Hi

I'm using ntp-4.2.8p13-85.1.x86_64 on SLES 12 SP4. I'm trying to learn how to 
set up authenticated ntp.

Since 'man ntp-keygen' mentioned, "If compatibility with FIPS 140-2 is 
required, either the DSA-SHA or DSA-SHA1 scheme must be used", I'm trying to 
use DSA-SHA1 in my testing.

I used the command 'ntp-keygen --certificate=DSA-SHA1 --sign-key=DSA' to create 
the key files; I created the directory '/usr/local/etc' on my system, and did a 
'cd' to that directory before executing the command. After ntp-keygen ran, I 
saw three files and three links to the files:

lava93141:~ # ls -l /usr/local/etc
total 24
-rw-r----- 1 root root 731 Dec  6 08:45 ntpkey_DSA-SHA1cert_lava93141.3784635947
-rw-r----- 1 root root 522 Dec  6 08:45 ntpkey_DSAsign_lava93141.3784635947
-rw-r----- 1 root root 709 Dec  6 08:45 ntpkey_RSAhost_lava93141.3784635947
lrwxrwxrwx 1 root root  40 Dec  6 08:45 ntpkey_cert_lava93141 -> ntpkey_DSA-SHA1cert_lava93141.3784635947
lrwxrwxrwx 1 root root  35 Dec  6 08:45 ntpkey_host_lava93141 -> ntpkey_RSAhost_lava93141.3784635947
lrwxrwxrwx 1 root root  35 Dec  6 08:45 ntpkey_sign_lava93141 -> ntpkey_DSAsign_lava93141.3784635947
lava93141:~ #

I attached the following lines to my /etc/ntp.conf file:

server [servername] iburst autokey
crypto

When I started the ntpd service, I saw the following messages in 
/var/log/messages:

2019-12-09T12:12:09.796427-07:00 lava93141 systemd[1]: ntpd.service: Service RestartSec=11min expired, scheduling restart.
2019-12-09T12:12:09.797208-07:00 lava93141 systemd[1]: Stopped NTP Server Daemon.
2019-12-09T12:12:09.799117-07:00 lava93141 systemd[1]: Starting NTP Server Daemon...
2019-12-09T12:12:09.820692-07:00 lava93141 ntpd[20180]: ntpd 4.2.8p13@1.3847-o Wed Mar 13 12:24:30 UTC 2019 (1): Starting
2019-12-09T12:12:09.821180-07:00 lava93141 ntpd[20180]: Command line: /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf
2019-12-09T12:12:09.826622-07:00 lava93141 ntpd[20181]: proto: precision = 0.075 usec (-24)
2019-12-09T12:12:09.827583-07:00 lava93141 ntpd[20181]: basedate set to 2019-03-01
2019-12-09T12:12:09.827981-07:00 lava93141 ntpd[20181]: gps base set to 2019-03-03 (week 2043)
2019-12-09T12:12:09.830579-07:00 lava93141 ntpd[20181]: crypto_setup: host key file ntpkey_host_lava93141 not found or corrupt
2019-12-09T12:12:09.830881-07:00 lava93141 systemd[1]: Started NTP Server Daemon.
2019-12-09T12:12:09.831200-07:00 lava93141 start-ntpd[20175]: Starting network time protocol daemon (NTPD)
2019-12-09T12:12:09.833718-07:00 lava93141 systemd[1]: ntpd.service: Main process exited, code=exited, status=255/n/a
2019-12-09T12:12:09.834047-07:00 lava93141 systemd[1]: ntpd.service: Unit entered failed state.
2019-12-09T12:12:09.834368-07:00 lava93141 systemd[1]: ntpd.service: Failed with result 'exit-code'.

I'm trying to understand the error message, "crypto_setup: host key file 
ntpkey_host_lava93141 not found or corrupt". The file is clearly there; my 'ls 
-l' command above shows that.  I even tried to change ntp.conf to use explicit 
parameters and file paths:

crypto cert /usr/local/etc/ntpkey_cert_lava93141 host /usr/local/etc/ntpkey_host_lava93141 sign /usr/local/etc/ntpkey_sign_lava93141

but there was no change in behavior. So, I'm now assuming that the file IS 
found, but is thought to be corrupt.  I'm not sure how this could be, since I 
used ntp-keygen to generate the files.

Thoughts, please.

Thanks!
tl

Terry Lemons
terry.lem...@dell.com
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
