Discussion:
[ntp:questions] Authentication problem
Dennis Hilberg, Jr.
2008-02-26 19:29:58 UTC
I've had this issue with authentication for a while, but decided to finally
ask as it's bugging me.

I use ntpdc to add/remove servers on the fly so I don't have to restart the
server. It works fine using addserver and unconfig as long as I don't quit
ntpdc.

saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
MD5 Password:
done!
ntpdc> unconfig 63.240.161.99
done!

However, if I quit ntpdc, start ntpdc, issue the unconfig command and put in
the proper password when prompted, it won't be accepted. addserver works
fine though.

ntpdc> quit
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
MD5 Password:
done!
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> readkeys
***Permission denied

The only way I've found to get it to work is to quit again and issue the
readkeys command. The readkeys command won't be accepted until I quit and
restart ntpdc again.

ntpdc> quit
saturn:$ ntpdc
ntpdc> readkeys
Keyid: 1
MD5 Password:
done!
ntpdc> unconfig 63.240.161.99
done!

Am I doing something wrong, is there a bug, or is that the correct behavior
of ntpdc?

I have the following in my ntp.conf:

# Authentication

keys /etc/ntp/keys

trustedkey 1
requestkey 1
controlkey 1

And my keys file looks like this:

1 M somepassword


Thanks,

Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
David L. Mills
2008-02-26 21:16:26 UTC
Dennis,

The ntpdc program has not been actively maintained for some time. The
principal problem is that the ntpdc remote configuration commands are
incompatible with the pool and manycast schemes.

The ntpq program can now generate configuration file commands, but the
command set is incomplete. For instance, there is no demobilize command.
If ntpdc works, even if buggy, use it. It would be helpful if you could
wiggle the ntpq facilities and speak up about what you think it should
and should not do.

Dave
Post by Dennis Hilberg, Jr.
I've had this issue with authentication for a while, but decided to
finally ask as it's bugging me.
I use ntpdc to add/remove servers on the fly so I don't have to restart
the server. It works fine using addserver and unconfig as long as I
don't quit ntpdc.
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
done!
ntpdc> unconfig 63.240.161.99
done!
However, if I quit ntpdc, start ntpdc, issue the unconfig command and
put in the proper password when prompted, it won't be accepted.
addserver works fine though.
ntpdc> quit
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
done!
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> readkeys
***Permission denied
The only way I've found to get it to work is to quit again and issue the
readkeys command. The readkeys command won't be accepted until I quit
and restart ntpdc again.
ntpdc> quit
saturn:$ ntpdc
ntpdc> readkeys
Keyid: 1
done!
ntpdc> unconfig 63.240.161.99
done!
Am I doing something wrong, is there a bug, or is that the correct
behavior of ntpdc?
# Authentication
keys /etc/ntp/keys
trustedkey 1
requestkey 1
controlkey 1
1 M somepassword
Thanks,
Dennis
Dennis Hilberg, Jr.
2008-02-27 05:23:30 UTC
Post by David L. Mills
Dennis,
The ntpdc program has not been actively maintained for some time. The
principal problem is that the ntpdc remote configuration commands are
incompatible with the pool and manycast schemes.
The ntpq program can now generate configuration file commands, but the
command set is incomplete. For instance, there is no demobilize command.
If ntpdc works, even if buggy, use it. It would be helpful if you could
wiggle the ntpq facilities and speak up about what you think it should
and should not do.
I looked through the ntpq documentation on the UDel website, but could not
find anything regarding runtime configuration commands. Only for ntpdc.

If you could point me to some documentation concerning ntpq runtime
configuration commands, I'd be happy to mess around with it.
Post by David L. Mills
Dave
Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
David L. Mills
2008-02-28 18:07:00 UTC
Dennis,

The ntpq remote configuration is a work in progress. The original author
got pulled off on another project before the documentation was complete.
However, a little poking reveals that a ntpq command beginning with
":config" sends the rest of the line to the server, which interprets it
as a vanilla configuration file command. This of course requires
authentication as in ntpdc.

As I said, the implementation is incomplete and very likely additional
commands will be useful in future. Your comments are invited.

Dave
Post by Dennis Hilberg, Jr.
Post by David L. Mills
Dennis,
The ntpdc program has not been actively maintained for some time. The
principal problem is that the ntpdc remote configuration commands are
incompatible with the pool and manycast schemes.
The ntpq program can now generate configuration file commands, but the
command set is incomplete. For instance, there is no demobilize
command. If ntpdc works, even if buggy, use it. It would be helpful if
you could wiggle the ntpq facilities and speak up about what you think
it should and should not do.
I looked through the ntpq documentation on the UDel website, but could
not find anything regarding runtime configuration commands. Only for ntpdc.
If you could point me to some documentation concerning ntpq runtime
configuration commands, I'd be happy to mess around with it.
Post by David L. Mills
Dave
Dennis
Harlan Stenn
2008-02-27 00:51:10 UTC
Dennis> I've had this issue with authentication for a while, but decided to
Dennis> finally ask as it's bugging me.

Dennis> I use ntpdc to add/remove servers on the fly so I don't have to
Dennis> restart the server. It works fine using addserver and unconfig as
Dennis> long as I don't quit ntpdc.

Dennis> saturn:$ ntpdc
Dennis> ntpdc> addserver 63.240.161.99
Dennis> Keyid: 1 MD5 Password: done!
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> done!

Dennis> However, if I quit ntpdc, start ntpdc, issue the unconfig command
Dennis> and put in the proper password when prompted, it won't be
Dennis> accepted. addserver works fine though.

Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> addserver 63.240.161.99
Dennis> Keyid: 1 MD5 Password: done!
Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
Dennis> ntpdc> readkeys
Dennis> ***Permission denied

I think this is because you have not respecified the keyid.

Try giving the 'keyid' command after you restart ntpdc to be sure.

I'm not sure why you were not asked for it though...

And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
quite a while now, and the new config parsing code does not have an
"unconfig" command yet (near as I can remember).

I am aware of two obvious solutions to this problem (as well as many others)
but since I mention these two solutions Frequently I'll refrain from
repeating them at this time.
--
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org - be a member!
Dennis Hilberg, Jr.
2008-02-27 05:17:19 UTC
Post by Harlan Stenn
I think this is because you have not respecified the keyid.
That solves the issue just fine. I'll just have to remember to say 'keyid 1'
whenever I start ntpdc.
Post by Harlan Stenn
Try giving the 'keyid' command after you restart ntpdc to be sure.
It does say no keyid defined.
Post by Harlan Stenn
I'm not sure why you were not asked for it though...
I found that odd. When I issue the addserver command, I get prompted for the
keyid, but not when I issue the unconfig command. That's the problem.
Post by Harlan Stenn
And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
quite a while now, and the new config parsing code does not have an
"unconfig" command yet (near as I can remember).
Sorry, I'm not a very accomplished programmer. Otherwise I'd be glad to help
out, time permitting.
Post by Harlan Stenn
I am aware of two obvious solutions to this problem (as well as many others)
but since I mention these two solutions Frequently I'll refrain from
repeating them at this time.
Like I mentioned, specifying 'keyid 1' right after starting ntpdc solves the
problem. Although I'd be interested in other solutions, or at least point me
to where you've talked about them before. I use ntpdc regularly for
adding/removing servers and fudging refclock values, etc. It's useful as I
don't have to restart the server all the time.

Not that it matters, as no one is maintaining ntpdc currently, but I think I
found a bug while messing with it:

saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> keyid
keyid is 134682920

It seems to randomly generate a keyid and specify it for use, and then
prompt for a password for that keyid even though it doesn't exist. And if I
do it again:

saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> keyid
keyid is 134686616

A different keyid is generated.

Anyway, thanks for the help!
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
Harlan Stenn
2008-02-27 05:53:09 UTC
Harlan> I think this is because you have not respecified the keyid.

Dennis> That solves the issue just fine. I'll just have to remember to say
Dennis> 'keyid 1' whenever I start ntpdc.

I suspect one of your command choices *requires* a key and for the other it
is optional. That's just a guess though...

Harlan> I am aware of two obvious solutions to this problem (as well as many
Harlan> others) but since I mention these two solutions Frequently I'll
Harlan> refrain from repeating them at this time.

Dennis> Like I mentioned, specifying 'keyid 1' right after starting ntpdc
Dennis> solves the problem. Although I'd be interested in other solutions,
Dennis> or at least point me to where you've talked about them before.

The solutions I alluded to all boil down to the same thing - getting
somebody to work on it.

One way is to find a volunteer. The other way is for "enough" companies (or
a bunch more individuals) to join the NTP Forum, as that will generate cash
to pay somebody to fix these things. Another way I just realized is for
folks to either straight out donate money to the project, or see if we can
start using the "bounty" idea to get these fixed.

Dennis> Not that it matters, as no one is maintaining ntpdc currently, but I
Dennis> think I found a bug while messing with it:

Dennis> saturn:$ ntpdc
ntpdc> keyid
Dennis> no keyid defined
ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
ntpdc> keyid
Dennis> keyid is 134682920

Feel free to open a bug report on this. While there is little chance
somebody will fix it, there is *no* chance it will be fixed if nobody
remembers it.
--
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org - be a member!
Dennis Hilberg, Jr.
2008-02-27 08:05:22 UTC
Post by Harlan Stenn
Dennis> Not that it matters, as no one is maintaining ntpdc currently, but I
Dennis> saturn:$ ntpdc
ntpdc> keyid
Dennis> no keyid defined
ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
ntpdc> keyid
Dennis> keyid is 134682920
Feel free to open a bug report on this. While there is little chance
somebody will fix it, there is *no* chance it will be fixed if nobody
remembers it.
I just did, bug 1003.

https://support.ntp.org/bugs/show_bug.cgi?id=1003

Hopefully someone will get to it, but if not at least it's documented.
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
Serge Bets
2008-02-27 14:30:23 UTC
Hello Harlan,
Post by Harlan Stenn
I suspect one of your command choices *requires* a key and for the
other it is optional. That's just a guess though...
Both "addserver" and "unconfig" require a keyid/password pair.

Some confusion may come from the fact that "addserver" can have to deal
with 2 different keyids, one to authenticate the sent ntpdc command, and
another to authenticate the added server.

- In "addserver <ip> <keyid>", the keyid is to be used by the added
association. No prompt for a password, the remote client and its server
have identical ntp.keys values for this keyid, and they will use it in
usual mode 3 and 4 packets (client/server mode).

- When you enter "keyid <keyid>", or reply to the "Keyid:" prompt, this
should be used only for the sent mode 7 commands. You are prompted for
a password, and the remote client you attempt to reconfigure has the
trusted-request-keyid/password in its ntp.keys.

This was the original design. However the patch in bug 401 messed-up
this clear separation. Solution: remove this harmful patch. And keep bug
401 open, waiting for its own rethinked solution. Removing the patch
will also automagically fix bug 1003, AFAICS.


Serge.
--
Serge point Bets arobase laposte point net
Dennis Hilberg, Jr.
2008-02-27 20:03:25 UTC
Post by Serge Bets
This was the original design. However the patch in bug 401 messed-up
this clear separation. Solution: remove this harmful patch. And keep bug
401 open, waiting for its own rethinked solution. Removing the patch
will also automagically fix bug 1003, AFAICS.
It does. I removed the 401 patch code and replaced it with the original
code, and now addserver and unconfig both prompt for a keyid when one isn't
specified.

I created a unified diff patch and attached it to the bug report for those
interested. It works with ntp 4.2.4p4.

http://bugs.ntp.org/1003
Post by Serge Bets
Serge.
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
Danny Mayer
2008-02-29 20:48:52 UTC
Post by Dennis Hilberg, Jr.
Not that it matters, as no one is maintaining ntpdc currently, but I think I
saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> keyid
keyid is 134682920
It seems to randomly generate a keyid and specify it for use, and then
prompt for a password for that keyid even though it doesn't exist. And if I
saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> keyid
keyid is 134686616
A different keyid is generated.
Anyway, thanks for the help!
It's using an uninitialized variable so the value is random junk. We
probably should set it to 0 assuming that you cannot use 0 for a keyid.

Danny
Serge Bets
2008-02-27 12:18:01 UTC
Hello Dennis,
start ntpdc, issue the unconfig command and put in the proper password
when prompted, it won't be accepted.
It is a bug, introduced three years ago by a wrong fix for another bug.
Previously "unconfig" was prompting for both a keyid and a password, as
it should. Since then, it prompts for a password only, which is not
enough. Full story at <http://bugs.ntp.org/401>.
addserver works fine though.
It may fail too, if the requestkey-id and the symmetric keyid used to
authenticate the added server are not the same.


An easy workaround is to preset the requestkey-id:

| ntpdc> keyid 1
| ntpdc> unconfig 63.240.161.99
| MD5 Password: somepassword
| done!

But even that could fail with the current ntp-dev: "attempt to remove
configure bit is invalid".


Serge.
--
Serge point Bets arobase laposte point net
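
An added illustration (not code from ntpdc or from any poster in this thread) of why the correct password still gets "Permission denied" when the key ID is wrong: a simplified Python model of the server-side check, assuming the usual symmetric-key MAC layout of a 4-byte key ID followed by MD5(secret || payload). The payload bytes and all function names are constructed; the real mode 7 wire format and its timestamp are omitted.

```python
import hashlib
import hmac
import struct

# Constructed server state mirroring the thread's configuration:
#   keys file: "1 M somepassword"   ntp.conf: trustedkey 1, requestkey 1
SERVER_KEYS = {1: b"somepassword"}
TRUSTED = {1}
REQUEST_KEY = 1

# Stand-in for the binary request body (constructed, not the real wire format).
PAYLOAD = b"unconfig 63.240.161.99"


def mac_for(keyid, secret, payload):
    """Client side: 4-byte key ID in network order, then MD5(secret || payload)."""
    digest = hashlib.md5(secret + payload).digest()
    return struct.pack("!I", keyid) + digest


def server_accepts(payload, mac):
    """Server side: the key ID selects the secret before any digest is compared."""
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid != REQUEST_KEY or keyid not in TRUSTED:
        return False  # wrong key ID: the password is never even looked at
    secret = SERVER_KEYS.get(keyid)
    if secret is None:
        return False
    expected = hashlib.md5(secret + payload).digest()
    return hmac.compare_digest(expected, mac[4:])


def client_request(keyid, password, payload=PAYLOAD):
    """Build an authenticated request and return the server's verdict."""
    return server_accepts(payload, mac_for(keyid, password, payload))


if __name__ == "__main__":
    # Key ID preset with "keyid 1", correct password: accepted.
    print("keyid 1, right password:", client_request(1, b"somepassword"))
    # Junk key ID as shown in the thread, correct password: denied.
    print("keyid 134682920, right password:",
          client_request(134682920, b"somepassword"))
    # Right key ID, wrong password: denied.
    print("keyid 1, wrong password:", client_request(1, b"wrongpassword"))
```
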
c***@gmail.com
2015-02-27 05:17:13 UTC
Post by Dennis Hilberg, Jr.
I've had this issue with authentication for a while, but decided to finally
ask as it's bugging me.
I use ntpdc to add/remove servers on the fly so I don't have to restart the
server. It works fine using addserver and unconfig as long as I don't quit
ntpdc.
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
done!
ntpdc> unconfig 63.240.161.99
done!
However, if I quit ntpdc, start ntpdc, issue the unconfig command and put in
the proper password when prompted, it won't be accepted. addserver works
fine though.
ntpdc> quit
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
done!
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
***Permission denied
ntpdc> readkeys
***Permission denied
The only way I've found to get it to work is to quit again and issue the
readkeys command. The readkeys command won't be accepted until I quit and
restart ntpdc again.
ntpdc> quit
saturn:$ ntpdc
ntpdc> readkeys
Keyid: 1
done!
ntpdc> unconfig 63.240.161.99
done!
Am I doing something wrong, is there a bug, or is that the correct behavior
of ntpdc?
# Authentication
keys /etc/ntp/keys
trustedkey 1
requestkey 1
controlkey 1
1 M somepassword
Thanks,
Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
Hi, I'm lately upgrading the ntp from 4.6.5 to 4.8.1p, when I use ntpq to add server, it prompted for a keyid and MD5 password. I don't know how to get this keyid and password. Before the upgrade, the keyid is 0, so it doesn't need authentification. Can you tell me how to get the keyid and password? Thank you.
Martin Burnicki
2015-02-27 08:41:16 UTC
Post by Dennis Hilberg, Jr.
# Authentication
keys /etc/ntp/keys
trustedkey 1
requestkey 1
controlkey 1
1 M somepassword
Thanks,
Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
Hi, I'm lately upgrading the ntp from 4.6.5 to 4.8.1p, ...
Hm, I guess you mean from 4.2.6p5 to 4.2.8p1, and I hope your spelling
is more accurate in your config files. ;-)
... when I use ntpq to add server, it prompted for a keyid and MD5
password. I don't know how to get this keyid and password. Before the
upgrade, the keyid is 0, so it doesn't need authentification. Can you
tell me how to get the keyid and password? Thank you.
Have you read what Dennis has written, quoted above?

If you are using symmetric key authentication as for use with ntpq then
you have to create a text file containing one or more keys, for example
a file /etc/ntp.keys with these lines:

1 M somepassword
5 M anotherpassword

In ntp.conf you have to specify a path to this file, e.g.:

keys /etc/ntp.keys # path for keys file

and you need to specify which of the keys (1 or 5 in this example)
should be used for which purposes, e.g.

trustedkey 1 5 # define trusted keys
controlkey 5 # this key to be used with ntpq (mode 6 packets)

In NTP 4.2.6p5 you could also specify

requestkey 5 # this key to be used with ntpdc (mode 7 packets)

but the latter should be obsolete in 4.2.8 since the functionality of
ntpdc has been moved to the ntpq utility, and ntpdc isn't used anymore
by default.

When ntpq asks you for a key ID and password you have to enter key ID
"5" (since this is the control key) and the associated password
"anotherpassword", or whatever your file contains.


You can also use the ntp-keygen utility to generate a file with several
keys. For example, ntp-keygen -M generates a file containing lines like
this:

1 MD5 758gBsvq9OEG@;l;niFT # MD5 key
2 MD5 &5oL9nE/"B3![kpc\Tv0 # MD5 key
3 MD5 w5t/1(E@,lGJi^-]3F"h # MD5 key
4 MD5 QzH$eq/yAb;x>38Ga)0^ # MD5 key
5 MD5 *CUj^t)L"0XL;=[L7-KW # MD5 key
6 MD5 x?_q^3Xd:d[im[iBvM%[ # MD5 key
7 MD5 Zd5wky*r;[0e?h2l{%]t # MD5 key
8 MD5 f[N'S7'&***@wd.QU^JpB # MD5 key
9 MD5 =[)AG6WZQK-'gFD&rmNV # MD5 key
10 MD5 -3OB0VbnAV0/O=HT5he) # MD5 key
11 SHA1 9b759ab4409e0e24d3949d07e3cf52c2f0e7e2c4 # SHA1 key
12 SHA1 7335501b2b8fbfe622f4d14ad5636ddbcde648ed # SHA1 key
13 SHA1 67b52deb3ff2b5efdc318da522c0f88403e31f8e # SHA1 key
14 SHA1 c0b539b695002f8ce912d8c7ef2a6caa019b5838 # SHA1 key
15 SHA1 0eba962d966aa1723d679dbec08f0f4bc4cc3afa # SHA1 key
16 SHA1 f46a4b9adec3a11abdeb9e55b50ea7fdb775f951 # SHA1 key
17 SHA1 dc50c6de43b7953a87386e4babd0188e36f74527 # SHA1 key
18 SHA1 2ea2a9237824f9e7098c539604de518b89eee2ad # SHA1 key
19 SHA1 5b835caa6409adf2ead5c6639897c20bcf073c39 # SHA1 key
20 SHA1 3826bb111ab07755d790a8d81bb6139991c87e9c # SHA1 key

However, the name of the created file is somewhat different, so either
you have to copy/rename it to /etc/ntp.keys, or you have to specify the
real file name in ntp.conf.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
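
An added example (not part of Martin's post or of the NTP distribution): a small Python check that a keys file and the ntp.conf directives described above agree with each other. The function names and sample inputs are constructed for illustration, and key ID ranges in trustedkey are not handled.

```python
def parse_keys(text):
    """Return {keyid: (type, secret)} from lines of the form '<id> <type> <secret>'."""
    keys = {}
    for line in text.splitlines():
        tok = line.split()
        # Skip blanks, comments and anything that does not start with a numeric ID.
        if len(tok) < 3 or not tok[0].isdigit():
            continue
        keys[int(tok[0])] = (tok[1], tok[2])
    return keys


def parse_conf(text):
    """Collect only the authentication directives used in the thread."""
    conf = {"keys": None, "trustedkey": set(),
            "controlkey": None, "requestkey": None}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()   # drop trailing comments
        if not tok:
            continue
        name, args = tok[0], tok[1:]
        if name == "keys" and args:
            conf["keys"] = args[0]
        elif name == "trustedkey":
            conf["trustedkey"].update(int(a) for a in args if a.isdigit())
        elif name in ("controlkey", "requestkey") and args and args[0].isdigit():
            conf[name] = int(args[0])
    return conf


def audit(conf_text, keys_text):
    """Return a list of inconsistencies between ntp.conf and the keys file."""
    conf, keys = parse_conf(conf_text), parse_keys(keys_text)
    findings = []
    if conf["keys"] is None:
        findings.append("no 'keys' path configured")
    for role in ("controlkey", "requestkey"):
        kid = conf[role]
        if kid is None:
            continue
        if kid not in keys:
            findings.append(f"{role} {kid} is not defined in the keys file")
        if kid not in conf["trustedkey"]:
            findings.append(f"{role} {kid} is not listed in trustedkey")
    for kid in sorted(conf["trustedkey"] - set(keys)):
        findings.append(f"trustedkey {kid} is not defined in the keys file")
    if conf["controlkey"] is None:
        findings.append("no controlkey set for ntpq (mode 6) requests")
    return findings


# Constructed inputs based on the example in the post above.
KEYS_FILE = "1 M somepassword\n5 M anotherpassword\n"
GOOD_CONF = "keys /etc/ntp.keys # path for keys file\ntrustedkey 1 5\ncontrolkey 5\n"
BAD_CONF = "keys /etc/ntp.keys\ntrustedkey 1 5\ncontrolkey 7\n"

if __name__ == "__main__":
    print("good:", audit(GOOD_CONF, KEYS_FILE))
    print("bad: ", audit(BAD_CONF, KEYS_FILE))
```
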