Authentication problem - NTP


  1. Authentication problem

    I've had this issue with authentication for a while, but decided to finally
    ask as it's bugging me.

    I use ntpdc to add/remove servers on the fly so I don't have to restart the
    server. It works fine using addserver and unconfig as long as I don't quit
    ntpdc.

    saturn:$ ntpdc
    ntpdc> addserver 63.240.161.99
    Keyid: 1
    MD5 Password:
    done!
    ntpdc> unconfig 63.240.161.99
    done!

    However, if I quit ntpdc, start ntpdc, issue the unconfig command and put in
    the proper password when prompted, it won't be accepted. addserver works
    fine though.

    ntpdc> quit
    saturn:$ ntpdc
    ntpdc> addserver 63.240.161.99
    Keyid: 1
    MD5 Password:
    done!
    ntpdc> quit
    saturn:$ ntpdc
    ntpdc> unconfig 63.240.161.99
    MD5 Password:
    ***Permission denied
    ntpdc> quit
    saturn:$ ntpdc
    ntpdc> unconfig 63.240.161.99
    MD5 Password:
    ***Permission denied
    ntpdc> readkeys
    ***Permission denied

    The only way I've found to get it to work is to quit again and issue the
    readkeys command. The readkeys command won't be accepted until I quit and
    restart ntpdc again.

    ntpdc> quit
    saturn:$ ntpdc
    ntpdc> readkeys
    Keyid: 1
    MD5 Password:
    done!
    ntpdc> unconfig 63.240.161.99
    done!

    Am I doing something wrong, is there a bug, or is that the correct behavior
    of ntpdc?

    I have the following in my ntp.conf:

    # Authentication

    keys /etc/ntp/keys

    trustedkey 1
    requestkey 1
    controlkey 1

    And my keys file looks like this:

    1 M somepassword


    Thanks,

    Dennis

    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  2. Re: Authentication problem

    Dennis,

    The ntpdc program has not been actively maintained for some time. The
    principal problem is that the ntpdc remote configuration commands are
    incompatible with the pool and manycast schemes.

    The ntpq program can now generate configuration file commands, but the
    command set is incomplete. For instance, there is no demobilize command.
    If ntpdc works, even if buggy, use it. It would be helpful if you could
    wiggle the ntpq facilities and speak up about what you think it should
    and should not do.

    Dave

    Dennis Hilberg, Jr. wrote:
    > I've had this issue with authentication for a while, but decided to
    > finally ask as it's bugging me.
    >
    > I use ntpdc to add/remove servers on the fly so I don't have to restart
    > the server. It works fine using addserver and unconfig as long as I
    > don't quit ntpdc.
    >
    > saturn:$ ntpdc
    > ntpdc> addserver 63.240.161.99
    > Keyid: 1
    > MD5 Password:
    > done!
    > ntpdc> unconfig 63.240.161.99
    > done!
    >
    > However, if I quit ntpdc, start ntpdc, issue the unconfig command and
    > put in the proper password when prompted, it won't be accepted.
    > addserver works fine though.
    >
    > ntpdc> quit
    > saturn:$ ntpdc
    > ntpdc> addserver 63.240.161.99
    > Keyid: 1
    > MD5 Password:
    > done!
    > ntpdc> quit
    > saturn:$ ntpdc
    > ntpdc> unconfig 63.240.161.99
    > MD5 Password:
    > ***Permission denied
    > ntpdc> quit
    > saturn:$ ntpdc
    > ntpdc> unconfig 63.240.161.99
    > MD5 Password:
    > ***Permission denied
    > ntpdc> readkeys
    > ***Permission denied
    >
    > The only way I've found to get it to work is to quit again and issue the
    > readkeys command. The readkeys command won't be accepted until I quit
    > and restart ntpdc again.
    >
    > ntpdc> quit
    > saturn:$ ntpdc
    > ntpdc> readkeys
    > Keyid: 1
    > MD5 Password:
    > done!
    > ntpdc> unconfig 63.240.161.99
    > done!
    >
    > Am I doing something wrong, is there a bug, or is that the correct
    > behavior of ntpdc?
    >
    > I have the following in my ntp.conf:
    >
    > # Authentication
    >
    > keys /etc/ntp/keys
    >
    > trustedkey 1
    > requestkey 1
    > controlkey 1
    >
    > And my keys file looks like this:
    >
    > 1 M somepassword
    >
    >
    > Thanks,
    >
    > Dennis
    >


  3. Re: Authentication problem

    >>> In article , "Dennis Hilberg, Jr." writes:

    Dennis> I've had this issue with authentication for a while, but decided to
    Dennis> finally ask as it's bugging me.

    Dennis> I use ntpdc to add/remove servers on the fly so I don't have to
    Dennis> restart the server. It works fine using addserver and unconfig as
    Dennis> long as I don't quit ntpdc.

    Dennis> saturn:$ ntpdc
    Dennis> ntpdc> addserver 63.240.161.99
    Dennis> Keyid: 1 MD5 Password: done!
    Dennis> ntpdc> unconfig 63.240.161.99
    Dennis> done!

