On Saturday, April 21, 2007 at 9:50:48 PM UTC+8, Steve Kostecke wrote:
> On 2007-04-21, Remo <[email protected]> wrote:
>
> > I was not able to set a remote server's leap. It looks like the NTP
> > packets from the query are not generated at all. Though the "sendpkt"
> > procedure is being called "sendrequest", I am not able to see the
> > packet reaching the other side. I guess that I am missing something as
> > there is an error reported with authentication.
>
> I believe that the real issue is that you can't use writevar to set the
> leap.
>
> > ntpq> asso
> > ind assID status conf reach auth condition last_event cnt
> >===========================================================
> > 1 17284 f614 yes yes ok sys.peer reachable 1
> > 2 17285 c000 yes yes bad reject
> > ntpq> writevar 17284 leap=1
> > Keyid: 64
> > MD5 Password:
> > ***Server disallowed request (authentication?)
>
> I have a flock of systems that are set up to allow remote modification
> and have a working symmetric key set. When I tried to set the leap on
> another ntpd I see the same message:
>
> steve@stasis:~$ ntpq
> ntpq> as
> ...
> 2 20879 7014 no yes ok reject reachable 1
> ...
> ntpq> writevar 20879 leap=1
> Keyid: 1
> MD5 Password:
> ***Server disallowed request (authentication?)
>
> I've also tried setting the local ntpd leap and that fails, too:
>
> ntpq> rv 0 leap
> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
> leap=00
> ntpq> writevar 0 leap=1
> ***Server returned an unspecified error
> ntpq> rv 0 leap
> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
> leap=00
>
> > trustedkey 1234
> > requestkey 61
> > controlkey 64
>
> All of the keys must be listed on the 'trustedkey' line. This tells ntpd
> to trust those keys; the default is to trust these keys to authenticate
> time service.
> Subsets of the trusted keys may also be specified on the
> 'trustedkey' and 'requestkey' lines if you wish to allow the use of
> certain keys by ntpdc and ntpq.
>
> This is discussed in the distribution documentation at
> http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis
> is mine):
>
> "When ntpd is first started, it reads the key file specified in the keys
> configuration command and installs the keys in the key cache. HOWEVER,
> INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE
> USE. This allows, for instance, the installation of possibly several
> batches of keys and then activating or deactivating each batch remotely
> using ntpdc. This also provides a revocation capability that can be used
> if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY
> USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND
> SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY."
>
> This is also documented in section 6.1.3.3 at
> http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm
>
> > Is this possible to work without authentication. Please help.
>
> You could disable authentication when ntpd is started, but this will
> leave your ntpd open to being remotely modified by anyone who can
> connect to it.
>
> --
> Steve Kostecke <[email protected]>
> NTP Public Services Project - http://ntp.isc.org/

Hi,

Does that mean I need to know the controlkey and the corresponding password on the NTP server if I want to use ntpq :config on an NTP client? If so, how could I get the key and password on the remote NTP server?

I appreciate your quick response. Thank you.

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
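
The trustedkey rule quoted in the reply above, as an added example that is not part of the original thread or of the NTP distribution: an offline check that the key IDs named by requestkey and controlkey are both defined in the keys file and activated on the trustedkey line. The function names, the `/etc/ntp.keys` path and the key secrets are assumptions made for the illustration, and key IDs are assumed to be plain integers.

```python
# Added example: offline lint for the ntp.conf key directives discussed in the thread.
# Assumptions: key IDs are plain integers; function names and file contents are hypothetical.

def parse_conf(text):
    """Return (trusted_ids, {directive: key_id}) parsed from ntp.conf text."""
    trusted, selected = set(), {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        directive, args = fields[0].lower(), fields[1:]
        if directive == "trustedkey":
            trusted.update(int(a) for a in args if a.isdigit())
        elif directive in ("requestkey", "controlkey") and args and args[0].isdigit():
            selected[directive] = int(args[0])
    return trusted, selected

def parse_keys(text):
    """Return the key IDs defined in a keys file (lines of: id type secret)."""
    ids = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].isdigit():
            ids.add(int(fields[0]))
    return ids

def lint(conf_text, keys_text):
    """List requestkey/controlkey IDs that are undefined or not activated by trustedkey."""
    trusted, selected = parse_conf(conf_text)
    defined = parse_keys(keys_text)
    problems = []
    for directive in ("requestkey", "controlkey"):
        if directive not in selected:
            continue
        key_id = selected[directive]
        if key_id not in defined:
            problems.append(f"{directive} {key_id}: not defined in keys file")
        if key_id not in trusted:
            problems.append(f"{directive} {key_id}: not listed on trustedkey")
    return problems

# Constructed inputs: the three directives are the ones quoted in the thread; secrets are placeholders.
KEYS = "61 M placeholder-secret-a\n64 M placeholder-secret-b\n1234 M placeholder-secret-c\n"
BEFORE = "keys /etc/ntp.keys\ntrustedkey 1234\nrequestkey 61\ncontrolkey 64\n"
AFTER = "keys /etc/ntp.keys\ntrustedkey 1234 61 64\nrequestkey 61\ncontrolkey 64\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(conf, KEYS) or "ok")
```

This only checks the key activation rule; it says nothing about whether a given variable such as leap can be set with writevar.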
