Bob,

Bob wrote:
>
> "Martin Burnicki" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Bob,
>>
>> Bob wrote:
>>> Can someone run me through the steps necessary to generate, and apply
>>> keys so I can use ntpdc to make on the fly changes to ntpd? I've read
>>> through the docs - repeatedly! - and tried every incarnation of
>>> ntp-keygen listed.
>>
>> ntp-keygen is used to generate private/public key pairs which are used
>> for NTP's "autokey" schemes which have been introduced in NTPv4. The
>> advantage of autokey is that you just have to distribute the public key
>> to other machines but don't have to copy the private key to some other
>> machine.
>>
>> The autokey scheme is used to let NTP clients be able to verify that a
>> NTP packet received from a NTP server has indeed been sent by that server
>> and not by someone else who wants to spoof a wrong time.
>>
>> The key numbers mentioned for ntpdc are referring to symmetric keys which
>> have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
>> same key as used on the server has to be copied to the client in order to
>> be able to authenticate (-> "symmetric").
>>
>> Those symmetric keys can also be used with ntpdc. However, AFAIK, the
>> autokey scheme can not.
>>
>> To configure symmetric keys you have to create a text file on the NTP
>> server, e.g. /etc/ntp.keys, which contains the keys, e.g.:
>>
>> 1 M my_secret_key
>> 2 M another_secret_key
>>
>>> What I seem not to be able to get is what the "key number" represents.
>>
>> The first column is the key number you have been asking for. The second
>> column is a shortcut for the type of encryption, where 'M' is for MD5
>> which is AFAIK the only type of encryption still supported for symmetric
>> keys. The 3rd column are the keys, just text strings, which must be
>> shared with the clients.
>>
>> Then the following lines need to be added to the server's ntp.conf file:
>>
>> keys /etc/ntp.keys # path for keys file
>> trustedkey 1 2
>>
>> After ntpd has been restarted you should be able to use either key 1,
>> "my_secret_key", or key 2, "another_secret_key", from your NTP client or
>> with ntpdc.
>>
>> Having multiple keys as in the example above can be useful to share
>> one key with one group of clients, and another key with another group of
>> clients, if required.
>>
>> [...]
>>> I'm running the current Meinberg windows port.
>>
>> Please note this is based on the original sources from ntp.org. Here at
>> Meinberg we have just compiled those sources for Windows and put the
>> resulting binaries into a GUI installer to simplify installation under
>> Windows.
>>
>> Martin
>> --
>> Martin Burnicki
>>
>> Meinberg Funkuhren
>> Bad Pyrmont
>> Germany
>
> I'm getting closer... you actually put the key data in a file that you
> point to. OK... how do I generate the keys?
Hm, in the past I've just put a kind of password in as a key. That works.

> For example, I tried the below
> (of course, the keys listed have been erased...) and which file do I use
> the contents of as key material, how much do I use (just the data and no
> headers), and do I have to do it all on one line per key? Thanks for the
> help on this. I've searched for detailed info without success.

I've just seen a new bug http://bugs.ntp.org/1037 which says the MD5 keys
generated by ntpkeygen -M are 1 character shorter than they should be.

Running ntp-keygen -M produces a file with 16 MD5 keys, e.g.:

# ntpkey_MD5key_gateway.3424077267
# Thu Jul 3 14:34:27 2008
1 MD5 {ph":xjnCg=6ih` # MD5 key
2 MD5 [EMAIL PROTECTED] # MD5 key
3 MD5 Qlsn(6Lz>m~x}V2 # MD5 key
4 MD5 L{%cTECTpwaiHF< # MD5 key
5 MD5 [EMAIL PROTECTED];1v8S]S # MD5 key
6 MD5 )<A(C.t~%Sx`7%> # MD5 key
7 MD5 lB~^/}6Bt0=N`1q # MD5 key
8 MD5 t.n$r{C=t'|E{<j # MD5 key
9 MD5 yzyb]G><F`N>LmJ # MD5 key
10 MD5 [EMAIL PROTECTED] # MD5 key
11 MD5 xq`?%KeehO`'?g3 # MD5 key
12 MD5 1SV?LIMl1IA;L2i # MD5 key
13 MD5 [EMAIL PROTECTED] # MD5 key
14 MD5 OFh)V>%AT?6XiI~ # MD5 key
15 MD5 cPi|bxlwH&^)dB@ # MD5 key
16 MD5 5[0?>~(;4C0?at% # MD5 key

where gateway is the name of the machine the command has been run on.

Interestingly, while older NTP docs stated the second column should read
just 'M' for MD5 keys, the generated key file contains 'MD5'. Don't know
whether this is accepted by older and/or current versions of ntpd and
ntpdc.

Also, in my earlier post I forgot to mention that you should specify which
keys should be used to authenticate with ntpdc and ntpq, i.e.:

keys /etc/ntp.keys # path for keys file
trustedkey 1 2 15
controlkey 15 # ntpq
requestkey 15 # ntpdc

Though at least bug #418 http://bugs.ntp.org/1037 mentions at least the
controlkey stuff has never been implemented.

Martin
--
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.org/mailman/listinfo/questions
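
Added example, not part of the original thread and not code from the NTP distribution: a small Python audit that cross-checks the key numbers referenced by trustedkey, requestkey and controlkey in ntp.conf against an ntp.keys file in the layout described above, and flags secrets shorter than an expected length. The function names, the sample input and the default length of 16 (inferred from the 15-character generated keys reported as one character short) are assumptions; the trustedkey check follows the thread's example, which lists key 15 under trustedkey as well as controlkey and requestkey.

```python
# Added example. Assumptions: fields are whitespace-separated and '#' starts a
# comment (as in the ntp-keygen -M output quoted above); expected_len=16 is
# inferred from the 15-character keys that the thread says are one short.
AUTH_DIRECTIVES = ("trustedkey", "requestkey", "controlkey")

def _fields(line):
    return line.split("#", 1)[0].split()

def parse_keys(text):
    """Return {key_number: (type, secret)} from ntp.keys-style text."""
    rows = (_fields(l) for l in text.splitlines())
    return {int(f[0]): (f[1], f[2]) for f in rows if len(f) >= 3 and f[0].isdigit()}

def parse_conf(text):
    """Return {directive: [key numbers]} for the auth directives in ntp.conf."""
    rows = (_fields(l) for l in text.splitlines())
    return {f[0]: [int(x) for x in f[1:] if x.isdigit()]
            for f in rows if f and f[0] in AUTH_DIRECTIVES}

def audit(keys_text, conf_text, expected_len=16):
    """List mismatches between ntp.conf key references and the keys file."""
    keys, refs = parse_keys(keys_text), parse_conf(conf_text)
    trusted = set(refs.get("trustedkey", []))
    findings = []
    for directive, ids in refs.items():
        for kid in ids:
            if kid not in keys:
                findings.append(f"{directive} {kid}: not defined in keys file")
            elif directive != "trustedkey" and kid not in trusted:
                findings.append(f"{directive} {kid}: not listed in trustedkey")
    for kid, (ktype, secret) in sorted(keys.items()):
        if ktype not in ("M", "MD5"):  # the two spellings seen in the thread
            findings.append(f"key {kid}: unexpected type {ktype!r}")
        if len(secret) < expected_len:
            findings.append(f"key {kid}: {len(secret)} chars, expected {expected_len}")
    return findings

# Constructed sample input (placeholder secrets, not keys from the thread).
SAMPLE_KEYS = """\
1 M my_secret_key
2 MD5 0123456789abcdef   # MD5 key
15 MD5 0123456789abcde   # MD5 key
"""
SAMPLE_CONF = """\
keys /etc/ntp.keys   # path for keys file
trustedkey 1 2
controlkey 15        # ntpq
requestkey 16        # ntpdc
"""
```

Calling audit(SAMPLE_KEYS, SAMPLE_CONF) returns one finding per mismatch; an empty list means every referenced key number is defined, trusted and at least expected_len characters long.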
