Authentication problem - NTP
-
Authentication problem
I've had this issue with authentication for a while, but decided to finally
ask as it's bugging me.
I use ntpdc to add/remove servers on the fly so I don't have to restart the
server. It works fine using addserver and unconfig as long as I don't quit
ntpdc.
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
MD5 Password:
done!
ntpdc> unconfig 63.240.161.99
done!
However, if I quit ntpdc, start ntpdc, issue the unconfig command and put in
the proper password when prompted, it won't be accepted. addserver works
fine though.
ntpdc> quit
saturn:$ ntpdc
ntpdc> addserver 63.240.161.99
Keyid: 1
MD5 Password:
done!
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> quit
saturn:$ ntpdc
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> readkeys
***Permission denied
The only way I've found to get it to work is to quit again and issue the
readkeys command. The readkeys command won't be accepted until I quit and
restart ntpdc again.
ntpdc> quit
saturn:$ ntpdc
ntpdc> readkeys
Keyid: 1
MD5 Password:
done!
ntpdc> unconfig 63.240.161.99
done!
Am I doing something wrong, is there a bug, or is that the correct behavior
of ntpdc?
I have the following in my ntp.conf:
# Authentication
keys /etc/ntp/keys
trustedkey 1
requestkey 1
controlkey 1
And my keys file looks like this:
1 M somepassword
Thanks,
Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
-
Re: Authentication problem
Dennis,
The ntpdc program has not been actively maintained for some time. The
principal problem is that the ntpdc remote configuration commands are
incompatible with the pool and manycast schemes.
The ntpq program can now generate configuration file commands, but the
command set is incomplete. For instance, there is no demobilize command.
If ntpdc works, even if buggy, use it. It would be helpful if you could
wiggle the ntpq facilities and speak up about what you think it should
and should not do.
Dave
Dennis Hilberg, Jr. wrote:
> I've had this issue with authentication for a while, but decided to
> finally ask as it's bugging me.
>
> I use ntpdc to add/remove servers on the fly so I don't have to restart
> the server. It works fine using addserver and unconfig as long as I
> don't quit ntpdc.
>
> saturn:$ ntpdc
> ntpdc> addserver 63.240.161.99
> Keyid: 1
> MD5 Password:
> done!
> ntpdc> unconfig 63.240.161.99
> done!
>
> However, if I quit ntpdc, start ntpdc, issue the unconfig command and
> put in the proper password when prompted, it won't be accepted.
> addserver works fine though.
>
> ntpdc> quit
> saturn:$ ntpdc
> ntpdc> addserver 63.240.161.99
> Keyid: 1
> MD5 Password:
> done!
> ntpdc> quit
> saturn:$ ntpdc
> ntpdc> unconfig 63.240.161.99
> MD5 Password:
> ***Permission denied
> ntpdc> quit
> saturn:$ ntpdc
> ntpdc> unconfig 63.240.161.99
> MD5 Password:
> ***Permission denied
> ntpdc> readkeys
> ***Permission denied
>
> The only way I've found to get it to work is to quit again and issue the
> readkeys command. The readkeys command won't be accepted until I quit
> and restart ntpdc again.
>
> ntpdc> quit
> saturn:$ ntpdc
> ntpdc> readkeys
> Keyid: 1
> MD5 Password:
> done!
> ntpdc> unconfig 63.240.161.99
> done!
>
> Am I doing something wrong, is there a bug, or is that the correct
> behavior of ntpdc?
>
> I have the following in my ntp.conf:
>
> # Authentication
>
> keys /etc/ntp/keys
>
> trustedkey 1
> requestkey 1
> controlkey 1
>
> And my keys file looks like this:
>
> 1 M somepassword
>
>
> Thanks,
>
> Dennis
>
-
Re: Authentication problem
>>> In article , "Dennis Hilberg, Jr." writes:
Dennis> I've had this issue with authentication for a while, but decided to
Dennis> finally ask as it's bugging me.
Dennis> I use ntpdc to add/remove servers on the fly so I don't have to
Dennis> restart the server. It works fine using addserver and unconfig as
Dennis> long as I don't quit ntpdc.
Dennis> saturn:$ ntpdc
Dennis> ntpdc> addserver 63.240.161.99
Dennis> Keyid: 1 MD5 Password: done!
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> done!
Dennis> However, if I quit ntpdc, start ntpdc, issue the unconfig command
Dennis> and put in the proper password when prompted, it won't be
Dennis> accepted. addserver works fine though.
Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> addserver 63.240.161.99
Dennis> Keyid: 1 MD5 Password: done!
Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
Dennis> ntpdc> quit
Dennis> saturn:$ ntpdc
Dennis> ntpdc> unconfig 63.240.161.99
Dennis> MD5 Password: ***Permission denied
Dennis> ntpdc> readkeys
Dennis> ***Permission denied
I think this is because you have not respecified the keyid.
Try giving the 'keyid' command after you restart ntpdc to be sure.
I'm not sure why you were not asked for it though...
And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
quite a while now, and the new config parsing code does not have an
"unconfig" command yet (near as I can remember).
I am aware of two obvious solutions to this problem (as well as many others)
but since I mention these two solutions Frequently I'll refrain from
repeating them at this time.
--
Harlan Stenn
http://ntpforum.isc.org - be a member!
-
Re: Authentication problem
Harlan Stenn wrote:
> I think this is because you have not respecified the keyid.
That solves the issue just fine. I'll just have to remember to say 'keyid 1'
whenever I start ntpdc.
> Try giving the 'keyid' command after you restart ntpdc to be sure.
It does say no keyid defined.
> I'm not sure why you were not asked for it though...
I found that odd. When I issue the addserver command, I get prompted for the
keyid, but not when I issue the unconfig command. That's the problem.
> And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
> quite a while now, and the new config parsing code does not have an
> "unconfig" command yet (near as I can remember).
Sorry, I'm not a very accomplished programmer. Otherwise I'd be glad to help
out, time permitting.
> I am aware of two obvious solutions to this problem (as well as many others)
> but since I mention these two solutions Frequently I'll refrain from
> repeating them at this time.
Like I mentioned, specifying 'keyid 1' right after starting ntpdc solves the
problem. Although I'd be interested in other solutions, or at least point me
to where you've talked about them before. I use ntpdc regularly for
adding/removing servers and fudging refclock values, etc. It's useful as I
don't have to restart the server all the time.
Not that it matters, as no one is maintaining ntpdc currently, but I think I
found a bug while messing with it:
saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> keyid
keyid is 134682920
It seems to randomly generate a keyid and specify it for use, and then
prompt for a password for that keyid even though it doesn't exist. And if I
do it again:
saturn:$ ntpdc
ntpdc> keyid
no keyid defined
ntpdc> unconfig 63.240.161.99
MD5 Password:
***Permission denied
ntpdc> keyid
keyid is 134686616
A different keyid is generated.
Anyway, thanks for the help!
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
-
Re: Authentication problem
David L. Mills wrote:
> Dennis,
>
> The ntpdc program has not been actively maintained for some time. The
> principal problem is that the ntpdc remote configuration commands are
> incompatible with the pool and manycast schemes.
>
> The ntpq program can now generate configuration file commands, but the
> command set is incomplete. For instance, there is no demobilize command.
> If ntpdc works, even if buggy, use it. It would be helpful if you could
> wiggle the ntpq facilities and speak up about what you think it should
> and should not do.
I looked through the ntpq documentation on the UDel website, but could not
find anything regarding runtime configuration commands. Only for ntpdc.
If you could point me to some documentation concerning ntpq runtime
configuration commands, I'd be happy to mess around with it.
> Dave
Dennis
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
-
Re: Authentication problem
Harlan Stenn wrote:
> Dennis> Not that it matters, as no one is maintaining ntpdc currently, but I
> Dennis> think I found a bug while messing with it:
>
> Dennis> saturn:$ ntpdc
> Dennis> ntpdc> keyid
> Dennis> no keyid defined
> Dennis> ntpdc> unconfig 63.240.161.99
> Dennis> MD5 Password: ***Permission denied
> Dennis> ntpdc> keyid
> Dennis> keyid is 134682920
>
> Feel free to open a bug report on this. While there is little chance
> somebody will fix it, there is *no* chance it will be fixed if nobody
> remembers it.
I just did, bug 1003.
https://support.ntp.org/bugs/show_bug.cgi?id=1003
Hopefully someone will get to it, but if not at least it's documented.
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
-
Re: Authentication problem
Hello Dennis,
On Tuesday, February 26, 2008 at 11:29:58 -0800, Dennis Hilberg, Jr. wrote:
> start ntpdc, issue the unconfig command and put in the proper password
> when prompted, it won't be accepted.
It is a bug, introduced three years ago by a wrong fix for another bug.
Previously "unconfig" was prompting for both a keyid and a password, as
it should. Since then, it prompts for a password only, which is not
enough. Full story at .
> addserver works fine though.
It may fail too, if the requestkey-id and the symmetric keyid used to
authenticate the added server are not the same.
An easy workaround is to preset the requestkey-id:
| ntpdc> keyid 1
| ntpdc> unconfig 63.240.161.99
| MD5 Password: somepassword
| done!
But even that could fail with the current ntp-dev: "attempt to remove
configure bit is invalid".
Serge.
--
Serge point Bets arobase laposte point net
-
Re: Authentication problem
Hello Harlan,
On Wednesday, February 27, 2008 at 5:53:09 +0000, Harlan Stenn wrote:
> I suspect one of your command choices *requires* a key and for the
> other it is optional. That's just a guess though...
Both "addserver" and "unconfig" require a keyid/password pair.
Some confusion may come from the fact that "addserver" can have to deal
with 2 different keyids, one to authenticate the sent ntpdc command, and
another to authenticate the added server.
- In "addserver ", the keyid is to be used by the added
association. No prompt for a password, the remote client and its server
have identical ntp.keys values for this keyid, and they will use it in
usual mode 3 and 4 packets (client/server mode).
- When you enter "keyid ", or reply to the "Keyid:" prompt, this
should be used only for the sent mode 7 commands. You are prompted for
a password, and the remote client you attempt to reconfigure has the
trusted-request-keyid/password in its ntp.keys.
This was the original design. However the patch in bug 401 messed up
this clear separation. Solution: remove this harmful patch. And keep bug
401 open, waiting for its own rethought solution. Removing the patch
will also automagically fix bug 1003, AFAICS.
Serge.
--
Serge point Bets arobase laposte point net
-
Re: Authentication problem
Serge Bets wrote:
> This was the original design. However the patch in bug 401 messed up
> this clear separation. Solution: remove this harmful patch. And keep bug
> 401 open, waiting for its own rethought solution. Removing the patch
> will also automagically fix bug 1003, AFAICS.
It does. I removed the 401 patch code and replaced it with the original
code, and now addserver and unconfig both prompt for a keyid when one isn't
specified.
I created a unified diff patch and attached it to the bug report for those
interested. It works with ntp 4.2.4p4.
http://bugs.ntp.org/1003
> Serge.
--
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
-
Re: Authentication problem
Dennis,
The ntpq remote configuration is a work in progress. The original author
got pulled off on another project before the documentation was complete.
However, a little poking reveals that a ntpq command beginning with
":config" sends the rest of the line to the server, which interprets it
as a vanilla configuration file command. This of course requires
authentication as in ntpdc.
As I said, the implementation is incomplete and very likely additional
commands will be useful in future. Your comments are invited.
Dave
Dennis Hilberg, Jr. wrote:
> David L. Mills wrote:
>
>> Dennis,
>>
>> The ntpdc program has not been actively maintained for some time. The
>> principal problem is that the ntpdc remote configuration commands are
>> incompatible with the pool and manycast schemes.
>>
>> The ntpq program can now generate configuration file commands, but the
>> command set is incomplete. For instance, there is no demobilize
>> command. If ntpdc works, even if buggy, use it. It would be helpful if
>> you could wiggle the ntpq facilities and speak up about what you think
>> it should and should not do.
>
>
> I looked through the ntpq documentation on the UDel website, but could
> not find anything regarding runtime configuration commands. Only for ntpdc.
>
> If you could point me to some documentation concerning ntpq runtime
> configuration commands, I'd be happy to mess around with it.
>
>> Dave
>
>
> Dennis
>
-
Re: Authentication problem
Dennis Hilberg, Jr. wrote:
> Not that it matters, as no one is maintaining ntpdc currently, but I think I
> found a bug while messing with it:
>
> saturn:$ ntpdc
> ntpdc> keyid
> no keyid defined
> ntpdc> unconfig 63.240.161.99
> MD5 Password:
> ***Permission denied
> ntpdc> keyid
> keyid is 134682920
>
> It seems to randomly generate a keyid and specify it for use, and then
> prompt for a password for that keyid even though it doesn't exist. And if I
> do it again:
>
> saturn:$ ntpdc
> ntpdc> keyid
> no keyid defined
> ntpdc> unconfig 63.240.161.99
> MD5 Password:
> ***Permission denied
> ntpdc> keyid
> keyid is 134686616
>
> A different keyid is generated.
>
> Anyway, thanks for the help!
>
It's using an uninitialized variable so the value is random junk. We
probably should set it to 0 assuming that you cannot use 0 for a keyid.
Danny
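
Added example, not part of the thread and not taken from the ntpdc source: a small C model of the behaviour discussed above, where the request keyid starts at an explicit "unset" value and an authenticated command prompts for a keyid before the password when none is set. All names (`session`, `prompts`, `prepare_auth`, `KEYID_UNSET`) are hypothetical, and treating 0 as an invalid keyid is the assumption stated in the thread.

```c
#include <stdio.h>
#include <stdlib.h>

#define KEYID_UNSET 0u  /* assumption from the thread: 0 is never a valid keyid */

/* Hypothetical client state for authenticated (mode 7) requests. */
struct session {
    unsigned long keyid;   /* request keyid used to sign commands */
    int have_password;     /* password already entered for this keyid */
};

/* Constructed stand-in for the terminal: scripted reply plus prompt counters. */
struct prompts {
    const char *keyid_reply;
    int keyid_prompts;
    int password_prompts;
};

void session_init(struct session *s) {
    s->keyid = KEYID_UNSET;  /* explicit sentinel, never leftover memory */
    s->have_password = 0;
}

/* Called before any authenticated command such as addserver or unconfig.
 * Returns 0 when the request can be signed, -1 when no usable keyid exists. */
int prepare_auth(struct session *s, struct prompts *p) {
    if (s->keyid == KEYID_UNSET) {
        unsigned long v;
        p->keyid_prompts++;                      /* "Keyid: " */
        v = strtoul(p->keyid_reply, NULL, 10);
        if (v == KEYID_UNSET)
            return -1;      /* refuse rather than sign with a bogus keyid */
        s->keyid = v;
        s->have_password = 0;
    }
    if (!s->have_password) {
        p->password_prompts++;                   /* "MD5 Password: " */
        s->have_password = 1;
    }
    return 0;
}

int main(void) {
    struct session s;
    struct prompts p = { "1", 0, 0 };            /* constructed input */
    session_init(&s);
    printf("unconfig: rc=%d keyid=%lu\n", prepare_auth(&s, &p), s.keyid);
    printf("prompts: keyid=%d password=%d\n", p.keyid_prompts, p.password_prompts);
    return 0;
}
```
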