[ntp:questions] Autokey IFF

Fabien greenboww at gmail.com
Mon Jun 19 14:16:08 UTC 2017


Hello,

I'm trying to set up an NTP infrastructure using the Autokey feature in IFF mode, but I have difficulty understanding how it works. I'm using NTP 4.2.6p5. I've set up a virtual machine lab:

https://docs.google.com/drawings/d/1-Di-8ih915ti5jIhDmQgS7T3BVmnAJJPkRyAGwZ64Cg/edit?usp=sharing

00 is a physical ntp server.
01 and 02 are the Trusted Hosts (TH). 01 is the Trusted Agent (TA).
03 and 04 are the clients.

On 01, I generated the group keys with:
        ntp-keygen -T -I -p azerty -i mongroup
and I have distributed the group parameters to the clients (and then created a symlink on them) with:
        ntp-keygen -e -p azerty
Its ntp.conf contains:
        …
        restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust   # where XXX… is my subnet
        …
        crypto pw azerty ident mongroup
        keysdir /etc/ntp/crypto

On 03 and 04 (the clients) I've generated their certificates with:
        ntp-keygen -H -p client -i mongroup
Their ntp.conf files are:
        …
        server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup   # XXX… is the 01 address
        …
        crypto pw client
        keysdir /etc/ntp/crypto

I can verify that this configuration works by checking the association flags with: ntpq -c "rv ASSOCID flags"
(Also, my flags are 5 digits long, but 4 digits long in the support guide: http://support.ntp.org/bin/view/Support/ConfiguringAutokey . Why?)

I want 02 in the same group and in IFF mode too, but I cannot make it work. I think I have to use the command:
        ntp-keygen -p azerty -q root
on 01 (root is the password on 02) and share the private group key with 02?

I did several tests; on 02 I generated another group key (with the same group name as 01) without distributing its parameters to the clients.
On 02:
        ntp-keygen -T -I -i mongroup -p root
ntp.conf:
        …
        restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust   # where XXX… is my subnet
        …
        crypto pw root ident mongroup
        keysdir /etc/ntp/crypto

On 03 and 04, the ntp.conf files are:
        …
        server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup   # with the 01 address
        server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup   # with the 02 address
        …
        crypto pw client
        keysdir /etc/ntp/crypto

When I start ntpd on 02, 03 and 04, the clients are able to synchronize with 02, and in IFF mode! How is it possible? They don't share anything.
I think someone could do a MITM attack and take the place of 02 (correct me if I'm wrong).

I read the documentation on https://www.eecis.udel.edu/~mills/ntp/html/index.html but this is a bit confusing.

Plus, I cannot make the symmetric link between 03 and 04 work in IFF mode, but here I do not know if that's possible.

Let me know if I didn't make it clear.

Thanks (and excuse my English).
Fabien
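Since the question above is how a client can verify a server in IFF mode when the two share nothing but the group parameters, here is a toy model of the IFF challenge/response as described in RFC 5906 (the Autokey specification). It is an added illustration, not code from the original post, from ntpd or from ntp-keygen; the tiny group parameters, the SHA-256 digest and every function name are assumptions made for the example. It models the Trusted Agent keeping the private group key b and giving clients only (p, q, g, v), and shows that a server holding a different b under the same group name is rejected while one given the TA's b is accepted.

```python
"""Toy model of the Autokey IFF identity exchange (after RFC 5906).

Names, digest choice and the tiny parameters below are assumptions for
illustration only; this is not ntpd's or ntp-keygen's code.
"""
import hashlib
import secrets

# Toy group parameters (assumption: far too small for real use; ntp-keygen
# generates real ones). q is prime, p = 2q + 1 is prime, g has order q mod p.
P, Q, G = 2039, 1019, 4


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_params(p, q, g):
    """Sanity-check (p, q, g): g must generate the order-q subgroup mod p."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and g != 1 and pow(g, q, p) == 1)


def ta_generate_group(p, q, g, b=None):
    """Trusted Agent: choose the private group key b, publish v = g^(q-b) mod p.

    b stays with the TA and the servers it is deliberately shared with;
    clients only ever receive (p, q, g, v).
    """
    if b is None:
        b = secrets.randbelow(q - 1) + 1      # 0 < b < q
    v = pow(g, q - b, p)
    return b, v


def _digest(x, p):
    # Digest choice is an assumption; the scheme only needs a fixed hash.
    return hashlib.sha256(x.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def client_challenge(q):
    """Client: random nonce r, 0 < r < q."""
    return secrets.randbelow(q - 1) + 1


def server_response(b, r, p, q, g):
    """Server: prove knowledge of b without revealing it.

    y = k + b*r mod q and x = g^k mod p; only y and hash(x) are sent.
    """
    k = secrets.randbelow(q - 1) + 1
    y = (k + b * r) % q
    x = pow(g, k, p)
    return y, _digest(x, p)


def client_verify(r, y, hx, v, p, g):
    """Client: z = g^y * v^r mod p equals g^k exactly when the server used the real b."""
    z = (pow(g, y, p) * pow(v, r, p)) % p
    return _digest(z, p) == hx


def run_exchange(server_b, client_v, p=P, q=Q, g=G):
    """One challenge/response round; True if the client accepts the server."""
    r = client_challenge(q)
    y, hx = server_response(server_b, r, p, q, g)
    return client_verify(r, y, hx, client_v, p, g)


if __name__ == "__main__":
    assert check_params(P, Q, G)
    # Host 01 (TA) generates the group; clients get only (P, Q, G, v01).
    b01, v01 = ta_generate_group(P, Q, G)
    # Host 02 generates its own group with the same *name* but a different b.
    b02, _ = ta_generate_group(P, Q, G)
    while b02 == b01:
        b02, _ = ta_generate_group(P, Q, G)
    print("01 with its own b, client holds v01:", run_exchange(b01, v01))  # True
    print("02 with its own b, client holds v01:", run_exchange(b02, v01))  # False
    print("02 given 01's group key b01, client holds v01:", run_exchange(b01, v01))  # True
```

In this model the only secret is b: a client verifies any server that knows it using just the public (p, q, g, v) it was given, so a second server in the group needs the TA's b rather than a freshly generated group that merely reuses the group name. What ntpd 4.2.6p5 actually did in the lab described above is not modelled here.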


