NTP server authentication
Hi,
I am trying to set up public key authentication of our primary NTP servers
using the IFF identity scheme. I do not know how to deal with password
(un)protected keys.
I run on server MYSERVER (with hostname and DNS name MYSERVER)
ntp-keygen -T -m 1024 -c RSA-SHA1 -p PASSWD
ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
I copied iff_key to client keys directory under the name ntpkey_iff_MYSERVER
On client, I run:
ntp-keygen -m 1024 -c RSA-SHA1 -p PASSWD
and ntp.conf contains:
crypto pw PASSWD
server MYSERVER autokey
This works very well when I use the same password on both client and server
but it does not work without password (i.e. neither '-p' in ntp-keygen nor
'pw' in ntp.conf) in both server and client. Why?
Using a password avoids applying two or more servers of different
authorities in a client configuration. Doesn't it?
Vladimir Smotlacha, vs@cesnet.cz
CESNET
Vladimir, 5/20/2005 10:36:26 AM
Hi,
Vladimir Smotlacha wrote:
> Hi,
>
> I am trying to set up public key authentication of our primary NTP servers
> using the IFF identity scheme. I do not know how to deal with password
> (un)protected keys.
>
> I run on server MYSERVER (with hostname and DNS name MYSERVER)
>
> ntp-keygen -T -m 1024 -c RSA-SHA1 -p PASSWD
>
> ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
>
> I copied iff_key to client keys directory under the name ntpkey_iff_MYSERVER
AFAIK, if you want to use a different password on the server, you must
export the IFF key on the server. If your server password is PASSWD, and
your client password is CLPASSWD, you should run the following command on
the server:
ntp-keygen -e -q PASSWD -p CLPASSWD > ntpkey_iff_hostname
where hostname is the client's hostname. Then copy the file
ntpkey_iff_hostname to the client, AFTER you have generated the cert and
host files on the client.
In order to verify that authentication works, please test running ntpd in
the foreground using the option -ddd.
In ntpd versions after ntpd 4.2.0a@1.1345 things have been messed up a bit.
If you run "ntpq -c as" as suggested in the docs, the output reports "auth
bad" even if authentication works OK. For details, please refer to
http://bugs.ntp.isc.org/show_bug.cgi?id=431
Hope this helps.
Best regards,
Martin
--
Martin Burnicki
Meinberg Funkuhren
Bad Pyrmont
Germany
Martin, 5/20/2005 12:38:18 PM
On 2005-05-20, Vladimir Smotlacha <vs@cesnet.cz> wrote:
> I am trying to setup public key authentication of our primary NTP
> servers using IFF identity schema. I do not know how to deal with
> password (un)protected keys.
There is a step-by-step guide to configuring Autokey Authentication at
http://ntp.isc.org/Support/ConfiguringAutokey. The author of that topic
is often on #ntp at irc.freenode.net.
> I run on server MYSERVER (with hostname and DNS name MYSERVER)
<snip>
> ntp-keygen -T -I -e -m 1024 -c RSA-SHA1 -p PASSWD > iff_key
This should be:
ntp-keygen -e -q server_password -p client_password > output_file
> I copied iff_key to client keys directory under the name
> ntpkey_iff_MYSERVER
You should also create a sym-link to that file. For example, on one of
my Autokey clients the client key file is named:
ntpkey_IFFkey_ntp0.kostecke.net.3315100165
and the symlink is: ntpkey_iff_ntp0.kostecke.net
The first line of the exported client key contains the file-name, BTW.
> On client, I run:
<snip>
An unrelated point: you can speed up the initial synchronization
with MYSERVER (to ~15 seconds) by adding 'iburst' to the server line:
server MYSERVER iburst autokey
> This works very well when I use the same password on both client and
> server but it does not work without password (i.e. neither '-p' in
> ntp-keygen nor 'pw' in ntp.conf) in both server and client. Why?
I've seen reports that it is possible to not use a server or client
password, but have not confirmed this myself.
> Using a password avoids applying two or more servers of different
> authorities in a client configuration. Doesn't it?
In the case of the IFF Identity Scheme, the server must possess the
IFFpar file from which the IFFkey file was exported to be trusted. The
password is just used to encrypt the IFFpar and IFFkey files.
You can use different passwords for every member of your NTP Trust Group
(i.e. the server and each client) *or* you could use a server password and
one shared client password *or* you could just share one password for
all members.
--
Steve Kostecke <kostecke@ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
Steve, 5/20/2005 12:50:22 PM
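Steve's point about file naming (the exported key's first line carries the name it should be stored under, and ntpd looks for the ntpkey_iff_<host> symlink) is easy to get wrong by hand. The following script is an added example, not code from the thread or from the NTP project: it reads that first line, validates the ntpkey_IFFkey_<host>.<timestamp> name, installs the file with mode 0600 and creates the symlink. The sample key body in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Install an IFF client key exported with "ntp-keygen -e ..." under the
# name recorded in its first comment line, then create the ntpkey_iff_<host>
# symlink that ntpd opens. Added example; the first-line convention
# "# ntpkey_IFFkey_<host>.<timestamp>" follows Steve's description above.

# install_iff_key <exported_file> <keys_dir>  -> prints the symlink path
install_iff_key() {
    exported=$1
    keysdir=$2
    # First line looks like "# ntpkey_IFFkey_ntp0.kostecke.net.3315100165";
    # sed prints it only when the leading "# " is actually present.
    name=$(sed -n '1s/^# *//p' "$exported")
    case "$name" in
        ntpkey_IFFkey_*.*) ;;
        *) echo "install_iff_key: no ntpkey_IFFkey header in $exported" >&2
           return 1 ;;
    esac
    # The trailing ".<timestamp>" must be all digits; the rest is the host.
    stamp=${name##*.}
    case "$stamp" in
        ''|*[!0-9]*) echo "install_iff_key: bad timestamp '$stamp'" >&2
                     return 1 ;;
    esac
    host=${name#ntpkey_IFFkey_}
    host=${host%.*}
    mkdir -p "$keysdir" || return 1
    # Private key material: owner-only permissions.
    cp "$exported" "$keysdir/$name" && chmod 600 "$keysdir/$name" || return 1
    # ntpd opens ntpkey_iff_<host>; point it at the timestamped file.
    rm -f "$keysdir/ntpkey_iff_$host"
    ln -s "$name" "$keysdir/ntpkey_iff_$host" || return 1
    printf '%s\n' "$keysdir/ntpkey_iff_$host"
}

# demo_install: writes a constructed sample export to a temp dir and installs it.
demo_install() {
    tmp=$(mktemp -d) || return 1
    {
        printf '%s\n' '# ntpkey_IFFkey_ntp0.kostecke.net.3315100165'
        printf '%s\n' '# Fri May 20 12:38:18 2005'
        printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----'
        printf '%s\n' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY'
        printf '%s\n' '-----END DSA PRIVATE KEY-----'
    } > "$tmp/iff_key"
    install_iff_key "$tmp/iff_key" "$tmp/keys"
}

demo_install
```

Run it against the real file exported by the server operator instead of the demo, with the client's keys directory (the one named by the `keysdir` directive in ntp.conf) as the second argument.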
Steve Kostecke wrote:
> This should be:
>
> ntp-keygen -e -q server_password -p client_password > output_file
>
Thank you for the suggestion. I tested this method of password change and it
works. But it does not solve my problem, as it requires generating the key
for every particular client password.
I'd like to arrange authentication for a public NTP server without taking care
of each individual client.
>
> I've seen reports that it is possible to not use a server or client
> password, but have not confirmed this myself.
>
I found and tested server time.pre-secure.de. The IFF-key is at
http://www.ecsirt.net/tools/crypto-ntp.html.
I checked that it works with any (or without) client password.
My goal is just to find how to make such IFF-key.
I didn't succeed in generating IFFpar (or IFFkey) without a password. If I omit
-p in ntp-keygen, the hostname is used as the default. If I tried
-p '', I got an empty file.
>
>>Using a password avoids applying two or more servers of different
>>authorities in a client configuration. Doesn't it?
>
>
> In the case of the IFF Identity Scheme, the server must possess the
> IFFpar file from which the IFFkey file was exported to be trusted. The
> password is just used to encrypt the IFFpar and IFFkey files.
>
> You can use different passwords for every member of your NTP Trust Group
> (i.e. the server and each client) *or* you could use a server password and
> one shared client password *or* you could just share one password for
> all members.
But how to solve this arrangement:
Two or more independent NTP Trust Groups operating authenticated NTP
servers. A client would like to use servers from two groups, but they deny
generating IFF keys with a specific client password.
The solution can be password-independent IFF keys (like time.pre-secure.de).
Best regards,
Vladimir
----------------------------------------------------------------------------
Vladimir Smotlacha                   CESNET z.s.p.o
E-Mail: vs@cesnet.cz                 Zikova 4
Phone: +420 2 24352915               160 00 Prague 6
Fax: +420 2 24313211                 Czech Republic
----------------------------------------------------------------------------
Vladimir, 5/20/2005 3:57:43 PM
On 2005-05-20, Vladimir Smotlacha <vs@cesnet.cz> wrote:
> Steve Kostecke wrote:
>
>> This should be:
>>
>> ntp-keygen -e -q server_password -p client_password > output_file
>>
>
> Thank you for the suggestion. I tested this method of password change and it
> works. But it does not solve my problem as it requires to generate the key
> for every particular client password.
You can use something like https://ntp.isc.org/crypto.php to solve this
problem.
> I'd like to arrange authentication for public ntp server without taking care
> for each individual client.
A shared client key with a shared password forces all clients of your
time-server to use the same crypto password.
A shared client key without a password forces all clients of your
time-server to not use any crypto password.
Neither of these choices is good.
The best solution is to export the client keys on the fly using an SSL
web-page (see the URL shown above).
--
Steve Kostecke <kostecke@ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
Steve, 5/20/2005 7:26:52 PM