[ntp:questions] ntpq authentication problem

catherine.wei1989 at gmail.com
Mon Mar 2 07:40:26 UTC 2015


On Monday, March 2, 2015 at 1:03:47 PM UTC+8, catherin... at gmail.com wrote:
> On Friday, February 27, 2015 at 7:45:03 PM UTC+8, Martin Burnicki wrote:
> > catherine.wei1989 at gmail.com wrote:
> > > On Friday, February 27, 2015 at 5:54:41 PM UTC+8, catherin... at gmail.com wrote:
> > >> On Friday, February 27, 2015 at 4:45:03 PM UTC+8, Martin Burnicki wrote:
> > >>> catherine.wei1989 at gmail.com wrote:
> > >>>> I'm upgrading ntp from 4.6.1 to 4.8.1, and need to change some commands which depend on ntpdc to ntpq since ntpdc has been deprecated in version 4.8.1. And I met a problem.
> > >>>>
> > >>>> When I first set the keyid to 0, it said "Invalid key identifier", so I set it to 1, but it requires an MD5 password. I don't quite understand how to get the keyid and password.
> > >>>>
> > >>>> Can you give me some advice? Appreciate your help very much.
> > >>>>
> > >>>>
> > >>>> ~ # ntpq
> > >>>> ntpq> :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
> > >>>> Keyid: 0
> > >>>> Invalid key identifier
> > >>>> ntpq> :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
> > >>>> Keyid: 1
> > >>>> MD5 Password:
> > >>>> ***Server disallowed request (authentication?)
> > >>>> ntpq>
> > >>>>
> > >>>
> > >>> Please see my reply to your other posting. Why do you post basically the
> > >>> same question three times?
> > >>>
> > >>> Martin
> > >>> --
> > >>> Martin Burnicki
> > >>>
> > >>> Meinberg Funkuhren
> > >>> Bad Pyrmont
> > >>> Germany
> > >>
> > >> Hi, I appreciate your kind response. I've generated a file:
> > >>   1 MD5 P[G\;5Ob@[\[Ni4PJx3&  # MD5 key
> > >>   2 MD5 z}6`X[cpV%UDktmbghiA  # MD5 key
> > >>   3 MD5 %(4%pM<~(8p[cn,,S/0N  # MD5 key
> > >>   4 MD5 TT_QA;=x*G$4p1-d"1;C  # MD5 key
> > >>   5 MD5 ml~KoJ*<`vM&7fxTeR.@  # MD5 key
> > >>   6 MD5 +wc93d8[~tBRyzd<GL{L  # MD5 key
> > >>   7 MD5 _WMzU`YQpwN&?5TYJ^5i  # MD5 key
> > >>   8 MD5 ~1zzyA.9-fM[|>Zv|mpv  # MD5 key
> > >>   9 MD5 ?N4f+')!S9 at 7.V*G3,xI  # MD5 key
> > >> 10 MD5 <>u;LcQ*cJ8{%yKo`z1?  # MD5 key
> > >> 11 SHA1 591701ab51fd2936651ce6920ffecc3ea5b99dea  # SHA1 key
> > >> 12 SHA1 6fe71721baef0e91c41e23984cf9f663f18ba112  # SHA1 key
> > >> 13 SHA1 bb96c2b73f01659194a94cadc496cedfa12f3832  # SHA1 key
> > >> 14 SHA1 51f5237ef46c99492070deb5a762d7f434794b58  # SHA1 key
> > >> 15 SHA1 21c578d9e5d56a8bdc0560443f96f1047c93a276  # SHA1 key
> > >> 16 SHA1 5c3927c1e05559f5695a353636d4c3ddff6e7e11  # SHA1 key
> > >> 17 SHA1 14321c68317d531e004497bd9b6b0d475630a291  # SHA1 key
> > >> 18 SHA1 89ac3debc33937ba25638ef0fc035d830fea6fe5  # SHA1 key
> > >> 19 SHA1 9f47dda7ae80426c6aa8acac22dc9afef4b900fb  # SHA1 key
> > >> 20 SHA1 80515077771a9e6d5bb70d6985b236008d962f34  # SHA1 key
> > >>
> > >>   I've renamed it to ntp.keys and put it at /etc/ntp.keys. My /etc/ntp.conf file is like this:
> > >>
> > >> driftfile /etc/ntp.drift
> > >> keys /etc/ntp.keys
> > >> trustedkey 1 5
> > >> controlkey 5
> > >> restrict default ignore
> > >> restrict 127.0.0.1
> > >> broadcastdelay 0.008
> > >> #6000000000s because we start at 1970
> > >> tinker panic 6000000000
> > >> restrict 3.cn.pool.ntp.org nomodify notrap
> > >> server 3.cn.pool.ntp.org minpoll 3 maxpoll 4
> > >>
> > >> However, when I run ntpq:
> > >> ~ # ntpq
> > >> ntpq> :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
> > >> Keyid: 5
> > >> MD5 Password:(password corresponding to keyid 5 in /etc/ntp.keys)
> > >> ***Server disallowed request (authentication?)
> > >>
> > >> I don't know why this happens. Do I need some other configuration? Thank you so much.
> > 
> > Hm, that should work.
> > Can you try it with a simple password first? E.g.:
> > 
> > 1 MD5 passwd1
> > 5 MD5 passwd5
> > 
> > > By the way, how can I define the controlkey for ntpq? In my case, I just defined the controlkey as 5 randomly. Is there any rule?
> > 
> > AFAIK there is no rule. The keys file is just a list of passwords. If 
> > you have more than one machine running ntpd then every other machine 
> > may have a single, individual trusted key, each with index 1.
> > 
> > If your local ntpd should talk to all the others then of course you 
> > can't add several keys with index 1 in your local file, so you need to 
> > have a keys file containing all the keys of the other servers, for time 
> > sync, plus the control key for your local ntpd. The number is just 
> > associated to the entry number of the keys file you are supplying to 
> > your local ntpd.
> > 
> > This is very flexible, but you need to take care to get the keys and 
> > index/ID numbers right.
> > 
> > > The third column in /etc/ntp.keys is the password of MD5, right?
> > 
> > Yes.
> > 
> > 
> > Martin
> > -- 
> > Martin Burnicki
> > 
> > Meinberg Funkuhren
> > Bad Pyrmont
> > Germany
> 
> Hi, thank you for your answer. I typed the wrong password. When I changed the complicated password to a simple one, say "mypassword", and tested it again, authentication passed. But it's strange: why can I change the password? As it is generated by the ntp md5 algorithm, if I change the password, then authentication should fail and the ntp server can't parse the new password, in my understanding.

It seems that the authentication just happens between ntpq and ntpd on localhost and is not related to the remote ntp server, right?
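
An added illustration, not part of the original thread and not ntpd's own code: a simplified model of the symmetric-key check behind the "Server disallowed request (authentication?)" message. Each entry in the keys file is a shared secret, and both sides compute a digest over secret plus request bytes. The key values, request bytes and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed keys file in the format shown in the thread: id, type, secret.
KEYS_FILE = """\
1 MD5 passwd1   # time-sync key
5 MD5 passwd5   # control key (controlkey 5 in ntp.conf)
11 SHA1 000102030405060708090a0b0c0d0e0f10111213  # constructed hex key
"""

def parse_keys(text):
    """Return {keyid: (digest_name, secret_bytes)} from ntp.keys-style text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        keyid, ktype, secret = int(fields[0]), fields[1].lower(), fields[2]
        # Secrets of up to 20 characters are ASCII; longer ones are hex.
        raw = secret.encode("ascii") if len(secret) <= 20 else bytes.fromhex(secret)
        keys[keyid] = (ktype, raw)
    return keys

def make_mac(keys, keyid, message):
    """MAC appended to a request: 4-byte key ID + digest(secret || message)."""
    ktype, secret = keys[keyid]
    digest = hashlib.new(ktype, secret + message).digest()
    return struct.pack("!I", keyid) + digest

def verify(keys, controlkey, message, mac):
    """Server-side check: key ID is the control key and the digest matches."""
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid != controlkey or keyid not in keys:
        return False
    return hmac.compare_digest(make_mac(keys, keyid, message), mac)

server_keys = parse_keys(KEYS_FILE)
request = b"constructed stand-in for the ntpq request bytes"

# Client typed the secret that matches entry 5 in the server's file: accepted.
good = make_mac({5: ("md5", b"passwd5")}, 5, request)
# Client typed a different string: the digests differ and the request is refused.
bad = make_mac({5: ("md5", b"typo")}, 5, request)
```

The secret itself never travels in the request, only the key ID and the digest, so any string works as long as the client and the ntpd being queried hold the same one.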


