Re: [ntp:questions] new driver development

2011-03-29 Thread Martin Burnicki
Dave,

David L. Mills wrote:
> Bruce & Co.,
>
> You may not be aware that all Spectracom devices are supported with one
> driver, all TrueTime devices are supported with one driver, all
> telephone modem services are supported with one driver, all Austron
> devices are supported with one driver, all Heath devices are supported
> with one driver and most GPS receivers are supported with one driver.
> This happened with many hours of dedicated effort on the part of
> refclock developers. You can appreciate the serious pushback in creating
> a new driver if a similar one is already available. An appropriate plan is
>
> [common interface code]
> #ifdef POSIX
> ...
> #else
> ...
> #endif

How do you know which application is feeding the SHM driver, and whether
that application supports the Posix or the non-Posix (legacy) SHM mode?

IMO the legacy SHM mode should always be compiled in, and the POSIX mode in
addition, if that Posix SHM is supported by the target OS.

Whether addressing of either mode is done by separate driver numbers (which
I still find a good idea in this case, since SHM is a generic driver), or
by a mode number for the existing SHM driver, is a totally different
question.


Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

2011-03-29 Thread Miroslav Lichvar
On Mon, Mar 28, 2011 at 11:11:28PM +, Dave Hart wrote:
> Autokey is very clever in dealing with some unique challenges other
> PKI OpenSSL client code doesn't have to.  Anyone attempting to
> configure it should be on payroll, if not time and a half.
>
> (insert series of profanities here)

I had a similar feeling when I was expanding my NTP test suite to test
basic Autokey functionality and compatibility between the 4.2.2, 4.2.4 and
4.2.6 versions. I eventually got most of it working, but I'm not sure
if it's working as intended or accidentally by misplacing a private
key, etc.

I wasn't able to get the MV scheme working though. I have read the
official ntp-keygen page and the wiki document.

-- 
Miroslav Lichvar


Re: [ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

2011-03-29 Thread David L. Mills

Dave,

I didn't mean to cause Steve problems, but something did need to be 
changed, particularly the binding between the trusted host name and the 
group name. Besides fixing the vulnerability, it makes use of non-keygen 
certificates less of a bother. Also, this allows more than one secure 
group to share the same broadcast network. This is the third 
more-or-less trivial change in syntax in fifteen years (from Autokey 
Version 1).


The -l option was added in order to change the certificate expiration 
time for test and to allow users to make long-lived certificates.


Dave

Dave Hart wrote:

> On Tue, Mar 29, 2011 at 12:53 AM, David L. Mills mi...@udel.edu wrote:
>
>> I sent you a message requesting to test this before deployment.
>
> I was referring to docs galore as I thrashed about earlier. I don't
> doubt each of your changes was an improvement, but each one also made
> Steve's 4.2.4 step-by-step guide less useful. I was looking at:
>
> http://www.eecis.udel.edu/~mills/ntp/html/autokey.html
> http://www.eecis.udel.edu/~mills/ntp/html/keygen.html
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> http://bugs.ntp.org/1864
>
> BTW keygen.html mentions a -l days option which ntp-keygen doesn't
> understand, do you want me to fix the options processing so it does?
> Or get rid of that item from the docs?
>
> I'm not the dimmest bulb on the block, but when I was interested in
> reproducing the crash reported in bug 1864 and 1840, I didn't manage
> to. And I spent several hours trying. The crash may be a bug I
> introduced in ntp_config generic FIFO code that replaced the
> degenerate use of priority queues as FIFOs in Sachin's original
> ntp.conf parser rewrite. I was focused on getting past the
> configuration issues to debug the configuration code, not on setting
> up a working Autokey.
>
> That said, Steve has kindly dove in head first and is extracting me
> from my confusion one step at a time. I never forgot that you wanted
> me to test pool + autokey operation, I just feared and loathed the
> idea of setting up autokey again from scratch and have had other
> things to keep me busy. I'm optimistic Steve will be able to help me
> get a working setup to test pool + autokey and also to see if
> ntp_crypto.c:2984 really is unneeded.
>
> Cheers,
> Dave Hart





Re: [ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

2011-03-29 Thread David L. Mills

Miroslav,

Unfortunately, while things were in flux, snapshots continued to be 
produced, which was counterproductive. I have no direct say in that.


The best advice is:

1. Produce a working version of the configuration without Autokey.
2. Roll keys for all group members using ntp-keygen with no options 
other than the -T option for the trusted hosts. Add the crypto command 
with no options to all configuration files. Add the autokey option to 
the server command for all clients of the trusted hosts. Verify the TC 
scheme works.
3. Make the group keys with the -I option on a trusted host or trusted 
agent.
4. Make the client keys from the group keys and distribute as in the 
original directions. Use an arbitrary file name, preferably the name of 
the group.
5. Add the ident option to the client server command with name the same 
as the client keys installed.
6. For broadcast clients, use the same files, but use the ident option 
in the crypto command instead.


All this is in the autokey.html page along with a detailed description 
of the operations. Note also the relevant white pages at the NTP project 
page www.eecis.udel.edu/~ntp.html, especially the security analysis and 
the simulation and analysis of the on-wire protocol.


In contrast with the previous version, no options are required on the 
crypto command other than cited above. Note that the -s option is not 
required on the ntp-keygen program. These options can be added for 
special circumstances.


Dave

Miroslav Lichvar wrote:

> On Mon, Mar 28, 2011 at 11:11:28PM +, Dave Hart wrote:
>
>> Autokey is very clever in dealing with some unique challenges other
>> PKI OpenSSL client code doesn't have to.  Anyone attempting to
>> configure it should be on payroll, if not time and a half.
>>
>> (insert series of profanities here)
>
> I had a similar feeling when I was expanding my NTP test suite to test
> basic Autokey functionality and compatibility between the 4.2.2, 4.2.4 and
> 4.2.6 versions. I eventually got most of it working, but I'm not sure
> if it's working as intended or accidentally by misplacing a private
> key, etc.
>
> I wasn't able to get the MV scheme working though. I have read the
> official ntp-keygen page and the wiki document.



Re: [ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

2011-03-29 Thread Steve Kostecke
On 2011-03-29, Dave Hart h...@ntp.org wrote:

> On Tue, Mar 29, 2011 at 12:53 AM, David L. Mills mi...@udel.edu wrote:
>
>> I sent you a message requesting to test this before deployment.
>
> I was referring to docs galore as I thrashed about earlier.  I don't doubt
> each of your changes was an improvement, but each one also made Steve's
> 4.2.4 step-by-step guide less useful.  I was looking at:

I've moved the legacy Autokey Configuration to
http://support.ntp.org/bin/view/Support/ConfiguringAutokeyFourTwoFour

http://support.ntp.org/bin/view/Support/ConfiguringAutokey is being
updated for the current Autokey configuration scheme. It currently
only covers IFF and it does not address any of the ident/group name
features.

At the moment I have ntp-dev-4.2.7p142 Autokey+IFF running between
psp-fb1 (trust group server) and psp-os1. Here's the view from the
client:

ntpq> rv 6
assID=29118 \
status=f63a reach, conf, auth, sel_sys.peer, 3 events, event_10,
srcadr=psp-fb1.ntp.org, srcport=123, dstadr=2001:4f8:fff7:1::26,
dstport=123, leap=00, stratum=2, precision=-20, rootdelay=0.626,
rootdisp=16.495, refid=209.81.9.7,
reftime=d13c56aa.cc4f74b3  Tue, Mar 29 2011 13:01:30.798,
rec=d13c588e.76244c5b  Tue, Mar 29 2011 13:09:34.461, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=6, ppoll=6, headway=176, flash=00 ok,
keyid=2472358740, offset=-1.346, delay=0.194, dispersion=5.554,
jitter=0.605, xleave=0.028,
filtdelay=0.28   0.25   0.34   0.29   0.25   0.26  0.19  0.22,
filtoffset=  -0.96  -0.85  -0.72  -0.69  -0.80  -0.97 -1.35 -0.39,
filtdisp= 0.00   1.02   2.04   3.03   4.05   5.06  6.06  7.05,
host=psp-fb1.ntp.org, flags=0x87f21, signature=md5WithRSAEncryption

The flags decode as:

#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */

I also have Autokey+IFF running between a 4.2.7p142 (amd64) client and a
4.2.6p2 (686) server on my home LAN.

I appreciate Dave Hart's patience with me on IRC while getting this up
and running.

-- 
Steve Kostecke koste...@ntp.org
NTP Public Services Project - http://support.ntp.org/
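The flags word Steve decodes above can be checked mechanically. The following is an added example, not code from the NTP project or from Steve's post: it pulls the relevant variables out of an `rv` dump, maps the word against exactly the CRYPTO_FLAG_* bits listed in the post, reports any bit the list does not cover (0x87f21 carries 0x80000, which is not in the table, so it is flagged rather than guessed at), and says whether every verification stage has been passed. The choice of stages in REQUIRED_MASK is an assumption drawn from that table.

```python
import re

# CRYPTO_FLAG_* bits exactly as quoted in the post (ntp_crypto.h, ntp-dev 4.2.7p142).
CRYPTO_FLAGS = {
    0x0001: "ENAB (crypto enable)",
    0x0020: "IFF (IFF identity scheme)",
    0x0100: "VALID (public key verified)",
    0x0200: "VRFY (identity verified)",
    0x0400: "PROV (signature verified)",
    0x0800: "AGREE (cookie verified)",
    0x1000: "AUTO (autokey verified)",
    0x2000: "SIGN (certificate signed)",
    0x4000: "LEAP (leapseconds table verified)",
}
LISTED_MASK = sum(CRYPTO_FLAGS)
# Stages an association must pass to count as authenticated end to end (my
# reading of the table): LEAP is optional and IFF is one scheme of several.
REQUIRED_MASK = 0x0001 | 0x0100 | 0x0200 | 0x0400 | 0x0800 | 0x1000 | 0x2000

# The variables from Steve's client-side "rv 6" dump that this check reads.
RV_SAMPLE = (
    "flash=00 ok, keyid=2472358740, offset=-1.346, delay=0.194, "
    "host=psp-fb1.ntp.org, flags=0x87f21, signature=md5WithRSAEncryption"
)

def decode_flags(flags):
    """Names of the listed bits that are set, plus any bits the table does not cover."""
    names = [name for bit, name in sorted(CRYPTO_FLAGS.items()) if flags & bit]
    return names, flags & ~LISTED_MASK

def parse_rv(text):
    """Pull the few comma-separated ntpq variables this check needs."""
    def grab(key, default):
        m = re.search(r"\b%s=([^,]*)" % key, text)
        return m.group(1).strip() if m else default
    return {"flags": int(grab("flags", "0"), 16),
            "flash": grab("flash", ""),
            "keyid": int(grab("keyid", "0")),
            "signature": grab("signature", "")}

def assess(rv_text):
    """Summarise whether the association is fully Autokey-authenticated."""
    v = parse_rv(rv_text)
    names, unlisted = decode_flags(v["flags"])
    return {"set": names,
            "unlisted_bits": unlisted,  # 0x80000 for Steve's dump: not in the table
            "fully_verified": (v["flags"] & REQUIRED_MASK) == REQUIRED_MASK,
            "flash_ok": v["flash"].startswith("00"),
            "keyid": v["keyid"],
            "signature": v["signature"]}
```

Feed it the output of `ntpq -c "rv <assID>"` for each Autokey association; an association whose `fully_verified` is false, or whose `unlisted_bits` are non-zero on a build you know, is the one to look at.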



Re: [ntp:questions] Venting steam: Autokey in 4.2.6/4.2.7

2011-03-29 Thread Uwe Klein

David L. Mills wrote:

> Miroslav,
>
> Unfortunately, while things were in flux, snapshots continued to be
> produced, which was counterproductive. I have no direct say in that.

Insert a compiler error on absence/presence of a private
environment variable that produces an adequately informative message.

If people remove it or otherwise brush past they are on their own.

They Have Been Warned.

uwe
