On 2015-02-28, [email protected] <[email protected]> wrote:
> On Saturday, April 21, 2007 at 9:50:48 PM UTC+8, Steve Kostecke wrote:
>> On 2007-04-21, Remo <[email protected]> wrote:
>>
>> > I was not able to set a remote server's leap. It looks like the NTP
>> > packets from the query are not generated at all. Though the "sendpkt"
>> > procedure is being called "sendrequest", I am not able to see the
>> > packet reaching the other side. I guess that I am missing something as
>> > there is an error reported with authentication.
>>
>> I believe that the real issue is that you can't use writevar to set the
>> leap.
>>
>> > ntpq> asso
>> > ind assID status  conf reach auth condition  last_event cnt
>> >===========================================================
>> >   1 17284  f614   yes   yes   ok   sys.peer   reachable  1
>> >   2 17285  c000   yes   yes   bad  reject
>> > ntpq> writevar 17284 leap=1
>> > Keyid: 64
>> > MD5 Password:
>> > ***Server disallowed request (authentication?)
>>
>> I have a flock of systems that are set up to allow remote modification
>> and have a working symmetric key set. When I tried to set the leap on
>> another ntpd I see the same message:
>>
>> steve@stasis:~$ ntpq
>> ntpq> as
>> ...
>>   2 20879  7014   no    yes   ok   reject     reachable  1
>> ...
>> ntpq> writevar 20879 leap=1
>> Keyid: 1
>> MD5 Password:
>> ***Server disallowed request (authentication?)
>>
>> I've also tried setting the local ntpd leap and that fails, too:
>>
>> ntpq> rv 0 leap
>> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
>> leap=00
>> ntpq> writevar 0 leap=1
>> ***Server returned an unspecified error
>> ntpq> rv 0 leap
>> assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
>> leap=00
>>
>> > trustedkey 1234
>> > requestkey 61
>> > controlkey 64
>>
>> All of the keys must be listed on the 'trustedkey' line. This tells ntpd
>> to trust those keys; the default is to trust these keys to authenticate
>> time service. Subsets of the trusted keys may also be specified on the
>> 'trustedkey' and 'requestkey' lines if you wish to allow the use of
>> certain keys by ntpdc and ntpq.
>>
>> This is discussed in the distribution documentation at
>> http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis
>> is mine):
>>
>> "When ntpd is first started, it reads the key file specified in the keys
>> configuration command and installs the keys in the key cache. HOWEVER,
>> INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE
>> USE. This allows, for instance, the installation of possibly several
>> batches of keys and then activating or deactivating each batch remotely
>> using ntpdc. This also provides a revocation capability that can be used
>> if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY
>> USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND
>> SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY."
>>
>> This is also documented in section 6.1.3.3 at
>> http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm
>>
>> > Is this possible to work without authentication? Please help.
>>
>> You could disable authentication when ntpd is started, but this will
>> leave your ntpd open to being remotely modified by anyone who can
>> connect to it.

Or could you not use "restrict" to restrict who is able to change things on
your machine? That does not necessarily stop people from getting time from it
(not sure what you meant by "anyone who can connect to it").

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
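
Added example (not part of the thread and not ntpd's own code): a small Python check for the two configuration points raised above, namely that the requestkey and controlkey IDs are activated on the trustedkey line and that a "restrict default" line carries nomodify. The function name lint_ntp_conf, the path /etc/ntp.keys and the fixed configuration are assumptions; only plain integer key IDs are handled, and the check says nothing about whether writevar can set leap.

```python
# Added example, not from the thread: checks the key and restrict points above.
QUOTED_CONF = """\
trustedkey 1234
requestkey 61
controlkey 64
"""  # the three lines quoted in the thread, read as written (one key ID, 1234)

FIXED_CONF = """\
keys /etc/ntp.keys          # constructed path
trustedkey 61 64 1234
requestkey 61
controlkey 64
restrict default nomodify   # deny ntpq/ntpdc modification requests by default
restrict 127.0.0.1
"""  # constructed sample


def lint_ntp_conf(text):
    """Return findings about key activation and the default restriction."""
    trusted, roles, defaults = set(), {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "trustedkey":
            # Assumption: plain integer IDs only, no range syntax.
            trusted.update(int(a) for a in args if a.isdigit())
        elif directive in ("requestkey", "controlkey"):
            if args and args[0].isdigit():
                roles[directive] = int(args[0])
        elif directive == "restrict" and "default" in args:
            defaults.append(args)
    # A key named as requestkey/controlkey must also be activated as trusted.
    findings = [f"{d} {k} is not listed on trustedkey"
                for d, k in sorted(roles.items()) if k not in trusted]
    if not defaults:
        findings.append("no 'restrict default' line")
    for args in defaults:
        if "nomodify" not in args and "ignore" not in args:
            findings.append("'restrict default' lacks nomodify")
    return findings


if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ntp_conf(conf) or "ok")
```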
