NTPsec on OpenSwitch
Srivatsan, Srinivasan
srinivasan.srivatsan at hpe.com
Mon Jan 11 23:02:15 UTC 2016
Thanks Hal,
Hal/Amar,
Regarding the issue with ‘waf configure’. Is there a way to bypass the configure step? And provide a default configuration to work with?
Thanks
Srinivasan
On 1/5/16, 2:30 PM, "Hal Murray" <hmurray at megapathdsl.net> wrote:
>
>srinivasan.srivatsan at hpe.com said:
>> * I have enabled a control key but was unable to configure a server through
>> a single ntpq command because it keeps on asking for keyid and password for
>> configuration through ntpq. But it would be helpful to add a server with a
>> single ntpq command with all the options on it, including the keyid and
>> password. Have you used it this way?
>
>I haven't tried that. I just edit the config file and restart ntpd. If that
>isn't convenient in your environment, it's probably simpler to debug things
>on a pair of PCs.
>
>Read the shared key stuff. The keyid is the slot number in the server's
>shared key file. The password is the corresponding password. Or something
>like that.
>
>> * I see that the password is set using 'crypto pw' and it's all plain text.
>> Is there a way to save the password differently or configure the password
>> during runtime ?
>
>I think that's a different password. It's for decoding the autokey stuff
>which hasn't been tested and isn't generally used.
>
>
>
>srinivasan.srivatsan at hpe.com said:
>> * Could you share the configuration and commands which you used for your
>> tests ?
>> * I have not tested authentication scenario, what is the server
>> configuration which you used for testing authentication.
>
>For the shared key stuff, use ntpkeygen -M to make a batch of keys. It will
>make 10 MD5 keys. If you have the openssl libraries (and headers) installed,
>it will also make 10 more SHA1 keys.
>
>Put the file on both server and client. You need something like this in your
>config file on both client and server:
> keys /etc/ntp/ntp.keys
> trustedkey (1 ... 20)
>
>The 20 assumes you have SSL. If not, use 10.
>
>Then on the client, you say something like:
> server 1.2.3.4 key 3
>
>The important idea is that the slot you pick (3 above) has to have the same
>line in the keys file on both machines - both systems use the same slot
>number as well as the same key.
>
>If you run tcpdump, the length of the packet changes depending on if you have
> none, MD5, or SHA1 keys.
>
>I don't know of any easy way to debug the authentication stuff. None of the
>log files nor ntpq tell you anything helpful. If it works, ntpq will show
>you the same stuff as it does without authentication.
>
>Actually, there are a few syslog messages and a few counters but I forget
>where they are.
>
>
>
>
>--
>These are my opinions. I hate spam.
>
>
>
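The shared-key setup described in the quoted reply can be checked offline before touching ntpd. The following is an added example, not part of the original thread or of NTPsec's own code: it compares one key slot across two keys files and reports the NTP payload length to expect in tcpdump. The key material and the request header are constructed samples, the function names are hypothetical, and it assumes the classic keys-file layout (`keyid type secret`, with secrets longer than 20 characters treated as hex).

```python
import hashlib
import hmac
import struct

# Constructed sample key files (not real keys). Slot 4 differs between hosts.
CLIENT_KEYS = """\
3 MD5 aQ7vK2pXz9LmT4rB  # MD5 key
4 MD5 clientOnlySecret1  # MD5 key
11 SHA1 0123456789abcdef0123456789abcdef01234567  # SHA1 key
"""
SERVER_KEYS = CLIENT_KEYS.replace("clientOnlySecret1", "serverOnlySecret1")

# Constructed 48-byte client request header: LI=0, VN=4, mode=3, rest zero.
HEADER = bytes([0x23]) + bytes(47)

def parse_keys(text):
    """Parse keys-file text into {keyid: (type, secret_bytes)}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        secret = fields[2]
        # Assumption: secrets longer than 20 characters are hex-encoded.
        raw = bytes.fromhex(secret) if len(secret) > 20 else secret.encode("ascii")
        keys[int(fields[0])] = (fields[1].upper(), raw)
    return keys

def mac(header, keyid, ktype, raw):
    """Key ID (4 bytes) followed by digest(secret || header)."""
    digest = hashlib.new(ktype.lower(), raw + header).digest()
    return struct.pack("!I", keyid) + digest

def check_slot(client, server, keyid, header=HEADER):
    """Return (status, on-wire NTP payload length) for one key slot."""
    if keyid not in client or keyid not in server:
        return ("missing slot", None)
    if client[keyid][0] != server[keyid][0]:
        return ("type mismatch", None)
    sent = mac(header, keyid, *client[keyid])
    expected = mac(header, keyid, *server[keyid])
    if not hmac.compare_digest(sent, expected):
        return ("key mismatch", None)
    return ("ok", len(header) + len(sent))

if __name__ == "__main__":
    c, s = parse_keys(CLIENT_KEYS), parse_keys(SERVER_KEYS)
    for slot in (3, 4, 5, 11):
        print(slot, check_slot(c, s, slot))
```

An unauthenticated packet carries only the 48-byte header, so the 68-byte (MD5) and 72-byte (SHA1) results are the lengths that distinguish the three cases in a capture.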