On 2007-04-21, Remo <[EMAIL PROTECTED]> wrote:

> I was not able to set a remote server's leap. It looks like the NTP
> packets from the query are not generated at all. Though the "sendpkt"
> procedure is being called "sendrequest", I am not able to see the
> packet reaching the other side. I guess that I am missing something as
> there is an error reported with authentication.

I believe that the real issue is that you can't use writevar to set the leap.

> ntpq> asso
> ind assID status  conf reach auth condition  last_event cnt
> ===========================================================
>   1 17284  f614   yes   yes   ok   sys.peer   reachable  1
>   2 17285  c000   yes   yes   bad  reject
> ntpq> writevar 17284 leap=1
> Keyid: 64
> MD5 Password:
> ***Server disallowed request (authentication?)

I have a flock of systems that are set up to allow remote modification and have a working symmetric key set. When I tried to set the leap on another ntpd I see the same message:

[EMAIL PROTECTED]:~$ ntpq
ntpq> as
...
  2 20879  7014   no   yes   ok   reject   reachable  1
...
ntpq> writevar 20879 leap=1
Keyid: 1
MD5 Password:
***Server disallowed request (authentication?)

I've also tried setting the local ntpd leap and that fails, too:

ntpq> rv 0 leap
assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
leap=00
ntpq> writevar 0 leap=1
***Server returned an unspecified error
ntpq> rv 0 leap
assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
leap=00

> trustedkey 1234
> requestkey 61
> controlkey 64

All of the keys must be listed on the 'trustedkey' line. This tells ntpd to trust those keys; the default is to trust these keys to authenticate time service. Subsets of the trusted keys may also be specified on the 'trustedkey' and 'requestkey' lines if you wish to allow the use of certain keys by ntpdc and ntpq.

This is discussed in the distribution documentation at http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis is mine):

"When ntpd is first started, it reads the key file specified in the keys configuration command and installs the keys in the key cache. HOWEVER, INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE USE. This allows, for instance, the installation of possibly several batches of keys and then activating or deactivating each batch remotely using ntpdc. This also provides a revocation capability that can be used if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY."

This is also documented in section 6.1.3.3 at http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm

> Is this possible to work without authentication? Please help.

You could disable authentication when ntpd is started, but this will leave your ntpd open to being remotely modified by anyone who can connect to it.

-- 
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
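
A configuration check for the trustedkey requirement described in the reply above, as an added example that is not part of the original message or of the NTP distribution. The function names, the keys file path and the key values are constructed for illustration, and the parser assumes plain integer key IDs only.

```python
# Constructed sample mirroring the three directives quoted in the thread.
SAMPLE_CONF = """\
keys /etc/ntp.keys        # constructed placeholder path
trustedkey 1234
requestkey 61
controlkey 64
"""

# Constructed keys file: "<id> <type> <secret>", secrets are dummies.
SAMPLE_KEYS = """\
61 M dummy-request-secret
64 M dummy-control-secret
1234 M dummy-time-secret
"""

def parse_conf(text):
    """Return (trusted key IDs, {'requestkey': id, 'controlkey': id})."""
    trusted, selected = set(), {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        directive, args = (words[0].lower(), words[1:]) if words else ("", [])
        if directive == "trustedkey":
            # Assumption: plain integer IDs only; other tokens are ignored.
            trusted.update(int(a) for a in args if a.isdigit())
        elif directive in ("requestkey", "controlkey") and args and args[0].isdigit():
            selected[directive] = int(args[0])
    return trusted, selected

def parse_key_ids(text):
    """Key IDs defined in a keys file (first field of each non-comment line)."""
    fields = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return {int(f[0]) for f in fields if f and f[0].isdigit()}

def audit(conf_text, keys_text):
    """List problems that would make ntpq/ntpdc authentication fail."""
    trusted, selected = parse_conf(conf_text)
    defined = parse_key_ids(keys_text)
    problems = []
    for directive, key_id in sorted(selected.items()):
        if key_id not in defined:
            problems.append(f"{directive} {key_id}: not defined in keys file")
        if key_id not in trusted:
            problems.append(f"{directive} {key_id}: not listed on a trustedkey line")
    for key_id in sorted(trusted - defined):
        problems.append(f"trustedkey {key_id}: not defined in keys file")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_KEYS)) or "no problems found")
```

Run against the configuration quoted in the thread, it reports that keys 61 and 64 are selected for ntpdc and ntpq but never activated with trustedkey.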
