Peter Pramberger wrote:
> I'm currently trying to implement public key authentication on an NTP testlab,
>
> NTP is version 4.2.0a-20040617 on RHEL4/CentOS4.
Finally I got TC and even IFF working, but it took me a lot of trial and error:

1) When running ntpd as a non-root user (RedHat included the droproot patch in their package), "/etc/ntp" has to be owned by "ntp:ntp". Don't try to set something like "root:ntp"; it won't work (it seems the EGID isn't set correctly).

2) When the driftfile doesn't exist at daemon startup, you can wait until the end of the universe; authentication would never complete.

3) For some reason the IFF scheme (and maybe others too) isn't working while running as a non-root user. The cryptostats file shows the repeated loading of the other host's IFF key, but authentication would never complete. Run ntpd as root and it works perfectly (don't forget "chown root:root /etc/ntp"). Maybe a too-restrictive capability set. I've reported this to RedHat.

4) As soon as I put the current leapseconds file (ftp://time.nist.gov/pub/leap-seconds.3331497600) on one or both hosts, I get errors in the log, and the authentication fails. When I remove them, authentication is working again.

--------------------------------------------------------------------------
Feb 3 22:32:22 dns ntpd[4953]: receive: fatal error 608 for 192.168.20.20
Feb 3 22:35:38 dns ntpd[4953]: crypto_iff: invalid filestamp 3347979197
--------------------------------------------------------------------------
53769 77738.911 192.168.20.20 error 103 opcode 82070000 ts 3347991338 fs 3347979197
--------------------------------------------------------------------------

Where is the right place (host) to put the leapseconds file?

Regards,
Peter

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
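The cryptostats record and the leap-seconds file name quoted above both carry NTP-era timestamps (seconds since 1900-01-01 UTC), which are hard to compare with the syslog lines by eye. The following helper is an added example, not code from the poster or from the ntp project; it decodes the MJD/seconds prefix and the "ts"/"fs" fields of such a record and the stamp embedded in the leap-seconds file name, on the assumption that "ts" is the extension field's timestamp and "fs" its filestamp, and applies the plausibility check that a filestamp should not be later than the timestamp of the packet carrying it.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)    # NTP era 0
MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)  # Modified Julian Day 0

# Constructed sample input: the cryptostats record quoted in the post above.
SAMPLE_RECORD = ("53769 77738.911 192.168.20.20 error 103 opcode 82070000 "
                 "ts 3347991338 fs 3347979197")
# The leap-seconds file name carries its own NTP-era stamp as a suffix.
SAMPLE_LEAPFILE = "leap-seconds.3331497600"


def ntp_to_datetime(ntp_seconds):
    """Convert NTP-era seconds (since 1900-01-01 UTC) to an aware datetime."""
    return NTP_EPOCH + timedelta(seconds=int(ntp_seconds))


def mjd_to_datetime(mjd, seconds_of_day):
    """Convert the cryptostats 'MJD seconds-of-day' prefix to an aware datetime."""
    return MJD_EPOCH + timedelta(days=int(mjd), seconds=float(seconds_of_day))


def parse_cryptostats(line):
    """Parse one cryptostats line: 'MJD secs peer key value key value ...'.

    'ts' and 'fs' are decoded to datetimes (assumed: extension-field
    timestamp and filestamp); other key/value pairs are kept as strings."""
    fields = line.split()
    rec = {"when": mjd_to_datetime(fields[0], fields[1]), "peer": fields[2]}
    rest = fields[3:]
    for key, value in zip(rest[0::2], rest[1::2]):
        rec[key] = ntp_to_datetime(value) if key in ("ts", "fs") else value
    return rec


def leapfile_stamp(filename):
    """Decode the NTP-era stamp in a 'leap-seconds.NNNNNNNNNN' file name."""
    return ntp_to_datetime(filename.rsplit(".", 1)[1])


def filestamp_is_plausible(rec):
    """A filestamp later than the packet timestamp points at a clock or
    key/file-generation problem on one of the hosts (assumed check)."""
    return rec["fs"] <= rec["ts"]


if __name__ == "__main__":
    rec = parse_cryptostats(SAMPLE_RECORD)
    for key in ("when", "peer", "error", "opcode", "ts", "fs"):
        print(f"{key:6} {rec[key]}")
    print("leap-seconds file stamp:", leapfile_stamp(SAMPLE_LEAPFILE))
    print("filestamp plausible:", filestamp_is_plausible(rec))
```

Run against the quoted record, the MJD prefix decodes to 2006-02-03 21:35:38 UTC, matching the 22:35:38 syslog line in local time (UTC+1), and the rejected filestamp decodes to 18:13:17 UTC the same day while the leap-seconds file name dates from 2005-07-28.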
