Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread catherine . wei1989
On Monday, March 2, 2015 at 10:25:02 PM UTC+8, Paul wrote:
 On Mon, Mar 2, 2015 at 4:37 AM, catherine.wei1...@gmail.com wrote:
 
  I need to use the following commands in my system:
  :config server 
  :config restrict ...
  :config unconfig ...
 
 
 Refer to http://www.eecis.udel.edu/~mills/ntp/html/confopt.html
 
 It's :config unpeer not :config unconfig.  Also note that peer has more
 than one meaning.

Hi, Paul,
Thank you for your response. I've tested the unpeer and unconfig commands. Both 
of them can remove an ntp server. Their functions seem to be the same. The unconfig 
command is what I used in ntpdc before I moved from ntpdc to ntpq, and now it 
also takes effect in ntpq.

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread E-Mail Sent to this address will be added to the BlackLists
Paul wrote:
 catherine wei wrote:
 I need to use the following commands in my system:
 :config server 
 :config restrict ...
 :config unconfig ...

 Refer to http://www.eecis.udel.edu/~mills/ntp/html/confopt.html
 It's :config unpeer not :config unconfig.  Also note that peer has more
 than one meaning.

unconfig looks ok in ntp_request.c

I have no idea if the docs are behind or ahead;
 does unconfig need to be added to the doc,
 or is unconfig going to be deprecated?

-- 
E-Mail Sent to this address blackl...@anitech-systems.com
  will be added to the BlackLists.



Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread Paul
On Mon, Mar 2, 2015 at 4:37 AM, catherine.wei1...@gmail.com wrote:

 I need to use the following commands in my system:
 :config server 
 :config restrict ...
 :config unconfig ...


Refer to http://www.eecis.udel.edu/~mills/ntp/html/confopt.html

It's :config unpeer not :config unconfig.  Also note that peer has more
than one meaning.


Re: [ntp:questions] moving from ntpdc to ntpq

2015-03-02 Thread David Taylor

On 02/03/2015 09:30, catherine.wei1...@gmail.com wrote:

Hi, David,
In our system, we need to unconfig and restrict in some operations through ntpq 
utility which originally was realized by ntpdc. However, ntpdc doesn't work 
now. In other words, we need to find an equivalent of ntpdc to unconfig, 
restrict. I found that the ntpq commands are not complete in related documents.

Best Regards.


Catherine,

Yes, I appreciate what you are trying to do, I was asking why since it 
seems a rather unusual requirement.


--
Cheers,
David
Web: http://www.satsignal.eu



Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread catherine . wei1989
On Saturday, April 21, 2007 at 9:50:48 PM UTC+8, Steve Kostecke wrote:
 On 2007-04-21, Remo madhu_me...@yahoo.co.uk wrote:
 
  I was not able to set a remote server's leap. It looks like the NTP
  packets from the query is not generated at all. Though the  sendpkt
  procedure is being called sendrequest, I am not able to see the
  packet reaching the other side. I guess that I am missing something as
  there is a error reported with authentication.
 
 I believe that the real issue is that you can't use writevar to set the
 leap.
 
  ntpq asso
  ind assID status  conf reach auth condition  last_event cnt
 ===
1 17284  f614   yes   yes   ok   sys.peer   reachable  1
2 17285  c000   yes   yes   badreject
  ntpq writevar 17284 leap=1
  Keyid: 64
  MD5 Password:
  ***Server disallowed request (authentication?)
 
 I have flock of systems that are set up to allow remote modification
 and have a working symmetric key set. When I tried to set the leap on
 another ntpd I see the same message:
 
 steve@stasis:~$ ntpq
 ntpq as
 ...
   2 20879  7014no   yes   ok reject   reachable  1
 ...
 ntpq writevar 20879 leap=1
 Keyid: 1
 MD5 Password: 
 ***Server disallowed request (authentication?)
 
 I've also tried setting the local ntpd leap and that fails, too:
 
 ntpq rv 0 leap
 assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
 leap=00
 ntpq writevar 0 leap=1
 ***Server returned an unspecified error
 ntpq rv 0 leap
 assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
 leap=00
 
  trustedkey 1234
  requestkey 61
  controlkey 64
 
 All of the keys must be listed on the 'trustedkey' line. This tells ntpd
 to trust those keys; the default is to trust these keys to authenticate
 time service. Subsets of the trusted keys may also be specified on the
 'trustedkey' and 'requestkey' lines if you wish to allow the use of
 certain keys by ntpdc and ntpq.
 
 This is discussed in the distribution documentation at
 http://www.cis.udel.edu/~mills/ntp/html/authopt.html#symm (the emphasis
 is mine):
 
 When ntpd is first started, it reads the key file specified in the keys
 configuration command and installs the keys in the key cache. HOWEVER,
 INDIVIDUAL KEYS MUST BE ACTIVATED WITH THE TRUSTEDKEY COMMAND BEFORE
 USE. This allows, for instance, the installation of possibly several
 batches of keys and then activating or deactivating each batch remotely
 using ntpdc. This also provides a revocation capability that can be used
 if a key becomes compromised. THE REQUESTKEY COMMAND SELECTS THE KEY
 USED AS THE PASSWORD FOR THE NTPDC UTILITY, WHILE THE CONTROLKEY COMMAND
 SELECTS THE KEY USED AS THE PASSWORD FOR THE NTPQ UTILITY.
 
 This is also documented in section 6.1.3.3 at
 http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm
 
  Is this possible to work without authentication. Please help.
 
 You could disable authentication when ntpd is started, but this will
 leave your ntpd open to being remotely modified by anyone who can
 connect to it.
 
 -- 
 Steve Kostecke koste...@ntp.isc.org
 NTP Public Services Project - http://ntp.isc.org/

Hi Steve,
When I start the ntpd process and disabled ntpd authentication using command:
ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log

and then execute the command (eg):
ntpq -c :config server 10.172.161.16 minpoll 3 maxpoll 4 burst

it still asks for keyid and md5 password.
By the way, my ntp version is 4.2.8p1. Is the ntpd authentication a must in the 
new ntp version ?
Thank you.



Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread catherine . wei1989
On Monday, March 2, 2015 at 5:27:12 PM UTC+8, Rob wrote:
 Harlan Stenn st...@ntp.org wrote:
  catherine.wei1...@gmail.com writes:
  When I start the ntpd process and disabled ntpd authentication using 
  command:
  ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log
  
  and then execute the command (eg):
  ntpq -c :config server 10.172.161.16 minpoll 3 maxpoll 4 burst
  
  it still asks for keyid and md5 password.
 
 Do you have a need to use that command?
 I have never used that.  You can put the server in /etc/ntp.conf and
 use it.

Hi Rob,
I need to use the following commands in my system:
:config server 
:config restrict ...
:config unconfig ...
Actually, the users of our system may use these through our platform, so we 
wrap these commands in the code.
Thank you.
Best Regards.



Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread Rob
catherine.wei1...@gmail.com catherine.wei1...@gmail.com wrote:
 On Monday, March 2, 2015 at 5:27:12 PM UTC+8, Rob wrote:
 Harlan Stenn st...@ntp.org wrote:
  catherine.wei1...@gmail.com writes:
  When I start the ntpd process and disabled ntpd authentication using 
  command:
  ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log
  
  and then execute the command (eg):
  ntpq -c :config server 10.172.161.16 minpoll 3 maxpoll 4 burst
  
  it still asks for keyid and md5 password.
 
 Do you have a need to use that command?
 I have never used that.  You can put the server in /etc/ntp.conf and
 use it.

 Hi Rob,
 I need to use the following commands in my system:
 :config server 
 :config restrict ...
 :config unconfig ...
 Actually, the users of our system may use these through our platform, so we 
 wrap these commands in the code.
 Thank you.
 Best Regards.

Ok.  Well, I have never seen a use for dynamic configuration so I cannot
help you.



Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread Harlan Stenn
catherine.wei1...@gmail.com writes:
 When I start the ntpd process and disabled ntpd authentication using command:
 ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log
 
 and then execute the command (eg):
 ntpq -c :config server 10.172.161.16 minpoll 3 maxpoll 4 burst
 
 it still asks for keyid and md5 password.
 By the way, my ntp version is 4.2.8p1. Is the ntpd authentication a
 must in the new ntp version ?
 Thank you.

Remote configuration requires authentication, as I recall.

H


Re: [ntp:questions] Could some one help in pointing out the error here

2015-03-02 Thread Rob
Harlan Stenn st...@ntp.org wrote:
 catherine.wei1...@gmail.com writes:
 When I start the ntpd process and disabled ntpd authentication using command:
 ntpd -a -g -n -c /etc/ntp.conf -l /tmp/ntp.log
 
 and then execute the command (eg):
 ntpq -c :config server 10.172.161.16 minpoll 3 maxpoll 4 burst
 
 it still asks for keyid and md5 password.

Do you have a need to use that command?
I have never used that.  You can put the server in /etc/ntp.conf and
use it.



Re: [ntp:questions] moving from ntpdc to ntpq

2015-03-02 Thread catherine . wei1989
On Saturday, February 28, 2015 at 4:24:14 PM UTC+8, David Taylor wrote:
 On 28/02/2015 01:17, catherine.wei1...@gmail.com wrote:
 []
  Hi, Harlan
  In my system, ntpdc was used to add an ntp server and the command is like 
  this:
   ntpdc -c keyid 0 -c addserver 10.172.161.16 minpoll 3 maxpoll 4 burst
  since keyid is 0, we don't need authentication. But now, I use ntpq to 
  replace ntpdc, if I add :config before addserver, I need to authenticate. 
  Is there any way to avoid authenticate in ntpq utility? Thank you. I don't 
  know how to addserver in ntpq. There's little knowledge about this on the 
  Internet. Thank you so much.
 
 Catherine,
 
 Could you remind me again why you need to add and remove servers rather 
 than letting NTP get on with the job?  The pool directive allows NTP to 
 add and discard servers as it needs, with NTP monitoring each server's 
 performance.  Could that be an alternative approach?  If you are in a 
 test environment, what's wrong with simply editing ntp.conf and restarting?
 
 -- 
 Cheers,
 David
 Web: http://www.satsignal.eu

Hi, David,
In our system, we need to unconfig and restrict in some operations through ntpq 
utility which originally was realized by ntpdc. However, ntpdc doesn't work 
now. In other words, we need to find an equivalent of ntpdc to unconfig, 
restrict. I found that the ntpq commands are not complete in related documents.

Best Regards.



Re: [ntp:questions] ntpq authentication problem

2015-03-02 Thread catherine . wei1989
On Monday, March 2, 2015 at 1:03:47 PM UTC+8, catherin...@gmail.com wrote:
 On Friday, February 27, 2015 at 7:45:03 PM UTC+8, Martin Burnicki wrote:
  catherine.wei1...@gmail.com wrote:
   On Friday, February 27, 2015 at 5:54:41 PM UTC+8, catherin...@gmail.com 
   wrote:
   On Friday, February 27, 2015 at 4:45:03 PM UTC+8, Martin Burnicki wrote:
   catherine.wei1...@gmail.com wrote:
   I'm upgrading the ntp from 4.6.1 to 4.8.1, and need to change some 
   commands which depend on ntpdc to ntpq since ntpdc has been 
   deprecated in 4.8.1 version. And I met a problem.
  
   When I first set the keyid to 0, it said Invalid key identifier, so 
   I set it to 1, but it requires a MD5 Password. I don't quite 
   understand how to get the keyid and password.
  
   Can you give me some advice? Appreciate your help very much.
  
  
   ~ # ntpq
   ntpq :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
   Keyid: 0
   Invalid key identifier
   ntpq :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
   Keyid: 1
   MD5 Password:
   ***Server disallowed request (authentication?)
   ntpq
  
  
   Please see my reply to your other posting. Why do you post basically the
   same question three times?
  
   Martin
   --
   Martin Burnicki
  
   Meinberg Funkuhren
   Bad Pyrmont
   Germany
  
   Hi, I appreciate your kind response. I've generated a file
  
 I've renamed it to ntp.keys, put it at /etc/ntp.keys. My /etc/ntp.conf 
   file is like this:
  
   driftfile /etc/ntp.drift
   keys /etc/ntp.keys
   trustedkey 1 5
   controlkey 5
   restrict default ignore
   restrict 127.0.0.1
   broadcastdelay 0.008
   #60s because we start at 1970
   tinker panic 60
   restrict 3.cn.pool.ntp.org nomodify notrap
   server 3.cn.pool.ntp.org minpoll 3 maxpoll 4
  
   However, when I run ntpq :
   ~ # ntpq
   ntpq :config addserver 192.168.1.101 minpoll 3 maxpoll 4 burst
   Keyid: 5
   MD5 Password:(password corresponding to keyid 5 in /etc/ntp.keys)
   ***Server disallowed request (authentication?)
  
   I don't know why this happens? Do I need some other configurations? 
   Thank you so much.
  
  Hm, that should work.
  Can you try it with a simple password first? E.g.:
  
  1 MD5 passwd1
  5 MD5 passwd5
  
   By the way, how can I define the controlkey for ntpq. In my case, I just 
   define the controlkey to 5 randomly, is there any rule?
  
  AFAIK there is no rule. The keys file is just a list of passwords. If 
  you have more than one machines running ntpd then every other machine 
  may have a single, individual trusted key, each with index 1.
  
  If your local ntpd should talk to all the others then of course you 
  can't add several keys with index 1 in your local file, so you need to 
  have a keys file containing all the keys of the other servers, for time 
  sync, plus the control key for your local ntpd. The number is just 
  associated to the entry number of the keys file you are supplying to 
  your local ntpd.
  
  This is very flexible, but you need to take care to get the keys and 
  index/ID numbers right.
  
  The third column in /etc/ntp.keys is the password of MD5, right?
  
  Yes.
  
  
  Martin
  -- 
  Martin Burnicki
  
  Meinberg Funkuhren
  Bad Pyrmont
  Germany
 
 Hi, thank you for your answer, I typed the wrong password. When I changed the 
 complicated password to a simple one say mypassword and I tested it again, 
 then authenticate passed, but it's strange why can I change the password ? As 
 it is generated by ntp md5 algorithm, if I change the password, then 
 authenticate should fail and the ntp server can't parse the new password in 
 my understanding.

It seems that the authenticate just happens between ntpq and ntpd of localhost 
and it's not related to remote ntp server, right ?
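
The trustedkey and controlkey rules discussed in this thread, as an added example that is not part of the original posts: a small Python check of ntp.conf key directives against the keys file. The sample inputs are constructed from the configurations quoted in the thread; the secrets for keys 61 and 64 and all function names are assumptions.

```python
# Added example: lint ntp.conf key directives against ntp.keys.
# Assumes plain integer key IDs (no ranges) and '#' comments in both files.

def parse_keys(text):
    """Return {key_id: (type, secret)} from ntp.keys-style text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].isdigit():
            keys[int(fields[0])] = (fields[1].upper(), fields[2])
    return keys

def parse_conf(text):
    """Collect trustedkey, controlkey and requestkey from ntp.conf text."""
    conf = {"trustedkey": set(), "controlkey": None, "requestkey": None}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name, args = fields[0], [int(a) for a in fields[1:] if a.isdigit()]
        if name == "trustedkey":
            conf["trustedkey"].update(args)
        elif name in ("controlkey", "requestkey") and args:
            conf[name] = args[0]
    return conf

def lint(conf_text, keys_text):
    """Return a list of reasons ntpq/ntpdc authentication would fail."""
    conf, keys = parse_conf(conf_text), parse_keys(keys_text)
    problems = []
    if conf["controlkey"] is None:
        problems.append("no controlkey: ntpq :config has no key to use")
    for directive in ("controlkey", "requestkey"):
        key_id = conf[directive]
        if key_id is None:
            continue
        if key_id not in conf["trustedkey"]:
            problems.append(f"{directive} {key_id} is not on the trustedkey line")
        if key_id not in keys:
            problems.append(f"{directive} {key_id} is not defined in the keys file")
    for key_id in sorted(conf["trustedkey"] - set(keys)):
        problems.append(f"trustedkey {key_id} is not defined in the keys file")
    return problems

# Constructed inputs modelled on the two configurations quoted in the thread.
KEYS = "1 MD5 passwd1\n5 MD5 passwd5\n61 MD5 example61\n64 MD5 example64\n"
CONF_2007 = "trustedkey 1234\nrequestkey 61\ncontrolkey 64\n"
CONF_2015 = "keys /etc/ntp.keys\ntrustedkey 1 5\ncontrolkey 5\n"

if __name__ == "__main__":
    for label, conf in (("2007", CONF_2007), ("2015", CONF_2015)):
        print(label, lint(conf, KEYS) or "ok")
```

The 2007 configuration is reported because keys 61 and 64 are not on the trustedkey line; the 2015 configuration passes, which matches the later finding in the thread that the failure there was a mistyped password.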



Re: [ntp:questions] ntpq authentication problem

2015-03-02 Thread catherine . wei1989
On Monday, March 2, 2015 at 1:35:40 AM UTC+8, William Unruh wrote:
 On 2015-03-01, catherine.wei1...@gmail.com catherine.wei1...@gmail.com 
 wrote:
  On Saturday, February 28, 2015 at 4:25:02 PM UTC+8, Jan Ceuleers wrote:
  On 28/02/15 08:48, catherine.wei1...@gmail.com wrote:
   I still have a doubt: the key file is generated on my PC (as the first 
   ntp server) , when I copied it to the box(client), and I changed the 
   box's ntp server to a second server 3.cn.pool.ntp.org or some other 
   ntp servers. The authentication still passes. Why is that?
  
  ntpq talks directly to the ntpd process over the network. If you run
  ntpq without specifying where the server is located it talks to ntpd on
  localhost. Which time sources ntpd uses is immaterial.
 
 
  Hi, Jan
  I specified the ntp server 3.cn.pool.ntp.org in the /etc/ntp.conf file. 
  In this case, I run ntpq :config ...   , does it still talk to ntpd on 
  localhost ? and time sources is still 3.cn.pool.ntp.org ?
 
 3.cn.pool.ntp.org is not an ntp time source. It is a dummy name, which
 is filled in by pool.ntp.org. For example every time you ping that a
 different address comes up
 
 ping -c 1 3.cn.pool.ntp.org
 PING 3.cn.pool.ntp.org (202.112.10.36) 56(84) bytes of data.
 ping -c 1 3.cn.pool.ntp.org
 PING 3.cn.pool.ntp.org (202.112.31.197) 56(84) bytes of data.
 ping -c 1 3.cn.pool.ntp.org
 PING 3.cn.pool.ntp.org (202.118.1.81) 56(84) bytes of data.
 
 Thus there is no time source 3.cn.pool.ntp.org ( or to be exact, there
 are many)

Hi, William
I now understand your points, you're right. The ntpq authentication has nothing 
to do with remote ntp server, it talks to ntpd directly. Thank you so much.
