[ntp:questions] NTP 4.2.8 :"Autokey" problem faced with IFF scheme for client/server pair: Request your inputs
Sowmya Manapragada
skoganty at gmail.com
Tue Aug 11 18:19:54 UTC 2015
Hi All,
Request your help/suggestions on the below problem I am facing; I am
relatively new to NTP and request your inputs.
Problem:
I am trying to configure an NTP server/client pair to use the IFF identity
scheme.
I followed the directions precisely that were on the following ntp page:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey
Both machines are running on Windows 7 / NTP version 4.2.8p2.
Problem is the client never syncs with the server and always rejects it
(authentication: OK, condition: reject, reach: 0).
Please see details below.
*************************************************
server machine:>
*************************************************
<server5672N -ntp.conf>
restrict default kod nomodify notrap noquery
# Authentication
statsdir "D:\ntp\stats\"
statistics cryptostats
filegen cryptostats file cryptostats type none enable
server BLRK05A iburst #timesource
crypto ident iff
crypto pw spassword
keysdir "D:\ntp\keys\"
****************************************************
server-step-1)
#Generate the IFF parameters
D:\ntp\keys> ntp-keygen -T -I -p spassword
server-step-2)
#Export the IFF Group Key
D:\ntp\keys> ntp-keygen -e -p spassword
#o/p on the console
Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
Using host server5672N group server5672N
Using host key ntpkey_host_server5672N
Using host key as sign key
Using IFF keys ntpkey_iffkey_server5672N
Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
# ntpkey_iffpar_server5672N.3648303779
# Tue Aug 11 23:13:27 2015
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Generating new certificate server5672N RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N
.3648303779 failed: Cannot create a file when that file already exists.
RSA-MD5cert: Unknown error
Generating new cert file and link
ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779
#end o/p
server-step-3)
copied the IFF key text (from above, starting with #
ntpkey_iffpar_server5672N.3648303779 to -----END PRIVATE KEY-----) and
pasted it into an editor (Notepad).
Named this file ntpkey_iffpar_server5672N.3648303779.
copied this file onto the client machine into the keys dir and created a
symlink (i.e. on the client machine D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648303779)
**********************************************************
clientmachine:>
**********************************************************
<client-ntp.conf>
restrict default kod nomodify notrap nopeer noquery
crypto ident iff
crypto pw spassword
server server5672N autokey iburst #prefer to connect to this source
************************************************************
//client
------------------------------------------------------------
client-step-1) D:\ntp\keys> ntp-keygen -H -p cpassword
//Obtain the IFF group key exported above (on the server machine), copy the key
file to the keysdir, and create the standard symlink
client-step-2) D:\ntp\keys> mklink ntpkey_iffpar_server5672N
ntpkey_iffpar_server5672N.3648213639
****************************************************************
Results:>
--------------------------------------------------------------
server:
start ntp service on server:
everything works fine on server, rv 0 = c618 ( sync_ntp ) (perfectly synced
with its timesource)
-------------------------------------------------------
problem is with client:> o/p given below -- client keeps rejecting server
and never syncs with its server peer.
ntpq> ass
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  4167  e011   yes   no    ok  reject     mobilize    1
ntpq> rv 4167 flags
flags=0x85301
ntpq> rv 4167
associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
srcadr=server146572n, srcport=123,
dstadr=132.184.117.162, dstport=123, leap=00, stratum=5, precision=-10,
rootdelay=205.750, rootdisp=236.755, refid=132.186.221.175,
reftime=d9741e71.e9570d9c Tue, Aug 11 2015 12:40:41.911,
rec=d974578a.a7f973f4 Tue, Aug 11 2015 16:44:18.656, reach=000,
unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"
------------------------------------------------------------------------------
cryptostats o/p I see on the client machine:
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
----------------------------------------------------------
thanks a lot,
Shyam
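As an added example (not part of the original post or of the ntp project), here is a small Python triage script that decodes the `flash` word from `ntpq rv` and correlates it with cryptostats records, the check a defender runs when an Autokey client shows auth ok but condition reject. The flash bit names are ntpd's TEST1..TEST13; the cryptostats field layout after the peer address (opcode, association id, event code, event name) is read off the lines quoted above; the sample input is constructed from the post.

```python
import re

# ntpd's 13 "flash" test bits (TEST1..TEST13 in ntp.h) with the names ntpq prints for them.
FLASH_NAMES = ["pkt_dup", "pkt_bogus", "pkt_unsync", "pkt_denied", "pkt_auth", "pkt_stratum",
               "pkt_header", "pkt_autokey", "pkt_crypto", "peer_stratum", "peer_dist",
               "peer_loop", "peer_unreach"]
# cryptostats record: MJD seconds peer-address opcode associd event-code event-name
CRYPTO_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\w+)\s+(\d+)\s+(\w+)\s+(\S+)$")

def decode_flash(word):
    """Expand the hex 'flash' word from 'ntpq rv' into the names of the failing tests."""
    value = int(word, 16)
    return [name for i, name in enumerate(FLASH_NAMES) if value & (1 << i)]

def parse_rv(text):
    """Map each key=value pair of 'ntpq rv' output to its first token, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r"(\w+)=([^,\s]*)", text)}

def parse_cryptostats(lines):
    """Parse cryptostats records into dicts; lines that do not match the format are skipped."""
    keys = ("mjd", "seconds", "peer", "opcode", "associd", "code", "event")
    return [dict(zip(keys, m.groups())) for m in map(CRYPTO_RE.match, (l.strip() for l in lines)) if m]

def diagnose(rv_text, cryptostats_lines):
    """Combine both sources into one finding for the association shown by 'rv'."""
    rv = parse_rv(rv_text)
    flash = decode_flash(rv["flash"])
    events = [r["event"] for r in parse_cryptostats(cryptostats_lines) if r["associd"] == rv["associd"]]
    if "pkt_autokey" in flash and "signature_not_verified" in events:
        verdict = "autokey_signature_failure"  # server's signed response failed verification
    elif "pkt_autokey" in flash or "pkt_crypto" in flash:
        verdict = "autokey_incomplete"  # protocol not finished, but no signature error logged
    else:
        verdict = "not_an_autokey_problem"
    return {"associd": rv["associd"], "reach": rv["reach"], "flash": flash,
            "event_count": len(events), "verdict": verdict}

# Constructed sample input, abridged from the ntpq and cryptostats output in the post above.
RV_SAMPLE = ("associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize, "
             "srcadr=server146572n, srcport=123, reach=000, unreach=48, "
             'flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, host="server6572N"')
CRYPTOSTATS_SAMPLE = [
    "57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified",
    "57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified",
]

if __name__ == "__main__":
    print(diagnose(RV_SAMPLE, CRYPTOSTATS_SAMPLE))
```

On the post's data flash=1080 decodes to pkt_autokey plus peer_unreach and every cryptostats record is signature_not_verified (event code 108), which points at the client's copy of the IFF parameters rather than at reachability. Note that the listings above name the exported file ntpkey_iffpar_server5672N.3648303779 on the server but link ntpkey_iffpar_server5672N.3648213639 on the client.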