[ntp:questions] NTP 4.2.8: "Autokey" problem faced with IFF scheme for client/server pair: Request your inputs

Sowmya Manapragada skoganty at gmail.com
Tue Aug 11 18:19:54 UTC 2015


Hi All,

Request your help/suggestions on the problem below that I am facing; I am
relatively new to NTP and request your inputs.

Problem:

I am trying to configure an NTP server/client pair to use the IFF identity
scheme.

I followed the directions on the following NTP page precisely:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Both machines are running Windows 7, NTP version 4.2.8p2.

The problem is that the client never syncs with the server and always rejects it
(authentication: OK, condition: reject, reach: 0).

Please see details below

*************************************************
server machine:>
*************************************************

<server5672N - ntp.conf>

restrict default kod nomodify notrap noquery

# Authentication
statsdir "D:\ntp\stats\"
statistics cryptostats
filegen cryptostats file cryptostats type none enable

server BLRK05A iburst #timesource

crypto ident iff
crypto pw spassword
keysdir "D:\ntp\keys\"

****************************************************

server-step-1)
# Generate the IFF parameters
D:\ntp\keys> ntp-keygen -T -I -p spassword

server-step-2)
# Export the IFF group key
D:\ntp\keys> ntp-keygen -e -p spassword

# o/p on the console
Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
Using host server5672N group server5672N
Using host key ntpkey_host_server5672N
Using host key as sign key
Using IFF keys ntpkey_iffkey_server5672N
Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
MIG0AgEAMIGpBgcqhkjOOAQBMIGdAkEA20WQMdLTHJlm0aPwiPieUdP4dhodm0w
z/ceXzabezyx7odMqJA9GwrPyk1UFkelnmLkeYLZpC8Om0KvDzc5jwIVAPTGF3I0
q5BUZq4ynXezdUaVxjdbAkEAg751a+5ClAQQBrUICA7+gAu4idG6FHPBX64B5Scy
mx6kkaTyzAZsv5F2E23AetDBI7OIf6WFeCO3yxbMpQ97PQQDAgEB
-----END PRIVATE KEY-----
Generating new certificate server5672N RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N.3648303779 failed: Cannot create a file when that file already exists.
RSA-MD5cert: Unknown error
Generating new cert file and link
ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779
# end o/p

server-step-3)

Copied the IFF key text (from above, starting with
"# ntpkey_iffpar_server5672N.3648303779" up to "-----END PRIVATE KEY-----") and
pasted it into an editor (Notepad).

Named this file ntpkey_iffpar_server5672N.3648303779.

Copied this file onto the client machine into the keys dir and created a
symlink (i.e. on the client machine: D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648303779).

**********************************************************

clientmachine:>
**********************************************************

<client - ntp.conf>

restrict default kod nomodify notrap nopeer noquery

crypto ident iff
crypto pw spassword

server server5672N autokey iburst  #prefer to connect to this source

************************************************************

//client
------------------------------------------------------------

client-step-1) D:\ntp\keys> ntp-keygen -H -p cpassword

// Obtain the IFF group key exported above (on the server machine), copy the key
// file to the keysdir, and create the standard symlink
client-step-2) D:\ntp\keys> mklink ntpkey_iffpar_server5672N ntpkey_iffpar_server5672N.3648213639

****************************************************************************************************************************************************************

Results:>

--------------------------------------------------------------

server:

start ntp service on server:
everything works fine on the server: rv 0 = c618 (sync_ntp) (perfectly synced
with its timesource)

-------------------------------------------------------

The problem is with the client; output given below. The client keeps rejecting
the server and never syncs with its server peer.

ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167   e011   yes    no   ok    reject   mobilize  1

ntpq> rv 4167 flags
flags=0x85301

ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rootdelay=205.750, rootdisp=236.755, refid=132.186.221.175,
reftime=d9741e71.e9570d9c Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"

------------------------------------------------------------------------------

cryptostats output I see on the client machine:

57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------

thanks a lot,
Shyam
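As an added example (not from the post, and not part of ntp-keygen or ntpd): a Python stand-in for the Notepad copy in server-step-3 and the mklink in client-step-2. It parses the `ntp-keygen -e` stream for the `# ntpkey_iffpar_<group>.<filestamp>` header and PEM block, writes that text under exactly that name, creates the `ntpkey_iffpar_<group>` link, and then checks that the link resolves to an existing file carrying the filestamp the server actually exported, which is the kind of mismatch a hand-typed link name can introduce. The sample export and its PEM body are constructed placeholders, and all function names are my own.

```python
import os
import re
import tempfile

# Constructed sample of the `ntp-keygen -e` stdout from server-step-2 (PEM body is a placeholder, not a real key).
SAMPLE_EXPORT = """\
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
"""
HEADER_RE = re.compile(r"^# (ntpkey_iffpar_(\S+?)\.(\d+))$", re.M)

def parse_iffpar_export(text):
    """Return (filename, group, stamp, body); body = the two '#' lines plus the PEM block."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no '# ntpkey_iffpar_<group>.<stamp>' header found")
    end = text.index("-----END PRIVATE KEY-----", m.start()) + 25  # 25 = length of the END marker
    return m.group(1), m.group(2), m.group(3), text[m.start():end] + "\n"

def install_on_client(keysdir, export_text):
    """Write the stamped file and link ntpkey_iffpar_<group> to it (the client-step-2 mklink)."""
    fname, group, _stamp, body = parse_iffpar_export(export_text)
    with open(os.path.join(keysdir, fname), "w") as fh:
        fh.write(body)
    link = os.path.join(keysdir, "ntpkey_iffpar_" + group)
    os.symlink(fname, link)  # relative target, as ntpd expects the link beside the file
    return link

def check_client_link(keysdir, group, expected_stamp):
    """Pre-start check: the link must name an existing file carrying the exported filestamp."""
    link = os.path.join(keysdir, "ntpkey_iffpar_" + group)
    if not os.path.islink(link):
        return False, "missing link " + link
    target = os.path.basename(os.readlink(link))
    m = re.fullmatch(r"ntpkey_iffpar_%s\.(\d+)" % re.escape(group), target)
    if not m or m.group(1) != expected_stamp or not os.path.isfile(os.path.join(keysdir, target)):
        return False, "link -> %s is not an existing file with stamp %s" % (target, expected_stamp)
    return True, "ok"

def demo():
    # Install into a scratch keys dir, then relink to a mistyped stamp and show the check catches it.
    keysdir = tempfile.mkdtemp()
    link = install_on_client(keysdir, SAMPLE_EXPORT)
    good = check_client_link(keysdir, "server5672N", "3648303779")
    os.remove(link)
    os.symlink("ntpkey_iffpar_server5672N.3648213639", link)
    bad = check_client_link(keysdir, "server5672N", "3648303779")
    return good, bad
```

On Windows, os.symlink needs the same privilege as mklink (administrator rights, or Developer Mode on Windows 10 and later).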

