Hello. This is my first post to the ntp list. I've been googling around for answers regarding autokey with ntp, as I've only ever set up a non-encrypted/secured ntp configuration.
I've been tasked with setting up autokey in the environment and thought I had IFF working. I'm not so sure now, since reading some of the other posts regarding the TC scheme. I did come across something I would like an answer to, if possible. I'm no cryptology expert, but in my years as an administrator and reviewing different docs on the internet I've come to understand that, with regard to encryption, /dev/random is great as long as you have random data to feed the entropy pool, and /dev/urandom is not so great as it's not truly random.

I had trouble getting ntpd to stay up and running, and after reviewing the logs saw it was dying, saying it could not open //.rnd. I looked around for any information regarding this and found out that it is read by both ntp-keygen and ntpd, to both create the keys and perform the encrypted handshake or "dance." My question then is WHY is /dev/random not used? What is the reasoning for this? ssh uses /dev/random to my knowledge, and I believe openssl does too.

I tried linking from /root/.rnd and /etc/ntp/.rnd (ntpd is running as user ntp) to /dev/random, and when doing this I could not generate keys and ntpd would not start correctly. Instead of creating a symlink, I tried to mknod the random file into existence under the name .rnd and had the same problem.

Is ntpd's and ntp-keygen's non-use of /dev/random considered a bug? Will ntpd and ntp-keygen ever support /dev/random? In the meantime, doesn't it defeat the WHOLE purpose of using encryption altogether to rely upon a static .rnd file created from /dev/random? I mean, it's using the SAME entropy data each time it's opened, unless for instance you recreate .rnd before each new key is created, or once every hour for a running ntpd. What if a cronjob recreates the .rnd file in the middle of ntpd or ntp-keygen reading from it? Just been wondering is all.

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
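The last question in the post, what happens if a cron job rewrites .rnd while ntpd or ntp-keygen is reading it, is a torn-read problem that goes away if the seed file is replaced atomically: write the new material to a temporary file in the same directory, then rename it over the old name, so any process that already opened the old file keeps reading the old inode and no process ever opens a half-written one. The script below is an added example, not code from the original post or from the ntp project; the seed path, byte count and source device are assumptions passed as arguments.

```shell
#!/bin/sh
# Atomically replace an OpenSSL-style seed file such as /etc/ntp/.rnd.
# The new content is written to a temp file in the target's directory and
# then rename(2)-d over the target, which is atomic on the same filesystem.
# Ownership (e.g. chown to the ntp user when run as root) is left to the caller.
refresh_seed_file() {
    target="$1"                         # assumed path, e.g. /etc/ntp/.rnd
    source="${2:-/dev/urandom}"         # /dev/random may block on a quiet host
    size="${3:-1024}"                   # bytes of seed material to write
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.rnd.XXXXXX") || return 1
    # Only the owner may read seed material, regardless of the caller's umask.
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    # One read of $size bytes; /dev/random can return fewer than requested.
    if ! dd if="$source" of="$tmp" bs="$size" count=1 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    actual=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$actual" -ne "$size" ]; then
        rm -f "$tmp"; return 1          # refuse to install a short seed file
    fi
    mv -f "$tmp" "$target"              # the atomic switch: old readers are unaffected
}
# Example invocation from a cron job (assumed path):
# refresh_seed_file /etc/ntp/.rnd /dev/urandom 1024
```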
