Hello everyone,

Problem statement: With autokey enabled, my Windows client rejects the
server.

Some background...

So, I have three machines running 4.2.7p238. I have a problem with
autokey on one of them. It runs Windows.

I am including as much data on each machine as I can in this first post
to try and avoid the "please provide more info" replies. They are:

1- The main time server (the Soaker)
2- A control box that works fine (the Thinker)
3- The problematic system (the lb400)

~*~*~
1- Main time server
The Soaker is a soekris box running NetBSD-4 with a GPS18LVC set to use
the PPS signal only (driver 22). All NMEA sentences are turned off. It
gets the seconds from a nearby cisco router from my ISP, and I added two
servers for sanity checking. The Soaker is the gateway to my home
network and the main time server for all the other machines. Accuracy on
the soaker is low microseconds after it settles down. Keys have been
defined through the command "ntp-keygen -T -l <very large number>".
Those keys will expire in 2035.

After some uptime, I get this:

soaker# cat /etc/ntp.conf | grep "^[^#]"
pidfile         /var/run/ntpd.pid
driftfile       /var/db/ntp.drift
leapfile        /etc/ntp.leap
keys            /etc/ntp.keys
keysdir         /etc/
trustedkey      1
controlkey      1
crypto
restrict        default limited kod nomodify
restrict        localhost
restrict        soaker
restrict        thinker
restrict        lb400
interface       ignore all
interface       listen 192.168.1.0/24
interface       listen 127.0.0.1/32
logconfig       +allclock +allpeer +allsys +allsync
tos             minsane 0
server          127.127.22.0            iburst minpoll 4
fudge           127.127.22.0            flag3 1
server          24.200.235.178          iburst prefer
server          time.chu.nrc.ca         iburst minpoll 10 maxpoll 17
server          time.nrc.ca             iburst minpoll 10 maxpoll 17

soaker# ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 10626  973a   yes   yes  none  pps.peer    sys_peer  3
  2 10627  963a   yes   yes  none  sys.peer    sys_peer  3
  3 10628  9424   yes   yes  none candidate   reachable  2
  4 10629  9424   yes   yes  none candidate   reachable  2

soaker# ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
oPPS(0)          .PPS.            0 l    5   16  377    0.000    0.001   0.004
*24.200.235.178  10.23.2.57       3 u   14   64  377    6.996    1.364   1.924
+time1.chu.nrc.c 209.87.233.50    2 u  769 1024  377   22.269    2.453   1.460
+time.nrc.ca     132.246.11.231   2 u  774 1024  377   36.816   -1.542   1.031

soaker# ntpq -c rv
associd=0 status=011d leap_none, sync_pps, 1 event, kern,
version="ntpd [email protected] Sat Dec 10 02:49:00 UTC 2011 (1)",
processor="i386", system="NetBSD/4.0_STABLE", leap=00, stratum=1,
precision=-18, rootdelay=0.000, rootdisp=1.150, refid=PPS,
reftime=d28f7cae.49d3e437  Sun, Dec 11 2011 14:02:06.288,
clock=d28f7cb9.17d5fa82  Sun, Dec 11 2011 14:02:17.093, peer=10626, tc=4,
mintc=3, offset=0.001, frequency=76.517, sys_jitter=0.004,
clk_jitter=0.002, clk_wander=0.008, tai=34, leapsec=200901010000,
expire=201206280000, host="soaker", flags=0x80003, digest="md5",
signature="md5WithRSAEncryption", update=201112111629,
cert="soaker soaker 0x1", until=203501011455

soaker#

~*~*~
2- The Control machine
The Thinker is an old IBM ThinkPad laptop also running NetBSD-4 and
syncs to the Soaker through the LAN. It uses autokey and produces the
following data.

thinker# cat /etc/ntp.conf | grep "^[^#]"
pidfile         /var/run/ntpd.pid
driftfile       /var/db/ntp.drift
leapfile        /etc/ntp.leap
keys            /etc/ntp.keys
keysdir         /etc/
trustedkey      1
controlkey      1
crypto
restrict        default limited kod nomodify
restrict        localhost
restrict        soaker
restrict        thinker
restrict        lb400
interface       ignore all
interface       listen 192.168.1.0/24
interface       listen 127.0.0.1/32
logconfig       +allclock +allpeer +allsys +allsync
server          soaker          iburst autokey

thinker# ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 37134  f63a   yes   yes   ok   sys.peer    sys_peer  3

thinker# ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*soaker          .PPS.            1 u   64 1024  377    0.486   -0.109   0.116

thinker# ntpq -c rv
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd [email protected] Sat Dec 10 02:49:00 UTC 2011 (1)",
processor="i386", system="NetBSD/4.0_STABLE", leap=00, stratum=2,
precision=-19, rootdelay=0.486, rootdisp=21.407, refid=192.168.1.4,
reftime=d28f7d0f.eb35f08c  Sun, Dec 11 2011 14:03:43.918,
clock=d28f7d52.05a42a38  Sun, Dec 11 2011 14:04:50.022, peer=37134,
tc=10, mintc=3, offset=-0.109, frequency=15.106, sys_jitter=0.000,
clk_jitter=0.142, clk_wander=0.011, tai=34, leapsec=200901010000,
expire=201206280000, host="thinker", flags=0x80003, digest="md5",
signature="md5WithRSAEncryption", update=201112110158,
cert="thinker soaker 0x4", until=201212100158, cert="soaker soaker 0x5",
until=203501011455, cert="thinker thinker 0x0", until=203501020156

thinker#

As you can see above, autokey works fine for the Thinker and the client is
happy to sync with the server.

~*~*~
3- The problematic machine
The lb400 is a Windows XP box running Dave Hart's pre-compiled binaries.
I installed the most recent OpenSSL libeay32.dll I could find in the NTP
runtime directory.

Here's the data:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\NTP\etc>type ntp.conf
driftfile       "C:\Program Files\NTP\etc\ntp.drift"

leapfile        "C:\Program Files\NTP\etc\ntp.leap"

keys            "C:\Program Files\NTP\etc\ntp.keys"
keysdir         "C:\Program Files\NTP\etc\"
trustedkey      1
controlkey      1
crypto

restrict        default limited kod nomodify
restrict        localhost
restrict        soaker
restrict        thinker
restrict        lb400

interface       ignore all
interface       listen 192.168.1.0/24
interface       listen 127.0.0.1/32

logconfig       +allclock +allpeer +allsys +allsync

server          soaker          iburst autokey

C:\Program Files\NTP\etc>ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 44112  e011   yes    no   ok     reject    mobilize  1

C:\Program Files\NTP\etc>ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 soaker          .PPS.            1 u   39   64    0    0.000    0.000   0.000

C:\Program Files\NTP\etc>ntpq -c rv
associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart,
version="ntpd 4.2.7p238-o Dec 10 4:46:28.43 (UTC-00:00) 2011  (1)",
processor="x86", system="Windows", leap=11, stratum=16, precision=-21,
rootdelay=0.000, rootdisp=0.855, refid=INIT,
reftime=00000000.00000000  Thu, Feb  7 2036  1:28:16.000,
clock=d28f7fa2.72516db4  Sun, Dec 11 2011 14:14:42.446, peer=0, tc=3,
mintc=3, offset=0.000, frequency=21.550, sys_jitter=0.000,
clk_jitter=0.000, clk_wander=0.000, leapsec=200901010000,
expire=201206280000, host="lb400", flags=0x80001, digest="md5",
signature="md5WithRSAEncryption", cert="soaker soaker 0x5",
until=203501011455, cert="lb400 lb400 0x0", until=203501011645

C:\Program Files\NTP\etc>

You can see above that the lb400 rejects the association with the
Soaker. It authenticates the autokey all right, but reports as
unreachable.

If I change the lb400 configuration file to simply omit the autokey
keyword and restart the daemon/service, it syncs immediately. Here is
the kind of output I get if I do this:

C:\Program Files\NTP\etc>type ntp.conf
driftfile       "C:\Program Files\NTP\etc\ntp.drift"

leapfile        "C:\Program Files\NTP\etc\ntp.leap"

keys            "C:\Program Files\NTP\etc\ntp.keys"
keysdir         "C:\Program Files\NTP\etc\"
trustedkey      1
controlkey      1
crypto

restrict        default limited kod nomodify
restrict        localhost
restrict        soaker
restrict        thinker
restrict        lb400

interface       ignore all
interface       listen 192.168.1.0/24
interface       listen 127.0.0.1/32

logconfig       +allclock +allpeer +allsys +allsync

server          soaker          iburst

C:\Program Files\NTP\etc>ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 62871  965a   yes   yes  none  sys.peer    sys_peer  5

C:\Program Files\NTP\etc>ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*soaker          .PPS.            1 u    2   64    1    4.909   -2.781  11.338

C:\Program Files\NTP\etc>ntpq -c rv
associd=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer,
version="ntpd 4.2.7p238-o Dec 10 4:46:28.43 (UTC-00:00) 2011  (1)",
processor="x86", system="Windows", leap=00, stratum=2, precision=-21,
rootdelay=0.378, rootdisp=953.589, refid=192.168.1.4,
reftime=d28f8146.907823ff  Sun, Dec 11 2011 14:21:42.564,
clock=d28f8172.29f63a84  Sun, Dec 11 2011 14:22:26.163, peer=62871, tc=6,
mintc=3, offset=-14.116, frequency=21.550, sys_jitter=0.000,
clk_jitter=4.991, clk_wander=0.000, tai=34, leapsec=200901010000,
expire=201206280000, host="lb400", flags=0x80003, digest="md5",
signature="md5WithRSAEncryption", update=201112111921,
cert="lb400 lb400 0x0", until=203501011645

C:\Program Files\NTP\etc>

I concede that I haven't let this session run very long, but my point is
simply to show that the association is not rejected. The Soaker can be
reached. So by disabling autokey on the lb400, I get the association to
materialize correctly and very quickly. This is on Windows.

I ran both attempts, with or without autokey, with the -D4 flag turned
on. I can provide both outputs if someone is interested. They are rather
long, so I won't include them just yet. Here is a short excerpt which I
think shows the problem.

auth_setkey: key 176003 type 4 len 16 3b3121552f7414c00320858b72092360
session_key: 192.168.1.15 > 192.168.1.4 0002af83 00000000 hash 3b312155 life 4160
make_keys: 0 3b312155 00000000 ts 0 fs 0 poll 6
crypto_xmit: flags 0x80001 offset 48 len 32 code 0x201 associd 44112
session_key: 192.168.1.15 > 192.168.1.4 0002af83 00000000 hash 3b312155 life 2
sendpkt(1592, dst=192.168.1.4, src=192.168.1.15, ttl=0, len=100)
sendto 192.168.1.4 100 octets
fd 1592 192.168.1.4 recv packet mode is 4
transmit: at 2 192.168.1.15->192.168.1.4 mode 3 keyid 0002af83 len 100 index 0
Received 100 bytes fd 1592 in buffer 00C4D4A8 from 192.168.1.4
poll_update: at 2 192.168.1.4 poll 6 burst 0 retry 2 head 62 early 2 next 64
timer: interface update
update_interfaces(123)
interface_action: interface Local Area Connection subnet address match - listen
examining interface #0: fd=-1, bfd=-1, name=Local Area Connection, flags=0x19, ifindex=0, sin=192.168.1.15, bcast=192.168.1.255, mask=255.255.255.0, Enabled:
Searching for addr 192.168.1.15 in list of addresses - FOUND
updating interface #1: fd=1592, bfd=-1, name=Local Area Connection, flags=0x19, ifindex=0, sin=192.168.1.15, bcast=192.168.1.255, mask=255.255.255.0, Enabled: present
interface_action: interface MS TCP Loopback interface subnet address match - listen
examining interface #0: fd=-1, bfd=-1, name=MS TCP Loopback interface, flags=0x15, ifindex=0, sin=127.0.0.1, mask=255.255.255.255, Enabled:
Searching for addr 127.0.0.1 in list of addresses - FOUND
updating interface #2: fd=1584, bfd=-1, name=MS TCP Loopback interface, flags=0x15, ifindex=0, sin=127.0.0.1, mask=255.255.255.255, Enabled: present
IoEvent occurred
receive: at 2 192.168.1.15<-192.168.1.4 flags 19 restrict 000
auth_setkey: key 176003 type 4 len 16 42ef0e09875ce0ecb144f2608d0be72c
session_key: 192.168.1.4 > 192.168.1.15 0002af83 00000000 hash 42ef0e09 life 2
receive: at 2 192.168.1.15<-192.168.1.4 mode 4 keyid 0002af83 len 100 auth 1
crypto_recv: flags 0x0 ext offset 48 len 32 code 0x8201 associd 44112
crypto_recv: ident host 0x80001 44112 server 0x80003 0
crypto_recv: assoc 44112 44112 host soaker md5WithRSAEncryption
poll_update: at 2 192.168.1.4 poll 6 burst 5 retry 0 head 62 early 2 next 2
packet: flash header 1680

As far as OpenSSL is concerned, checking the attributes of libeay32.dll
reports the following:
- File/Product version 1.0.0.5 (also reports as 1.0.0e)
- MD5 hash of the dll is A64CAF9EF3DCFC68AECACC61D2F6708B


Thank you for your time. Pun intended.

--
Pierre Dubuc
[email protected]

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions

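Added example (not part of the post above and not code from the NTP project): a small decoder for the hex status words that ntpq prints, so the columns in the post can be read straight off the numbers. The peer status word in the `status` column of `ntpq -c as` is laid out as 5 status bits (conf, authenb, auth, reach, bcast), a 3-bit selection field, a 4-bit event counter and a 4-bit last-event code; the `status=` word in `ntpq -c rv` is 2 leap bits, a 6-bit clock source, a counter and an event code; the `flash` word in the `-D` output is the TEST1..TEST13 bitmask from ntpd's ntp.h, printed in hex. Field names follow ntpq's own output. Running it over the post's values shows why the lb400 row reads the way it does: e011 decodes to configured, authentication enabled and authentic, reach bit clear, selection "reject", one event (mobilize); and the flash word 1680 has the pkt_autokey (TEST8) bit set alongside peer_stratum, peer_dist and peer_unreach. The sample rows are copied from the post.

```python
"""Decode the hex status words ntpq prints: the peer status word from the
`ntpq -c as` "status" column, the system status word from `ntpq -c rv`
("status=011d"), and the per-packet `flash` word from ntpd -D output
("packet: flash header 1680").  Bit layouts follow ntpd's ntp_control.h
(status words) and ntp.h (TEST1..TEST13).  Sample words come from the post."""

# Peer status word: | status(5) | select(3) | count(4) | code(4) |
PEER_STATUS_FLAGS = ((0x10, "conf"), (0x08, "authenb"), (0x04, "auth"),
                     (0x02, "reach"), (0x01, "bcast"))
PEER_SELECT = ("reject", "falsetick", "excess", "outlier",
               "candidate", "backup", "sys.peer", "pps.peer")
PEER_EVENTS = {1: "mobilize", 2: "demobilize", 3: "unreachable", 4: "reachable",
               5: "restart", 6: "no_reply", 7: "rate_exceeded", 8: "access_denied",
               9: "leap_armed", 10: "sys_peer", 11: "clock_event", 12: "bad_auth",
               13: "popcorn", 14: "interleave_mode", 15: "interleave_error"}

# System status word: | leap(2) | source(6) | count(4) | code(4) |
LEAP = ("leap_none", "leap_add_sec", "leap_del_sec", "leap_alarm")
SYS_SOURCE = ("sync_unspec", "sync_pps", "sync_lf_radio", "sync_hf_radio",
              "sync_uhf_radio", "sync_local", "sync_ntp", "sync_other",
              "sync_wristwatch", "sync_telephone")
SYS_EVENTS = {0: "unspecified", 1: "freq_not_set", 2: "freq_set", 3: "spike_detect",
              4: "freq_mode", 5: "clock_sync", 6: "restart", 7: "panic_stop",
              8: "no_sys_peer", 9: "leap_armed", 10: "leap_disarmed", 11: "leap_event",
              12: "clock_step", 13: "kern", 14: "TAI", 15: "stale_leapsecond_values"}

# Flash word: TEST1 is bit 0 ... TEST13 is bit 12, named as ntpq's "flash=" shows them.
FLASH_NAMES = ("pkt_dup", "pkt_bogus", "pkt_unsync", "pkt_denied", "pkt_auth",
               "pkt_stratum", "pkt_header", "pkt_autokey", "pkt_crypto",
               "peer_stratum", "peer_dist", "peer_loop", "peer_unreach")


def decode_peer_status(word):
    """Decode a 4-hex-digit peer status word into the columns `ntpq -c as` prints."""
    w = int(word, 16)
    status = (w >> 11) & 0x1F
    flags = {name: bool(status & bit) for bit, name in PEER_STATUS_FLAGS}
    # ntpq prints "none" when authentication is not enabled for the association,
    # otherwise "ok" or "bad" depending on whether the last packet authenticated.
    if not flags["authenb"]:
        auth = "none"
    else:
        auth = "ok" if flags["auth"] else "bad"
    return {
        "conf": flags["conf"],
        "reach": flags["reach"],
        "auth": auth,
        "condition": PEER_SELECT[(w >> 8) & 0x7],
        "count": (w >> 4) & 0xF,
        "last_event": PEER_EVENTS.get(w & 0xF, "unknown"),
    }


def decode_sys_status(word):
    """Decode the system status word shown as status=XXXX in `ntpq -c rv`."""
    w = int(word, 16)
    source = (w >> 8) & 0x3F
    return {
        "leap": LEAP[(w >> 14) & 0x3],
        "source": SYS_SOURCE[source] if source < len(SYS_SOURCE) else "sync_%d" % source,
        "count": (w >> 4) & 0xF,
        "last_event": SYS_EVENTS.get(w & 0xF, "unknown"),
    }


def decode_flash(word):
    """Return the names of the TEST bits set in a hex flash word, lowest bit first."""
    w = int(word, 16)
    return [name for i, name in enumerate(FLASH_NAMES) if w & (1 << i)]


def check_as_line(line):
    """Parse one data row of `ntpq -c as` and confirm the printed columns agree
    with what its status word decodes to.  Returns (decoded, agrees)."""
    ind, assid, status, conf, reach, auth, cond, event, cnt = line.split()
    d = decode_peer_status(status)
    agrees = (d["conf"] == (conf == "yes") and d["reach"] == (reach == "yes")
              and d["auth"] == auth and d["condition"] == cond
              and d["last_event"] == event and d["count"] == int(cnt))
    return d, agrees


if __name__ == "__main__":
    # Rows copied from the post: the working Thinker client and the failing lb400.
    for row in ("1 37134  f63a   yes   yes   ok   sys.peer    sys_peer  3",
                "1 44112  e011   yes    no   ok     reject    mobilize  1"):
        print(row.split()[2], check_as_line(row))
    print("011d", decode_sys_status("011d"))   # Soaker: leap_none, sync_pps, kern
    print("c016", decode_sys_status("c016"))   # lb400 with autokey: leap_alarm, restart
    print("1680", decode_flash("1680"))        # debug excerpt: includes pkt_autokey
```

The `check_as_line` cross-check is the useful part when reading someone else's paste: if the decoded word and the printed columns disagree, the paste has been edited or mangled. Note that the decoder only names which bits are set; it does not say why a bit is set, so the pkt_autokey bit in 1680 is a pointer to where in the exchange to look, not a diagnosis.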