[ntp:questions] Autokey IFF
girino66 at gmail.com
Tue Jun 20 05:11:35 UTC 2017
On Monday 19 June 2017 16:16:09 UTC+2, Fabien wrote:
> Hello,
>
> I'm trying to set up an NTP infrastructure using the Autokey feature in IFF mode, but I have difficulties understanding how it works. I'm using NTP 4.2.6p5. I've set up a virtual machine lab:
>
> https://docs.google.com/drawings/d/1-Di-8ih915ti5jIhDmQgS7T3BVmnAJJPkRyAGwZ64Cg/edit?usp=sharing
>
> 00 is a physical ntp server.
> 01 and 02 are the Trusted Hosts (TH). 01 is the Trusted Agent (TA).
> 03 and 04 are the clients.
>
> On 01, I generated the group keys with:
> ntp-keygen -T -I -p azerty -i mongroup
> and I have distributed the group parameters to the clients (and then created a symlink on them) with:
> ntp-keygen -e -p azerty
> Its ntp.conf contains:
> …
> restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
> …
> crypto pw azerty ident mongroup
> keysdir /etc/ntp/crypto
>
> On 03 and 04 (the clients) I've generated their certificates with:
> ntp-keygen -H -p client -i mongroup
> Their ntp.conf is:
> …
> server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //XXX… is the 01 address
> …
> crypto pw client
> keysdir /etc/ntp/crypto
>
> I can verify this configuration works by checking the association flags with: ntpq -c "rv ASSOCID flags"
> (Also, my flags are 5 digits long, but 4 digits long in the support guide: http://support.ntp.org/bin/view/Support/ConfiguringAutokey why?)
>
> I want 02 in the same group and in IFF mode too, but I cannot make it work. I think I have to use the command:
> ntp-keygen -p azerty -q root
> on 01 (root is the password on 02) and share the private group key with 02?
>
> I did several tests, and on 02 I generated another group key (but with the same group name as 01) without distributing its parameters to the clients.
> On 02:
> ntp-keygen -T -I -i mongroup -p root
> ntp.conf:
> …
> restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
> …
> crypto pw root ident mongroup
> keysdir /etc/ntp/crypto
>
> On 03 and 04, the ntp.conf files are:
> …
> server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 01 address
> server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 02 address
> …
> crypto pw client
> keysdir /etc/ntp/crypto
>
> When I start ntpd on 02, 03 and 04, the clients are able to synchronize with 02, and in IFF mode! How is it possible? They don't share anything.
> I think someone could do some MITM attack and take the place of 02 (correct me if I'm wrong).
>
> I read the documentation on https://www.eecis.udel.edu/~mills/ntp/html/index.html but this is a bit confusing.
>
> Plus, I cannot make the symmetric link between 03 and 04 work in IFF mode. But here I do not know if that's possible.
>
> Let me know if I didn't make it clear.
>
> Thanks (and excuse my English).
> Fabien
Hi Fabien,
I've created peers sharing symmetric keys. That was the only "crypto" mode that I was able to set ...
Perhaps switching to ntp 4.2.8p10 could help.
Good luck
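An added audit helper, not from this thread or the NTP project, for the keysdir layout Fabien describes: trusted hosts hold the IFF private group key, clients hold only the exported public parameters plus the symlink they created. It assumes ntp-keygen's IFFkey/IFFpar file naming and the lowercase iffkey/iffpar links; the fstamp value and the demo directories are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an Autokey IFF keysdir
# (e.g. /etc/ntp/crypto) for one role. Assumed file naming from ntp-keygen:
# private group key  ntpkey_IFFkey_<group>.<fstamp> (link ntpkey_iffkey_<group>)
# public parameters  ntpkey_IFFpar_<group>.<fstamp> (link ntpkey_iffpar_<group>)
# Trusted hosts hold the private group key; clients must hold only the public
# parameters, since possession of the private key is what proves group identity.
# audit_keysdir th|client DIR GROUP -> returns 0 if the layout is sane, 1 if not
audit_keysdir() {
    role=$1; dir=$2; group=$3; rc=0
    key="$dir/ntpkey_iffkey_$group"
    par="$dir/ntpkey_iffpar_$group"
    case $role in
        th)
            if [ -L "$key" ] && [ -f "$key" ]; then
                echo "ok: TH private group key -> $(readlink "$key")"
            else
                echo "FAIL: TH missing private group key link $key"; rc=1
            fi ;;
        client)
            # A client must not carry the private group key at all.
            if [ -e "$key" ] || [ -L "$key" ]; then
                echo "FAIL: client holds private group key $key"; rc=1
            fi
            if [ -L "$par" ] && [ -f "$par" ]; then
                echo "ok: client public parameters -> $(readlink "$par")"
            else
                echo "FAIL: client missing public parameters link $par"; rc=1
            fi ;;
        *) echo "usage: audit_keysdir th|client DIR GROUP"; return 2 ;;
    esac
    # Dangling symlink: link present but its target file is gone.
    for l in "$key" "$par"; do
        if [ -L "$l" ] && [ ! -e "$l" ]; then
            echo "FAIL: dangling link $l -> $(readlink "$l")"; rc=1
        fi
    done
    return $rc
}
# Constructed demo: a fake TH and client keysdir under a temp directory.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/th" "$tmp/client"
    printf 'private\n' > "$tmp/th/ntpkey_IFFkey_mongroup.3703000000"
    ln -s ntpkey_IFFkey_mongroup.3703000000 "$tmp/th/ntpkey_iffkey_mongroup"
    printf 'public\n' > "$tmp/client/ntpkey_IFFpar_mongroup.3703000000"
    ln -s ntpkey_IFFpar_mongroup.3703000000 "$tmp/client/ntpkey_iffpar_mongroup"
    audit_keysdir th "$tmp/th" mongroup && audit_keysdir client "$tmp/client" mongroup
    rc=$?; rm -rf "$tmp"; return $rc
}
```

Run `demo` to see both roles pass, or point `audit_keysdir client /etc/ntp/crypto mongroup` at a real client to confirm it never carries the private group key.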