Does ntpsec log authentication errors
James Browning
jamesb192 at jamesb192.com
Sun Mar 23 15:47:52 UTC 2025
On Friday, March 21, 2025, at 1:21:46 AM Pacific Daylight Time, Hal Murray, via
users wrote:
> > Is there a way to get ntpsec to log authentication errors?
>
> No.
There are stats for that.
> > even though ntpq shows that the connection failed
>
> That's a bug in ntpd and/or ntpq. It should be saying "no" rather than
> "bad".
ESR added that 2016-12-17T15:42:46-0500 in 53cd4a40e. I suspected it was a
mistake of mine. Although, it makes sense; 'none' is the result of absent
auth, 'ok' is good auth, and 'bad' is failed auth.
> If the client doesn't get a response, it can't tell if that's because the
> network lost a packet or the server didn't like the authentication.
Ack, the auth nack means nothing.
> It would be possible to log actual authentication errors. But then you have
> to add rate limiting so a bad guy doesn't fill up your disk. It all gets
> complicated.
While working on MS-SNTP, I added a rate-limited logger; it does not like a
NULL tracking pointer.
> How remote is the server? Are you debugging a new authentication setup or
> one that stopped working? There is lots of filtering of NTP packets going
> on, leftover from when monlist was used for a giant DDoS. Some of that
> filtering lets 48 byte NTP packets through but drops longer packets. So
> normal NTP works but not when authenticated.
I've only seen that on 3/4 of IPv4 NTS packets to Cloudflare; I am not fielding
symmetric auth past the boundaries of my LAN.
-30-
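Hal's point about needing rate limiting before logging authentication errors, and the rate-limited logger James mentions, can be illustrated with a small per-source token-bucket logger. This is an added example and not ntpsec code; the bucket parameters, the list used as a stand-in for syslog, and the 192.0.2.x source addresses are all constructed.

```python
# Added example: a per-source rate-limited logger for NTP auth failures,
# so a stream of bad-MAC packets cannot fill the disk (not ntpsec code).
from collections import defaultdict
import time


class RateLimitedAuthLogger:
    """Log at most `burst` auth failures per source per `window` seconds.

    Each source gets a token bucket that refills at burst/window tokens
    per second; suppressed events are counted and reported on the next
    line that does get logged, so nothing is silently lost."""

    def __init__(self, burst=5, window=60.0):
        self.burst = burst
        self.window = window
        self.sink = []                      # constructed stand-in for syslog
        self._buckets = {}                  # src -> (tokens, last_timestamp)
        self.suppressed = defaultdict(int)  # src -> events dropped since last log

    def _take_token(self, src, now):
        tokens, last = self._buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst),
                     tokens + (now - last) * self.burst / self.window)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)
        return False

    def auth_failed(self, src, keyid, now=None):
        """Record a failed MAC check from `src`; return True if it was logged."""
        now = time.monotonic() if now is None else now
        if not self._take_token(src, now):
            self.suppressed[src] += 1
            return False
        msg = f"auth failure from {src} keyid {keyid}"
        dropped = self.suppressed.pop(src, 0)
        if dropped:
            msg += f" ({dropped} similar suppressed)"
        self.sink.append(msg)
        return True


def simulate_flood(n_bad=100):
    """Constructed scenario: 100 bad packets from one host at t=0, one from
    another host at t=1, then one more from the flooding host at t=60."""
    log = RateLimitedAuthLogger(burst=5, window=60.0)
    for _ in range(n_bad):
        log.auth_failed("192.0.2.10", keyid=1, now=0.0)
    log.auth_failed("192.0.2.20", keyid=1, now=1.0)
    log.auth_failed("192.0.2.10", keyid=1, now=60.0)
    return log.sink
```

The flood yields five lines plus one summarising the 95 suppressed events once the bucket refills; the second host is logged normally because its bucket is separate.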