I just ran a quick test of Autokey/IFF between a 4.2.5p118 server and a 4.2.2p4 client and am pleased to report that the new server parameter scheme is backwards compatible.
The Autokey HOWTO at http://support.ntp.org/Support/ConfiguringAutokey was written for versions up to 4.2.4, so it does not correctly address all of the details for setting up the new server parameter scheme. Here are the steps that I followed (starting with empty keys directories).

*** On the Server:

1. Prepare the keysdir and ntp.conf as shown at http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.2.

2. Generate the server's host cert/key and private IFF key with:

    ntp-keygen -T -I -p server_password

3. Export the server's public IFF parameters with:

    ntp-keygen -e -p server_password > ntpkey_iffpar_servername

   The complete suggested name for this file is shown on its first line.

   The difference here is that we are no longer encrypting the server's public IFF parameters for each client. These public IFF parameters may be safely distributed just like a PGP/GPG public key (e.g. on a web page, via unencrypted e-mail, finger, ftp, ..., etc.).

*** On the Client:

The client configuration is actually unchanged from what is shown at http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.3.

1. Prepare the keysdir and ntp.conf as shown at http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.3.

2. Generate the client's host cert/key with:

    ntp-keygen -p server_password

3. Obtain the server's public IFF parameters and save them in a file. The suggested file name is on the first line of the parameters. Either save the parameters file using this name and create the standard sym-link, or, for OSes which don't support symlinks, just save the file with the standard name (i.e. ntpkey_iff_servername).

    ln -s ntpkey_iffpar_servername.XXXXXXXX ntpkey_iff_servername

4. Activate IFF on the client by creating the following sym-link:

    ln -s ntpkey_host_clientname ntpkey_iff_clientname

   On OSes which do not support symlinks just create a file named ntpkey_iff_clientname.
   The sym-link target and file contents are not important because ntpd just checks for the existence of the sym-link/file; the contents of the sym-link/file are not actually used.

*** Running and Troubleshooting

Restart both ntpds. Use ntpdc to view the certs and flags to confirm proper Autokey/IFF operation. The 0x20 in the flags indicates IFF.

On the server,

    ntpq -c"rv 0 flags,cert"

should show something like:

    flags=0x80021, cert="servername servername 0x1", until=200907011232

where the "until" date is 1 year from the time the server's cert/key were generated.

On the client,

    ntpq -c"rv 0 flags,cert"

should show something like this:

    flags=0x80021, cert="clientname servername 0x6", expire=200907011251, cert="servername servername 0x7", expire=200907011232, cert="clientname clientname 0x2", expire=200907011236

To view the association flags on the client you will have to use

    ntpq -pcas

to determine the association ID (assID) of the server; then

    ntpq -c"rv assID flags"

should return

    flags=0x83f21

(for a working Autokey/IFF association.)

The Crypto Association Flags are documented in ./include/ntp_crypto.h in the distribution and at http://support.ntp.org/bin/view/Support/ConfiguringAutokey#Section_6.7.4.1.

-- 
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://support.ntp.org/

questions mailing list - https://lists.ntp.org/mailman/listinfo/questions
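The checks in the troubleshooting section above (IFF bit 0x20 in the flags, unexpired certs, 0x83f21 on a working association) can be scripted. This is an added example, not part of the post or of the NTP distribution; the three rv lines it parses are constructed from the post's sample output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check the values that
# ntpq -c"rv ... flags,cert" prints for the IFF bit (0x20), for cert expiry
# and for the association flags. The three sample lines are constructed
# from the examples in the post.
SERVER_RV='flags=0x80021, cert="servername servername 0x1", until=200907011232'
CLIENT_RV='flags=0x80021, cert="clientname servername 0x6", expire=200907011251, cert="servername servername 0x7", expire=200907011232, cert="clientname clientname 0x2", expire=200907011236'
ASSOC_RV='flags=0x83f21'

# Print the hex value of the "flags=0x..." field from one line of rv output.
rv_flags() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Succeed when the IFF bit (0x20) is set in the flags field of a rv line.
iff_on() {
    f=$(rv_flags "$1")
    [ -n "$f" ] || return 2            # no flags field at all
    [ $(( $f & 0x20 )) -ne 0 ]
}

# Print the earliest until=/expire= stamp (YYYYMMDDHHMM) found on a rv line.
earliest_cert_stamp() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= '
        $1 ~ /^ *(until|expire)$/ && ($2 + 0) > 0 {
            if (min == "" || ($2 + 0) < (min + 0)) min = $2
        }
        END { if (min != "") print min }'
}

# Succeed when every cert on a rv line is still valid at $2, a stamp in the
# same YYYYMMDDHHMM form (normally "$(date -u +%Y%m%d%H%M)"); 2 if no stamp.
certs_valid_at() {
    stamp=$(earliest_cert_stamp "$1")
    [ -n "$stamp" ] || return 2
    [ "$stamp" -gt "$2" ]
}

# Succeed when an association's flags equal the value the post gives for a
# working Autokey/IFF association (0x83f21).
assoc_ok() {
    f=$(rv_flags "$1")
    [ -n "$f" ] && [ $(( $f )) -eq $(( 0x83f21 )) ]
}

# Demonstration on the constructed samples (feed real ntpq output in practice).
iff_on "$SERVER_RV" && echo "server: IFF flag set"
certs_valid_at "$CLIENT_RV" 200907010000 && echo "client: no cert expired yet"
assoc_ok "$ASSOC_RV" && echo "association: flags match 0x83f21"
```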
