Alain,

You are apparently using the release version of ntpd. That version, while dated early this year, has a patchwork of old and new algorithms. This means that, while the algorithms have been compatible as the versions progress, various combinations of old and new algorithms, as in the current release version, probably are not. The only version I can help you with is the development version, which does have compatible algorithms. I put a good deal of effort in the documentation for the development version, including configuration and key generation examples. However, note that the online documentation applies only to the development version, not the release version. In any case, the documentation included in your version applies specifically to the software of your version.
If using the development version, pay close attention to the defaults, especially the default host name and key. I suspect the defaults are not what you expect.

Dave

Bartholome, Alain wrote:

>Hi,
>
>I am currently trying to run the ntp autokey protocol with the Trusted
>Certificate identity scheme.
>
>I use 3 systems (serverT1, server2, server3) all running ntp-4.2.4p6 on
>windows 2003.
>
>#####
>1) The stratum 1 system, serverT1 is trusted.
>#####
>ntp.conf of serverT1:
>
>driftfile "d:\appli\NTP\ntp.drift"
>keysdir "D:\appli\ntp\etc"
>crypto
>server 127.127.1.0
>fudge 127.127.1.0 stratum 1
>
>#end of ntp.conf
>
>ServerT1 is trusted. I run on serverT1 the following ntp-keygen command:
>ntp-keygen -T
>
>ntpq returns the following information:
>
>ntpq> rv
>assID=0 status=0544 leap_none, sync_local_proto, 4 events,
>event_peer/strat_chg,
>version="ntpd 4.2....@vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009 (4)",
>processor="unknown", system="WINDOWS/NT", leap=00, stratum=2,
>precision=-20, rootdelay=0.000, rootdispersion=11.370, peer=60933,
>refid=LOCAL(0),
>reftime=cd34294d.ecd4a22c Wed, Feb 4 2009 14:48:45.925, poll=10,
>clock=cd34296b.49445fe5 Wed, Feb 4 2009 14:49:15.286, state=4,
>offset=0.000, frequency=0.000, jitter=0.001, noise=0.001,
>stability=0.000, hostname="serverT1", signature="md5WithRSAEncryption",
>flags=0x80001, update=200902041304, tai=0, cert="serverT1 serverT1 0x1",
>expire=201001281615
>ntpq> rv 60933
>assID=60933 status=9614 reach, conf, sel_sys.peer, 1 event, event_reach,
>srcadr=LOCAL(0), srcport=123, dstadr=127.0.0.1, dstport=123, leap=00,
>stratum=1, precision=-20, rootdelay=0.000, rootdispersion=10.000,
>refid=LOCL, reach=377, unreach=0, hmode=3, pmode=4, hpoll=6, ppoll=10,
>flash=00 ok, keyid=0, ttl=0, offset=0.000, delay=0.000,
>dispersion=0.942, jitter=0.001,
>reftime=cd3432f2.ecd4e67b Wed, Feb 4 2009 15:29:54.925,
>org=cd3432f2.ecd4e67b Wed, Feb 4 2009 15:29:54.925,
>rec=cd3432f2.ecd50a41 Wed, Feb 4 2009 15:29:54.925,
>xmt=cd3432f2.ecd4c6eb Wed, Feb 4 2009 15:29:54.925,
>filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
>filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
>filtdisp= 0.00 0.98 1.97 2.91 3.90 4.88 5.84 6.83
>
>#####
>2) server server2 is not trusted, synchronization is successful with
>serverT1
>######
>ntp.conf of server2:
>
>keysdir "D:\appli\ntp\etc"
>crypto
>server serverT1 autokey iburst
>
> #end of ntp.conf
>
>Server2 is not trusted. I run on server2 the following ntp-keygen command:
>ntp-keygen
>
> The synchronization with serverT1 is OK.
>
>I get the following ntpq information:
>
>ntpq> rv 25408
>assID=25408 status=f614 reach, conf, auth, sel_sys.peer, 1 event,
>event_reach,
>srcadr=serverT1, srcport=123, dstadr=192.168.1.20, dstport=123, leap=00,
>stratum=2, precision=-20, rootdelay=0.000, rootdispersion=11.780,
>refid=LOCAL(0), reach=377, unreach=0, hmode=3, pmode=4, hpoll=8,
>ppoll=8, flash=00 ok, keyid=2530961316, ttl=0, offset=-5.406,
>delay=0.538, dispersion=7.295, jitter=7.284,
>reftime=cd342132.ec945c28 Wed, Feb 4 2009 14:14:10.924,
>org=cd34216b.6a7954cf Wed, Feb 4 2009 14:15:07.415,
>rec=cd34216b.6bed4439 Wed, Feb 4 2009 14:15:07.421,
>xmt=cd34216b.6bc631af Wed, Feb 4 2009 14:15:07.420,
>filtdelay= 0.54 0.73 0.62 24.35 0.54 0.57 0.50 0.51,
>filtoffset= -5.41 -3.59 2.06 5.67 1.19 0.93 3.51 4.64,
>filtdisp= 0.00 3.86 7.68 11.51 15.35 19.17 23.01 24.96,
>hostname="serverT1", signature="md5WithRSAEncryption", flags=0x83f01,
>trust="serverT1"
>ntpq> rv
>assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
>version="ntpd 4.2....@vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009 (4)",
>processor="unknown", system="WINDOWS/NT", leap=00, stratum=3,
>precision=-18, rootdelay=0.373, rootdispersion=36.531, peer=25408,
>refid=192.168.1.1,
>reftime=cd342770.7be454cf Wed, Feb 4 2009 14:40:48.483, poll=9,
>clock=cd3428e6.49fff906 Wed, Feb 4 2009 14:47:02.289, state=4,
>offset=-10.760, frequency=20.908, jitter=4.156, noise=10.913,
>stability=0.048, hostname="server2", signature="md5WithRSAEncryption",
>flags=0x80001, update=200902041308, tai=0, cert="serverT1 serverT1 0x7",
>expire=201001281615, cert="server2 server2 0x2",
>expire=201002041023
>
>######
>3) server3 is not trusted and should synchronize with server2
>######
> ntp.conf of server3
>
>keysdir "D:\appli\ntp\etc"
>crypto
>server server2 autokey iburst prefer
>#end of ntp.conf
>
>Server3 is not trusted. I run on server3 the following ntp-keygen command:
>ntp-keygen
>
>server3 does not synchronize with server2
>
>ntpq gives the following information:
>ntpq> rv 50257
>assID=50257 status=e000 unreach, conf, auth, no events,
>srcadr=server2, srcport=123, dstadr=192.168.2.11, dstport=123,
>leap=00, stratum=3, precision=-18, rootdelay=0.519,
>rootdispersion=32.700, refid=192.168.1.1, reach=000, unreach=27,
>hmode=3, pmode=4, hpoll=10, ppoll=9, flash=80 pkt_autokey,
>keyid=1380897353, ttl=0, offset=0.000, delay=0.000,
>dispersion=15937.500, jitter=0.000,
>reftime=cd3417e7.59d3f4e0 Wed, Feb 4 2009 13:34:31.350,
>org=cd34186d.a8e79f46 Wed, Feb 4 2009 13:36:45.659,
>rec=cd34186d.95b2f617 Wed, Feb 4 2009 13:36:45.584,
>xmt=cd34186d.954f37dd Wed, Feb 4 2009 13:36:45.583,
>filtdelay= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
>filtoffset= 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00,
>filtdisp= 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
>hostname="server2", signature="md5WithRSAEncryption", flags=0x80001,
>trust="server2"
>ntpq> rv
>assID=0 status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
>version="ntpd 4.2....@vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009 (4)",
>processor="unknown", system="WINDOWS/NT", leap=11, stratum=16,
>precision=-18, rootdelay=0.000, rootdispersion=64.065, peer=0,
>refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 6:28:16.000,
>poll=6, clock=cd342253.1a895515 Wed, Feb 4 2009 14:18:59.103, state=1,
>offset=0.000, frequency=16.562, jitter=0.004, noise=0.004,
>stability=0.000, hostname="server3", signature="md5WithRSAEncryption",
>flags=0x80001, update=203602070628, tai=0,
>cert="server2 server2 0x2", expire=201002041023,
>cert="server3 server3 0x2", expire=201002041058
>
>Could you tell me if my use of autokey with trusted certificate identity
>scheme is correct?
>
>Do you see something wrong?
>
>Thanks for your help.
>
>Alain BARTHOLOMÉ
>_______________________________________________
>questions mailing list
>questions@lists.ntp.org
>https://lists.ntp.org/mailman/listinfo/questions
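
As an added illustration, not part of the original thread: a small Python parser for the `ntpq rv` peer readouts quoted above, comparing the working serverT1 association with the failing server2 one. The sample text is trimmed from the quoted message, and the flag-bit names are an assumption recalled from ntpd's `ntp_crypto.h`, not something stated in the thread.

```python
import re

# Constructed sample: the two peer readouts from the quoted message, trimmed
# to the fields compared here.
WORKING = '''assID=25408 status=f614 reach, conf, auth, sel_sys.peer, 1 event,
srcadr=serverT1, reach=377, unreach=0, flash=00 ok, keyid=2530961316,
hostname="serverT1", signature="md5WithRSAEncryption", flags=0x83f01,
trust="serverT1"'''
FAILING = '''assID=50257 status=e000 unreach, conf, auth, no events,
srcadr=server2, reach=000, unreach=27, flash=80 pkt_autokey,
keyid=1380897353, dispersion=15937.500,
hostname="server2", signature="md5WithRSAEncryption", flags=0x80001,
trust="server2"'''

# Assumption: the low 16 bits of a peer's "flags" use the CRYPTO_FLAG_* layout
# recalled from the 4.2.4-era ntp_crypto.h; confirm against your source tree.
CRYPTO_STEPS = [(0x0100, "VALID"), (0x0200, "VRFY"), (0x0400, "PROV"),
                (0x0800, "AGREE"), (0x1000, "AUTO"), (0x2000, "SIGN")]
# A value is either a quoted string or text up to the next comma / next key=.
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,\n]*?(?=\s+\w+=|,|\n|$))')

def parse_rv(text):
    """Parse ntpq 'rv' text into a dict; a repeated key (cert=) becomes a list."""
    out = {}
    for key, raw in PAIR.findall(text):
        val = raw.strip().strip('"')
        if key in out:
            prev = out[key]
            out[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            out[key] = val
    return out

def autokey_report(text):
    """Summarise reachability, flash code and completed Autokey steps."""
    v = parse_rv(text)
    flags = int(v["flags"], 16)
    return {
        "peer": v["srcadr"],
        "reachable": int(v["reach"], 8) != 0,      # reach is an octal shift register
        "flash": int(v["flash"].split()[0], 16),   # "80 pkt_autokey" -> 0x80
        "done": [n for bit, n in CRYPTO_STEPS if flags & bit],
        "missing": [n for bit, n in CRYPTO_STEPS if not flags & bit],
    }

if __name__ == "__main__":
    for sample in (WORKING, FAILING):
        print(autokey_report(sample))
```
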