r1 - 2004-08-15 - 04:07:00 - SteveKosteckeYou are here: NTP >  Support Web > ConfiguringAutokey > ConfiguringAutokeyDev
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

Discussion of ConfiguringAutokey

The checklist

A short checklist to setup a ntp server Alice and a client Bob to use autokey with the IFF identity scheme:
1) On both Alice and Bob, add two lines to your ntp.conf:
### ntp.conf
#added lines to switch on autokey usage:
crypto pw littlesecret
keysdir /etc/ntp/

And add the server line for Alice to Bob's ntp.conf, including the autokey parameter:

### ntp.conf of Bob
server Alice autokey

2) On Alice, create trusted public key and identity scheme parameter file, and use a password with at least 4 characters:

Alice:/etc/ntp# ntp-keygen -T -I -p littlesecret

3) Then copy the file ntpkey_IFFpar_Alice.[timestamp] securely to Bob's keysdir:
Bob:/etc/ntp# scp root@alice:/etc/ntp/ntpkey_IFFpar_Alice.3288592503 /etc/ntp/

4) Create two links in Bob's keysdir:
Bob:/etc/ntp# ln -s ntpkey_IFFpar_Alice.3288592503 ntpkey_iff_Alice
Bob:/etc/ntp# ln -s ntpkey_IFFpar_Alice.3288592503 ntpkey_iff_Bob

5) Restart your ntpd on Alice
6) Restart your ntpd on Bob
7) Sit back, get a beer (or any other beverage you prefer) and - if religous - pray a little prayer

After a while, Bob should accept Alice as his timesource and the world is a better place (well, at least a little bit better).

In order to generate a new public key (you could do this on a monthly basis), use the following command on Alice:

Alice:/etc/ntp# ntp-keygen -T -q littlesecret

-- HeikoGerstung

Additional comments:

Here is an additional comment from Dave:

You might need to automate a scheme for a new user to get an (encrypted) copy of the group key, say by electric mail. I did that for one of our NTP servers as an experiment and proposed that for use by others. It amounts to a procmail recipe that sends back a script containing the encrypted key. The client runs the script and the appropriate magic happens. Of course, it should be done using PGP mail, but I'm not a mail expert here and I was hoping some volunteer would do it properly.

If you really want to have some fun, try the MV identity scheme. Use that scheme if you can't trust the servers, much less the clients, and need to be able for the trusted agent to revoke some client turned terrorist. The mathematics of that scheme is delicious.


-- HeikoGerstung - 19 Mar 2004

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r4 < r3 < r2 < r1 | More topic actions...
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback