[ntp:questions] Autokey IFF

girino66 at gmail.com
Tue Jun 20 05:11:35 UTC 2017


On Monday, June 19, 2017 at 16:16:09 UTC+2, Fabien wrote:
> Hello,
> 
> I’m trying to set up an NTP infrastructure using the Autokey feature in IFF mode, but I have difficulties understanding how it works. I’m using NTP 4.2.6p5. I’ve set up a virtual machine lab:
> 
> https://docs.google.com/drawings/d/1-Di-8ih915ti5jIhDmQgS7T3BVmnAJJPkRyAGwZ64Cg/edit?usp=sharing
> 
> 00 is a physical ntp server.
> 01 and 02 are the Trusted Hosts (TH). 01 is the Trusted Agent (TA).
> 03 and 04 are the clients.
> 
> On 01, I generated the group keys with:
>         ntp-keygen -T -I -p azerty -i mongroup
> and I have distributed the group parameters to the clients (and then created a symlink on them) with:
>         ntp-keygen -e -p azerty
> Its ntp.conf contains:
>         restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
>         crypto pw azerty ident mongroup
>         keysdir /etc/ntp/crypto
> 
> On 03 and 04 (the clients) I’ve generated their certificates with:
>         ntp-keygen -H -p client -i mongroup
> Their ntp.conf files are:
>         server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //XXX… is the 01 address
>         crypto pw client
>         keysdir /etc/ntp/crypto
> 
> I can verify this configuration works by checking the association flags with: ntpq -c "rv ASSOCID flags"
> (Also, my flags are 5 digits long, but 4 digits long in the support guide: http://support.ntp.org/bin/view/Support/ConfiguringAutokey Why?)
> 
> I want 02 in the same group and in IFF mode too, but I cannot make it work. I think I have to use the command:
>         ntp-keygen -p azerty -q root
> on 01 (root is the password on 02) and share the private group key with 02?
> 
> I did several tests, and on 02 I generated other group keys (but with the same group name as 01) without distributing its parameters to the clients.
> On 02:
>         ntp-keygen -T -I -i mongroup -p root
> ntp.conf:
>         restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
>         crypto pw root ident mongroup
>         keysdir /etc/ntp/crypto
> 
> On 03 and 04, the ntp.conf files are:
>         server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 01 address
>         server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 02 address
>         crypto pw client
>         keysdir /etc/ntp/crypto
> 
> When I start ntpd on 02, 03 and 04, the clients are able to synchronize with 02, and in IFF mode! How is it possible? They don’t share anything.
> I think someone could do a MITM attack and take the place of 02 (correct me if I’m wrong).
> 
> I read the documentation on https://www.eecis.udel.edu/~mills/ntp/html/index.html but this is a bit confusing.
> 
> Plus, I cannot make the symmetric link between 03 and 04 work in IFF mode. But here I do not know if that’s possible.
> 
> Let me know if I didn't make it clear.
> 
> Thanks (and excuse my English).
> Fabien

Hi Fabien,

I've created peers sharing symmetric keys. That was the only "crypto" mode that I was able to set ...

Perhaps switching to ntp 4.2.8p10 could help.

Good luck
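Since the reply points to peers sharing symmetric keys as the mode that worked, here is an added example (not from this thread and not the NTP project's own code) of that setup for a pair such as 03 and 04: it generates an ntp.keys line, checks the file format before ntpd is pointed at it, and emits the matching ntp.conf fragment. Assumed: key id 1, documentation-range peer addresses 192.0.2.13 and 192.0.2.14, and a key file at ./ntp.keys (normally /etc/ntp/ntp.keys on both hosts).

```shell
#!/bin/sh
# Added example (not from the original thread or the NTP project): the
# symmetric-key alternative the reply mentions, for a peer pair like 03 and 04.
# Assumptions: key id 1, peer addresses 192.0.2.13 / 192.0.2.14 (documentation
# range), key file ./ntp.keys (normally /etc/ntp/ntp.keys on both hosts).

KEYFILE="${KEYFILE:-./ntp.keys}"

# One key line: "<id> SHA1 <40 hex chars>" built from 20 bytes of /dev/urandom.
# SHA1 keys need an ntpd built with OpenSSL; MD5 works with every build.
gen_key_line() {
    printf '%s SHA1 %s\n' "$1" "$(od -An -N20 -tx1 /dev/urandom | tr -d ' \n')"
}

# Write the key file readable only by its owner. Both peers must hold identical
# contents, copied over a channel that is already trusted (console, scp).
write_keyfile() {
    umask 077
    gen_key_line 1 > "$KEYFILE"
}

# Validate a key file before ntpd reads it: blank and '#' lines are skipped,
# every other line is "<id> <MD5|SHA1> <material>" with id in 1..65535,
# SHA1 material exactly 40 hex chars, MD5 material 1-20 printable chars.
check_keyfile() {
    [ -f "$1" ] || return 1
    while read -r id type mat; do
        case "$id" in ''|'#'*) continue ;; esac
        case "$id" in *[!0-9]*) return 1 ;; esac
        [ "$id" -ge 1 ] && [ "$id" -le 65535 ] || return 1
        case "$type" in
            SHA1) printf '%s' "$mat" | grep -Eq '^[0-9a-fA-F]{40}$' || return 1 ;;
            MD5)  [ -n "$mat" ] && [ "${#mat}" -le 20 ] || return 1 ;;
            *)    return 1 ;;
        esac
    done < "$1"
}

# ntp.conf fragment for one host: the key file, the ids allowed to authenticate
# packets, and the peer line carrying the key id. Without "key N" on the
# peer/server line the association stays unauthenticated even if a key file exists.
peer_conf() {
    printf 'keys %s\ntrustedkey %s\npeer %s key %s\n' "$KEYFILE" "$2" "$1" "$2"
}

# Demo run: create the key file, verify it, print the fragment for host 03
# (which peers with 04 at 192.0.2.14). Host 04 gets the same key file and
# peer_conf 192.0.2.13 1.
write_keyfile
check_keyfile "$KEYFILE" && echo "key file $KEYFILE OK"
peer_conf 192.0.2.14 1
```

For a client/server pair (03 against 01) the same key file is used with `server <addr> key 1` instead of the `peer` line. The point relative to the question above: with a shared symmetric key the authenticator on every packet is a MAC over the shared secret, so a host that does not hold the key cannot produce packets the other side accepts, which is the property Fabien expected from IFF and did not observe with 02.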


