[ntp:questions] Re: ntp authentication problems

David L. Mills mills at udel.edu
Mon Aug 4 14:37:38 UTC 2003


Bernhard,

As you will see in the documentation, the pps and authenticate statements 
are deprecated. The best way to debug things like this is using the 
debug trace.

Folks bitch at me about the volume of icky detail in the NTPv4 
documentation pages. Those pages are intended primarily as reference 
documentation and somebody else gets to write the touchy feely faq. But, 
it's all there in the authentication options page and ntp_keygen program 
manual page. I just checked carefully that the specific questions you 
raise are in fact prominent in the prose, although you do have to slog 
through a couple of dreary background before getting to the answers. 
That's done on purpose.

Be careful to use the latest NTP version. I'm completely confused as to 
the state of the release and development versions now at www.ntp.org, as 
the release version is later than the development version.

Dave

Bernhard Dobbels wrote:

> I have two stratum 1 servers and 10 stratum 2 servers. There should
> exist authentication between the peers and also between the stratum 2
> and 1 servers.
> 
> I'll start with using MD5, but in the end would like to use Autokey
> protocol.
> 
> I always get the error 'Transmit: no encryption key found', while
> updates with ntpdate and encryption do work.
> 
> Some details of the setup:
> 
> Config server:
> 	#  ***  LAN TIME  ***
> 	# NTP.CONF for GPS167 with UNI ERLANGEN(do not modify)
> 
> 	pps /dev/refclock-0 assert hardpps   # PPS device
> 
> 	server  127.127.1.0                  # local clock
> 	fudge   127.127.1.0 stratum 11       # local stratum
> 
> 	server  127.127.8.0 mode 135 prefer  # Meinberg GPS OCXO UNI Erlangen PPS
> 	server  127.127.22.0                 # ATOM (PPS)
> 	fudge   127.127.22.0 flag3 1         # enable PPS API
> 
> 	enable stats
> 	statsdir /var/log/
> 	statistics loopstats
> 	driftfile /etc/ntp.drift
> 
> 	authenticate yes
> 	keys /etc/ntp/keys
> 	trustedkey 1
> 
> 	logfile /var/log/ntpd.log
>  
> Config client:
> 	server	192.168.151.16 key 1 prefer 	# stratum 1 server cik
> 	server	127.127.1.0                	# local clock
> 	fudge	127.127.1.0 stratum 12
> 
> 	driftfile /etc/ntp/drift
> 	broadcastdelay	0.008
> 
> 	authenticate yes
> 	keys		/etc/ntp/keys
> 
> 	logfile	/var/log/ntp/ntp.log
> 
> 	statsdir /var/log/ntp/
> 	statistics loopstats 
> 	statistics peerstats
> 	statistics rawstats
> 
> 
> Keys file /etc/ntp/keys (mode 600) on both server and client:
> 1 M ~rfi%=?/PN2pgu&z   # MD5 key
> 3 M ;f4Bz02]s%v{TQxt   # MD5 key 
> 
> Ntpdate:
> /usr/sbin/ntpdate -dddd -s -a 1 -k /etc/ntp/keys -b -p 1 -u 192.168.151.16 >ntpdate.log
> 
> 	receive: rpkt keyid=1 sys_authkey=1 decrypt=1
> 	receive: authentication passed
> 	offset: 0.003616, delay 0.00069
> 	transmit(192.168.151.16)
> 	server 192.168.151.16, port 123
> 	stratum 1, precision -18, leap 00, trust 000
> 	refid [PPS], delay 0.02631, dispersion 0.00000
> 	transmitted 1, in filter 1
> 	reference time:    c2d8be1a.bb3892ee  Mon, Aug  4 2003 13:12:26.731
> 	originate timestamp: c2d8be2a.c8694034  Mon, Aug  4 2003 13:12:42.782
> 	transmit timestamp:  c2d8be2a.c750f40e  Mon, Aug  4 2003 13:12:42.778
> 	filter 	delay:  0.02631  0.00000  0.00000  0.00000 
>         		 0.00000  0.00000  0.00000  0.00000 
> 	 filter offset: 0.003616 0.000000 0.000000 0.000000
> 	 	         0.000000 0.000000 0.000000 0.000000
> 	  delay 0.02631, dispersion 0.00000
> 	  offset 0.003616 
> 
> Logfile on Client:
>  4 Aug 12:54:25 ntpd[887]: running as uid(38)/gid(38) euid(38)/egid(38).
>  4 Aug 12:54:38 ntpd[887]: transmit: no encryption key found
>  4 Aug 12:57:39 ntpd[887]: kernel time discipline status change 41
>    
> 
> I do not understand why authentication for ntpdate works and not for
> ntpd. Any suggestions are welcome.
> 
> 
> If someone could explain to me how to use autokey (generate keys), I would be grateful. (and yes, I've read most of the docs about it.)
> 
> Bernhard Dobbels
> Network engineer.
> 
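
Added example, not part of either message in this thread: a small Python check that every key ID used by an ntp.conf association is both defined in the keys file and listed on a trustedkey line. The client configuration is the one quoted above (abbreviated); the key secrets are constructed placeholders and the function names are hypothetical. It assumes ntpd only uses symmetric keys named on a trustedkey line, and it does not handle key ID ranges.

```python
ASSOC = {"server", "peer", "broadcast", "manycastclient"}

# Client ntp.conf as quoted in the thread (abbreviated).
CLIENT_CONF = """\
server\t192.168.151.16 key 1 prefer \t# stratum 1 server cik
server\t127.127.1.0                \t# local clock
fudge\t127.127.1.0 stratum 12
authenticate yes
keys\t\t/etc/ntp/keys
"""

# Constructed keys file: same key IDs as the thread, placeholder secrets.
KEYS = """\
1 M placeholder-secret-1   # MD5 key
3 M placeholder-secret-3   # MD5 key
"""

def parse_keys(text):
    """Return the set of key IDs defined in a keys file."""
    ids = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0].isdigit():
            ids.add(int(f[0]))
    return ids

def parse_conf(text):
    """Return ({address: key ID}, trusted key IDs, keys file path)."""
    used, trusted, keys_file = {}, set(), None
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        cmd = f[0].lower()
        if cmd in ASSOC and "key" in f[2:]:
            i = f.index("key", 2)
            if i + 1 < len(f) and f[i + 1].isdigit():
                used[f[1]] = int(f[i + 1])
        elif cmd == "trustedkey":
            trusted.update(int(x) for x in f[1:] if x.isdigit())
        elif cmd == "keys" and len(f) > 1:
            keys_file = f[1]
    return used, trusted, keys_file

def audit(conf_text, keys_text):
    """List associations whose key is undefined or untrusted."""
    used, trusted, keys_file = parse_conf(conf_text)
    defined = parse_keys(keys_text)
    out = ["no keys file configured"] if used and keys_file is None else []
    for addr, kid in sorted(used.items()):
        if kid not in defined:
            out.append(f"{addr}: key {kid} not defined in keys file")
        if kid not in trusted:
            out.append(f"{addr}: key {kid} not listed in trustedkey")
    return out
```

Run against the quoted client configuration, `audit(CLIENT_CONF, KEYS)` reports one finding for 192.168.151.16; appending a `trustedkey 1` line clears it.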



