%SECTION0% Autokey Configuration for NTP 4.2.4 (and earlier)

This topic provides a step-by-step guide for setting up NTP Autokey Authentication for NTP versions up through 4.2.4.

%X% <strong>Users of NTP-4.2.6, or later, should consult </strong>[[ConfiguringAutokey][Autokey Configuration for NTP 4.2.6]]

See the [[http://www.eecis.udel.edu/~mills/database/reports/stime/stime.pdf][NTP Authentication specification]] and the Briefing Slides on the [[http://www.eecis.udel.edu/~mills/ntp.html][Network Time Synchronization Project page]] for in-depth information about NTP Authentication.

There are three Identity Schemes available in the NTP Reference Implementation: IFF, GQ, and MV. See the [[http://www.eecis.udel.edu/~mills/keygen.html][Identity Scheme documentation]] for detailed information about the Identity Schemes. Although examples of server parameter generation and client parameter installation are provided for all available Identity Schemes, it is not necessary to use all of them.

%I% Enforcement of NTP Authentication (with =restrict= statements) is beyond the scope of this topic.

%I% %REF{type=Section,name=BROAD_MULTICAST}% are configured on the server side. %REF{type=Section,name=UNICAST}% is configured on the client side.

%X% *Read %REF{type=Section,name=HOWTO}% before starting*

%CONTENTS{topic=%TOPIC%}%

%SECTION1{name=HOWTO}% How To Use This Guide

   1 Choose what type of Association you will be authenticating: Unicast, Multicast, or Broadcast
   1 Choose the Identity Scheme you will be using: IFF, GQ, or MV
   1 Perform *all* of the steps for your chosen Association Type and Identity Scheme
   1 Ignore the steps for other Association Types and Identity Schemes
   1 Perform the server set-up before performing the client set-up

%SECTION1% Server Set-Up

%X% This section pertains only to systems that will be ntp servers for an NTP Trust Group; see %REF{type=Section,name=clientsetup}% for systems that will only be ntp clients. Trusted ntp servers which also operate as clients of other ntp servers may need to %REF{type=Section,name=installclientkeys}%.

%SECTION2% Create the NTP Keys directory

Create a directory for the NTP Keys (e.g. =/etc/ntp=).

%SECTION2% Edit ntp.conf

Add the following lines to =ntp.conf=:

<verbatim>
crypto pw serverpassword
keysdir /etc/ntp
</verbatim>

You may need to add the following line to =ntp.conf= if =ntpd= dies with a =crypto_setup: random seed file not found= error:

<verbatim>
crypto randfile /dev/urandom
</verbatim>

%SECTION3{name=BROAD_MULTICAST}% Broadcast and Multicast Autokey

Append =autokey= to the =broadcast= line in =ntp.conf= for the broadcast/multicast address that you want to authenticate with Autokey:

<verbatim>
broadcast my.broadcast.or.multicast.address autokey
</verbatim>

The assigned NTP Multicast address is 224.0.1.1, but other valid multicast addresses may be used.

%SECTION2% Generate Server Parameters

This section covers Server Parameter generation for all Identity Schemes. You only need to generate the Server Parameters for the Identity Scheme(s) that you have chosen to use for your NTP Trust Group.

The server key and certificate will be generated if they are missing when a set of parameters is generated. The server certificate will be updated when existing parameters are updated or additional parameters are generated.

%I% When you generate additional sets of parameters you must provide the =serverpassword= (as shown in %REF{type=Section,name=MVPARMS}%) so that =ntp-keygen= can access the server key.

%X% The =-T= option for ntp-keygen should only be used by a Trusted Authority (e.g. time-server) for an NTP Trust Group.

%SECTION3{name=IFFPARAMS}% IFF Parameters

The IFF parameter generation process produces a server key which should not be distributed to other members of the NTP Trust Group. Generate the IFF parameters with the following commands:

<verbatim>
cd /etc/ntp
ntp-keygen -T -I -p serverpassword
</verbatim>

You must export an IFF Group Key for each client using that client's password. The client password is stored in the client =ntp.conf= in %REF{type=Section,name=CLIENTNTPCONF}%. Export the IFF Group Key with the following commands:

<verbatim>
cd /etc/ntp
ntp-keygen -e -q serverpassword -p clientpassword
</verbatim>

The IFF Group Key will be directed to =STDOUT= unless you redirect it to a file. The target name of the IFF Group Key file is on one of the first lines of the output. You can share a group password with all clients, use individual passwords for each client, or use no password at all. This exported IFF Group Key will be used in %REF{type=Section,name=IFFGROUPKEY}%.

IFF Group Keys may be distributed through a [[https://support.ntp.org/crypto.php][Web Form]] or even by pasting them across terminal windows. IFF Group Keys may also be extracted and mailed with the following commands:

<verbatim>
cd /etc/ntp
ntp-keygen -e -q serverpassword -p clientpassword | mail timelord@client.domain
</verbatim>

%SECTION3{name=GQPARAMS}% GQ Parameters

The GQ parameter generation process produces a key file which is shared between all members of an NTP Trust Group.

%X% You must use the same crypto password on all members of an NTP Trust Group for the GQ Identity Scheme.

Generate the GQ parameters with the following commands:

<verbatim>
cd /etc/ntp
ntp-keygen -T -G -p serverpassword
</verbatim>

%SECTION3{name=MVPARAMS}% MV Parameters

The MV parameter generation process produces a server key, which must not be distributed to other members of the NTP Trust Group, and a number of client keys which are used in %REF{type=Section,name=MVCLIENTKEY}%.

%X% When choosing the number of client keys avoid factors of 512 and don't exceed 30.

Generate the MV parameters with the following commands (N-1 client keys will be generated):

<verbatim>
cd /etc/ntp
ntp-keygen -V N -p serverpassword
</verbatim>

%SECTION3{name=MVPARMS}% Multiple Identity Schemes

Multiple Identity Schemes may be used simultaneously. Use the =-q serverpassword= option so that =ntp-keygen= can access the server key when generating additional sets of parameters, as shown in the following example:

<verbatim>
cd /etc/ntp
ntp-keygen -T -I -q serverpassword
ntp-keygen -T -G -q serverpassword
ntp-keygen -V 5 -q serverpassword
</verbatim>

%SECTION2% Restart ntpd

Restart =ntpd=. Watch the output of =ntpq -p= to make sure that the server is able to start.

%SECTION2% Server Parameter Update

The server key and certificate are valid only for one year and should be updated periodically (e.g. monthly) with the following command:

<verbatim>
cd /etc/ntp
ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
</verbatim>

%SECTION1{name=clientsetup}% Client Set-Up

%X% This section pertains only to systems that will be clients of an NTP Trust Group.

%SECTION2% Create the NTP Keys directory

Create a directory for the NTP Keys (e.g. =/etc/ntp=).

%SECTION2{name=CLIENTNTPCONF}% Edit ntp.conf

Add the following lines to =ntp.conf=:

<verbatim>
crypto pw clientpassword
keysdir /etc/ntp
</verbatim>

You may need to add the following line to =ntp.conf= if =ntpd= dies with a =crypto_setup: random seed file not found= error:

<verbatim>
crypto randfile /dev/urandom
</verbatim>

%SECTION3{name=UNICAST}% Unicast Autokey

Append =autokey= to the =server= line for the time-server that you want to authenticate with Autokey in a unicast association:

<verbatim>
server ntp.i_have_the_key.for autokey
</verbatim>

%SECTION2% Generate Client Parameters

%X% Do not use the =-T= option for ntp-keygen on systems that are only clients of an NTP Trust Group.

Generate the client key/certificate with the following commands:

<verbatim>
cd /etc/ntp
ntp-keygen -H -p clientpassword
</verbatim>

%SECTION2{name=installclientkeys}% Install Group/Client Keys

This section covers the installation of Group/Client Keys for all Identity Schemes. You only need to install the Group/Client Keys used by the NTP Trust Group that this client will be joining.

%X% Group/Client Keys, and their associated passwords, should be regarded as confidential and not disseminated to others.

%SECTION3{name=IFFGROUPKEY}% IFF Group Keys

Obtain the IFF group key, exported in %REF{type=Section,name=IFFPARAMS}%, via a secure means (e.g. an SSL [[https://support.ntp.org/crypto.php][Web Form]] or encrypted e-mail), copy the key file to the =keysdir=, and create the standard sym-link:

<verbatim>
cd /etc/ntp
ln -s ntpkey_IFFkey_server.3301264563 ntpkey_iff_server
</verbatim>

You must create an =ntpkey_iff_client= sym-link to activate IFF. You may set this sym-link to point to any file in the =keysdir=, such as:

<verbatim>
ln -s ntpkey_host_client ntpkey_iff_client
</verbatim>

%SECTION3{name=GQGROUPKEY}% GQ Group Keys

Obtain the GQ group key, generated in %REF{type=Section,name=GQPARAMS}%, via a secure means, copy the key file to the =keysdir=, and create the standard sym-link:

<verbatim>
cd /etc/ntp
ln -s ntpkey_GQpar_server.3301145293 ntpkey_gq_server
</verbatim>

%X% You must use the same crypto password on all members of an NTP Trust Group for the GQ Identity Scheme.

%SECTION3{name=MVCLIENTKEY}% MV Client Keys

Obtain the MV client key, generated in %REF{type=Section,name=MVPARAMS}%, via a secure means, copy the key file to the =keysdir=, and create the standard sym-link:

<verbatim>
cd /etc/ntp
ln -s ntpkey_MVkey1_server.3301144193 ntpkey_mv_server
</verbatim>

%SECTION2% Restart ntpd

Restart =ntpd=. Watch the output of =ntpq -p= to make sure that the client is able to start and sync with the server.

%SECTION2% Client Parameter Update

The client key and certificate are valid only for one year and should be updated periodically (e.g. monthly) with the following command:

<verbatim>
cd /etc/ntp
ntp-keygen -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
</verbatim>

%SECTION1% Monitoring Authentication Status

It is not usually necessary to run ntpd in debug mode to troubleshoot Authentication problems.

Use =ntpq -c "rv 0 cert"= to view the Autokey certificates held by =ntpd=.

Use =ntpq -c as= to check the authentication status of NTP associations. Authenticated associations display =ok= in the =auth= column:

<verbatim>
ind assID status  conf reach auth  condition  last_event cnt
===========================================================
  1 26132  f694   yes   yes  ok   sys.peer    reachable  9
</verbatim>

For detailed information about an authenticated association use the =assID= from =ntpq -c as= in the following command:

<verbatim>
ntpq -c "rv assID flags"
</verbatim>

A fully functioning Autokey+IFF association will show the following flags on the client:

<verbatim>
flags=0x83f21
</verbatim>

%SECTION2% Crypto Association Flags

<verbatim>
/*
 * The following bits are set by the CRYPTO_ASSOC message from
 * the server and are not modified by the client.
 */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */

/*
 * The following bits are used by the client during the protocol
 * exchange.
 */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
</verbatim>

%SECTION1{name=RELATED_LINKS}% Related Links

   * [[http://www.meinbergglobal.com/english/sw/ak_tools.htm][Autokey Helper Script]]
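The following is an added example for the Monitoring Authentication Status and Crypto Association Flags sections above; it is not part of this page or of the NTP distribution. It parses =ntpq -c as= output, decodes a =flags= value against the CRYPTO_FLAG_* bits quoted above, and reports which step of the Autokey exchange is still missing for the chosen Identity Scheme (the =ntpq= listing embedded in it is constructed from the sample on the page).

```python
# Added example: assess one Autokey association from ntpq output. The flag
# values are the CRYPTO_FLAG_* bits quoted above; the ntpq sample is constructed.
import re

CRYPTO_FLAGS = {  # bit -> name, as listed in the Crypto Association Flags section
    0x0001: "ENAB", 0x0002: "TAI", 0x0010: "PRIV", 0x0020: "IFF", 0x0040: "GQ",
    0x0080: "MV", 0x0100: "VALID", 0x0200: "VRFY", 0x0400: "PROV",
    0x0800: "AGREE", 0x1000: "AUTO", 0x2000: "SIGN", 0x4000: "LEAP"}
SCHEME_BITS = {"PC": 0x0010, "IFF": 0x0020, "GQ": 0x0040, "MV": 0x0080}
KNOWN_MASK = 0x7ff3     # union of every bit in CRYPTO_FLAGS
EXCHANGE_DONE = 0x3f00  # VALID|VRFY|PROV|AGREE|AUTO|SIGN; LEAP is optional

def decode_flags(flags):
    """Return (names of the listed bits that are set, value of any unlisted bits)."""
    names = [name for bit, name in sorted(CRYPTO_FLAGS.items()) if flags & bit]
    return names, flags & ~KNOWN_MASK

def parse_assoc(as_output):
    """Parse `ntpq -c as` output into {assID: {column: value}}."""
    pat = re.compile(r"\s*\d+\s+(\d+)\s+([0-9a-f]+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+)")
    assocs = {}
    for line in as_output.splitlines():
        m = pat.match(line)
        if m:
            cols = ("status", "conf", "reach", "auth", "condition")
            assocs[int(m.group(1))] = dict(zip(cols, m.groups()[1:]))
    return assocs

def check_autokey(assoc, flags, scheme):
    """Return the problems found; an empty list means reachable, auth ok, and
    the client side of the Autokey exchange for `scheme` has completed."""
    problems = []
    if assoc["reach"] != "yes":
        problems.append("server not reachable")
    if assoc["auth"] != "ok":
        problems.append("auth column is %r, not ok" % assoc["auth"])
    if not flags & 0x0001:
        problems.append("CRYPTO_FLAG_ENAB clear: server has not enabled crypto")
    if not flags & SCHEME_BITS[scheme]:
        problems.append("server did not announce the %s identity scheme" % scheme)
    missing = EXCHANGE_DONE & ~flags
    if missing:  # name the protocol steps that have not completed yet
        problems.append("exchange incomplete, still missing: " + ", ".join(decode_flags(missing)[0]))
    return problems

SAMPLE_AS = """\
ind assID status  conf reach auth  condition  last_event cnt
===========================================================
  1 26132  f694   yes   yes  ok   sys.peer    reachable  9
"""                     # constructed, modelled on the listing above
SAMPLE_FLAGS = 0x83f21  # the working Autokey+IFF client value shown above
```

Note that =0x83f21= also carries bit =0x80000=, which is not among the defines quoted above; =decode_flags= returns such bits separately rather than guessing a name for them.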
Topic revision: r24 - 2012-12-14 - 21:30:16 - SteveKostecke