Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-19 Thread Martin Burnicki

Antonio M. Moreiras wrote:
> We were using autokey at our public ntp servers(1) since 2011. We are
> now in the middle of a process to deactivate it, since 4.2.8 is broken
> (we could not make autokey work with 4.2.8 on Linux, it seems to be some
> issue related to the version 1.0.x of openssl).


Which NTP version have you been using before?

There has been a bug which could be the reason for the problem:

Bug 1243 - MD5auth_setkey zero-fills key from first zero octet
https://bugs.ntp.org/show_bug.cgi?id=1243

This has been fixed before 4.2.6, but unfortunately the fix breaks
compatibility between versions of ntpd which have it and versions which
don't. See comment #22:

https://bugs.ntp.org/show_bug.cgi?id=1243#c22

In 4.2.6 and newer there is a configuration option which can be used to 
force the old behavior:


  --enable-bug1243-fix   + use unmodified autokey session keys

So this may also depend on how the earlier versions of ntpd have been built.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
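
The effect named in the title of bug 1243, shown as an added illustration (not ntpd's code and not part of the original message): a key stored string-style is zero-filled from its first zero octet, so a peer that keeps every octet ends up holding a different key. The 16-octet key size, the sample keys and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KEY_LEN 16 /* assumed key size for this illustration */

/* String-style store: copy up to the first zero octet, zero-fill the rest. */
static void store_zero_filled(unsigned char *dst, const unsigned char *key)
{
    size_t i = 0;
    while (i < KEY_LEN && key[i] != 0) { dst[i] = key[i]; i++; }
    memset(dst + i, 0, KEY_LEN - i);
}

/* First octet where the zero-filled store differs from the key, or -1. */
int first_mismatch(const unsigned char *key)
{
    unsigned char stored[KEY_LEN];
    store_zero_filled(stored, key);
    for (int i = 0; i < KEY_LEN; i++)
        if (stored[i] != key[i]) return i;
    return -1;
}

/* Constructed sample keys, not taken from any real server. */
const unsigned char KEY_PLAIN[KEY_LEN] = {
    0x3a,0x91,0x5c,0x17,0x7e,0x22,0xb4,0x09,0xd1,0x6f,0x48,0xa3,0x0c,0xe5,0x93,0x2b};
const unsigned char KEY_EMBEDDED_ZERO[KEY_LEN] = {
    0x3a,0x91,0x5c,0x00,0x7e,0x22,0xb4,0x09,0xd1,0x6f,0x48,0xa3,0x0c,0xe5,0x93,0x2b};
const unsigned char KEY_TRAILING_ZERO[KEY_LEN] = {
    0x3a,0x91,0x5c,0x17,0x7e,0x22,0xb4,0x09,0xd1,0x6f,0x48,0xa3,0x0c,0xe5,0x93,0x00};

/* How many of n pseudo-random keys the two kinds of peer would disagree on. */
int count_affected(unsigned int seed, int n)
{
    int hits = 0;
    srand(seed);
    for (int k = 0; k < n; k++) {
        unsigned char key[KEY_LEN];
        for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(rand() >> 8);
        if (first_mismatch(key) >= 0) hits++;
    }
    return hits;
}

int main(void)
{
    printf("embedded zero: mismatch at octet %d\n", first_mismatch(KEY_EMBEDDED_ZERO));
    printf("affected: %d of 10000 random keys\n", count_affected(1, 10000));
    return 0;
}
```

Under the assumption of uniformly random 16-octet keys, only a few percent contain an embedded zero octet, so a mixed pair of peers in this model would agree on most keys and disagree on the rest; a key whose only zero octets are trailing is stored identically either way.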


Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-19 Thread Martin Burnicki

Harlan Stenn wrote:
> Antonio,
>
> "Antonio M. Moreiras" writes:
> > We were using autokey at our public ntp servers(1) since 2011. We are
> > now in the middle of a process to deactivate it, since 4.2.8 is broken
> > (we could not make autokey work with 4.2.8 on Linux, it seems to be some
> > issue related to the version 1.0.x of openssl).
> >
> > Probably we will let it deactivated. Maybe we are going back to
> > symmetric keys (at least between the servers), even if the issue is
> > fixed. We fostered our users to try and adopt autokey, but it seems
> > there was no interest in the feature.
> >
> > []s
> > Moreiras.
> >
> > [1] {a,b,c,a.st1,b.st1,c.st1,d.st1,gps}.ntp.br
>
> Thanks for the info.  I wasn't aware of any new problems with autokey in
> 4.2.8 and Martin Burnicki tested a number of cases - all worked for him.

Especially I've tested the interoperability between 4.2.8 and a newer
beta version. I haven't checked with pairs of 4.2.8 and 4.2.6 nodes,
though.


Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany



Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-16 Thread Harlan Stenn
Antonio,

"Antonio M. Moreiras" writes:
> We were using autokey at our public ntp servers(1) since 2011. We are
> now in the middle of a process to deactivate it, since 4.2.8 is broken
> (we could not make autokey work with 4.2.8 on Linux, it seems to be some
> issue related to the version 1.0.x of openssl).
> 
> Probably we will let it deactivated. Maybe we are going back to
> symmetric keys (at least between the servers), even if the issue is
> fixed. We fostered our users to try and adopt autokey, but it seems
> there was no interest in the feature.
> 
> []s
> Moreiras.
> 
> [1] {a,b,c,a.st1,b.st1,c.st1,d.st1,gps}.ntp.br

Thanks for the info.  I wasn't aware of any new problems with autokey in
4.2.8 and Martin Burnicki tested a number of cases - all worked for him.

Unless we find real interest in fixing some known issues with autokey, I
think the best thing to do is what you describe - stop using it.  We
expect to have Network Time Security (the IETF specification) up and
running in the next 6 months' time (more or less), and that should be a
much better solution.

H
--
> On 15/01/15 00h06m, Harlan Stenn wrote:
> > I'm trying to figure out if anybody is actively using autokey, in a
> > production deployment.
> > 
> > If you are, please let me know - I have some questions for you.
> > 


Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-16 Thread Antonio M. Moreiras
We were using autokey at our public ntp servers(1) since 2011. We are
now in the middle of a process to deactivate it, since 4.2.8 is broken
(we could not make autokey work with 4.2.8 on Linux, it seems to be some
issue related to the version 1.0.x of openssl).

Probably we will let it deactivated. Maybe we are going back to
symmetric keys (at least between the servers), even if the issue is
fixed. We fostered our users to try and adopt autokey, but it seems
there was no interest in the feature.

[]s
Moreiras.

[1] {a,b,c,a.st1,b.st1,c.st1,d.st1,gps}.ntp.br

On 15/01/15 00h06m, Harlan Stenn wrote:
> I'm trying to figure out if anybody is actively using autokey, in a
> production deployment.
> 
> If you are, please let me know - I have some questions for you.
> 


Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-16 Thread Martin Burnicki

Magnus Danielson wrote:
> Hi,
>
> On 01/15/2015 03:06 AM, Harlan Stenn wrote:
> > I'm trying to figure out if anybody is actively using autokey, in a
> > production deployment.
> >
> > If you are, please let me know - I have some questions for you.
>
> We use it to pull leap-second info off the NTP servers.
>
> It took some effort to get it running, and well, it hasn't been painless
> but we now got the process debugged anyway.
>
> Did the authkey-less distribution of leap-second info ever get
> implemented? I do know there was an I-D essentially interpreting the
> existing RFCs in such a way.

The new tzdist protocol will support getting leap second information
from a tzdist server. This uses the http protocol, so it can also be
fetched via https to make sure the information is authentic.

I'm expecting that once the tzdist standardization process has finished
time servers will serve both NTP or PTP, and tzdist.

This could be used to update the local TZDB including the leap second
file, so the "right" timezones can also be updated automatically, and
also programs like ntpd or ptpd could use this information, if the glue
logic is available.



Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany



Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-15 Thread Magnus Danielson

Hi,

On 01/15/2015 03:06 AM, Harlan Stenn wrote:
> I'm trying to figure out if anybody is actively using autokey, in a
> production deployment.
>
> If you are, please let me know - I have some questions for you.

We use it to pull leap-second info off the NTP servers.

It took some effort to get it running, and well, it hasn't been painless
but we now got the process debugged anyway.

Did the authkey-less distribution of leap-second info ever get
implemented? I do know there was an I-D essentially interpreting the
existing RFCs in such a way.


What kind of questions do you have?

Cheers,
Magnus


Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-15 Thread Harlan Stenn
Hal Murray writes:
> Is there a reasonable HOWTO type document describing how to set things
> up?
> 
> Several years ago, Dave announced that one of the machines at UDel was
> ready for testers.  I got as far as discovering that Autokey doesn't
> work through NAT boxes.  Since I'm behind a NAT box, I gave up.
> 
> I should be able to help testing by setting up a couple of local
> machines to use Autokey.  So the recipe I'm looking for has to cover
> both client and server in case there are any differences.

We have some information on support.ntp.org, but I'm not looking to
cause people to want to start using autokey.

The IETF working group is discussing the follow-on authentication
protocol, NTS (Network Time Security) and that's where our current
effort is focused.
-- 
Harlan Stenn 
http://networktimefoundation.org - be a member!


Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-15 Thread Hal Murray
Is there a reasonable HOWTO type document describing how to set things up?

Several years ago, Dave announced that one of the machines at UDel was ready 
for testers.  I got as far as discovering that Autokey doesn't work through 
NAT boxes.  Since I'm behind a NAT box, I gave up.

I should be able to help testing by setting up a couple of local machines to 
use Autokey.  So the recipe I'm looking for has to cover both client and 
server in case there are any differences.


-- 
These are my opinions.  I hate spam.





Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-15 Thread Marco Marongiu
On 15/01/15 03:06, Harlan Stenn wrote:
> I'm trying to figure out if anybody is actively using autokey, in a
> production deployment.
> 
> If you are, please let me know - I have some questions for you.
> 

That's in my TO-DO list since at least 2011. When I tried to configure
it at the time and on the ntpd version that was bundled with Debian
Lenny it didn't work properly. Whether it was because I f* it up or
because it wasn't properly implemented, I couldn't tell honestly.

In short: using now, no; will use in the future, definitely yes!

Ciao
-- bronto



Re: [ntp:questions] NTP Autokey - who is actively using it?

2015-01-14 Thread Garrett Wollman
In article ,
Harlan Stenn   wrote:
>I'm trying to figure out if anybody is actively using autokey, in a
>production deployment.
>
>If you are, please let me know - I have some questions for you.

For what it's worth, I tried, but Dave's documentation wasn't enough
for me to understand how it was supposed to work, or indeed to make it
work without understanding it, and eventually I gave up.  I don't
think I ever quite figured out the scenario that the various types of
authentication were intended to work on, and the whole goofy
let's-use-the-X.509-data-structures-even-though-we're-not-really-doing-PKI
business left a sour taste.

-GAWollman
-- 
Garrett A. Wollman     | What intellectual phenomenon can be older, or more oft
woll...@bimajority.org | repeated, than the story of a large research program
Opinions not shared by | that impaled itself upon a false central assumption
my employers.          | accepted by all practitioners? - S.J. Gould, 1993
