Hello, hopefully someone has some advice. I'm trying to manage a pair of peers using GQ identities and unicast authentication and AutoKey.
The symptom(s) I observe, after the several seconds it takes for the association's 'auth' field to go from 'bad' to 'ok':

- the association reports the condition as 'reject'
- the refid on each node alternates between .AUTH. and .CRYP.
- my cryptolog reports 'error 10f opcode 2010000 ts 0 fs 524353', which is regrettably not described here: http://www.eecis.udel.edu/~mills/ntp/html/authopt.html#err
- the association claims the other node is 'unreachable'. I can see debug messages flow between the two nodes, so I know there's no connectivity problem.
- my debug log shows that the 'flags' setting is 0x80041, even though that's not showing up in the 'rv' command below. I deconstructed that according to ntp_crypto.h, and it's obvious that there are a lot of bits missing...

I would definitely appreciate some suggested course of action...

I've applied notes according to:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey
and perhaps more closely, this thread:
http://www.mail-archive.com/questi...@lists.ntp.isc.org/msg05140.html

Some specifics:

I'm using RedHat's ntp RPM:

  # rpm -q ntp
  ntp-4.2.2p1-9.el5_3.2

My ntp.conf:

  driftfile /var/lib/ntp/drift
  statsdir /var/log/ntpstats/
  statistics loopstats peerstats clockstats cryptostats
  filegen loopstats file loopstats type day enable
  filegen peerstats file peerstats type day enable
  filegen clockstats file clockstats type day enable
  filegen cryptostats file cryptostats type day enable
  crypto pw ServerPassword randfile /dev/urandom
  crypto ident 1950dc1.example.com
  #crypto ident 1950qc1.example.com
  keys /etc/ntp/keys
  keysdir /etc/ntp
  peer 1950qc1.example.com autokey
  #peer 1950dc1.example.com autokey

Obviously, the 'peer' entry differs on each host, as does the 'crypto ident' entry.

On each node, I created GQ keys:

  cd /etc/ntp
  ntp-keygen -T -G -p ServerPassword -q ServerPassword

I copied the ntpkey_* files to both hosts.

I restarted ntpd on both hosts, using the '-g' and '-d' flags.
  # ntpq -npcas
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
   172.20.166.111  .AUTH.          16 u    -  128    0    0.000    0.000   0.000

  ind assID status  conf reach auth condition  last_event cnt
  ===========================================================
    1 44420  e04f   yes   yes   ok    reject               4

  # ntpq -n -c "rv 44420"
  assID=44420 status=e04f unreach, conf, auth, 4 events, event_15,
  srcadr=172.20.166.111, srcport=123, dstadr=172.20.166.101, dstport=123,
  leap=11, stratum=16, precision=-20, rootdelay=0.000, rootdispersion=21.332,
  refid=AUTH, reach=000, unreach=123, hmode=1, pmode=1, hpoll=7, ppoll=10,
  flash=00 ok, keyid=3440123012, ttl=0, offset=0.000, delay=0.000,
  dispersion=15937.500, jitter=0.000,
  reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  org=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  rec=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,
  xmt=ce1b3e19.7e040ed8  Wed, Jul 29 2009 21:31:05.492,
  filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
  filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
  filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Dunno if other information may be useful; please let me know...

-- 
Brian Reichert <reich...@numachi.com>
55 Crystal Ave. #286                    Daytime number: (603) 434-6842
Derry NH 03038-1725 USA                 BSD admin/developer at large
_______________________________________________
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions
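The cryptostats line and the ntpq status word quoted in the post above are packed fields, and reading them by hand is error-prone. The following decoder is an added example, not code from the post's author or from the NTP project; it uses the constant values from the ntp 4.2.x ntp_crypto.h and ntp_control.h headers as I know them (XEVNT_* error codes, CRYPTO_CMD() opcode layout, CRYPTO_FLAG_* host status bits, CTL_PST_* peer status bits). Two points are assumptions and are marked as such in the code: that the 4.2.2p1 headers in the poster's RPM use the same numbers, and that the high 16 bits of the host status word carry the certificate signature algorithm NID (OpenSSL NID 8 is md5WithRSAEncryption). The sample inputs are the values copied from the post.

```python
# Added example (not from the original post or the NTP sources): decode an
# ntpd cryptostats record and an ntpq peer status word.
#
# Constants follow the ntp 4.2.x headers (ntp_crypto.h, ntp_control.h).
# ASSUMPTION: the 4.2.2p1 build discussed in the post uses the same values;
# compare against /usr/include or the SRPM before trusting a decode.
import re

# cryptostats "error" field: CRPT_EVENT (0x100) | XEVNT_* code.
# authopt.html lists 101..10e; 10f (XEVNT_ERR, "protocol error") is the
# one it omits.
CRPT_EVENT = 0x100
XEVNT = {
    0x0: "success", 0x1: "bad field format or length", 0x2: "bad timestamp",
    0x3: "bad filestamp", 0x4: "bad or missing public key",
    0x5: "unsupported digest type", 0x6: "unsupported identity type",
    0x7: "bad signature length", 0x8: "signature not verified",
    0x9: "certificate not verified", 0xa: "host certificate expired",
    0xb: "bad or missing cookie", 0xc: "bad or missing leapseconds table",
    0xd: "bad or missing certificate", 0xe: "bad or missing identity",
    0xf: "protocol error",
}

# Extension field opcode word: CRYPTO_CMD(x) = ((CRYPTO_VN << 8) | x) << 16,
# low 16 bits = field length, top two bits = response / error flags.
CRYPTO_RESP = 0x80000000
CRYPTO_ERROR = 0x40000000
CRYPTO_CMDS = {0: "NULL", 1: "ASSOC", 2: "CERT", 3: "COOK", 4: "AUTO",
               5: "TAI", 6: "SIGN", 7: "IFF", 8: "GQ", 9: "MV"}

# Host status word (crypto_flags) bits, low 16 bits.
CRYPTO_FLAGS = [
    (0x0001, "ENAB"), (0x0002, "TAI"), (0x0010, "PRIV"), (0x0020, "IFF"),
    (0x0040, "GQ"), (0x0080, "MV"), (0x0100, "VALID"), (0x0200, "VRFY"),
    (0x0400, "PROV"), (0x0800, "AGREE"), (0x1000, "AUTO"), (0x2000, "SIGN"),
    (0x4000, "LEAP"),
]

# ntpq peer status word: (status << 8) | (event count << 4) | event code.
CTL_PST = [(0x80, "config"), (0x40, "authenable"), (0x20, "authentic"),
           (0x10, "reach"), (0x08, "bcast")]
CTL_PST_SEL = ["reject", "falsetick", "excess", "outlyer", "candidat",
               "selected", "sys.peer", "pps.peer"]

_CRYPTO_RE = re.compile(r"error ([0-9a-fA-F]+) opcode ([0-9a-fA-F]+) ts (\d+) fs (\d+)")


def decode_opcode(word):
    """Split a CRYPTO_CMD()-style opcode word into its fields."""
    return {
        "version": (word >> 24) & 0x3f,
        "cmd": CRYPTO_CMDS.get((word >> 16) & 0xff, "unknown"),
        "response": bool(word & CRYPTO_RESP),
        "error": bool(word & CRYPTO_ERROR),
        "length": word & 0xffff,
    }


def decode_host_status(fs):
    """Name the CRYPTO_FLAG_* bits; ASSUMPTION: bits 16..31 hold the
    certificate signature NID (NID 8 == md5WithRSAEncryption in OpenSSL)."""
    return {
        "flags": [name for bit, name in CRYPTO_FLAGS if fs & bit],
        "nid": fs >> 16,
    }


def decode_cryptostats(line):
    """Parse 'error <hex> opcode <hex> ts <dec> fs <dec>' as ntpd logs it."""
    m = _CRYPTO_RE.search(line)
    if not m:
        raise ValueError("not a cryptostats error record: %r" % line)
    err, opcode, ts, fs = int(m[1], 16), int(m[2], 16), int(m[3]), int(m[4])
    return {
        "error": XEVNT.get(err ^ CRPT_EVENT, "unknown") if err & CRPT_EVENT else "unknown",
        "opcode": decode_opcode(opcode),
        "ts": ts,
        # In the ASSOC exchange the filestamp slot carries the sender's
        # host status word, so decode it as crypto_flags as well.
        "fs": fs,
        "fs_as_status": decode_host_status(fs),
    }


def decode_peer_status(word):
    """Decode the 16-bit status word ntpq prints (e.g. e04f)."""
    status = (word >> 8) & 0xff
    return {
        "flags": [name for bit, name in CTL_PST if status & bit],
        "reach": bool(status & 0x10),
        "select": CTL_PST_SEL[status & 0x7],
        "count": (word >> 4) & 0xf,
        "code": word & 0xf,
    }


if __name__ == "__main__":
    # Constructed from the values quoted in the post.
    print(decode_cryptostats("error 10f opcode 2010000 ts 0 fs 524353"))
    print(decode_peer_status(0xe04f))
```

For the post's values this yields error 10f = XEVNT_ERR ("protocol error") on a version 2 ASSOC request (no response or error bit set), and fs 524353 = 0x80041 = ENAB | GQ in the low bits with 8 in the high half; status e04f decodes to config, authenable, authentic, reach clear, select 0 (reject), 4 events, event code 15, which is exactly the "unreach, conf, auth, 4 events, event_15" line ntpq prints.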