[ntp:questions] IFF identity scheme on an intermediate server

Bartholome, Alain alain.bartholome at eads.com
Thu May 7 15:47:35 UTC 2009


Hi,
In the final configuration there is a third system  named client which ntp
server is int_server.
In the first step, I want to have iff working for trustedhost and
int_server.

Regards,
Alain.


-----Message d'origine-----
De : questions-bounces+alain.bartholome=eads.com at lists.ntp.org
[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] De la
part de David Mills
Envoyé : jeudi 7 mai 2009 17:34
À : 'questions at lists.ntp.org'
Objet : Re: [ntp:questions] IFF identity scheme on an intermediate server

Alain,

In your terms an intermediate server is an ordinary client in the same 
group as the TH. The only difference is that it has the server keys 
generated by the TH with the -q option. See the ntp-keygen page.

Dave

Bartholome, Alain wrote:

>Hi,
>
>With my testing of iff, I get protocol_error.
>
>The following is extracted from the authentications options documentation:
>
>
>  
>
>>When an identity scheme is included, for example IFF, the TH generates
host
>>key, trusted certificate and private server identity files using the
>>    
>>
>ntp->keygen -T -I -i group command, where group is the group name. The
>  
>
>>reemaining group hosts use the same command as above. The client identity
>>files are obtained separately. All hosts use the crypto ident group
>>configuration command.
>>    
>>
>
>The intermediate server should use ntp->keygen -T -I -i group ?
>
>For the intermediate server I made the 2 following tests:
>(Int_server is not trusted, so I dropped  the -T option)
>
>ntp-keygen -p little -i secgroup
>ntp-keygen -I -p little -i secgroup
>
>I get protocol_error with both.
>-------------------------------------------
>Hereafter are the ntp.conf files and the ntp_keygen commands 
>
>On the trusted host trustedhost of the group  secgroup:
>
>The ntp.conf file:
>
>
>keysdir "D:\appli\ntp\etc"
>autokey  
>crypto pw little ident secgroup
>leapfile  "D:\appli\ntp\etc\ntpkey_leap" 
>server 127.127.1.0  
>fudge 127.127.1.0 stratum 7
>
>#end of file
>
>the following commands have been executed on trustedhost:
>
>ntp-keygen -T -I -p trusted -i secgroup
>
>ntp-keygen -e -p trusted -q little >ntpkey_iffpar_secgroup
>this file is copied to the clients
>
>ntp-keygen   -p trusted -q little >ntpkey_iffkey_secgroup
>this file uses ntpkey_iffkey_secgroup created by " ntp-keygen -T -I -p
>trusted -i secgroup" and generates a new ntpkey_iffkey_secgroup copied to
>int_server
>
>-------------------------
>-------------------------
>intermediate server int_server
>
>The ntp.conf file:
> 
>keysdir "D:\appli\ntp\etc"
>autokey  
>crypto pw little ident secgroup
>enable stats auth
>server trustedhost autokey iburst
>  
>#end of file
>
>the following commands have been executed on int_server:
>
>ntp-keygen -p little -i secgroup
>
>ntpkey_iffkey_secgroup have been copied to int_server
>
>
>Regards,
>Alain.
>
>
>-------------------------------------
>
>-----Message d'origine-----
>De : questions-bounces+alain.bartholome=eads.com at lists.ntp.org
>[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] De la
>part de David Mills
>Envoyé : mercredi 6 mai 2009 18:44
>À : 'questions at lists.ntp.org'
>Objet : Re: [ntp:questions] IFF identity scheme on an intermediate server
>
>Alain,
>
>See the Authentication Options and ntp-keygen pages in the curtent 
>online documentation. I've rewritten some of that text withexamples. 
>Hosts with dependent clients need the keys file, while client need only 
>the paramters file. The ntp-keygen page has examples showing how these 
>files can be generated and distributed.
>
>Dave
>
>Bartholome, Alain wrote:
>
>  
>
>>Hi,
>>
>>I am using NTP version 4.2.5p158 on windows sever 2003.
>>
>>I would like to know what iff files, in addition to the host key and the
>>certificate  files,  must exist on an intermediate NTP server.
>>According to what I have read, the documentation describes the
>>    
>>
>configuration
>  
>
>>on the trusted host server of the group and on the clients but not  for
>>servers in between them.
>>
>>Regards,
>>Alain.
>>
>>_______________________________________________
>>questions mailing list
>>questions at lists.ntp.org
>>https://lists.ntp.org/mailman/listinfo/questions
>> 
>>
>>    
>>
>
>_______________________________________________
>questions mailing list
>questions at lists.ntp.org
>https://lists.ntp.org/mailman/listinfo/questions
>_______________________________________________
>questions mailing list
>questions at lists.ntp.org
>https://lists.ntp.org/mailman/listinfo/questions
>  
>


_______________________________________________
questions mailing list
questions at lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions



More information about the questions mailing list