On Mi, Nov 27, 2019 at 09:06:58 -0600, Richard Laager wrote:
> Use of ntp.keys is a scenario that doesn't get discussed much. README.Debian says: "ntpkeygen can be used to generate an MD5 ntp.keys file in /etc. Use of these keys has not yet been tested; please report success or failure in using them to the maintainer." I believe that text, or at least the spirit, is inherited from the ntp package, and both upstreams are curious to hear from users of this too.
I’ve been using ntp.keys for years. They also work with most appliances (Cisco, HPE, Fortinet).
> Are you using this between your own server and clients, or between your server and external servers? Do you anticipate NTS replacing your use of ntp.keys? (If not, why?)
I don’t know any external servers with keys, so I’m using them only in my own network. I don’t think that NTS will replace ntp.keys until appliances support NTS. And it will take time even between Linux servers, because the new ntpsec version must be available first. SLES 12 doesn’t even have an ntpsec package, only ntp. So if ntp doesn’t get NTS support, you may never be able to replace ntp.keys with NTS.

So I think that ntp.keys will stay for years.
> Agreed! ntp.conf has an example of the bits that belong there. The apparmor bit is covered in README.Debian: "When configuring ntpd as an NTS server, if your certificate and key files are not already covered by /etc/apparmor.d/abstractions/ssl_certs and ssl_keys, you will need to add rules to /etc/apparmor.d/local/usr.sbin.ntpd to allow reading them." If you have suggested changes to that, please let me know.
No, this sounds fine.

Shade and sweet water!

Stephan

--
| If your life was a horse, you'd have to shoot it. |
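The thread above says ntp.keys deployments get little testing. As an added example that is not part of the mail exchange and not code from the ntp, ntpsec or Debian packaging, here is a POSIX shell check an administrator can run on an ntp.keys file before pointing ntpd at it with a `keys` line. The example assumes the usual one-key-per-line layout `<keyid> <type> <secret>` with `#` comments, a key id in the range 1 to 65535, an accepted type list of MD5, SHA1 and SHA256, and `ls -l` output in the common `-rw-------` form for the permission check; the key material in it is constructed for the demo and is not from the thread.

```shell
#!/bin/sh
# Added example: validate an ntp.keys file (format, key-id range, type name,
# secret length, file mode) before ntpd is configured to use it.
# Assumptions (not from the thread): format "<keyid> <type> <secret>",
# keyid 1..65535, types MD5/SHA1/SHA256, secret at least 8 characters,
# mode with no group/other bits, ls -l output like "-rw-------".

check_ntp_keys() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # Secrets must not be readable by group or others: chars 5-10 of ls -l.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: mode allows group/other access (perm bits '$perms')" >&2
        rc=1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;           # blank line or comment
        esac
        set -f                             # no glob expansion of fields
        set -- $line
        set +f
        if [ $# -ne 3 ]; then
            echo "$f:$n: expected '<keyid> <type> <secret>'" >&2
            rc=1
            continue
        fi
        keyid=$1 type=$2 secret=$3
        case $keyid in
            ''|*[!0-9]*)
                echo "$f:$n: key id '$keyid' is not a number" >&2
                rc=1
                continue ;;
        esac
        if [ "$keyid" -lt 1 ] || [ "$keyid" -gt 65535 ]; then
            echo "$f:$n: key id $keyid outside 1..65535" >&2
            rc=1
        fi
        case $type in
            MD5|SHA1|SHA256) ;;
            *) echo "$f:$n: unexpected key type '$type'" >&2; rc=1 ;;
        esac
        if [ ${#secret} -lt 8 ]; then
            echo "$f:$n: secret for key $keyid is shorter than 8 characters" >&2
            rc=1
        fi
    done < "$f"
    return $rc
}

# Constructed sample files for the demo (not real keys).
tmpdir=$(mktemp -d)
GOOD="$tmpdir/ntp.keys"
BAD="$tmpdir/ntp.keys.bad"
cat > "$GOOD" <<'EOF'
# keyid type secret   (constructed sample)
1 MD5 examplemd5secret
2 SHA1 examplesha1secret
EOF
chmod 600 "$GOOD"
cat > "$BAD" <<'EOF'
0 MD5 short
3 XYZ examplesecret
4 MD5
EOF
chmod 644 "$BAD"

if check_ntp_keys "$GOOD"; then echo "$GOOD: OK"; fi
if check_ntp_keys "$BAD"; then echo "$BAD: unexpectedly OK"; else echo "$BAD: rejected"; fi
```

The check deliberately reports every problem in a file rather than stopping at the first one, so a single run shows the mode issue and each bad line together; run it as `check_ntp_keys /etc/ntp.keys` after generating or hand-editing the file.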