[Git][NTPsec/ntpsec][master] 4 commits: Mention no naked IP addresses allowed in config, use FQDN
Hal Murray
gitlab at mg.gitlab.com
Tue Jun 18 01:47:30 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
697e77df by Sanjeev Gupta at 2019-06-17T23:48:58Z
Mention no naked IP addresses allowed in config, use FQDN
- - - - -
22a1f668 by Sanjeev Gupta at 2019-06-18T00:39:56Z
Reread and update the NTS-Quickstart
- - - - -
09d3b3cc by Sanjeev Gupta at 2019-06-18T00:50:42Z
Move to docs/ and beautify NTS-Quickstart
- - - - -
5aa76abe by Sanjeev Gupta at 2019-06-18T01:06:17Z
Update index, and syntax check the asciidoc
- - - - -
2 changed files:
- devel/NTS-QuickStart.adoc → docs/NTS-QuickStart.adoc
- docs/index.adoc
Changes:
=====================================
devel/NTS-QuickStart.adoc → docs/NTS-QuickStart.adoc
=====================================
@@ -1,4 +1,15 @@
-== Quick way to get NTS working
+= Quick way to get NTS working
+include::html.include[]
+
+[cols="10%,90%",frame="none",grid="none",style="verse"]
+|==============================
+|image:pic/beaver.gif[]|
+{millshome}pictures.html[from 'Pogo', Walt Kelly]
+
+For putting out compiler fires.
+
+|==============================
+
This is a recipe, useful during the development and
stabilization phase of NTS landing, to get your NTPsec
@@ -8,24 +19,24 @@ This will get dated quite fast, and is neither the best
way to setup, nor the more conformant, but should be enough
to get you up.
-=== Get git head
-This has been tested with NTPsec_1_1_3-437-g2bb7f8fb9 .
-As the NTS implementation continues, this
-may no longer work. YMMV.
+== Get git head
+This has been tested with NTPsec_1_1_3-482-g09896eff3 .
+NTS support should be stable, and the configuration commands
+should not change; internals and the output of `ntpq` may.
-=== Ensure you have the right dependencies
+== Ensure you have the right dependencies
You need a very recent version of Openssl, 1.1.1a is known
to work. Earlier versons may work, depending on
distributions. You can check with the following:
`openssl version`
-=== ntp.conf (you are a client)
+== ntp.conf (you are a client)
Append the keyword `nts` to the end of your `server`
lines. Do these only for servers that speak NTS. As of
-late March, the following should work:
+late March 2019, the following should work:
-```
+------------------------------------------------------------
server ntpmon.dcs1.biz nts
server pi3.rellim.com nts
server kong.rellim.com nts
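Review bot: the unchanged context line `to work. Earlier versons may work, depending on` still carries the typo "versons" (should be "versions"); since this commit already reworks the section, fix it here. Also, the new text says the configuration commands should not change, but the server list is still qualified with "As of late March 2019"; make it clear that it is the list of test servers, not the `server ... nts` syntax, that may go stale.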
@@ -34,7 +45,7 @@ server ntp2.glypnod.com nts
server zoo.weinigel.se:4447 nts
server nts-test.strangled.net:443 nts
server nts3-e.ostfalia.de:443 nts noval
-```
+------------------------------------------------------------
Note that these are development machines, so uptime is
poor. The last three are servers not running NTPsec, which
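Review bot: the `server nts3-e.ostfalia.de:443 nts noval` line keeps `noval` without explaining it; the following context says the certificate is not issued by a trusted root, so `noval` is skipping certificate validation and that server is not authenticated. The listing should say that plainly and mark `noval` as a testing-only option, so nobody copies that line into a production ntp.conf.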
@@ -44,7 +55,14 @@ is because its certificate is not issued by a trusted root.
Restart ntpd, and skip to <<Verification>>, below.
-=== ntp.conf (you are a server)
+=== Pending caveats
+
+Do not use IP addresses in _server_ lines with _nts_, even
+if you use _noval_ . You can use _/etc/hosts_ to name
+such IP addresses.
+
+
+== ntp.conf (you are a server)
Being an NTS server requires a well-formed SSL cert. The
easiest way to do this is if your server has a FQDN, using
LetsEncrypt. Please see the Certbot client site
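Review bot: the new "Pending caveats" section says not to use IP addresses with `nts`, even with `noval`, but not why; one sentence on the reason (presumably that NTS-KE wants a server name for the TLS handshake regardless of the validation setting) would stop readers who use `noval` from expecting a bare IP to work, and would explain why an `/etc/hosts` alias is enough. Minor: two blank lines before `== ntp.conf (you are a server)` where the rest of the file uses one.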
@@ -58,6 +76,7 @@ Add the line:
to your conf file.
Locate the following two files:
+
* Your Cert Private Key
* Your Cert Public Key, fully chained up
@@ -66,18 +85,19 @@ with your pathnames.
Example, for my server:
-```
+------------------------------------------------------------
nts key /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
nts cert /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
-```
+------------------------------------------------------------
Restart your server, and skip to <<Verification>>, below.
-=== Verification
+
+== Verification
Check your log file. You should see lines like this:
-```
+------------------------------------------------------------
2019-03-22T08:06:32 ntpd[12915]: NTSs: starting NTS-KE server listening on port 123
2019-03-22T08:06:32 ntpd[12915]: NTSs: loaded certificate (chain) from /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
2019-03-22T08:06:32 ntpd[12915]: NTSs: loaded private key from /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
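Review bot: the example points `nts key` at `/etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem`, and the Let's Encrypt `live/` and `archive/` directories are root-only by default; the doc should say that ntpd (under whatever user it drops to) needs read access to that key, and that the fix is a copy or group permission for ntpd, not making the key world-readable. The added blank line before `== Verification` matches the other headings.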
@@ -96,9 +116,9 @@ Check your log file. You should see lines like this:
2019-03-22T08:06:34 ntpd[12915]: NTSc: read 880 bytes
2019-03-22T08:06:34 ntpd[12915]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-22T08:06:34 ntpd[12915]: NTSc: NTS-KE req to pi3.rellim.com took 0.882 sec, OK
-```
+------------------------------------------------------------
-This is because of the
+This is because of the
`server pi3.rellim.com nts`
@@ -107,15 +127,14 @@ The logging prefix *NTSs* is for the NTS Server component, eg
initializing your keys. The *NTSc* component is for the NTS Client
part, where you are talking to *other* NTS servers.
-==== Check with ntpq
+=== Check with ntpq
The output of ntpq will be slightly different when NTS is in use,
note the `t` column. Example:
-```
+------------------------------------------------------------
root at ntpmon:/var/www/html/ntp# ntpq -p
remote refid st t when poll reach delay offset jitter
-=======================================================================================================
*SHM(1) .PPS. 0 l 20 64 377 0.0000 0.0007 0.0281
xSHM(0) .GPS. 0 l 19 64 377 0.0000 233.3966 19.2212
+pi3.rellim.com .PPS. 1 8 56 64 371 197.4484 0.0932 0.9660
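Review bot: the `=====...` separator row under the `ntpq -p` column header appears as removed (`-=====...`) while the rest of the sample output is kept; if that is deliberate, say so, otherwise restore it so the sample matches what `ntpq -p` really prints. The `===` heading level change itself is consistent with the rest of the file.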
@@ -124,18 +143,18 @@ xSHM(0) .GPS. 0 l 19 64 377 0
-ntp2.glypnod.com 17.253.34.253 2 8 - 64 177 185.7582 -2.6534 0.0275
2407:8000:8001:80::8 .DNS. 16 u - 1024 0 0.0000 0.0000 0.0005
-navobs1.wustl.edu .GPS. 1 u 105 64 356 221.5282 -2.4354 0.0293
-```
+------------------------------------------------------------
The `t` column shows how many cookies your NTS client is holding for the
appropriate servers. The number should be close to 8 (the default).
-==== Check with ntp variables
+=== Check with ntp variables
Try `ntpq -c nts` . This will show various counters related
to NTS. This feature is under active development, so the
format might change. An example:
-```
+------------------------------------------------------------
root at ntpmon:/var/www/html/ntp# ntpq -c nts
NTS client sends: 7491
NTS client recvs: 6562
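Review bot: the `root at ntpmon:/var/www/html/ntp# ntpq -c nts` prompt (the list software's rendering of root@ntpmon) drags a hostname and working directory into the example and suggests root is needed; `ntpq -c nts` and `ntpq -p` are read-only queries, so a plain `$ ntpq -c nts` prompt would be clearer. The same applies to the `ntpq -p` example above.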
@@ -152,9 +171,11 @@ NTS KE probes: 8
NTS KE probes_bad: 0
NTS KE serves: 75
NTS KE serves_bad: 56
-```
-
+------------------------------------------------------------
=== Thanks for the handholding
Much thanks to Hal Murray and Gary Miller, for most of the
stuff above, and talking me through this.
+
+include::includes/footer.adoc[]
+
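Review bot: the sample ends with `NTS KE serves: 75` against `NTS KE serves_bad: 56`, i.e. most NTS-KE connections to this server failing, yet the text only says the counters are "related to NTS"; a line on what `serves_bad` counts (presumably NTS-KE connections that did not complete) would let readers tell whether their own numbers indicate a problem. The `include::includes/footer.adoc[]` addition is in line with the other docs/ pages.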
=====================================
docs/index.adoc
=====================================
@@ -96,6 +96,8 @@ link:sitemap.html[Site Map] page.
link:quick.html[Quick start for client configurations]::
Basic configuration for 99% of client installations. Introduces
concepts used later in the Handbook.
+link:NTS-QuickStart.html[Quick start for NTS]::
+ A short guide for setting up for NTS.
link:assoc.html[Association Management]::
Describes how to configure servers and peers and manage the various
options. Includes automatic server discovery schemes.
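Review bot: "A short guide for setting up for NTS." reads awkwardly; suggest "A short guide to setting up NTS." Since the guide covers both the client and the server side of NTS, say so in the description, as it sits right after the client-only quick start. Also check whether the Site Map referenced in the context line needs the same entry.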
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/09896eff3e53e5f7ab09823225bf55da5f0ab0a0...5aa76abe0bf80551304e7135e09a64a36b8fbd6d