On 2007-05-11, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> This is my first post to the ntp list.

Please keep in mind that your messages are also being posted to the
comp.protocols.time.ntp news-group on Usenet.

> I've been googling around for answers regarding autokey with ntp as
> I've only ever setup a non encrypted/secured ntp configuration.

It's authenticated, not encrypted/secured.

NTP Authentication makes it possible for a client to be sure that the
NTP packets that it is receiving from an arbitrary server _are_ from
that server (and not from a bad actor). NTP Authentication does not
encrypt the NTP packets.

> I've been tasked with setting up autokey in the environment and
> thought I had IFF working, I'm not so sure now, since reading some of
> the other posts regarding the TC scheme.

TC is the default when the participants do not have the IFF/GQ/MV
Identity Scheme parameters.

You can "easily" tell what Identity Scheme is being used by examining
the flags for a particular association.

Use ntpq -cas to retrieve the list of association IDs. Then use
ntpq -c"rv AssnID flags" to view the flags for that association.

The flags that indicate the Identity Scheme are:

#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */

flags=0x87f03 indicates that TC is being used
flags=0x87f23 indicates that IFF is being used

Here are all of the flags:

#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */

> Is ntpd and ntp-keygen's non-use of /dev/random considered a bug? Will
> ntpd and ntp-keygen ever support /dev/random?

Add this line to your ntp.conf and it will:

crypto randfile /dev/random

-- 
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
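As an added example (not part of the thread above and not an ntp project tool), here is a small POSIX sh script that automates the check Steve describes: it takes the `flags=0x...` line that `ntpq -c "rv AssnID flags"` prints, names the `CRYPTO_FLAG_*` bits that are set using exactly the defines quoted in his message, reports which Identity Scheme the association is using (TC when none of the PRIV/IFF/GQ/MV bits is set), and lists which of the verification bits (VALID, VRFY, PROV, AGREE, AUTO, SIGN) are still clear, which is the quickest way to tell whether an IFF association has actually completed the identity exchange rather than merely being configured for it. The sample `ntpq` output embedded at the bottom is constructed for this example; note that the high bit in the quoted values (0x80000) is not among the defines in the message, so the script reports it as unknown rather than guessing what it means.

```shell
#!/bin/sh
# decode_autokey_flags.sh -- decode the "flags=0x..." value printed by
#   ntpq -c "rv <assocID> flags"
# for an Autokey association.  Added example, not part of the original post
# and not an ntp project tool.  Bit values are the CRYPTO_FLAG_* defines
# quoted in the message above; any other set bit is reported as "unknown".

# name/value table, one pair per line, copied from the quoted defines
CRYPTO_FLAG_TABLE='
ENAB 0x0001
TAI 0x0002
PRIV 0x0010
IFF 0x0020
GQ 0x0040
MV 0x0080
VALID 0x0100
VRFY 0x0200
PROV 0x0400
AGREE 0x0800
AUTO 0x1000
SIGN 0x2000
LEAP 0x4000
'
CRYPTO_FLAG_MASK=0x00f0   # identity-scheme bits: PRIV|IFF|GQ|MV

# flag_bit NAME -> the hex value of that flag from the table (exit 1 if unknown)
flag_bit() {
    while read -r name bit; do
        [ "$name" = "$1" ] && { echo "$bit"; return 0; }
    done <<EOF
$CRYPTO_FLAG_TABLE
EOF
    return 1
}

# flags_from_rv "<ntpq rv output>" -> the hex value after "flags=" (first match)
flags_from_rv() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# identity_scheme 0x87f23 -> IFF ; TC when none of the scheme bits is set
identity_scheme() {
    case $(( $1 & CRYPTO_FLAG_MASK )) in
        0)   echo TC ;;
        16)  echo PC ;;
        32)  echo IFF ;;
        64)  echo GQ ;;
        128) echo MV ;;
        *)   echo "INVALID(more than one scheme bit set)" ;;
    esac
}

# decode_crypto_flags 0x87f23 -> space-separated names of the set bits, followed
# by "unknown:0x..." for any set bits that are not in the table above
decode_crypto_flags() {
    flags=$(( $1 ))
    seen=0
    out=""
    while read -r name bit; do
        [ -n "$name" ] || continue
        if [ $(( flags & bit )) -ne 0 ]; then
            out="$out CRYPTO_FLAG_$name"
            seen=$(( seen | bit ))
        fi
    done <<EOF
$CRYPTO_FLAG_TABLE
EOF
    rest=$(( flags & ~seen ))
    [ "$rest" -eq 0 ] || out="$out unknown:$(printf '0x%x' "$rest")"
    printf '%s\n' "${out# }"
}

# missing_verifications 0x87f03 -> the verification bits that are still clear;
# prints nothing once the whole Autokey dance has completed
missing_verifications() {
    out=""
    for name in VALID VRFY PROV AGREE AUTO SIGN; do
        bit=$(flag_bit "$name")
        [ $(( $1 & bit )) -ne 0 ] || out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# report "<ntpq rv output>" -> human-readable summary on stdout
report() {
    f=$(flags_from_rv "$1")
    if [ -z "$f" ]; then
        echo "no flags= value found (is Autokey enabled for this association?)" >&2
        return 1
    fi
    echo "flags:    $f"
    echo "scheme:   $(identity_scheme "$f")"
    echo "set bits: $(decode_crypto_flags "$f")"
    m=$(missing_verifications "$f")
    echo "missing:  ${m:-none}"
}

# Constructed sample of the interesting line from `ntpq -c "rv 12345 flags"`
# (made up for this example; 0x87f23 is the IFF value quoted in the message).
SAMPLE_RV='flags=0x87f23'

# Usage: decode_autokey_flags.sh [assocID]  -> queries the local ntpd via ntpq
#        decode_autokey_flags.sh            -> decodes the constructed sample
if [ $# -ge 1 ]; then
    rv=$(ntpq -c "rv $1 flags")
else
    rv=$SAMPLE_RV
fi
report "$rv"
```

Run it with an association ID from `ntpq -cas` to query a live ntpd, or with no arguments to see the decoding of the sample value. The scheme name comes from the 0x00f0 mask alone; an association can show `IFF` there while `VRFY` is still in the missing list, which is the "configured but not yet proven" state the original poster was unsure about.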
