2, 4.2.4 and
>4.2.6 version. I eventually got most of it working, but I'm not sure
>if it's working as intended or accidentaly by misplacing a private
>key, etc.
>I wasn't able to get the MV scheme working though. I have read the
>official ntp-keygen page and the wiki document.

More information about the questions mailing list