[ntp:questions] Re: Crypto iffpar

David L. Mills mills at udel.edu
Sun Dec 25 00:52:29 UTC 2005


Serge,

I beg to differ. The recent crypto ident command is in ntp-dev and the 
related online documentation. The reason this was done is to allow a host 
to belong to one group and scheme and have its clients belong to a 
different group and scheme.

Dave

Serge Bets wrote:
>  On Wednesday, December 21, 2005 at 13:54:56 +0000, Steve Kostecke wrote:
> 
> 
>>Perhaps _you_ need to use an ntpkey_iffkey_client sym-link, or a
>>'crypto iff...' directive, to force _your_ ntpd to use the IFF
>>Identity Scheme. I, on the other hand, don't.
> 
> 
> According to the source code, it must be ntpkey_iff_client, and
> "crypto ident iff". The symlink variant with "key" (as
> "ntpkey_mvkey_client") is a typo in the keygen.html doc. And the
> commands "crypto iff|gq|mv" don't exist, they are also doc typos, in
> authopt.html this time. In doc versions live from the web.
> 
> 
> 
>>This suggests to me that something on your end is broken. Perhaps it's
>>your OS or perhaps it's the version of ntpd that you're using.
> 
> 
> Unlikely, but possible: I'm investigating. BTW I upgraded both versions:
> Now Linux Server runs ntp-dev-4.2.0b-20051208.tar.gz, while Win2k Client
> runs ntp-dev-4.2.0b-20051105-nt.zip from Terje Mathisen. IIANM you run
> 4.2.0a at 1:4.2.0a+stable-2-r (Debian Sarge?) on server ntp0, and what on
> client Stasis?
> 
> 
> 
>>>This 3rd cryptostats doesn't look like anything I ever saw.
>>
>>I did add some in-line commentary.
> 
> 
> Odd not about certs. But about "newpeer" line only coming after 30
> seconds, instead of startup. And the "auto" line. Never had this with
> "server Server autokey". What is it? Incoming broadcast, incoming
> symmetric active packet, ...?
> 
> 
> 
>>I know what works on all of the systems that I've configured to use
>>Autokey+IFF/GQ/MV.
> 
> 
> You keep repeating that all is well in ConfiguringAutokey, and that it's
> hands on experience. Without really looking at the contrary arguments.
> Unfortunately this closed position makes you miss the flaw.
> 
> Another argument about GQ identity scheme. The official documentation
> http://www.eecis.udel.edu/~mills/ntp/html/keygen.html states:
> 
> | On trusted host alice run ntp-keygen -T -G -p password to produce her
> | parameter file ntpkey_GQpar_alice.filestamp, which includes both
> | server and client keys.
> | Copy this file to all group hosts and install a soft link from the
> | generic ntpkey_gq_alice to this file.
> | In addition, on each host bob install a soft link from generic
> | ntpkey_gq_bob to this file.
> 
> While ConfiguringAutokey on the Twiki states:
> 
> | Obtain the GQ group key, generated in 6.6.1.3.2. GQ Parameters via a
> | secure means, copy the key file to the keysdir, and create the
> | standard sym-link:
> |
> | cd /etc/ntp
> | ln -s ntpkey_GQpar_server.3301145293 ntpkey_gq_server
> 
> There is one lacking symlink:
> 
> | ntpkey_gq_client -> ntpkey_GQpar_server.3301145293
> 
> Why this difference with The Only True Official Docs?
> 
> 
> Serge.
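The symlink layout argued over above, as an added example that is not part of the thread and not ntp-keygen's own tooling: a small POSIX sh check that the GQ links keygen.html calls for (one ntpkey_gq_<host> link per group host, every one pointing at the trusted host's ntpkey_GQpar_<host>.<filestamp> file) exist, point at the right file, and resolve. The directory names, the host names "server" and "client", the filestamp reused from the Twiki quote, and the function names check_gq_links and make_demo are assumptions for illustration; the parameter file make_demo creates is an empty constructed stand-in, not real GQ parameters.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the GQ identity-scheme
# symlinks described in keygen.html: for trusted host "alice" and a group
# host "bob" that shares alice's parameters, the keys directory should hold
#   ntpkey_gq_alice -> ntpkey_GQpar_alice.<filestamp>
#   ntpkey_gq_bob   -> ntpkey_GQpar_alice.<filestamp>
# Names and paths below are assumptions for illustration.

# check_gq_links KEYSDIR TRUSTED_HOST [OTHER_HOST...]
# Returns 0 when every expected link exists, names a file of the form
# ntpkey_GQpar_<TRUSTED_HOST>.<filestamp>, and that file is present.
# Each problem found is reported on stderr and makes the return code 1.
check_gq_links() {
    keysdir=$1; trusted=$2; shift 2
    rc=0
    for host in "$trusted" "$@"; do
        link="$keysdir/ntpkey_gq_$host"
        if [ ! -L "$link" ]; then
            echo "missing symlink: $link" >&2; rc=1; continue
        fi
        target=$(readlink "$link")
        # The generic link must name the trusted host's parameter file,
        # never some other host's file and never the generic name itself.
        case "$target" in
            ntpkey_GQpar_"$trusted".[0-9]*) ;;
            *) echo "unexpected target for $link: $target" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$keysdir/$target" ]; then
            echo "dangling link: $link -> $target" >&2; rc=1
        fi
    done
    return $rc
}

# make_demo DIR: build two constructed keys directories under DIR.
#   DIR/full    has both links keygen.html asks for (server and client)
#   DIR/partial has only the server link, the layout Serge says the Twiki shows
# The parameter file is an empty constructed stand-in, not real GQ parameters.
make_demo() {
    dir=$1
    mkdir -p "$dir/full" "$dir/partial"
    : > "$dir/full/ntpkey_GQpar_server.3301145293"
    ln -s ntpkey_GQpar_server.3301145293 "$dir/full/ntpkey_gq_server"
    ln -s ntpkey_GQpar_server.3301145293 "$dir/full/ntpkey_gq_client"
    : > "$dir/partial/ntpkey_GQpar_server.3301145293"
    ln -s ntpkey_GQpar_server.3301145293 "$dir/partial/ntpkey_gq_server"
}
```

Run it against a real keys directory as `check_gq_links /etc/ntp server client`: the full layout passes silently, while the partial one reports `missing symlink: .../ntpkey_gq_client` and exits 1, which is exactly the gap between the two documents that the message above points out.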