[ntp:questions] Could some one help in pointing out the error here

catherine.wei1989 at gmail.com catherine.wei1989 at gmail.com
Mon Mar 2 08:03:03 UTC 2015


On Saturday, April 21, 2007 at 9:50:48 PM UTC+8, Steve Kostecke wrote:
> On 2007-04-21, Remo <madhu_mepco at yahoo.co.uk> wrote:
> 
> > I was not able to set a remote server's leap. It looks like the NTP
> > packets from the query are not generated at all. Though the "sendpkt"
> > procedure is being called "sendrequest", I am not able to see the
> > packet reaching the other side. I guess that I am missing something as
> > there is an error reported with authentication.
> 
> I believe that the real issue is that you can't use writevar to set the
> leap.
> 
> > ntpq> asso
> > ind assID status  conf reach auth condition  last_event cnt
> >===========================================================
> >   1 17284  f614   yes   yes   ok   sys.peer   reachable  1
> >   2 17285  c000   yes   yes   bad    reject
> > ntpq> writevar 17284 leap=1
> > Keyid: 64
> > MD5 Password:
> > ***Server disallowed request (authentication?)
> 
> I have a flock of systems that are set up to allow remote modification
> and have a working symmetric key set. When I tried to set the leap on
> another ntpd I see the same message:
> 
> steve at stasis:~$ ntpq
> ntpq> as
> ...
>   2 20879  7014    no   yes   ok     reject   reachable  1
> ...
> ntpq> writevar 20879 leap=1
> Keyid: 1
> MD5 Password: 
> ***Server disallowed request (authentication?)
> 
> I've also tried setting the local ntpd leap and that fails, too:
> 
> ntpq> rv 0 leap
> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
> leap=00
> ntpq> writevar 0 leap=1
> ***Server returned an unspecified error
> ntpq> rv 0 leap
> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
> leap=00
> 
> > trustedkey 1234
> > requestkey 61
> > controlkey 64
> 
> All of the keys must be listed on the 'trustedkey' line. This tells ntpd
> to trust those keys; the default is to trust these keys to authenticate
> time service. Subsets of the trusted keys may also be specified on the
> 'trustedkey' and 'requestkey' lines if you wish to allow the use of
> certain keys by ntpdc and ntpq.
> 
> This is discussed in the distribution documentation at
> http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis
> is mine):
> 
> "When ntpd is first started, it reads the key file specified in the keys
> configuration command and installs the keys in the key cache. HOWEVER,
> INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE
> USE. This allows, for instance, the installation of possibly several
> batches of keys and then activating or deactivating each batch remotely
> using ntpdc. This also provides a revocation capability that can be used
> if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY
> USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND
> SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY."
> 
> This is also documented in section 6.1.3.3 at
> http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm
> 
> > Is this possible to work without authentication? Please help.
> 
> You could disable authentication when ntpd is started, but this will
> leave your ntpd open to being remotely modified by anyone who can
> connect to it.
> 
> -- 
> Steve Kostecke <kostecke at ntp.isc.org>
> NTP Public Services Project - http://ntp.isc.org/

Hi Steve,
When I start the ntpd process and disable ntpd authentication using the command:
ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log

and then execute a command (e.g.):
ntpq -c ":config server 10.172.161.16 minpoll 3 maxpoll 4 burst"

it still asks for a keyid and MD5 password.
By the way, my ntp version is 4.2.8p1. Is ntpd authentication a must in the new ntp version?
Thank you.
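
Added example, not part of the original thread and not code from the NTP project: a small offline check for the rule quoted above, that the keys named by requestkey and controlkey must exist in the keys file and be activated on the trustedkey line. The function names, the sample keys file and its placeholder secrets are constructed for illustration; the three configuration lines are the ones quoted in the thread.

```python
import re

# Constructed sample: the three lines quoted in the thread, plus an assumed keys file.
SAMPLE_CONF = "trustedkey 1234\nrequestkey 61\ncontrolkey 64\n"
SAMPLE_KEYS = "61 M placeholder-a\n64 M placeholder-b\n1234 M placeholder-c\n"

# "(low ... high)" range form accepted on trustedkey lines by recent ntpd releases.
RANGE = re.compile(r"\(\s*(\d+)\s*\.\.\.\s*(\d+)\s*\)")

def parse_conf(text):
    """Return (set of trusted key ids, {directive: key id}) from ntp.conf text."""
    trusted, roles = set(), {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        directive, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if directive == "trustedkey":
            for lo, hi in RANGE.findall(rest):
                trusted.update(range(int(lo), int(hi) + 1))
            trusted.update(int(t) for t in RANGE.sub(" ", rest).split() if t.isdigit())
        elif directive in ("requestkey", "controlkey") and rest.strip().isdigit():
            roles[directive] = int(rest)
    return trusted, roles

def parse_key_ids(text):
    """Return the key ids defined in keys-file text (lines of: id type secret)."""
    ids = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].isdigit():
            ids.add(int(fields[0]))
    return ids

def audit(conf_text, keys_text):
    """List reasons why authenticated ntpdc/ntpq requests would be refused."""
    trusted, roles = parse_conf(conf_text)
    defined = parse_key_ids(keys_text)
    findings = []
    for directive, tool in (("requestkey", "ntpdc"), ("controlkey", "ntpq")):
        kid = roles.get(directive)
        if kid is None:
            findings.append(f"{directive} not set: no key selected for {tool}")
        elif kid not in defined:
            findings.append(f"{directive} {kid}: key not defined in the keys file")
        elif kid not in trusted:
            findings.append(f"{directive} {kid}: key not listed on trustedkey")
    return findings
```

Running audit(SAMPLE_CONF, SAMPLE_KEYS) reports both keys 61 and 64 as missing from the trustedkey line; listing them there clears the findings.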


