NTPsec on OpenSwitch

Hal Murray hmurray at megapathdsl.net
Tue Jan 5 22:30:37 UTC 2016


srinivasan.srivatsan at hpe.com said:
> *  I have enabled a control key but was unable to configure a server through
> a single ntpq command because it keeps on asking for keyid and password for
> configuration through ntpq. But it would be helpful to add a server with a
> single ntpq command with all the options on it, including the keyid and
> password. Have you used it this way ?  

I haven't tried that.  I just edit the config file and restart ntpd.  If that 
isn't convenient in your environment, it's probably simpler to debug things 
on a pair of PCs.

Read the shared key stuff.  The keyid is the slot number in the server's 
shared key file.  The password is the corresponding password.  Or something 
like that.

> *  I see that the password is set using 'crypto pw' and its all plain text.
> Is there a way to save the password differently or configure the password
> during runtime ?

I think that's a different password.  It's for decoding the autokey stuff 
which hasn't been tested and isn't generally used.

srinivasan.srivatsan at hpe.com said:
> *  Could you share the configuration and commands which you used for your
> tests ?
> *  I have not tested authentication scenario, what is the server
> configuration which you used for testing authentication.  

For the shared key stuff, use ntpkeygen -M to make a batch of keys.  It will 
make 10 MD5 keys.  If you have the openssl libraries (and headers) installed, 
it will also make 10 more SHA1 keys.

Put the file on both server and client.  You need something like this in your 
config file on both client and server:
  keys      /etc/ntp/ntp.keys
  trustedkey (1 ... 20)

The 20 assumes you have SSL.  If not, use 10.

Then on the client, you say something like:
  server 1.2.3.4 key 3

The important idea is that the slot you pick (3 above) has to have the same 
line in the keys file on both machines - both systems use the same slot 
number as well as the same key.

If you run tcpdump, the length of the packet changes depending on whether you have 
none, MD5, or SHA1 keys.

I don't know of any easy way to debug the authentication stuff.  None of the 
log files nor ntpq tell you anything helpful.  If it works, ntpq will show 
you the same stuff as it does without authentication.

Actually, there are a few syslog messages and a few counters but I forget 
where they are.




-- 
These are my opinions.  I hate spam.
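As an added example that is not part of Hal's post: a small Python checker for the slot rule described above (the chosen keyid must be inside the trustedkey range and must carry the same key line on both machines). It uses constructed sample key files in the ntp.keys layout (keyid, type, secret, `#` comments) and also reports the NTP packet length a tcpdump check should see: 48 bytes unauthenticated, plus a 4-byte keyid and a 16-byte MD5 or 20-byte SHA1 digest when a key is in use.

```python
import re

# Constructed sample key files in ntp.keys format ("keyid type secret", '#' comments).
# The secrets are made up for illustration only.
SERVER_KEYS = """\
# constructed sample, not real ntpkeygen output
1 MD5 abcd1234efgh5678  # MD5 key
2 MD5 zyxw9876vuts5432  # MD5 key
3 MD5 samekeyonbothxx   # MD5 key
11 SHA1 0123456789abcdef0123456789abcdef01234567  # SHA1 key
"""
CLIENT_KEYS = """\
1 MD5 abcd1234efgh5678  # MD5 key
2 MD5 differentkeyhere  # slot 2 was copied wrong on this host
3 MD5 samekeyonbothxx   # MD5 key
"""

NTP_HEADER_LEN = 48          # unauthenticated NTPv4 packet
KEYID_LEN = 4                # MAC = keyid + digest
DIGEST_LEN = {"MD5": 16, "SHA1": 20}

def parse_keys(text):
    """Return {keyid: (type, secret)} from an ntp.keys-style file."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            keys[int(fields[0])] = (fields[1].upper(), fields[2])
    return keys

def parse_trustedkey(line):
    """Parse 'trustedkey (1 ... 20)' or 'trustedkey 1 2 (5 ... 7)' into a set of ids."""
    ids = set()
    def take_range(m):
        ids.update(range(int(m.group(1)), int(m.group(2)) + 1))
        return " "
    rest = re.sub(r"\((\d+)\s*\.\.\.\s*(\d+)\)", take_range, line)
    ids.update(int(n) for n in re.findall(r"\b\d+\b", rest.replace("trustedkey", "")))
    return ids

def check_slot(server, client, trusted, slot):
    """Return (problems, expected_packet_len) for a client line 'server X key <slot>'."""
    problems = []
    if slot not in trusted:
        problems.append(f"key {slot} not in trustedkey")
    s, c = server.get(slot), client.get(slot)
    if s is None:
        problems.append(f"server keys file has no slot {slot}")
    if c is None:
        problems.append(f"client keys file has no slot {slot}")
    if s and c and s != c:
        problems.append(f"slot {slot} differs between server and client")
    ktype = (c or s or ("",))[0]
    length = NTP_HEADER_LEN + KEYID_LEN + DIGEST_LEN[ktype] if ktype in DIGEST_LEN else NTP_HEADER_LEN
    return problems, length
```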