Hi Steven

Thanks for sharing this URL. This is an interesting read. But my need is to 
make authentication work with standard Linux ntpd, and I didn’t see anything in 
this article (which focuses on NTPsec) that helps me.

Thanks
tl

From: Steven Sommars <[email protected]>
Sent: Thursday, December 19, 2019 5:58 PM
To: Lemons, Terry
Subject: Re: [ntp:questions] Can't get PKI authentication to work


There is a nice ntpsec article on
https://blog.webernetz.net/setting-up-nts-secured-ntp-with-ntpsec/ that may be
useful.

On Thu, Dec 19, 2019 at 1:05 PM <[email protected]> wrote:
Hi

I'm trying to enable a NTP client and NTP server in my environment to work 
using NTP PKI authentication.

In the /usr/local/etc directory/folder, I've run 'ntp-keygen -S RSA -c 
RSA-SHA256 -m 2048' on both my NTP client system and my NTP server system; this 
created the expected certificate and private key pairs:

lava93141:~ #  ls -l /usr/local/etc/
total 24
-rw-r----- 1 root root 1098 Dec 12 14:47 ntpkey_RSA-SHA256cert_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAhost_lava93141.3785176056
-rw-r----- 1 root root 1900 Dec 12 14:47 ntpkey_RSAsign_lava93141.3785176056
lrwxrwxrwx 1 root root   42 Dec 12 14:47 ntpkey_cert_lava93141 -> ntpkey_RSA-SHA256cert_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_host_lava93141 -> ntpkey_RSAhost_lava93141.3785176056
lrwxrwxrwx 1 root root   35 Dec 12 14:47 ntpkey_sign_lava93141 -> ntpkey_RSAsign_lava93141.3785176056
lava93141:~ #



On my NTP client, I'm using these parameters in /etc/ntp.conf:
#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
keysdir /usr/local/etc
server lava93101.dev.local autokey
crypto

On my NTP server (lava93101.dev.local), I'm using these parameters in 
/etc/ntp.conf:

#
# Authentication stuff
#
#keys /etc/ntp.keys             # path for keys file
#trustedkey 1                   # define trusted keys
#requestkey 1                   # key (7) for accessing server variables
#controlkey 1                   # key (6) for accessing server variables
server minnie.lss.emc.com iburst
keysdir /usr/local/etc
crypto

When I start ntpd on both ntp client and ntp server, there are no errors 
reported in /var/log/messages or in /var/log/ntp related to the crypto stuff. 
When I start ntpd with the '-D2' option, I don't see anything that looks like 
an obvious error.

But I'm seeing these problems:

1. 'ntpq -p' forever shows a refid of .INIT.:

lava93141:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
lava93101.dev.l .INIT.          16 u   16   64    0    0.000    0.000   0.000
lava93141:~ #

2. If I use 'date' to set the time on my ntp client to give minutes in the 
past, the system time is never corrected. If I edit /etc/ntp.conf on my ntp 
client, comment out the authentication stuff, and restart ntpd, the system time 
is corrected within seconds of ntpd restarting. This leads me to conclude that 
ntp is non-functional on my client, at least in its role of maintaining the 
system time.

I've searched the ntp documentation, but don't see what I've done wrong, and I 
don't see a way to debug this.

I'm using ntp-4.2.8p13-85.1.x86_64 on SLES 12 SP4.

Thanks for any help!

Terry Lemons
Dell EMC
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
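
The symptom reported in the thread above (refid .INIT., stratum 16, reach 0) can be checked by script instead of by eye. The following is an added example, not part of the original messages: the function names are hypothetical, the sample rows are constructed (the failing row mirrors the quoted output, the healthy row uses an RFC 5737 address), and the input is assumed to be raw `ntpq -p` output with the tally code in column 1.

```sh
#!/bin/sh
# Added example: report ntpq -p peers that never synchronized.
# Reads `ntpq -p` output on stdin, prints one UNSYNCED line per failing peer,
# and returns 0 only if at least one peer is answering with a real refid.
check_ntpq_peers() {
    awk '
        NR <= 2  { next }                      # header line and ==== ruler
        NF != 10 { next }                      # not a peer row
        {
            tally = substr($0, 1, 1)           # space, *, +, -, #, o, x or .
            peer  = (tally == " ") ? $1 : substr($1, 2)
            refid = $2; st = $3; reach = $7    # reach: octal register of the last 8 polls
            if (refid == ".INIT." || st + 0 == 16 || reach == "0") {
                printf "UNSYNCED %s refid=%s st=%s reach=%s\n", peer, refid, st, reach
            } else {
                good++
            }
        }
        END { exit (good > 0 ? 0 : 1) }
    '
}

# Constructed sample: the single failing association from the post.
sample_failing() {
    printf '%s\n' \
        '     remote           refid      st t when poll reach   delay   offset  jitter' \
        '==============================================================================' \
        ' lava93101.dev.l .INIT.          16 u   16   64    0    0.000    0.000   0.000'
}

# Constructed sample: the same row plus a healthy, selected peer (hypothetical host).
sample_mixed() {
    sample_failing
    printf '%s\n' \
        '*ntp1.example.t 192.0.2.10       2 u   33   64  377    0.412   -0.105   0.087'
}

# On a live host: ntpq -p | check_ntpq_peers || echo "no usable NTP peer"
```

A non-zero return with authentication enabled and a zero return with it commented out reproduces, in scriptable form, the comparison made in the post.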