[ntp:questions] Re: Crypto iffpar

Steve Kostecke kostecke at ntp.isc.org
Sat Dec 10 01:44:39 UTC 2005


On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
>  On Friday, December 9, 2005 at 14:32:38 +0000, Steve Kostecke wrote:
>
>> On 2005-12-09, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:
>>> You *do* have a ntpkey_iff_stasis
>> No, I don't.
>
> You have one.

No. I really don't.

Let's review, shall we?

Test client: stasis
Test server: ntp0

In the client ntp.conf we have:

crypto pw <password>
keysdir /etc/ntp
server ntp0.kostecke.net iburst autokey

In the client keysdir we have:

ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910

Note that there is NO ntpkey_iff_client.

After restarting stasis we see:

stasis:~$ ntpq -pcas
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp0.kostecke.n .GPS.            1 u   52   64   17    0.800   -0.113   0.082

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 16052  f614   yes   yes   ok   sys.peer   reachable  1

and the association flags are correct:

stasis:~$ ntpq -c"rv 16052 flags,hostname"
assID=16052 status=f614 reach, conf, auth, sel_sys.peer, 1 event, event_reach,
flags=0x83f21, hostname="ntp0.kostecke.net"

and we see in the log:

53714 4726.021 192.168.19.4 newpeer 16052
53714 4726.053 ntpkey_RSAkey_stasis.3342803910 mod 512
53714 4726.055 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
53714 4726.931 refresh ts 0
53714 4726.934 192.168.19.4 flags 0x80021 host ntp0.kostecke.net \
	signature md5WithRSAEncryption
53714 4728.935 192.168.19.4 cert ntp0.kostecke.net 0x3 \
	md5WithRSAEncryption (8) fs 3315100165
53714 4730.935 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53714 4730.978 192.168.19.4 iff fs 3315100165
53714 4732.961 192.168.19.4 cook 86e55a98 ts 3343166332 fs 3343140882
53714 4733.944 update ts 3343166333
53714 4734.999 update ts 3343166334
53714 4734.999 192.168.19.4 sign ntp0.kostecke.net 0x3 \
	md5WithRSAEncryption (8) fs 3342803910

> [ntpkey_iff_stasis] loading at startup is visible in the cryptostats
> you posted in previous mail. iffpar?

Where's the ntpkey_iff_client shown above? I don't see it.

You may be confused by the fact that one of my sets of results was
generated while stasis was configured to serve authenticated time to a
third host.

>> you can't create an ntpkey_*_client symlink to each of your
>> ntpkey_*_server.xxxxxxxx files.
>
> Fortunately you need only one client symlink at startup to trigger one
> ident scheme, then used for as many servers as needed.

Perhaps you do. I don't.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
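As an added illustration (not code from the list or the NTP project), the check below cross-references the client keysdir symlinks with the cryptostats lines from the message above, to tell which identity parameter file ntpd actually used for the peer and whether any ntpkey_<scheme>_<localhost> client link exists. It assumes the "link -> target" listing shape and the cryptostats line formats exactly as shown in the message; the sample inputs are constructed from it.

```python
import re

# Constructed sample inputs, copied from the keysdir listing and cryptostats above.
KEYSDIR_LISTING = """\
ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910
"""
CRYPTOSTATS = """\
53714 4726.053 ntpkey_RSAkey_stasis.3342803910 mod 512
53714 4726.055 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
53714 4730.935 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53714 4730.978 192.168.19.4 iff fs 3315100165
"""

IDENT_ROLES = ("iff", "gq", "mv")
# ntpkey_<role>_<subject> -> ntpkey_<TYPE>_<subject>.<filestamp>
LINK_RE = re.compile(r"^(ntpkey_([a-z]+)_(\S+))\s+->\s+(ntpkey_\S+?\.(\d+))$")
# cryptostats lines that record a key/parameter/cert file being loaded
LOAD_RE = re.compile(r"^\d+\s+[\d.]+\s+(ntpkey_\S+?\.(\d+))\s+(?:mod\s+\d+|0x[0-9a-f]+\s+len\s+\d+)$")
# identity exchange lines: "<peer addr> <scheme> fs <filestamp>"
IDENT_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+)\s+(iff|gq|mv)\s+fs\s+(\d+)$")

def parse_keysdir(listing):
    """Map each ntpkey_* symlink name to (role, subject, target, filestamp)."""
    links = {}
    for line in listing.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            link, role, subject, target, fs = m.groups()
            links[link] = (role, subject, target, fs)
    return links

def audit_identity(listing, stats, local_host):
    """Report which identity file served each peer and which client links exist."""
    links = parse_keysdir(listing)
    ident_by_fs = {fs: link for link, (role, _, _, fs) in links.items() if role in IDENT_ROLES}
    loaded = {m.group(1) for m in (LOAD_RE.match(l.strip()) for l in stats.splitlines()) if m}
    report = {"client_ident_links": sorted(l for l, (role, subj, _, _) in links.items()
                                           if role in IDENT_ROLES and subj == local_host),
              "peers": {}}
    for line in stats.splitlines():
        m = IDENT_RE.match(line.strip())
        if not m:
            continue
        addr, scheme, fs = m.groups()
        link = ident_by_fs.get(fs)  # None means the daemon used a file not linked in keysdir
        report["peers"][addr] = {"scheme": scheme, "filestamp": fs, "link": link,
                                 "loaded": link is not None and links[link][2] in loaded}
    return report
```

Running audit_identity(KEYSDIR_LISTING, CRYPTOSTATS, "stasis") reports an empty client_ident_links list and the per-server ntpkey_iff_ntp0.kostecke.net link as the loaded IFF source for 192.168.19.4.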
