"Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Bob,
>
> Bob wrote:
>> Can someone run me through the steps necessary to generate, and apply keys
>> so I can use ntpdc to make on the fly changes to ntpd? I've read through
>> the docs - repeatedly! - and tried every incarnation of ntp-keygen listed.
>
> ntp-keygen is used to generate private/public key pairs which are used for
> NTP's "autokey" schemes which have been introduced in NTPv4. The advantage
> of autokey is that you just have to distribute the public key to other
> machines but don't have to copy the private key to some other machine.
>
> The autokey scheme is used to let NTP clients be able to verify that an NTP
> packet received from an NTP server has indeed been sent by that server and
> not by someone else who wants to spoof a wrong time.
>
> The key numbers mentioned for ntpdc are referring to symmetric keys which
> have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
> same key as used on the server has to be copied to the client in order to
> be able to authenticate (-> "symmetric").
>
> Those symmetric keys can also be used with ntpdc. However, AFAIK, the
> autokey scheme can not.
>
> To configure symmetric keys you have to create a text file on the NTP
> server, e.g. /etc/ntp.keys, which contains the keys, e.g.:
>
> 1 M my_secret_key
> 2 M another_secret_key
>
>> What I seem not to be able to get is what the "key number" represents.
>
> The first column is the key number you have been asking for. The second
> column is a shortcut for the type of encryption, where 'M' is for MD5, which
> is AFAIK the only type of encryption still supported for symmetric keys.
> The 3rd column are the keys, just text strings, which must be shared with
> the clients.
>
> Then the following lines need to be added to the server's ntp.conf file:
>
> keys /etc/ntp.keys # path for keys file
> trustedkey 1 2
>
> After ntpd has been restarted you should be able to use either key 1,
> "my_secret_key", or key 2, "another_secret_key", from your NTP client or
> with ntpdc.
>
> Having multiple keys as in the example above can be useful to share one
> key with one group of clients, and another key with another group of
> clients, if required.
>
> [...]
>> I'm running the current Meinberg windows port.
>
> Please note this is based on the original sources from ntp.org. Here at
> Meinberg we have just compiled those sources for Windows and put the
> resulting binaries into a GUI installer to simplify installation under
> Windows.
>
> Martin
> --
> Martin Burnicki
>
> Meinberg Funkuhren
> Bad Pyrmont
> Germany

I'm getting closer... you actually put the key data in a file that you point
to. OK... how do I generate the keys? For example, I tried the below (of
course, the keys listed have been erased...) and which file do I use the
contents of as key material, how much do I use (just the data and no
headers), and do I have to do it all on one line per key?

Thanks for the help on this. I've searched for detailed info without
success.

C:\Program Files\NTP\bin>ntp-keygen -c RSA-MD5 -V 5 -p Passwd
Using OpenSSL version 90805f
Random seed file C:/.rnd 1024 bytes
Generating MV parameters for 5 keys (102 bits)...
Birthday keys rejected 0
Duplicate keys rejected 335
Generating polynomial coefficients for 5 roots (510 bits)
Generating g[i] parameters
Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: yes
Generating new mv file and link
ntpkey_mv_wsr-88d->ntpkey_MVpar_wsr-88d.3424071587
ntpkey_MVkey1_wsr-88d.3424071587
ntpkey_MVkey2_wsr-88d.3424071587
ntpkey_MVkey3_wsr-88d.3424071587
ntpkey_MVkey4_wsr-88d.3424071587
Revoke key 5
Generating RSA keys (512 bits)...
RSA 3 1 2
Generating new host file and link
ntpkey_host_wsr-88d->ntpkey_RSAkey_wsr-88d.3424071587
Using host key as sign key
Generating certificate RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_wsr-88d->ntpkey_RSA-MD5cert_wsr-88d.3424071587

Here's the contents of the only key that says MD5 anywhere in it -
ntpkey_cert_wsr-88d - and, how do I make more than one?

# ntpkey_RSA-MD5cert_wsr-88d.3424071294
# Thu Jul 03 06:54:54 2008
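
The symmetric-key setup described in the quoted reply, as an added example that is not part of the original thread or of the NTP distribution: Python that writes a keys file in the "number M key" layout with random keys and checks that every trustedkey number in ntp.conf has a matching keys-file entry. The function names, the 16-character key length and the sample input are assumptions.

```python
import re
import secrets
import string

KEY_LINE = re.compile(r"^(\d+)\s+(\S)\s+(\S+)$")  # number, type letter, key

def make_keys_file(key_numbers, length=16):
    """Return keys-file text: '<number> M <random ASCII key>' per line.
    length=16 is an assumption; check the limit your ntpd build documents."""
    alphabet = string.ascii_letters + string.digits  # no '#' or whitespace
    return "".join(
        f"{n} M {''.join(secrets.choice(alphabet) for _ in range(length))}\n"
        for n in key_numbers)

def parse_keys(text):
    """Map key number -> (type, key), skipping blanks and '#' comments."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed keys line: {raw!r}")
        number = int(m.group(1))
        if number in keys:
            raise ValueError(f"duplicate key number {number}")
        keys[number] = (m.group(2), m.group(3))
    return keys

def trusted_keys(conf_text):
    """Collect key numbers from every 'trustedkey' line of ntp.conf text."""
    trusted = set()
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "trustedkey":
            trusted.update(int(f) for f in fields[1:])
    return trusted

def audit(keys_text, conf_text):
    """Return (trusted but undefined, defined but untrusted) key numbers."""
    defined, trusted = set(parse_keys(keys_text)), trusted_keys(conf_text)
    return sorted(trusted - defined), sorted(defined - trusted)

# Constructed sample input, modelled on the two snippets in the quoted reply.
SAMPLE_CONF = "keys /etc/ntp.keys   # path for keys file\ntrustedkey 1 2 7\n"
SAMPLE_KEYS = make_keys_file([1, 2, 3])

if __name__ == "__main__":
    print(SAMPLE_KEYS, end="")
    print("missing / untrusted:", audit(SAMPLE_KEYS, SAMPLE_CONF))
```

The keys file holds shared secrets in clear text, so it should be readable only by the account ntpd runs under.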
