Bob,

Bob wrote:
> Can someone run me through the steps necessary to generate, and apply keys
> so I can use ntpdc to make on the fly changes to ntpd? I've read through
> the docs - repeatedly! - and tried every incarnation of ntp-keygen listed.
ntp-keygen is used to generate private/public key pairs which are used for NTP's "autokey" schemes which have been introduced in NTPv4. The advantage of autokey is that you just have to distribute the public key to other machines but don't have to copy the private key to some other machine. The autokey scheme is used to let NTP clients be able to verify that an NTP packet received from an NTP server has indeed been sent by that server and not by someone else who wants to spoof a wrong time.

The key numbers mentioned for ntpdc are referring to symmetric keys which have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The same key as used on the server has to be copied to the client in order to be able to authenticate (-> "symmetric"). Those symmetric keys can also be used with ntpdc. However, AFAIK, the autokey scheme can not.

To configure symmetric keys you have to create a text file on the NTP server, e.g. /etc/ntp.keys, which contains the keys, e.g.:

  1 M my_secret_key
  2 M another_secret_key

> What I seem not to be able to get is what the "key number" represents.

The first column is the key number you have been asking for. The second column is a shortcut for the type of encryption, where 'M' is for MD5 which is AFAIK the only type of encryption still supported for symmetric keys. The 3rd column is the keys, just text strings, which must be shared with the clients.

Then the following lines need to be added to the server's ntp.conf file:

  keys /etc/ntp.keys     # path for keys file
  trustedkey 1 2

After ntpd has been restarted you should be able to use either key 1, "my_secret_key", or key 2, "another_secret_key", from your NTP client or with ntpdc. Having multiple keys as in the example above can be useful to share one key with one group of clients, and another key with another group of clients, if required.

[...]

> I'm running the current Meinberg windows port.

Please note this is based on the original sources from ntp.org.
Here at Meinberg we have just compiled those sources for Windows and put the resulting binaries into a GUI installer to simplify installation under Windows.

Martin
-- 
Martin Burnicki
Meinberg Funkuhren
Bad Pyrmont
Germany

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
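The reply above describes the symmetric-key setup (a `keyid M key` keys file, a `trustedkey` list, and an MD5 MAC that lets a client or ntpdc prove it holds the shared key). The following is an added worked example, not code from Martin's post, from ntp.org or from Meinberg: it generates a keys file with random keys, parses one while honouring a trusted-key set, and computes and verifies the MAC that NTPv4 appends to an authenticated packet, which for MD5 keys is the 4-byte key id followed by MD5(key || packet) as specified in RFC 5905. The sample packet header and the key strings are constructed here; the helper names (`generate_keys`, `parse_keys`, `sign_packet`, `verify_packet`) are this example's own, and the example assumes a bare 48-byte header with no extension fields.

```python
"""Symmetric-key NTP authentication (ntp.keys + trustedkey + MD5 MAC).

Added example; not part of the original post or of ntpd itself.
Only 'M' (MD5) keys are handled, the type the post discusses.
"""
import hashlib
import hmac
import secrets
import string

# Printable characters that ntpd accepts literally in a keys file.
KEY_ALPHABET = string.ascii_letters + string.digits + "_"

# Constructed sample: 48-byte NTPv4 client request header
# (LI=0, VN=4, Mode=3 in the first byte, remaining fields zero).
SAMPLE_HEADER = bytes([0x23]) + bytes(47)


def generate_keys(keyids, key_len=16):
    """Return the text of an ntp.keys file with one random MD5 key per id.

    Keys are drawn from the OS CSPRNG; write the result to the keys file
    with mode 0600 so only the ntpd owner can read it.
    """
    lines = []
    for keyid in keyids:
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(key_len))
        lines.append(f"{keyid} M {key}")
    return "\n".join(lines) + "\n"


def parse_keys(text, trusted):
    """Parse 'keyid type key' lines into {keyid: key}.

    Mirrors the ntp.conf pairing: every line in the file is a key, but only
    ids listed in `trusted` (the trustedkey set) are usable for authentication.
    Blank lines and '#' comments are skipped; non-MD5 types are ignored here.
    """
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed keys line: {raw!r}")
        keyid_str, ktype, key = fields
        keyid = int(keyid_str)
        if ktype != "M" or keyid not in trusted:
            continue
        keys[keyid] = key
    return keys


def ntp_mac(keyid, key, packet):
    """MAC as NTPv4 computes it for MD5 keys: keyid || MD5(key || packet)."""
    digest = hashlib.md5(key.encode("ascii") + packet).digest()
    return keyid.to_bytes(4, "big") + digest


def sign_packet(keyid, key, header):
    """Append the 20-byte MAC to a 48-byte header (no extension fields assumed)."""
    if len(header) != 48:
        raise ValueError("expected a 48-byte NTP header")
    return header + ntp_mac(keyid, key, header)


def verify_packet(auth_packet, keys):
    """Check an authenticated packet against the trusted key table.

    Rejects wrong lengths, unknown/untrusted key ids, and any MAC mismatch,
    using a constant-time comparison for the digest.
    """
    if len(auth_packet) != 48 + 20:
        return False
    header, mac = auth_packet[:48], auth_packet[48:]
    keyid = int.from_bytes(mac[:4], "big")
    key = keys.get(keyid)
    if key is None:
        return False
    return hmac.compare_digest(ntp_mac(keyid, key, header), mac)


if __name__ == "__main__":
    keys_text = "1 M my_secret_key\n2 M another_secret_key\n"
    table = parse_keys(keys_text, trusted={1, 2})
    pkt = sign_packet(1, table[1], SAMPLE_HEADER)
    print("valid packet accepted:", verify_packet(pkt, table))
    print("untrusted key 2 rejected:",
          not verify_packet(sign_packet(2, "another_secret_key", SAMPLE_HEADER),
                            parse_keys(keys_text, trusted={1})))
    print(generate_keys([1, 2]), end="")
```

The `trusted` argument plays the role of the `trustedkey 1 2` line: a key can be present in the file yet unusable until it is listed there, which is how you stage a key rotation. Because the MAC is an unkeyed MD5 over the shared secret and the packet, the secret's only protection is the keys file's permissions and the care taken when copying it to clients.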
