[ntp:questions] Re: symmetric-active mode (peer) and autokey

Steve Kostecke kostecke at ntp.isc.org
Thu Feb 9 03:54:45 UTC 2006


On 2006-02-04, Peter Pramberger <peter.pramberger at 1012surf.net> wrote:
> Peter Pramberger wrote:

> Update: It seems I've done the IFF part wrong. According to
> http://www.eecis.udel.edu/~mills/ntp/html/keygen.html ...
>
> "For the IFF scheme proceed as in the TC scheme to generate keys and
> certificates for all group hosts, then for every trusted host in the group,
> generate the IFF parameter file. On trusted host alice run ntp-keygen -T -I -p
> password to produce her parameter file ntpkey_IFFpar_alice.filestamp, which
> includes both server and client keys. Copy this file to all group hosts that
> operate as both servers and clients and install a soft link from the generic
> ntpkey_iff_alice to this file."
>
> ... instead of running "ntp-keygen -T -I -p somepass" on all trusted servers
> peering with each other in the trust group I had to create the IFFpar only on
> one of them and just copy it to the other trusted servers, create the link,
> and then create their host certificates ("ntp-keygen -T -q somepass").

I've tried that (a shared IFFpar) in the past and couldn't get it to
work. Both of my authenticated peers have their own unique IFFpar file
and have exchanged IFFkey files.

I'm currently testing the latest ntp-dev snapshot on Peer1.

> Then I can put the leapseconds file on one (only!) of the trusted servers and
> it will get distributed among the trust group.

Which is then dependent on that particular ntpd staying up.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/



