On Monday, December 5, 2005 at 14:25:37 +0000, Steve Kostecke wrote:
> The correct sym-link for client members of an NTP Trust Group is
> ln -s ntpkey_IFFkey_server.XXXXXXXXXX ntpkey_iff_server
Without an ntpkey_iff_Client on Client to activate IFF scheme
negotiation, I get successful TC authentication.
> This has worked on every NTP Trust Group client member that I've ever
> set up.
What is the best way to know for sure which scheme is in use? Could you
please check:
| $ ntpq -p Client
| remote refid st t when poll reach delay offset jitter
| ==============================================================================
| *Server .DCF. 1 u 990 1024 377 2.291 1.078 0.056
|
| $ ntpq -c rv Client
| assID=0 status=4654 leap_add_sec, sync_ntp, 5 events, event_peer/strat_chg,
| version="ntpd [EMAIL PROTECTED] Oct 19 14:18:48 (UTC+02:00) 2005 (3)",
| processor="unknown", system="WINDOWS/NT", leap=01, stratum=2,
| precision=-17, rootdelay=2.291, rootdispersion=47.807, peer=25165,
| refid=192.168.7.10,
| reftime=c73ff06c.dba53b7d Tue, Dec 6 2005 12:11:40.857, poll=10,
| clock=c73ff84b.98778541 Tue, Dec 6 2005 12:45:15.595, state=4,
| offset=1.078, frequency=-20.771, jitter=0.083, noise=0.350,
| stability=0.013, hostname="Client", signature="md5WithRSAEncryption",
| flags=0x80003, update=200511060130, leapsec=200506280000, tai=32,
| cert="Client Server 0x6", expire=200611060128, cert="Server Server 0x7",
| expire=200610111252, cert="Client Client 0x6", expire=200611052220
|
| $ ntpq -c as Client
| ind assID status conf reach auth condition last_event cnt
| ===========================================================
| 1 25165 f624 yes yes ok sys.peer reachable 2
|
| $ ntpq -c "rv 25165" Client
| assID=25165 status=f624 reach, conf, auth, sel_sys.peer, 2 events, event_reach,
| srcadr=Server, srcport=123, dstadr=192.168.7.12, dstport=123, leap=01,
| stratum=1, precision=-18, rootdelay=0.000, rootdispersion=1.617,
| refid=DCF, reach=377, unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10,
| flash=00 ok, keyid=561218861, ttl=0, offset=1.078, delay=2.291,
| dispersion=18.661, jitter=0.056,
| reftime=c73ff45f.a0d20969 Tue, Dec 6 2005 12:28:31.628,
| org=c73ff46d.4f4e0543 Tue, Dec 6 2005 12:28:45.309,
| rec=c73ff46d.4f5659c3 Tue, Dec 6 2005 12:28:45.309,
| xmt=c73ff46d.4ea5dbe4 Tue, Dec 6 2005 12:28:45.307,
| filtdelay= 2.30 2.29 2.30 1.59 1.58 1.58 2.29 2.25,
| filtoffset= 1.02 1.08 1.00 0.68 0.75 0.75 1.09 1.02,
| filtdisp= 0.01 15.36 30.70 46.09 61.45 76.83 92.22 107.56,
| hostname="Server", signature="md5WithRSAEncryption", flags=0x87f03,
| trust="Server"
|
| $ cat //Client/ntpstats/cryptostats.20051205
| 53709 80480.680 192.168.7.10 newpeer 25165
| 53709 80482.495 ntpkey_RSAkey_Client.3342810008 mod 512
| 53709 80482.504 ntpkey_RSA-MD5cert_Client.3342810008 0x0 len 309
| 53709 80482.539 update ts 3342810082
| 53709 80482.540 refresh ts 3342810082
| 53709 80484.398 192.168.7.10 flags 0x80003 host Server signature md5WithRSAEncryption
| 53709 80486.418 update ts 3342810086
| 53709 80486.420 192.168.7.10 cert Server 0x7 md5WithRSAEncryption (8) fs 3340702253
| 53709 80488.410 192.168.7.10 cook 37fe7690 ts 3342810088 fs 3342755357
| 53709 80490.573 update ts 3342810090
| 53709 80490.573 192.168.7.10 sign Server 0x6 md5WithRSAEncryption (8) fs 3342810008
| 53709 80492.444 update ts 3342810092
| 53709 80492.445 192.168.7.10 leap 96 ts 3342755357 fs 3331497600
| 53709 80529.449 update ts 3342810129
|
| $ ls -l //Client/c\$/Program\ Files/NTP/etc/ntp.keysdir/
| total 3
| -rw-r--r-- 1 Administ None 538 Dec 5 23:20 ntpkey_cert_Client
| -rw-r--r-- 1 Administ None 616 Dec 5 23:20 ntpkey_host_Client
| -rw-r--r-- 1 Administ None 507 Dec 5 23:15 ntpkey_iff_Server
To me, this clearly looks like TC scheme.
Serge.
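
Added example, not part of the original message or of the NTP distribution: one way to answer "which scheme is in use" is to decode the Autokey flags word that `ntpq -c rv` prints. The bit values are assumed to match ntpd's include/ntp_crypto.h of that era, and the function names are hypothetical.

```python
import re

# Autokey status-word bits as in ntpd's include/ntp_crypto.h (assumption:
# 4.2-era values; check them against the header of the build you run).
CRYPTO_ENAB = 0x0001
IDENT_BITS = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
PEER_BITS = {
    0x0100: "public key verified",
    0x0200: "identity verified",
    0x0400: "signature verified",
    0x0800: "cookie verified",
    0x1000: "autokey verified",
    0x2000: "certificate signed",
    0x4000: "leapseconds verified",
}

def decode_flags(flags):
    """Split an Autokey flags word into digest NID, scheme and peer status."""
    schemes = [name for bit, name in IDENT_BITS.items() if flags & bit]
    return {
        "nid": flags >> 16,  # OpenSSL NID of the signature scheme
        "enabled": bool(flags & CRYPTO_ENAB),
        # No identity bit set: only the certificate trail (TC) is in use.
        "scheme": "+".join(schemes) if schemes else "TC",
        "status": [name for bit, name in PEER_BITS.items() if flags & bit],
    }

def scheme_from_rv(rv_text):
    """Find flags=0x... in `ntpq -c rv` output and decode it."""
    m = re.search(r"\bflags=0x([0-9a-fA-F]+)", rv_text)
    if m is None:
        raise ValueError("no Autokey flags variable in rv output")
    return decode_flags(int(m.group(1), 16))

# Excerpts of the two rv outputs quoted in the post above.
SYSTEM_RV = ('hostname="Client", signature="md5WithRSAEncryption",\n'
             'flags=0x80003, update=200511060130,')
PEER_RV = ('hostname="Server", signature="md5WithRSAEncryption", '
           'flags=0x87f03,\ntrust="Server"')

if __name__ == "__main__":
    for label, text in (("system", SYSTEM_RV), ("peer 25165", PEER_RV)):
        d = scheme_from_rv(text)
        print(f"{label}: scheme={d['scheme']} nid={d['nid']} status={d['status']}")
```

An association negotiated with IFF would show bit 0x20 set in the low byte of the flags word, for example 0x80023 on the system variables.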