I spent several hours trying to get broadcast NTP to work properly
with authentication enabled using private keys. I was also seeing
'Transmit: no encryption key found', and despite reading the included
documentation, the ntp online web documentation, and the source
code, the answer did not leap out at me.

I am posting here in case other people having the same problem do
a web search as I did and hopefully find this information useful.

For both 'broadcast' (broadcast server) and 'broadcastclient', I
had to also include 'trustedkey N' in my config for private key
authentication to work. Of course, the same key text must be present on
both the client and server, plus the 'broadcast' statement on the
server must say which specific key to use. Yes, the documentation
implicitly explains that trustedkey is needed for a key to be valid,
but there is no private key broadcastclient example to show simply that
trustedkey is needed in that case, so it took me a while to connect the
dots. The autokey scheme definitely appears superior, and I would use
it if I had rsaref installed. So my server ntp.conf contains:

server server1.xyz.com iburst
server server2.abc.edu iburst
requestkey 15
controlkey 15
trustedkey 1 2 15
keys /etc/ntp.keys
broadcast 192.168.255.255 key 1
driftfile /etc/ntp.drift

and /etc/ntp.keys contains only MD5 keys that were generated by
ntp-genkeys. A client configuration contains:

broadcastclient
keys /etc/ntp.keys
trustedkey 1 2 15
driftfile /etc/ntp.drift

and /etc/ntp.keys on the client is a duplicate of the server copy.

I was previously running with authentication disabled, but I do not
want remote ntpq or ntpdc clients to alter any of my server settings,
and wasn't sure if I would be protected from that when invoking ntpd
with the -A option. Turning on authentication caused regular time
synchronization to cease until I changed my configs as above.

Many thanks to David Mills for all his work on NTP!

-Marc
------------------------------------------------------------------------
On Mon Aug 4 14:37:38 UTC 2003, David Mills wrote:
> Bernhard,
>
> As you will see in the documentation, the pps and authenticate statements
> are deprecated. The best way to debug things like this is using the
> debug trace.
>
> Folks bitch at me about the volume of icky detail in the NTPv4
> documentation pages. Those pages are intended primarily as reference
> documentation and somebody else gets to write the touchy feely faq. But,
> it's all there in the authentication options page and ntp_keygen program
> manual page. I just checked carefully that the specific questions you
> raise are in fact prominent in the prose, although you do have to slog
> through a couple of dreary background before getting to the answers.
> That's done on purpose.
>
> Be careful to use the latest NTP version. I'm completely confused as to
> the state of the release and development versions now at www.ntp.org, as
> the release version is later than the development version.
>
> Dave
>
> Bernhard Dobbels wrote:
>
> > I have two stratum 1 servers and 10 stratum 2 servers. There should
> > exist authentication between the peers and also between the stratum 2
> > and 1 servers.
> >
> > I'll start with using MD5, but in the end would like to use Autokey
> > protocol.
> >
> > I always get the error 'Transmit: no encryption key found', while
> > updates with ntpdate and encryption do work.
mafn (1/1/2004 7:42:03 PM)
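As an added example (not from Marc's post or from the ntp distribution), a small Python lint that applies the rule above: every key id named by 'broadcast ... key N', 'requestkey' or 'controlkey' must also appear in 'trustedkey' and in the keys file, a 'broadcastclient' needs at least one trusted key that exists in the keys file, and the client's keys file must match the server's. The sample configs and key material are constructed; the parser assumes plain 'id type secret' key lines and plain id lists in trustedkey.

```python
# Added example (not from the post): lint ntp.conf against ntp.keys; assumes 'id type secret' key lines.
def parse_conf(text):
    """Return (trusted ids, {referenced id: statements}, broadcastclient?) from ntp.conf."""
    trusted, referenced, bcast_client = set(), {}, False
    for line in text.splitlines():
        words = line.split('#', 1)[0].split()          # drop comments, tokenize
        if not words:
            continue
        if words[0] == 'trustedkey':                    # plain id lists only, no ranges
            trusted.update(int(w) for w in words[1:])
        elif words[0] in ('requestkey', 'controlkey') and len(words) > 1:
            referenced.setdefault(int(words[1]), set()).add(words[0])
        elif words[0] in ('broadcast', 'server', 'peer') and 'key' in words[1:]:
            referenced.setdefault(int(words[words.index('key') + 1]), set()).add(words[0])
        elif words[0] == 'broadcastclient':
            bcast_client = True
    return trusted, referenced, bcast_client

def parse_keys(text):
    """Return {id: (type, secret)} from an ntp.keys file."""
    keys = {}
    for line in text.splitlines():
        words = line.split('#', 1)[0].split()
        if len(words) >= 3:
            keys[int(words[0])] = (words[1], words[2])
    return keys

def check(conf, keys_text, peer_keys_text=None):
    """Return a list of problems; an empty list means the files are consistent."""
    trusted, referenced, bcast_client = parse_conf(conf)
    keys, problems = parse_keys(keys_text), []
    for kid, stmts in sorted(referenced.items()):
        if kid not in trusted:                          # ntpd ignores keys it does not trust
            problems.append(f"key {kid} used by {sorted(stmts)} is not in trustedkey")
        if kid not in keys:
            problems.append(f"key {kid} used by {sorted(stmts)} is missing from keys file")
    problems += [f"trustedkey {k} has no entry in keys file" for k in sorted(trusted - set(keys))]
    if bcast_client and not (trusted & set(keys)):      # the client-side case from the post
        problems.append("broadcastclient needs at least one trustedkey that exists in keys file")
    if peer_keys_text is not None:                      # same key text must exist on both ends
        peer = parse_keys(peer_keys_text)
        problems += [f"key {k} differs from peer's copy"
                     for k in sorted(trusted & set(keys)) if peer.get(k) != keys[k]]
    return problems

# Constructed sample data modelled on the post; the secrets are placeholders.
KEYS = "1 M clientserver1\n2 M clientserver2\n15 M ntpqcontrol\n"
SERVER = "trustedkey 1 2 15\nkeys /etc/ntp.keys\nrequestkey 15\ncontrolkey 15\nbroadcast 192.168.255.255 key 1\n"
CLIENT_BROKEN = "broadcastclient\nkeys /etc/ntp.keys\n"        # authentication on, no trustedkey
CLIENT_FIXED = CLIENT_BROKEN + "trustedkey 1 2 15\n"          # the fix Marc describes
```

Running check() on the broken client config reports the missing trustedkey, while the fixed client and the server config both come back clean.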
mafn@enginet.com (Marc) wrote in message news:<mailman.17.1072986139.1757.questions@ntp.org>...
Broadcast client was broken in 4.2.0 for some systems, particularly Solaris,
if it had IPv6 capability. I just fixed it. If that's what you are running
you will need to wait for the fix. If not, make sure that the client is
receiving the broadcast packets.
Danny
mayer (1/2/2004 2:30:17 PM)
Marc,
Please consider adding this info to twiki.ntp.org so it can be more
easily found and maintained.
H
stenn (1/2/2004 10:11:13 PM)