Hi all,

I would like your help/suggestions on the problem below. I am relatively new to NTP, so any input is welcome.
Problem: I am trying to configure an NTP server/client pair to use the IFF identity scheme. I followed the directions precisely as given on the following NTP page: http://support.ntp.org/bin/view/Support/ConfiguringAutokey

Both machines are running Windows 7, NTP version 4.2.8p2. The problem is that the client never syncs with the server and always rejects it (authentication: OK, condition: reject, reach: 0). Please see the details below.

*************************************************
server machine:
*************************************************

<server5672N - ntp.conf>

    restrict default kod nomodify notrap noquery
    # Authentication
    statsdir "D:\ntp\stats\"
    statistics cryptostats
    filegen cryptostats file cryptostats type none enable
    server BLRK05A iburst          #timesource
    crypto ident iff
    crypto pw spassword
    keysdir "D:\ntp\keys\"

****************************************************

server-step-1) Generate the IFF parameters:

    D:\ntp\keys> ntp-keygen -T -I -p spassword

server-step-2) Export the IFF group key:

    D:\ntp\keys> ntp-keygen -e -p spassword

Output on the console:

    Using OpenSSL version OpenSSL 1.0.1m 19 Mar 2015
    Using host server5672N group server5672N
    Using host key ntpkey_host_server5672N
    Using host key as sign key
    Using IFF keys ntpkey_iffkey_server5672N
    Writing IFF parameters ntpkey_iffpar_server5672N.3648303779 to stdout
    # ntpkey_iffpar_server5672N.3648303779
    # Tue Aug 11 23:13:27 2015
    -----BEGIN PRIVATE KEY-----
    MIG0AgEAMIGpBgcqhkjOOAQBMIGdAkEA20WQMdLTHJlm0aPwiPieUdP4dhodm0w
    z/ceXzabezyx7odMqJA9GwrPyk1UFkelnmLkeYLZpC8Om0KvDzc5jwIVAPTGF3I0
    q5BUZq4ynXezdUaVxjdbAkEAg751a+5ClAQQBrUICA7+gAu4idG6FHPBX64B5Scy
    mx6kkaTyzAZsv5F2E23AetDBI7OIf6WFeCO3yxbMpQ97PQQDAgEB
    -----END PRIVATE KEY-----
    Generating new certificate server5672N RSA-MD5
    X509v3 Basic Constraints: critical,CA:TRUE
    X509v3 Key Usage: digitalSignature,keyCertSign
    X509v3 Extended Key Usage: trustRoot
    Create hard link ntpkey_cert_server5672N to ntpkey_RSA-MD5cert_server5672N.3648303779 failed: Cannot create a file when that file already exists.
    RSA-MD5cert: Unknown error
    Generating new cert file and link ntpkey_cert_server5672N->ntpkey_RSA-MD5cert_server5672N.3648303779

(end of output)

server-step-3) Copied the IFF key text from above (starting at "# ntpkey_iffpar_server5672N.3648303779" and ending at "-----END PRIVATE KEY-----") and pasted it into an editor (Notepad). Named this file ntpkey_iffpar_server5672N.3648303779, copied it onto the client machine into the keys dir and created a symlink, i.e. on the client machine:

    D:\ntp\keys> mklink ntpkey_iffpar_server5672N ntpkey_iffpar_server5672N.3648303779

**********************************************************
client machine:
**********************************************************

<client - ntp.conf>

    restrict default kod nomodify notrap nopeer noquery
    crypto ident iff
    crypto pw spassword
    server server5672N autokey iburst    #prefer to connect to this source

************************************************************

client-step-1) Generate the client host key:

    D:\ntp\keys> ntp-keygen -H -p cpassword

Obtain the IFF group key exported above (on the server machine), copy the key file to the keysdir, and create the standard symlink:

client-step-2)

    D:\ntp\keys> mklink ntpkey_iffpar_server5672N ntpkey_iffpar_server5672N.3648213639

****************************************************************************************************************************************************************

Results:

--------------------------------------------------------------
server: started the NTP service on the server; everything works fine on the server:

    rv 0 = c618 ( sync_ntp )

(perfectly synced with its time source)

-------------------------------------------------------
The problem is with the client (output given below): the client keeps rejecting the server and never syncs with its server peer.

    ntpq> ass
    ind assid status  conf reach auth condition  last_event cnt
    ===========================================================
      1  4167  e011   yes    no   ok    reject   mobilize    1

    ntpq> rv 4167 flags
    flags=0x85301

    ntpq> rv 4167
    associd=4167 status=e011 conf, authenb, auth, sel_reject, 1 event, mobilize,
    srcadr=server146572n, srcport=123, dstadr=132.184.117.162, dstport=123,
    leap=00, stratum=5, precision=-10, rootdelay=205.750, rootdisp=236.755,
    refid=132.186.221.175,
    reftime=d9741e71.e9570d9c  Tue, Aug 11 2015 12:40:41.911,
    rec=d974578a.a7f973f4  Tue, Aug 11 2015 16:44:18.656,
    reach=000, unreach=48, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0,
    flash=1080 pkt_autokey, peer_unreach, keyid=0x51ab0c7c, offset=0.000,
    delay=0.000, dispersion=15937.500, jitter=0.000, xleave=0.000,
    filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
    filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,
    filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,
    host="server6572N", flags=0x85301, signature="md5WithRSAEncryption"

------------------------------------------------------------------------------
cryptostats output I see on the client machine:

    57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
    57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
    57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
    57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified

----------------------------------------------------------
Thanks a lot,
Shyam

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
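The two things worth checking mechanically in a setup like the one above are the Autokey keys directory (does every unstamped link that ntpd opens resolve to an existing stamped file of the same type and host?) and the cryptostats log (which association keeps failing, with what message, and when). The script below is an added example written for this thread; it is not code from the poster or from the NTP project. It models a keys directory as a dictionary of name -> link target so it runs offline, uses the ntp-keygen naming convention ntpkey_<type>_<host>.<filestamp> with the unstamped link ntpkey_<type>_<host>, and takes the column layout of the cryptostats lines after the address from the lines quoted in the post (an assumption, stated in the code). The client host name "client", its filestamp 3648200000 and the sample directories are constructed; the iffpar file and link names, the association ID and the four cryptostats lines are the ones visible in the post. Run against the directory as the post describes it, the audit reports the link from client-step-2 as dangling, because its filestamp (3648213639) is not the filestamp of the exported file (3648303779).

```python
"""Audit an ntpd Autokey keys directory and parse a cryptostats log.

Added example for this thread; not the poster's or the NTP project's code.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

MJD_EPOCH = datetime(1858, 11, 17)  # cryptostats dates are Modified Julian Days

# ntp-keygen writes ntpkey_<type>_<host>.<filestamp> and ntpd opens it through
# the unstamped link ntpkey_<type>_<host>.  The stamped file's type carries the
# scheme as a prefix (RSAhost, RSA-MD5cert), so the link type is its suffix.
STAMPED = re.compile(r"^ntpkey_(?P<kind>[\w-]+)_(?P<host>[^.]+)\.(?P<stamp>\d+)$")
LINK = re.compile(r"^ntpkey_(?P<kind>[\w-]+)_(?P<host>[^.]+)$")


def check_keysdir(entries, required_links):
    """entries maps file name -> link target (None for a regular file).

    Returns a list of problem strings; empty means every link resolves to an
    existing regular file whose name matches the link, and every required
    link is present.
    """
    problems = []
    for name, target in entries.items():
        m = LINK.match(name)
        if m is None or target is None:
            continue  # a stamped file, a regular file, or not an ntpkey entry
        if target not in entries:
            problems.append(f"{name} -> {target}: target does not exist")
        elif entries[target] is not None:
            problems.append(f"{name} -> {target}: target is itself a link")
        else:
            t = STAMPED.match(target)
            if t is None or t["host"] != m["host"] or not t["kind"].endswith(m["kind"]):
                problems.append(f"{name} -> {target}: name does not match the link")
    for link in required_links:
        if link not in entries:
            problems.append(f"required link {link} is missing")
    return problems


# Client keys directory as the post describes it.  Host name "client" and its
# filestamp are constructed; the iffpar file and link names come from the post.
CLIENT_AS_POSTED = {
    "ntpkey_RSAhost_client.3648200000": None,
    "ntpkey_host_client": "ntpkey_RSAhost_client.3648200000",
    "ntpkey_RSA-MD5cert_client.3648200000": None,
    "ntpkey_cert_client": "ntpkey_RSA-MD5cert_client.3648200000",
    "ntpkey_iffpar_server5672N.3648303779": None,  # file copied from the server
    "ntpkey_iffpar_server5672N": "ntpkey_iffpar_server5672N.3648213639",  # client-step-2
}
# Same directory with the link pointing at the file that was actually copied.
CLIENT_FIXED = dict(CLIENT_AS_POSTED,
                    ntpkey_iffpar_server5672N="ntpkey_iffpar_server5672N.3648303779")
# Links a client with "crypto ident iff" and "server server5672N autokey" opens,
# following the names used in the post.
CLIENT_REQUIRED = ["ntpkey_host_client", "ntpkey_cert_client", "ntpkey_iffpar_server5672N"]

# Assumption: after the standard "MJD seconds address" prefix, the columns are
# an 8-digit hex word, the association ID, a length and the message, as laid
# out in the lines quoted in the post.
CRYPTO_LINE = re.compile(
    r"^(?P<mjd>\d+)\s+(?P<sec>\d+(?:\.\d+)?)\s+(?P<addr>\S+)\s+"
    r"(?P<word>[0-9a-fA-F]{8})\s+(?P<assoc>\d+)\s+(?P<len>\d+)\s+(?P<msg>\S+)\s*$")


def parse_cryptostats(text):
    """Return one dict per parsable line, with the MJD/seconds turned into UTC."""
    records = []
    for line in text.splitlines():
        m = CRYPTO_LINE.match(line.strip())
        if not m:
            continue
        when = MJD_EPOCH + timedelta(days=int(m["mjd"]), seconds=float(m["sec"]))
        records.append({"time": when, "addr": m["addr"], "word": int(m["word"], 16),
                        "assoc": int(m["assoc"]), "len": int(m["len"]), "msg": m["msg"]})
    return records


def tally(records):
    """Count messages per (address, association ID, message)."""
    return dict(Counter((r["addr"], r["assoc"], r["msg"]) for r in records))


# The four lines from the post, verbatim.
SAMPLE_CRYPTOSTATS = """\
57245 36867.663 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37909.680 132.184.117.162 82030098 4167 108 signature_not_verified
57245 37973.661 132.184.117.162 82030098 4167 108 signature_not_verified
57245 38037.697 132.184.117.162 82030098 4167 108 signature_not_verified
"""

if __name__ == "__main__":
    for label, d in (("as posted", CLIENT_AS_POSTED), ("fixed", CLIENT_FIXED)):
        print(label, check_keysdir(d, CLIENT_REQUIRED) or "OK")
    recs = parse_cryptostats(SAMPLE_CRYPTOSTATS)
    for r in recs:
        print(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["addr"], r["assoc"], r["msg"])
    print(tally(recs))
```

The MJD in the log (57245) converts to 2015-08-11, the same day as the reftime/rec values in the rv output, so the timestamp check is a quick way to confirm the log lines belong to the session being debugged. With a real keys directory, build the dictionary from os.listdir() and os.readlink() (None for entries where os.path.islink() is false) and pass it to check_keysdir.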