Dear Richard,
I received a mail yesterday with a possible solution for configuring Autokey with
NTP version 4.2.0b (see http://ntp.isc.org/Support/ConfiguringAutokey).
But I have some trouble configuring Autokey on my Windows machine.
When I use the nt-keygen on my test server, it creates 2 files:
- C:\WINDOWS\system32\drivers\etc\ntpkey_cert_wdmcswxp001
- C:\WINDOWS\system32\drivers\etc\ntpkey_host_wdmcswxp001
Does the ntpd service use these 2 files to transmit a secure NTP package to the
public time servers?
I generated a crypto file from the website https://ntp.isc.org/crypto.php. The
file size is 0KB and it contains nothing. Is that correct?
NTP.log file:
20 Mar 23:39:11 ntpd.exe[4412]: logging to file C:\Program Files\NTP\etc\ntp.log
20 Mar 23:39:11 ntpd.exe[4412]: precision = 0.798 usec
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface wildcard, 0.0.0.0#123 Disabled
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface IP Interface 1, 192.168.1.135#123 Enabled
20 Mar 23:39:11 ntpd.exe[4412]: Listening on interface Loopback Interface 2, 127.0.0.1#123 Enabled
20 Mar 23:39:11 ntpd.exe[4412]: frequency initialized 10.211 PPM from C:\Program Files\NTP\etc\ntp.drift
20 Mar 23:39:11 ntpd.exe[4412]: frequency initialized 10.211 PPM from C:\Program Files\NTP\etc\ntp.drift
20 Mar 23:39:11 ntpd.exe[4412]: crypto_key error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
20 Mar 23:39:11 ntpd.exe[4412]: crypto_setup: host key file ntpkey_host_wdmcswxp001 not found or corrupt
20 Mar 23:39:11 ntpd.exe[4412]: The Network Time Protocol Service has stopped.
NTP.conf file:
# NTP Network Time Protocol
# Configuration File created by Windows Binary Distribution Installer Rev.: 1.16 mbg
# please check http://www.ntp.org for additional documentation and background information
crypto pw Cindy33Patrice
keysdir "C:\Windows\System32\Drivers\etc"
# Use drift file
driftfile "C:\Program Files\NTP\etc\ntp.drift"
# your local system clock, should be used as a backup
# (this is only useful if you need to distribute time no matter how good or bad it is)
#server 127.127.1.0
# but it operates at a high stratum level to let the clients know and force them to
# use any other timesource they may have.
#fudge 127.127.1.0 stratum 12
# Use a NTP server from the ntp pool project (see http://www.pool.ntp.org)
# Please note that you need at least four different servers to be at least protected against
# one falseticker. If you only rely on internet time, it is highly recommended to add
# additional servers here.
# The 'iburst' keyword speeds up initial synchronization, please check the documentation for more details!
server be.pool.ntp.org autokey
server nl.pool.ntp.org autokey
server fr.pool.ntp.org autokey
# End of generated ntp.conf --- Please edit this to suit your needs
What's wrong with my configuration? Can you help me?
Greetz,
Patrice
"Richard B. Gilbert" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> news.telenet.be wrote:
>> Dear Dr. Mills
>>
>> I installed the NTP version 4.2.0 from the meinberg.de website. This time
>> synchronization service works fine on a test server. Thank you David for your
>> reply.
>>
>> Unfortunately, I didn't find information about the configuration of a secure
>> connection to the public time servers with ESP, AH or MD5. You suggest on
>> the website of the University of Delaware to use the Autokey security
>> Architecture, Protocol and Algorithms
>> (http://www.eecis.udel.edu/~mills/database/reports/stime1/stime.pdf).
>> But I'm a bit confused about Autokey! How do I use this application with the
>> NTP version 4.2.0 for Windows to transmit secure NTP requests to the public
>> time servers? Where can I find this application?
>>
>> Best regards,
>>
>> Patrice
>
> I think you may misunderstand Autokey security.
>
> All that Autokey, or any of the other encryption systems, does for you is
> authenticate the server to the client. It gives you some assurance that
> the server sending the packet really is who he claims to be. The packet
> has an encrypted signature. Anybody can read the request packet and
> anybody can read the reply packet. After all, there is nothing secret
> about the correct time, your IP address, the server's IP address, etc.
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
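Richard's point above, that NTP authentication proves who sent a packet but hides nothing in it, can be seen in a few lines of code. The following is an added example written for this page, not code from the thread, from the NTP project or from Meinberg. It uses NTP's symmetric-key MAC (the "MD5" option Patrice asks about, as specified in RFC 5905: a 32-bit key id followed by MD5 over key || packet) rather than Autokey, because it needs only the standard library; Autokey's public-key signatures give the client the same guarantee by a different mechanism. The key, key id and timestamps are constructed for the example.

```python
"""Symmetric-key NTP authentication as a worked illustration of
"authenticates, does not encrypt".  Example code added to this thread; the key
and timestamps are constructed, not taken from any real ntp.keys file."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                # fixed NTP header, always sent in the clear
MAC_LEN = 4 + 16               # 32-bit key id + 16-byte MD5 digest

# Constructed stand-in for an ntp.keys file: {key id: key bytes} (a type "M" ASCII key).
KEYS = {1: b"constructed-example-key"}


def build_server_packet(xmit_unix_time, stratum=2):
    """Build a minimal 48-byte NTPv4 server reply (mode 4) with the given transmit time."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # leap 0, version 4, mode 4 (server)
    secs = int(xmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((xmit_unix_time - int(xmit_unix_time)) * 2**32) & 0xFFFFFFFF
    return struct.pack(
        "!BBbbII4sQQQII",
        li_vn_mode, stratum, 6, -20,              # poll 2^6 s, precision 2^-20 s
        0, 0,                                     # root delay, root dispersion
        b"\x00\x00\x00\x00",                      # reference id (constructed, left empty)
        0, 0, 0,                                  # reference, originate, receive timestamps
        secs, frac,                               # transmit timestamp (seconds, fraction)
    )


def append_mac(packet, key_id):
    """Append the NTP MAC: key id followed by MD5(key || packet), as RFC 5905 specifies."""
    digest = hashlib.md5(KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message):
    """Return True only if the message carries a MAC made with a key we also hold."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = message[HEADER_LEN + 4:]
    key = KEYS.get(key_id)
    if key is None:
        return False                               # unknown key id: treat as unauthenticated
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac)      # constant-time comparison


def transmit_time(message):
    """Read the transmit timestamp from the plaintext header; this needs no key at all,
    which is Richard's point: the time, like the addresses, is not secret."""
    secs, frac = struct.unpack("!II", message[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def shift_transmit_time(message, delta_seconds):
    """Change the transmit time in the clear (no key involved) so the reader can see
    that the header stays readable while the MAC check now fails."""
    secs, frac = struct.unpack("!II", message[40:48])
    return message[:40] + struct.pack("!II", secs + delta_seconds, frac) + message[48:]


if __name__ == "__main__":
    reply = append_mac(build_server_packet(1174433951.5), 1)   # constructed timestamp
    print("transmit time readable without key:", transmit_time(reply))
    print("genuine reply verifies:", verify_mac(reply))
    altered = shift_transmit_time(reply, 3600)
    print("altered time still readable:", transmit_time(altered))
    print("altered reply verifies:", verify_mac(altered))
```

Running it shows the two halves of Richard's explanation side by side: `transmit_time` works on the raw bytes whether or not the reader holds the key, while `verify_mac` rejects any packet whose header changed or whose key id the client does not know. A client that only accepts packets passing the check therefore gains server authentication, not confidentiality.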