[ntp:questions] Question on ntp authentication problem: "crypto_setup: host key file ntpkey_host_xxx not found or corrupt"

Terry.Lemons at dell.com
Tue Dec 10 21:52:55 UTC 2019


Hi

I'm using ntp-4.2.8p13-85.1.x86_64 on SLES 12 SP4. I'm trying to learn how to set up authenticated ntp.

Since 'man ntp-keygen' mentioned, "If compatibility with FIPS 140-2 is required, either the DSA-SHA or DSA-SHA1 scheme must be used", I'm trying to use DSA-SHA1 in my testing.

I used the command 'ntp-keygen --certificate=DSA-SHA1 --sign-key=DSA' to create the key files; I created the directory '/usr/local/etc' on my system, and did a 'cd' to that directory before executing the command. After ntp-keygen ran, I saw three files and three links to the files:

lava93141:~ # ls -l /usr/local/etc
total 24
-rw-r----- 1 root root 731 Dec  6 08:45 ntpkey_DSA-SHA1cert_lava93141.3784635947
-rw-r----- 1 root root 522 Dec  6 08:45 ntpkey_DSAsign_lava93141.3784635947
-rw-r----- 1 root root 709 Dec  6 08:45 ntpkey_RSAhost_lava93141.3784635947
lrwxrwxrwx 1 root root  40 Dec  6 08:45 ntpkey_cert_lava93141 -> ntpkey_DSA-SHA1cert_lava93141.3784635947
lrwxrwxrwx 1 root root  35 Dec  6 08:45 ntpkey_host_lava93141 -> ntpkey_RSAhost_lava93141.3784635947
lrwxrwxrwx 1 root root  35 Dec  6 08:45 ntpkey_sign_lava93141 -> ntpkey_DSAsign_lava93141.3784635947
lava93141:~ #

I attached the following lines to my /etc/ntp.conf file:

server [servername] iburst autokey
crypto

When I started the ntpd service, I saw the following messages in /var/log/messages:

2019-12-09T12:12:09.796427-07:00 lava93141 systemd[1]: ntpd.service: Service RestartSec=11min expired, scheduling restart.
2019-12-09T12:12:09.797208-07:00 lava93141 systemd[1]: Stopped NTP Server Daemon.
2019-12-09T12:12:09.799117-07:00 lava93141 systemd[1]: Starting NTP Server Daemon...
2019-12-09T12:12:09.820692-07:00 lava93141 ntpd[20180]: ntpd 4.2.8p13 at 1.3847-o Wed Mar 13 12:24:30 UTC 2019 (1): Starting
2019-12-09T12:12:09.821180-07:00 lava93141 ntpd[20180]: Command line: /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf
2019-12-09T12:12:09.826622-07:00 lava93141 ntpd[20181]: proto: precision = 0.075 usec (-24)
2019-12-09T12:12:09.827583-07:00 lava93141 ntpd[20181]: basedate set to 2019-03-01
2019-12-09T12:12:09.827981-07:00 lava93141 ntpd[20181]: gps base set to 2019-03-03 (week 2043)
2019-12-09T12:12:09.830579-07:00 lava93141 ntpd[20181]: crypto_setup: host key file ntpkey_host_lava93141 not found or corrupt
2019-12-09T12:12:09.830881-07:00 lava93141 systemd[1]: Started NTP Server Daemon.
2019-12-09T12:12:09.831200-07:00 lava93141 start-ntpd[20175]: Starting network time protocol daemon (NTPD)
2019-12-09T12:12:09.833718-07:00 lava93141 systemd[1]: ntpd.service: Main process exited, code=exited, status=255/n/a
2019-12-09T12:12:09.834047-07:00 lava93141 systemd[1]: ntpd.service: Unit entered failed state.
2019-12-09T12:12:09.834368-07:00 lava93141 systemd[1]: ntpd.service: Failed with result 'exit-code'.

I'm trying to understand the error message, "crypto_setup: host key file ntpkey_host_lava93141 not found or corrupt". The file is clearly there; my 'ls -l' command above shows that.  I even tried to change ntp.conf to use explicit parameters and file paths:

crypto cert /usr/local/etc/ntpkey_cert_lava93141 host /usr/local/etc/ntpkey_host_lava93141 sign /usr/local/etc/ntpkey_sign_lava93141

but there was no change in behavior. So, I'm now assuming that the file IS found, but is thought to be corrupt.  I'm not sure how this could be, since I used ntp-keygen to generate the files.

Thoughts, please.

Thanks!
tl

Terry Lemons
terry.lemons at dell.com

