NTP with authentication

James Browning jamesb192 at jamesb192.com
Fri Jun 14 19:40:44 UTC 2024


> On 06/14/2024 9:35 AM PDT G H via users <users at ntpsec.org> wrote:
>  
> I am unable to get NTP peering working with authentication. I ran ntpkeygen to generate ntp.keys and added that file to ntp.conf. I copied the file contents to another host and ran a test with ntpdig. According to tcpdump, the host is not sending a response packet. ntpdig works fine if I do not use the -a or --keyfile arguments.
> 
> Anyone have any ideas? Thank you.
> 
> On my NTP client host:
> 
> $ ntpdig --version
> ntpdig ntpsec-1.2.2
> $ ntpdig --debug --keyfile=/tmp/ntp.keys -a 1 ntp
> ntpdig: querying 10.10.10.10 (ntp)
> ntpdig: authenticating with AES-128 key 1
> ntpdig: no eligible servers
> 
> On my NTP server host:
> 
> $ cat ntp.keys
>  1 AES L`y1he4AK=1-\+vD
>  2 AES E@EiFG6H;gL>9ES3
>  3 AES ?_Mp2QH:2uj5ytmV
> ...
>  
> $ cat ntp.conf
> driftfile /var/lib/ntpsec/ntp.drift
> leapfile /usr/share/zoneinfo/leap-seconds.list
> keys /etc/ntpsec/ntp.keys
> tos maxclock 11
> tos minclock 4 minsane 3
> pool 0.debian.pool.ntp.org iburst
> restrict default kod nomodify nopeer noquery limited
> restrict 127.0.0.1
> restrict ::1

I would add a controlkey line to all your NTPsec servers so you can
reconfigure the server without having to kill and then restart it.
NTPsec does not use the nopeer restrict option or anything related
to peering. ntpdig and ntpq are easier to use if you add a trustedkey
line with a single key number as the second token.

Beyond that I can not say anything useful.
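An added example, not part of the thread and not NTPsec's own tooling: a small POSIX shell pre-flight check for the symmetric-key setup discussed above. It reads the keys, trustedkey and controlkey lines from an ntp.conf, confirms that the key file exists and has the <id> <type> <secret> shape that ntpkeygen writes, that every key id named by trustedkey or controlkey is actually defined there, that a trustedkey line is present at all (the reply above recommends one), and that the key file is not readable by group or others. The paths are whatever you pass in; demo_check writes a constructed conf and key file with invented secrets into a scratch directory so the checker can be exercised offline. Only space-separated key lists are handled, not the "(lo ... hi)" range syntax.

```shell
#!/bin/sh
# Added example (not from the thread or NTPsec): pre-flight check of an
# NTPsec symmetric-key configuration before restarting ntpd.

# check_ntp_auth CONF
# Prints one line per problem found; returns 0 when the setup is consistent.
check_ntp_auth() {
    conf=$1
    rc=0

    keys=$(awk '$1 == "keys" { print $2; exit }' "$conf")
    if [ -z "$keys" ]; then
        echo "$conf: no 'keys' line, so authenticated queries cannot be verified"
        return 1
    fi
    if [ ! -r "$keys" ]; then
        echo "$keys: key file missing or unreadable"
        return 1
    fi

    # ntp.keys entries look like: <id 1-65535> <type> <secret>; '#' starts a comment
    badkeys=$(awk '!/^[[:space:]]*(#|$)/ && (NF < 3 || $1 !~ /^[0-9]+$/ || $1 < 1 || $1 > 65535) { print NR }' "$keys")
    for n in $badkeys; do
        echo "$keys:$n: malformed entry (want: <id 1-65535> <type> <secret>)"
        rc=1
    done

    # Group and other permission bits from 'ls -l', e.g. "-rw-------" -> "------"
    perms=$(ls -ld "$keys" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keys: readable by group or others ($perms); chmod 600 it"
        rc=1
    fi

    # A trustedkey line names the ids ntpdig/ntpq may authenticate with
    if ! awk '$1 == "trustedkey" { f = 1 } END { exit !f }' "$conf"; then
        echo "$conf: no trustedkey line; list the key id(s) ntpdig/ntpq will use"
        rc=1
    fi

    # Every id referenced from ntp.conf must be defined in ntp.keys
    for id in $(awk '$1 == "trustedkey" || $1 == "controlkey" { for (i = 2; i <= NF; i++) print $i }' "$conf"); do
        case $id in
            *[!0-9]*) echo "$conf: unsupported key token '$id' (ranges not handled)"; rc=1; continue ;;
        esac
        if ! awk -v id="$id" '!/^[[:space:]]*#/ && $1 == id { found = 1 } END { exit !found }' "$keys"; then
            echo "$conf: key id $id is trusted but not defined in $keys"
            rc=1
        fi
    done

    return $rc
}

# demo_check TRUSTED_IDS KEYFILE_MODE
# Constructed sample data (invented secrets, not the poster's keys): writes an
# ntp.conf/ntp.keys pair into a scratch dir, runs the check, returns its rc.
demo_check() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample key file' \
        '1 AES 0123456789abcdef' '2 SHA1 deadbeefcafef00d' > "$dir/ntp.keys"
    chmod "$2" "$dir/ntp.keys"
    printf '%s\n' "keys $dir/ntp.keys" "trustedkey $1" 'controlkey 1' \
        'restrict default kod nomodify nopeer noquery limited' > "$dir/ntp.conf"
    check_ntp_auth "$dir/ntp.conf"
    demo_rc=$?
    rm -rf "$dir"
    return $demo_rc
}
```

Run it as `check_ntp_auth /etc/ntpsec/ntp.conf` on the server before restarting ntpd; a conf like the one quoted above, which names a key file but has no trustedkey line, is reported, as is a key id used in trustedkey that the key file does not define.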

