Quantcast
Channel: Network – Weberblog.net
Viewing all articles
Browse latest Browse all 253

NTP Authentication: Client Side

$
0
0

Now that we have enabled NTP authentication on our own stratum 1 NTP servers (Linux/Raspbian and Meinberg LANTIME) we need to set up this SHA-1 based authentication on our clients. Here we go for a standard Linux ntp setup:

This article is one of many blogposts within this NTP series. Please have a look!

Note that when you’re using multiple NTP servers (which I highly recommend, refer to Why should I run own NTP Servers?) you must use different keys/IDs for each of them. Obviously you can’t use the same “key number 11” for different NTP servers as far as they’re using different randomly generated keys. In my lab I’m using three stratum 1 NTP servers (Pi DCF77, Pi GPS, Meinberg M200) with the key IDs 11, 12, and 13.

NTP Client Setup

Everything takes place solely on the NTP client. The first step is to create the ntp.keys file with the needed keys

sudo nano /etc/ntp.keys
In my case it’s:
#ntp1.weberlab.de
11 SHA1 7f3682c57faef9c87ea2eb473c393f5d61aa01ce  # SHA1 key

#ntp2.weberlab.de
12 SHA1 897a2dc01c9903a8eb89162410f9e40fecc59cee  # SHA1 key

#ntp3.weberlab.de
13 SHA1 01ff36b6b7bb0a9028e15cf1620b6308a901d3d2  # SHA1 key

The second step is to refer to this ntp.keys file, trusting those three keys, and using them on the appropriate NTP servers.

sudo nano /etc/ntp.conf
, adding/modifying those lines:
#server statements with the key ID
server ntp1.weberlab.de iburst key 11
server ntp2.weberlab.de iburst key 12
server ntp3.weberlab.de iburst prefer key 13

#path to the ntp.keys file
keys /etc/ntp.keys

#currently trusted keys out of that ntp.keys file
trustedkey (11 ... 13)

Followed by a restart of ntp:

sudo service ntp restart
.

Verify

Of course you should verify whether everything is working as expected. At first the well-known

ntpq -p
to show the peers (but yet without the information whether NTP authentication is working). Lines 5-7 are my three stratum 1 NTP servers while I am also querying another pool:
pi@pi05-random:~ $ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.001
+2003:de:2016:33 .DCFa.           1 u    2   64  177   55.803  -22.469   7.273
+2003:de:2016:33 .PPS.            1 u    5   64  177    3.748    0.741   0.607
*2003:de:2016:33 .PZF.            1 u    2   64  177    3.808    0.389   0.363
-217.79.179.106  192.53.103.104   2 u    2   64  177    5.468    0.753   0.331
-mail.morbitzer. 193.171.23.163   2 u   65   64   77    4.528    1.225   1.002
-ns1.customer-re 192.53.103.108   2 u    1   64  177    7.690   -0.213   1.960

Displaying the associations shows a column “auth” which clearly states that those three NTP servers are “ok”, i.e., authenticated:

pi@pi05-random:~ $ ntpq -c asso

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 34432  8811   yes  none  none    reject    mobilize  1
  2 34433  f414   yes   yes   ok  candidate   reachable  1
  3 34434  f41a   yes   yes   ok  candidate    sys_peer  1
  4 34435  f61a   yes   yes   ok   sys.peer    sys_peer  1
  5 34436  1314    no   yes  none   outlier   reachable  1
  6 34437  1314    no   yes  none   outlier   reachable  1
  7 34438  1314    no   yes  none   outlier   reachable  1

Furthermore you can display the authinfo section which shows the count of encryptions/decryptions. Both should increase over time:

pi@pi05-random:~ $ ntpq -c authinfo
time since reset:  1486
stored keys:       3
free keys:         0
key lookups:       164
keys not found:    0
uncached keys:     112
expired keys:      0
encryptions:       82
decryptions:       82

If you’re interested in how authenticated NTP packets look on the wire, have a look at my downloadable pcap file at Packet Capture: Network Time Protocol (NTP).

Yo. Cheers.

Featured image “Unterschrift mit Füller” by Tim Reckmann is licensed under CC BY 2.0.


Viewing all articles
Browse latest Browse all 253

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>