On 2005-12-07, Serge Bets <[EMAIL PROTECTED]> wrote:
> On Wednesday, December 7, 2005 at 14:53:41 +0000, Steve Kostecke wrote:
>
>> I see messages like this in my cryptostats file:
>>
>> 53711 46391.640 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
>> 53711 46391.686 192.168.19.4 iff fs 3315100165
>
> Good. IIUC this is a sure proof that IFF key was loaded and used. Was
> IFFkey or something else also loaded at startup, between host key and
> cert? What are flags of this association, and default flags?
Test Server: ntp0
Test Client: stasis
With the following files in the client's /etc/ntp:
ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910
And autokey specified on the server line in the client's ntp.conf:
server 192.168.19.4 iburst autokey
ntpq on the client shows:
$ ntpq -pcas
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp0.kostecke.n .CHU1.           1 u   63   64  177    0.846   -1.117   0.384

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 11468  f614   yes   yes   ok   sys.peer   reachable   1

$ ntpq -c"rv 11468 flags" | tail -n1
flags=0x83f21
And cryptostats on the client shows (the default flags are in this
extract):
53712 65898.541 192.168.19.4 newpeer 11468
53712 65898.557 ntpkey_RSAkey_stasis.3342803910 mod 512
53712 65898.557 ntpkey_IFFpar_stasis.3342803910 mod 384
53712 65898.559 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
53712 65899.447 refresh ts 0
53712 65899.449 192.168.19.4 flags 0x80021 host ntp0.kostecke.net \
signature md5WithRSAEncryption
53712 65901.450 192.168.19.4 cert ntp0.kostecke.net 0x3 \
md5WithRSAEncryption (8) fs 3315100165
53712 65903.447 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53712 65903.491 192.168.19.4 iff fs 3315100165
53712 65905.477 192.168.19.4 cook b7b21c32 ts 3343054705 fs 3343009811
53712 65908.461 update ts 3343054708
53712 65909.510 update ts 3343054709
53712 65909.510 192.168.19.4 sign ntp0.kostecke.net 0x3 \
md5WithRSAEncryption (8) fs 3342803910
If I remove the symlink, I don't see the IFF key lines in cryptostats.
ntpq on the client shows:
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp0.kostecke.n .CRYP.          16 u    -   64    0    0.000    0.000 4000.00

$ ntpq -cas
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1  4828  e000   yes   yes   ok   reject

$ ntpq -c"rv 4828 flags" | tail -n1
No information returned for association 4828
Replacing the ntpkey_iff_server symlink with an ntpkey_iff_client
symlink does allow the Autokey/IFF authentication to occur. So does
using both symlinks at the same time.
In one sense you're correct: it is _possible_ to use an
ntpkey_iff_client symlink. But it is not _necessary_ to do so.
One of the features of NTP Authentication is that any ntpd may belong to
more than one Trust Group. Using an ntpkey_iff_client symlink (or file)
breaks this feature.
--
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
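As an added example (not part of the post above and not NTP project code), the following script ties the two things the post compares: the symlink layout in the client's key directory and the records ntpd writes to cryptostats. It parses records of the shape shown in the post ("MJD seconds [peer] message"), validates that each ntpkey_host_/ntpkey_cert_/ntpkey_iff_ link points at a correspondingly named ntpkey_<Type>_<name>.<filestamp> file, and confirms that the IFF group key the client actually read carries the same filestamp the server reported in its "iff fs <fstamp>" record. The log lines are copied from the post's client-side extract (continuation lines joined); the "symlink removed" variant is constructed from them by dropping the two IFF records, as the post describes. Function names, the dict form of the listing, and the IPv4-only peer detection are this example's own assumptions.

```python
"""Cross-check an Autokey/IFF exchange against the key-directory layout.

Added example; not from the mailing-list post or the NTP project.
"""
import re

# Copied from the post's cryptostats extract (backslash continuations joined).
CRYPTOSTATS_OK = """\
53712 65898.541 192.168.19.4 newpeer 11468
53712 65898.557 ntpkey_RSAkey_stasis.3342803910 mod 512
53712 65898.557 ntpkey_IFFpar_stasis.3342803910 mod 384
53712 65898.559 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
53712 65899.447 refresh ts 0
53712 65899.449 192.168.19.4 flags 0x80021 host ntp0.kostecke.net signature md5WithRSAEncryption
53712 65901.450 192.168.19.4 cert ntp0.kostecke.net 0x3 md5WithRSAEncryption (8) fs 3315100165
53712 65903.447 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53712 65903.491 192.168.19.4 iff fs 3315100165
53712 65905.477 192.168.19.4 cook b7b21c32 ts 3343054705 fs 3343009811
53712 65908.461 update ts 3343054708
53712 65909.510 update ts 3343054709
53712 65909.510 192.168.19.4 sign ntp0.kostecke.net 0x3 md5WithRSAEncryption (8) fs 3342803910
"""

# Constructed variant: the two IFF records missing, as when the symlink is removed.
CRYPTOSTATS_NO_IFF = "".join(
    line + "\n" for line in CRYPTOSTATS_OK.splitlines()
    if "IFFkey" not in line and " iff fs " not in line
)

# Symlink layout from the post, as {link name: target file name} (assumed format).
LINKS = {
    "ntpkey_iff_ntp0.kostecke.net": "ntpkey_IFFkey_ntp0.kostecke.net.3315100165",
    "ntpkey_cert_stasis": "ntpkey_RSA-MD5cert_stasis.3342803910",
    "ntpkey_host_stasis": "ntpkey_RSAkey_stasis.3342803910",
}
LINKS_NO_IFF = {k: v for k, v in LINKS.items() if not k.startswith("ntpkey_iff_")}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KEYFILE = re.compile(r"^ntpkey_(?P<type>[A-Za-z0-9-]+)_(?P<name>.+)\.(?P<fstamp>\d+)$")
LINKNAME = re.compile(r"^ntpkey_(?P<kind>host|cert|iff)_(?P<name>.+)$")


def parse_cryptostats(text):
    """Return [(mjd, seconds, peer_or_None, message)] for each record."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        mjd, sec, rest = int(parts[0]), float(parts[1]), parts[2]
        head, _, tail = rest.partition(" ")
        if IPV4.match(head):          # peer-related record
            out.append((mjd, sec, head, tail))
        else:                         # local event (key/cert load, refresh, ...)
            out.append((mjd, sec, None, rest))
    return out


def iff_status(records, peer):
    """Filestamp of the IFFkey file the client loaded vs. the one the IFF
    exchange with `peer` reported; ok only when both exist and agree."""
    loaded = exchanged = None
    for _, _, p, msg in records:
        first = msg.split()[:1]
        m = KEYFILE.match(first[0]) if first else None
        if p is None and m and m.group("type") == "IFFkey":
            loaded = int(m.group("fstamp"))
        elif p == peer and msg.startswith("iff fs "):
            exchanged = int(msg.split()[2])
    return {"loaded": loaded, "exchanged": exchanged,
            "ok": loaded is not None and loaded == exchanged}


def check_links(links):
    """Validate ntpkey_<kind>_<name> -> ntpkey_<Type>_<name>.<fstamp> pairs.
    Returns {link: (kind, type, name, fstamp)}; raises ValueError on a bad pair."""
    allowed = {"host": lambda t: t in ("RSAkey", "DSAkey"),
               "cert": lambda t: t.endswith("cert"),
               "iff": lambda t: t in ("IFFkey", "IFFpar")}
    out = {}
    for link, target in links.items():
        ln, tg = LINKNAME.match(link), KEYFILE.match(target)
        if not ln or not tg:
            raise ValueError(f"unrecognised pair {link} -> {target}")
        if ln.group("name") != tg.group("name"):
            raise ValueError(f"{link} points at a file for {tg.group('name')}")
        kind, ktype = ln.group("kind"), tg.group("type")
        if not allowed[kind](ktype):
            raise ValueError(f"{link} points at a {ktype} file")
        out[link] = (kind, ktype, tg.group("name"), int(tg.group("fstamp")))
    return out


def audit(links, text, peer):
    """Combine both checks; returns (ok, reason)."""
    layout = check_links(links)
    status = iff_status(parse_cryptostats(text), peer)
    if not any(v[0] == "iff" for v in layout.values()):
        return False, "no ntpkey_iff_* link in the key directory"
    if status["loaded"] is None:
        return False, "no IFFkey file load recorded in cryptostats"
    if not status["ok"]:
        return False, f"loaded fstamp {status['loaded']} != exchanged {status['exchanged']}"
    return True, f"IFF exchange with {peer} used fstamp {status['exchanged']}"


if __name__ == "__main__":
    print(audit(LINKS, CRYPTOSTATS_OK, "192.168.19.4"))
    print(audit(LINKS_NO_IFF, CRYPTOSTATS_NO_IFF, "192.168.19.4"))
```

Note that the client's own ntpkey_IFFpar_stasis load at startup is deliberately not counted as the group key: the check keys on the IFFkey file whose filestamp the "iff fs" record must match, which is the line pair that disappears when the ntpkey_iff_<server> symlink is removed.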