[ntp:questions] NTP server authentication
Vladimir Smotlacha
2005-05-20 10:36:26 UTC
Hi,

I am trying to set up public key authentication of our primary NTP servers
using IFF identity schema. I do not know how to deal with password
(un)protected keys.

I run on server MYSERVER (with hostname and DNS name MYSERVER)

ntp-keygen -T -m 1024 -c RSA-SHA1 -p PASSWD

ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key

I copied iff_key to client keys directory under the name ntpkey_iff_MYSERVER



On client, I run:

ntp-keygen -m 1024 -c RSA-SHA1 -p PASSWD

and ntp.conf contains:

crypto pw PASSWD

server MYSERVER autokey



This works very well when I use the same password on both client and server
but it does not work without a password (i.e. neither '-p' in ntp-keygen nor
'pw' in ntp.conf) on both server and client. Why?

Using a password avoids applying two or more servers of different
authorities in a client configuration. Doesn't it?

Vladimir Smotlacha, vs at cesnet.cz

CESNET
Martin Burnicki
2005-05-20 12:38:18 UTC
Hi,
Post by Vladimir Smotlacha
Hi,
I am trying to set up public key authentication of our primary NTP servers
using IFF identity schema. I do not know how to deal with password
(un)protected keys.
I run on server MYSERVER (with hostname and DNS name MYSERVER)
ntp-keygen -T -m 1024 -c RSA-SHA1 -p PASSWD
ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
I copied iff_key to client keys directory under the name ntpk
ey_iff_MYSERVER
AFAIK, if you want to use a different password on the server, you must
export the IFF key on the server. If your server password is PASSWD, and
your client password is CLPASSWD, you should run the following command on
the server:

ntp-keygen -e -q PASSWD -p CLPASSWD > ntpkey_iff_hostname

where hostname is the client's hostname. Then copy the file
ntpkey_iff_hostname to the client, AFTER you have generated the cert and
host files on the client.

In order to verify that authentication works, please test running ntpd in
the foreground using the option -ddd.

In ntpd versions after ntpd 4.2.0a@1.1345 things have been messed up a bit.
If you run "ntpq -c as" as suggested in the docs, the output reports "auth
bad" even if authentication works OK. For details, please refer to
http://bugs.ntp.isc.org/show_bug.cgi?id=431


Hope this helps.


Best regards,

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
Steve Kostecke
2005-05-20 12:50:22 UTC
Post by Vladimir Smotlacha
I am trying to set up public key authentication of our primary NTP
servers using IFF identity schema. I do not know how to deal with
password (un)protected keys.
There is a step-by-step guide to configuring Autokey Authentication at
http://ntp.isc.org/Support/ConfiguringAutokey. The author of that topic
is often on #ntp at irc.freenode.net.
Post by Vladimir Smotlacha
I run on server MYSERVER (with hostname and DNS name MYSERVER)
<snip>
Post by Vladimir Smotlacha
ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
This should be:

ntp-keygen -e -q server_password -p client_password > output_file
Post by Vladimir Smotlacha
I copied iff_key to client keys directory under the name
ntpkey_iff_MYSERVER
You should also create a sym-link to that file. For example, on one of
my Autokey clients the client key file is named:

ntpkey_IFFkey_ntp0.kostecke.net.3315100165

and the symlink is: ntpkey_iff_ntp0.kostecke.net

The first line of the exported client key contains the file-name, BTW.
<snip>

An unrelated point: you can speed up the initial synchronization
with MYSERVER (to ~15 seconds) by adding 'iburst' to the server line:

server MYSERVER iburst autokey
Post by Vladimir Smotlacha
This works very well when I use the same password on both client and
server but it does not work without a password (i.e. neither '-p' in
ntp-keygen nor 'pw' in ntp.conf) on both server and client. Why?
I've seen reports that it is possible to not use a server or client
password, but have not confirmed this myself.
Post by Vladimir Smotlacha
Using a password avoids applying two or more servers of different
authorities in a client configuration. Doesn't it?
In the case of the IFF Identity Scheme, the server must possess the
IFFpar file from which the IFFkey file was exported to be trusted. The
password is just used to encrypt the IFFpar and IFFkey files.

You can use different passwords for every member of your NTP Trust Group
(i.e. the server and each client) *or* you could use a server password and
one shared client password *or* you could just share one password for
all members.
--
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
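Steve's naming advice above, as an added shell example that is not from the thread: it installs an exported IFF client key under the file name carried in the key's first header line and creates the ntpkey_iff_<host> symlink. The header layout (`# <filename>`) is assumed from Steve's remark, and the sample key body is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Installs an exported IFF client key
# under the file name recorded in its header line and creates the
# ntpkey_iff_<host> symlink that ntpd looks up. The key file below is a
# constructed placeholder, not real ntp-keygen output.

# install_iff_key EXPORTED_FILE KEYSDIR
# Prints the path of the symlink it created; returns 1 if the header does
# not look like an exported IFFkey file.
install_iff_key() {
    exported="$1"
    keysdir="$2"
    # Assumption: line 1 of an ntp-keygen export reads "# <filename>".
    fname=$(sed -n '1s/^# *\([^ ]*\).*/\1/p' "$exported")
    case "$fname" in
        ntpkey_IFFkey_*.*) ;;
        *) echo "not an exported IFFkey file: $exported" >&2; return 1 ;;
    esac
    # Drop the "ntpkey_IFFkey_" prefix and the trailing ".<NTP seconds>".
    host=${fname#ntpkey_IFFkey_}
    host=${host%.*}
    mkdir -p "$keysdir"
    cp "$exported" "$keysdir/$fname"
    chmod 600 "$keysdir/$fname"       # group key material: owner-only
    rm -f "$keysdir/ntpkey_iff_$host"
    ln -s "$fname" "$keysdir/ntpkey_iff_$host"
    printf '%s\n' "$keysdir/ntpkey_iff_$host"
}

# Constructed sample exported client key (placeholder body).
demo=$(mktemp -d)
cat > "$demo/iff_key" <<'EOF'
# ntpkey_IFFkey_ntp0.example.net.3315100165
# Fri May 20 12:50:22 2005
-----BEGIN PLACEHOLDER-----
not-real-key-material
-----END PLACEHOLDER-----
EOF
link=$(install_iff_key "$demo/iff_key" "$demo/keys")
echo "created $link -> $(readlink "$link")"
```

Run it against a real export to get both the timestamped file and the short name ntpd resolves; a file whose header is not an IFFkey export is rejected instead of being linked.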
Vladimir Smotlacha
2005-05-20 15:57:43 UTC
Post by Steve Kostecke
ntp-keygen -e -q server_password -p client_password > output_file
Thank you for the suggestion. I tested this method of password change and it
works. But it does not solve my problem as it requires generating the key
for every particular client password.
I'd like to arrange authentication for a public ntp server without taking care
of each individual client.
Post by Steve Kostecke
I've seen reports that it is possible to not use a server or client
password, but have not confirmed this myself.
I found and tested server time.pre-secure.de. The IFF-key is at
http://www.ecsirt.net/tools/crypto-ntp.html.
I checked that it works with any (or without) client password.
My goal is just to find how to make such IFF-key.

I didn't succeed in generating IFFpar (or IFFkey) without a password. If I omit
-p in ntp-keygen, hostname is used as default. If I tried
-p '', I got an empty file.
Post by Steve Kostecke
Post by Vladimir Smotlacha
Using a password avoids applying two or more servers of different
authorities in a client configuration. Doesn't it?
In the case of the IFF Identity Scheme, the server must possess the
IFFpar file from which the IFFkey file was exported to be trusted. The
password is just used to encrypt the IFFpar and IFFkey files.
You can use different passwords for every member of your NTP Trust Group
(i.e. the server and each client) *or* you could use a server password and
one shared client password *or* you could just share one password for
all members.
But how to solve this arrangement:

Two or more independent NTP Trust Groups operating authenticated NTP
servers. A client likes to use servers from two groups but they deny
generating IFF keys with specific client password.

The solution can be password independent IFF-keys (like time.pre-secure.de).


Best regards,

Vladimir

----------------------------------------------------------------------------
Vladimir Smotlacha                      CESNET z.s.p.o
E-Mail: vs at cesnet.cz                 Zikova 4
Phone: +420 2 24352915                  160 00 Prague 6
Fax: +420 2 24313211                    Czech Republic
----------------------------------------------------------------------------
Steve Kostecke
2005-05-20 19:26:52 UTC
Post by Vladimir Smotlacha
Post by Steve Kostecke
ntp-keygen -e -q server_password -p client_password > output_file
Thank you for the suggestion. I tested this method of password change and it
works. But it does not solve my problem as it requires generating the key
for every particular client password.
You can use something like https://ntp.isc.org/crypto.php to solve this
problem.
Post by Vladimir Smotlacha
I'd like to arrange authentication for a public ntp server without taking care
of each individual client.
A shared client key with a shared password forces all clients of your
time-server to use the same crypto password.

A shared client key without a password forces all clients of your
time-server to not use any crypto password.

Neither of these choices is good.

The best solution is to export the client keys on the fly using an SSL
web-page (see the URL shown above).
--
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/