NTP configuration AutoKey Feature "excerpt"


Excerpt from NTP website: http://support.ntp.org/bin/view/Support/ConfiguringAutokey

6.7. Autokey Configuration for NTP stable releases

This topic provides a step-by-step guide for setting up NTP Autokey authentication for NTP stable release versions 4.2.6 and later. The material contained in this topic is not applicable to releases in the ntp-dev series.

Users of NTP 4.2.4 or earlier should consult Autokey Configuration for NTP 4.2.4.

Users of ntp-dev should consult ConfiguringAutokeyDev for errata and notes pertaining to the ntp-dev series of releases.

See the NTP Authentication specification and the briefing slides on the Network Time Synchronization Project page for in-depth information about NTP authentication.

There are three identity schemes available in the NTP reference implementation: IFF, GQ, and MV. See the Identity Scheme documentation for detailed information about the identity schemes. Although examples of server parameter generation and client parameter installation are provided for all available identity schemes, it is not necessary to use all of them.

Enforcement of NTP authentication (with restrict statements) is beyond the scope of this topic. Note that configuring Autokey by itself does not reject unauthenticated peers; ntpd only insists on cryptographic authentication for sources covered by a restrict rule carrying the notrust flag.

6.7.2.2.1. Broadcast and multicast Autokey is configured on the server side. 6.7.3.2.1. Unicast Autokey is configured on the client side.

Read 6.7.1. How to use this guide before starting.

  • 6.7. Autokey Configuration for NTP stable releases
    • 6.7.1. How to use this guide
    • 6.7.2. Server Set-up
      • 6.7.2.1. Create the NTP Keys directory
      • 6.7.2.2. Edit ntp.conf
        • 6.7.2.2.1. Broadcast and multicast Autokey
      • 6.7.2.3. Generate Server Parameters
        • 6.7.2.3.1. IFF Parameters
      • 6.7.2.4. Restart ntpd
      • 6.7.2.5. Server Parameter Update
    • 6.7.3. Client Set-up
      • 6.7.3.1. Create the NTP Keys directory
      • 6.7.3.2. Edit ntp.conf
        • 6.7.3.2.1. Unicast Autokey
      • 6.7.3.3. Generate Client Parameters
      • 6.7.3.4. Install group/client Keys
        • 6.7.3.4.1. IFF Group Keys
      • 6.7.3.5. Restart ntpd
      • 6.7.3.6. Client Parameter Update
    • 6.7.4. Monitoring Authentication Status
      • 6.7.4.1. Crypto Association Flags
    • 6.7.5. Related Links

6.7.1. How to use this guide

    1. Perform the server set-up before performing the client set-up.
    2. Follow each step in this guide.

This guide currently only addresses the IFF identity scheme.

6.7.2. Server Set-up

This section pertains only to systems that are the NTP servers for an NTP trust group; see 6.7.3. Client Set-up for systems that will only be NTP clients. Trusted NTP servers that also operate as clients of other NTP servers may need to follow 6.7.3.4. Install group/client Keys.

6.7.2.1. Create the NTP Keys directory

Create a directory for the NTP keys (e.g. /etc/ntp).

6.7.2.2. Edit ntp.conf

Add the following lines to ntp.conf:

crypto pw serverpassword
keysdir /etc/ntp

You may need to add the following line to ntp.conf if ntpd dies with a "crypto_setup: random seed file not found" error:

crypto randfile /dev/urandom

6.7.2.2.1. Broadcast and multicast Autokey

Append autokey to the broadcast line in ntp.conf for the broadcast/multicast address you want to authenticate with Autokey:

broadcast my.broadcast.or.multicast.address autokey

The assigned NTP multicast address is 224.0.1.1, but other valid multicast addresses may be used.

6.7.2.3. Generate Server Parameters

This section covers Server Parameter generation for the IFF Identity Scheme.

The server key and certificate are generated if they are missing when a set of parameters is generated. The server certificate is updated when existing parameters are updated or additional parameters are generated.

The -T option for ntp-keygen (generate a trusted certificate, i.e. the trust anchor for the group) should be used by a trusted authority (e.g. the time server) for the NTP trust group.

6.7.2.3.1. IFF Parameters

The IFF parameter generation process produces a server key that must not be distributed to other members of the NTP trust group.

Generate the IFF parameters with the following commands:

cd /etc/ntp
ntp-keygen -T -I -p serverpassword

You must export an IFF group key for use by the members of the trust group. This group key is unencrypted and can be handled in the same manner as a PGP/GPG public key: it need not be kept secret, but clients must obtain it from the genuine trust group server, because a client that installs a group key from some other source will accept that source's servers as authentic.

Export the IFF group key with the following commands:

cd /etc/ntp
ntp-keygen -e -p serverpassword

The IFF group key is written to stdout unless you redirect it to a file. The target file name of the IFF group key is given on one of the first lines of the output.

This exported IFF group key is used in 6.7.3.4.1. IFF Group Keys.

IFF group keys can be distributed in any convenient manner (e.g. on a web page or even by pasting them across terminal windows).

IFF group keys can also be extracted and mailed with the following commands:

cd /etc/ntp
ntp-keygen -e -p serverpassword | mail [email protected]

6.7.2.4. Restart ntpd

Restart ntpd. Watch the output of ntpq -p to make sure the server is able to start.

6.7.2.5. Server Parameter Update

The server key and certificate are valid for only one year and should be updated periodically (e.g. monthly). This can be scripted with the following commands, which take the password from the crypto pw line of ntp.conf (its third field):

cd /etc/ntp
ntp-keygen -T -q `awk '/crypto pw/{print $3}' </etc/ntp.conf`

6.7.3. Client Set-up

This section pertains only to systems that will be clients of an NTP trust group.

6.7.3.1. Create the NTP Keys directory

Create a directory for the NTP keys (e.g. /etc/ntp).

6.7.3.2. Edit ntp.conf

Add the following lines to ntp.conf:

crypto pw clientpassword
keysdir /etc/ntp

You may need to add the following line to ntp.conf if ntpd dies with a "crypto_setup: random seed file not found" error:

crypto randfile /dev/urandom

6.7.3.2.1. Unicast Autokey

Append autokey to the server line in ntp.conf for the time server you want to authenticate with Autokey in a unicast association:

server ntp.i_have_the_key.for autokey

6.7.3.3. Generate Client Parameters

The -T option for ntp-keygen must not be used on systems that are only clients of an NTP trust group.

Generate the client key and certificate with the following commands:

cd /etc/ntp
ntp-keygen -H -p clientpassword

6.7.3.4. Install group/client Keys

This section covers the installation of group/client keys for all identity schemes. You only need to install the group/client keys used by the NTP trust group this client will be joining.

6.7.3.4.1. IFF Group Keys

Obtain the IFF group key, exported in 6.7.2.3.1. IFF Parameters, from your time server operator, copy the key file to the keysdir, and create the standard symlink.
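The symlink command itself is missing from this excerpt. The shell script below is an added example, not code from the NTP guide or the NTP project, of the whole install step: it finds the target file name in the comment header of the exported key, copies the file into the keysdir, and creates the ntpkey_iffkey_<group> link under which ntpd's crypto setup loads the group key (the target name with the IFFkey tag lowercased and the filestamp suffix dropped). The keysdir path, the group name ntp.example.com, the filestamp and the key body are constructed for the demo; the real target name is the one printed by ntp-keygen -e on the server.

```shell
#!/bin/sh
# Added example, not part of the NTP guide: install an IFF group key exported
# with "ntp-keygen -e" on the server into this client's keysdir and create the
# symlink that ntpd loads.  Everything created under mktemp here is constructed
# for the demo; on a real client, keysdir is the directory named by the
# "keysdir" line of ntp.conf.

# The exported key starts with comment lines; one of them carries the target
# file name, e.g. "# ntpkey_IFFkey_<group>.<filestamp>".  Return that name.
iff_key_target_name() {
    awk '/^#/ { sub(/^#[ \t]*/, "")
                if ($1 ~ /^ntpkey_IFFkey_/) { print $1; exit } }' "$1"
}

# ntpd looks for the fixed name ntpkey_iffkey_<group>: the target name with the
# scheme tag lowercased and the trailing .<filestamp> removed.
iff_key_link_name() {
    printf '%s\n' "$1" | sed -e 's/^ntpkey_IFFkey_/ntpkey_iffkey_/' \
                             -e 's/\.[0-9][0-9]*$//'
}

# install_iff_group_key KEYSDIR EXPORTED_FILE -> prints the link path created
install_iff_group_key() {
    keysdir=$1
    keyfile=$2
    target=$(iff_key_target_name "$keyfile")
    case $target in
        ntpkey_IFFkey_*.[0-9]*) ;;
        *) echo "refusing: $keyfile does not look like an exported IFF group key" >&2
           return 1 ;;
    esac
    link=$(iff_key_link_name "$target")
    cp "$keyfile" "$keysdir/$target" || return 1
    # Replace any previous link so a re-exported key takes effect.
    rm -f "$keysdir/$link"
    ln -s "$target" "$keysdir/$link" || return 1
    printf '%s\n' "$keysdir/$link"
}

# Constructed stand-in for the file the server operator sends.  The body is
# not a real key; only the header line matters to the install logic.
write_sample_exported_key() {
    cat > "$1" <<'EOF'
# ntpkey_IFFkey_ntp.example.com.3599859526
# Sun Jan 31 12:00:00 2010
constructed-placeholder-not-a-real-key
EOF
}

# Demo when run directly: client keysdir and exported key live in a temp dir.
demo_dir=$(mktemp -d)
write_sample_exported_key "$demo_dir/from-server.key"
mkdir -p "$demo_dir/etc_ntp"
install_iff_group_key "$demo_dir/etc_ntp" "$demo_dir/from-server.key"
ls -l "$demo_dir/etc_ntp"
rm -rf "$demo_dir"
```

The sanity check on the header is there because ntpd reads whatever sits behind ntpkey_iffkey_<group>; pasting the wrong file (or a truncated paste from a terminal window) should fail here rather than at the next restart.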

6.7.3.5. Restart ntpd

Restart ntpd. Watch the output of ntpq -p to make sure the client is able to start and synchronize with the server.

6.7.3.6. Client Parameter Update

The client key and certificate are valid for only one year and should be updated periodically (e.g. monthly) with the following commands, which take the password from the crypto pw line of ntp.conf (its third field):

cd /etc/ntp
ntp-keygen -q `awk '/crypto pw/{print $3}' </etc/ntp.conf`

6.7.4. Monitoring Authentication Status

It is not usually necessary to run ntpd in debug mode to troubleshoot authentication problems.

Use ntpq -c "rv 0 cert" to view the Autokey certificates held by ntpd.

Use ntpq -c as to check the authentication status of NTP associations. Authenticated associations display ok in the auth column:

ind assid status  conf reach auth  condition  last_event cnt
===========================================================
  1 26132  f694   yes   yes  ok    sys.peer   reachable    9

For detailed information about an authenticated association, use its assid from ntpq -c as in the following command:

ntpq -c "rv assid flags"

An Autokey+IFF association without a verified leapseconds table shows the following flags on the client:

flags=0x83f21

An Autokey+IFF association with a verified leapseconds table shows the following flags on the client (the two values differ only in the CRYPTO_FLAG_LEAP bit, 0x4000, listed in 6.7.4.1):

flags=0x87f21

6.7.4.1. Crypto Association Flags
/*
 * The following bits are set by the CRYPTO_ASSOC message from
 * the server and are not modified by the client.
 */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */

/*
 * The following bits are used by the client during the protocol
 * exchange.
 */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
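To turn a flags value from ntpq -c "rv assid flags" back into the names above without reading hex by hand, the script below is an added example (not from the NTP guide or the ntp sources) that decodes it against the table in 6.7.4.1. CRYPTO_FLAG_MASK is a mask rather than a flag, so it is left out of the lookup; any bit the table does not name is reported separately rather than dropped, which is what happens with the 0x80000 bit present in both of the guide's sample values, whose meaning this page does not give.

```shell
#!/bin/sh
# Added example, not part of the NTP guide: decode the value printed by
# ntpq -c "rv <assid> flags" using the CRYPTO_FLAG_* bits from 6.7.4.1.
# Bits that the table does not name are reported instead of being dropped.

# bit  name  description.  CRYPTO_FLAG_MASK is a mask, not a flag, so it is
# deliberately not listed.
CRYPTO_FLAG_TABLE='
0x0001 CRYPTO_FLAG_ENAB  crypto enable
0x0002 CRYPTO_FLAG_TAI   leapseconds table
0x0010 CRYPTO_FLAG_PRIV  PC identity scheme
0x0020 CRYPTO_FLAG_IFF   IFF identity scheme
0x0040 CRYPTO_FLAG_GQ    GQ identity scheme
0x0080 CRYPTO_FLAG_MV    MV identity scheme
0x0100 CRYPTO_FLAG_VALID public key verified
0x0200 CRYPTO_FLAG_VRFY  identity verified
0x0400 CRYPTO_FLAG_PROV  signature verified
0x0800 CRYPTO_FLAG_AGREE cookie verified
0x1000 CRYPTO_FLAG_AUTO  autokey verified
0x2000 CRYPTO_FLAG_SIGN  certificate signed
0x4000 CRYPTO_FLAG_LEAP  leapseconds table verified
'

# Accept "0x83f21" or the raw ntpq form "flags=0x83f21"; print it in decimal.
crypto_flags_value() {
    v=${1#flags=}
    printf '%d\n' "$(( $v ))"
}

# Exit 0 if NAME's bit is set in FLAGS, 1 otherwise (also if NAME is unknown).
crypto_flag_set() {
    flags=$(crypto_flags_value "$1")
    while read -r bit name desc; do
        [ -n "$bit" ] || continue
        if [ "$name" = "$2" ]; then
            [ $(( $flags & $bit )) -ne 0 ] && return 0
            return 1
        fi
    done <<EOF
$CRYPTO_FLAG_TABLE
EOF
    return 1
}

# Print the bits of FLAGS that the table does not cover, as 0x... (0x0 if none).
unknown_crypto_flags() {
    flags=$(crypto_flags_value "$1")
    known=0
    while read -r bit name desc; do
        [ -n "$bit" ] || continue
        known=$(( $known | $bit ))
    done <<EOF
$CRYPTO_FLAG_TABLE
EOF
    printf '0x%x\n' "$(( $flags & ~$known ))"
}

# Print one line per set flag, then any unknown bits.
decode_crypto_flags() {
    flags=$(crypto_flags_value "$1")
    while read -r bit name desc; do
        [ -n "$bit" ] || continue
        [ $(( $flags & $bit )) -ne 0 ] && printf '%s %-17s %s\n' "$bit" "$name" "$desc"
    done <<EOF
$CRYPTO_FLAG_TABLE
EOF
    printf 'unknown bits: %s\n' "$(unknown_crypto_flags "$1")"
}

# The two client values quoted in the guide; they differ only in CRYPTO_FLAG_LEAP.
decode_crypto_flags flags=0x83f21
echo ---
decode_crypto_flags flags=0x87f21
```

When checking a client after set-up, the bits worth confirming are CRYPTO_FLAG_VRFY (the identity scheme proof succeeded, so the group key installed in 6.7.3.4.1 matched the server) and CRYPTO_FLAG_AUTO; an association that never gets past CRYPTO_FLAG_VALID usually points at a wrong or missing group key rather than at the certificate.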
