[ntp:questions] crypto_ident: no compatable identity scheme found

scherniak at stny.rr.com scherniak at stny.rr.com
Mon Mar 26 22:15:22 UTC 2012


Dave,

Thanks for the quick response!

I tried as you recommended, and I still had the same failure.

In other documentation that I have seen on setting up the IFF keys, it was mentioned that it was not necessary to specify the client password. For 4.2.4P8, is it necessary to specify the client password? I tried it anyway by removing the client password from the ntp.conf crypto statement on the client, not using it (-p option) on the ntp-keygen -e command on the server when creating the IFFkey file, and not using the -p command for the ntp-keygen -H command on the client. This produced slightly different results. S-linking the ntpkey_iff_HMC1MCP7 to the ntpkey_host_HMC1MCP7, still resulted in the failure (80021). S-linking ntpkey_iff_HMC1MCP7 to the key file ntpkey_IFFkey_HMCLXRF3.<number> made the ntp connection work as a TC. Which really surprised me that it worked at all. It would seem to me that it would fail without a proper key, or work with a proper key as an IFF.

One thing to mention about my setup: the target server cannot be looked up on a DNS, so I put it in the /etc/hosts file of the client. Could that be a problem for why the server is not using the ntpkey_iff_HMCLXRF3 key?

So has this happened to anyone else? Could I have a bad build? Is there something subtle that I am not doing correctly?

Thanks for you continued help!
Steve


---- Dave Hart <hart at ntp.org> wrote: 
> On Fri, Mar 23, 2012 at 18:35,  <scherniak at stny.rr.com> wrote:
> > [root at HMC1MCP7-/etc/ntp]ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMCLXRF3
> > [root at HMC1MCP7-/etc/ntp]ln -s ntpkey_host_HMC1MCP7 ntpkey_iff_HMC1MCP7
> 
> 4.2.4 crypto_ident() tries to retrieve the IFF group key from filename
> ntpkey_iff_ISSUER first (which I think would be ntpkey_iff_HMCLXRF3
> here), and if that fails, it falls back on ntpkey_iff_HOSTNAME (which
> would be ntpkey_iff_HMC1MCP7 here).  Given that you saw behavior
> change to TC when you removed the client link ntpkey_iff_HMC1MCP7, and
> that ntpkey_IFFkey_HMCLXRF3.3541500807 actually contains the IFF group
> key encrypted using the client password, I suggest you try on the
> client
> 
> ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMC1MCP7
> 
> and see if that allows it to authenticate the server.  It would be
> better if the ntpkey_iff_ISSUER name worked, of course.
> 
> As you can see, configuring Autokey is intricate and troubleshooting
> can be tedious.  The good news is in 4.2.6 and later there's been some
> simplification so that in more cases the client configuration is the
> same across potentially many clients.  The bad news is it's not
> backwards compatible with 4.2.4, so we need a new HOWTO-type document
> for 4.2.6-and-later Autokey configuration.
> 
> Good luck,
> Dave Hart



More information about the questions mailing list