    Dennis> However, if I quit ntpdc, start ntpdc, issue the unconfig command
    Dennis> and put in the proper password when prompted, it won't be
    Dennis> accepted. addserver works fine though.

    Dennis> ntpdc> quit
    Dennis> saturn:$ ntpdc
    Dennis> ntpdc> addserver 63.240.161.99
    Dennis> Keyid: 1 MD5 Password: done!
    Dennis> ntpdc> quit
    Dennis> saturn:$ ntpdc
    Dennis> ntpdc> unconfig 63.240.161.99
    Dennis> MD5 Password: ***Permission denied
    Dennis> ntpdc> quit
    Dennis> saturn:$ ntpdc
    Dennis> ntpdc> unconfig 63.240.161.99
    Dennis> MD5 Password: ***Permission denied
    Dennis> ntpdc> readkeys
    Dennis> ***Permission denied

    I think this is because you have not respecified the keyid.

    Try giving the 'keyid' command after you restart ntpdc to be sure.

    I'm not sure why you were not asked for it though...

    And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
    quite a while now, and the new config parsing code does not have an
    "unconfig" command yet (near as I can remember).

    I am aware of two obvious solutions to this problem (as well as many others)
    but since I mention these two solutions Frequently I'll refrain from
    repeating them at this time.
    --
    Harlan Stenn
    http://ntpforum.isc.org - be a member!

  4. Re: Authentication problem

    Harlan Stenn wrote:
    > I think this is because you have not respecified the keyid.


    That solves the issue just fine. I'll just have to remember to say 'keyid 1'
    whenever I start ntpdc.

    > Try giving the 'keyid' command after you restart ntpdc to be sure.


    It does say no keyid defined.

    > I'm not sure why you were not asked for it though...


    I found that odd. When I issue the addserver command, I get prompted for the
    keyid, but not when I issue the unconfig command. That's the problem.

    > And as Dave has pointed out, nobody has volunteered to maintain ntpdc for
    > quite a while now, and the new config parsing code does not have an
    > "unconfig" command yet (near as I can remember).


    Sorry, I'm not a very accomplished programmer. Otherwise I'd be glad to help
    out, time permitting.

    > I am aware of two obvious solutions to this problem (as well as many others)
    > but since I mention these two solutions Frequently I'll refrain from
    > repeating them at this time.


    Like I mentioned, specifying 'keyid 1' right after starting ntpdc solves the
    problem. Although I'd be interested in other solutions, or at least point me
    to where you've talked about them before. I use ntpdc regularly for
    adding/removing servers and fudging refclock values, etc. It's useful as I
    don't have to restart the server all the time.

    Not that it matters, as no one is maintaining ntpdc currently, but I think I
    found a bug while messing with it:

    saturn:$ ntpdc
    ntpdc> keyid
    no keyid defined
    ntpdc> unconfig 63.240.161.99
    MD5 Password:
    ***Permission denied
    ntpdc> keyid
    keyid is 134682920

    It seems to randomly generate a keyid and specify it for use, and then
    prompt for a password for that keyid even though it doesn't exist. And if I
    do it again:

    saturn:$ ntpdc
    ntpdc> keyid
    no keyid defined
    ntpdc> unconfig 63.240.161.99
    MD5 Password:
    ***Permission denied
    ntpdc> keyid
    keyid is 134686616

    A different keyid is generated.

    Anyway, thanks for the help!

    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  5. Re: Authentication problem

    David L. Mills wrote:
    > Dennis,
    >
    > The ntpdc program has not been actively maintained for some time. The
    > principal problem is that the ntpdc remote configuration commands are
    > incompatible with the pool and manycast schemes.
    >
    > The ntpq program can now generate configuration file commands, but the
    > command set is incomplete. For instance, there is no demobilize command.
    > If ntpdc works, even if buggy, use it. It would be helpful if you could
    > wiggle the ntpq facilities and speak up about what you think it should
    > and should not do.


    I looked through the ntpq documentation on the UDel website, but could not
    find anything regarding runtime configuration commands. Only for ntpdc.

    If you could point me to some documentation concerning ntpq runtime
    configuration commands, I'd be happy to mess around with it.

    > Dave


    Dennis

    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  6. Re: Authentication problem

    Harlan Stenn wrote:
    > Dennis> Not that it matters, as no one is maintaining ntpdc currently, but I
    > Dennis> think I found a bug while messing with it:
    >
    > Dennis> saturn:$ ntpdc
    > ntpdc> keyid
    > Dennis> no keyid defined
    > ntpdc> unconfig 63.240.161.99
    > Dennis> MD5 Password: ***Permission denied
    > ntpdc> keyid
    > Dennis> keyid is 134682920
    >
    > Feel free to open a bug report on this. While there is little chance
    > somebody will fix it, there is *no* chance it will be fixed if nobody
    > remembers it.


    I just did, bug 1003.

    https://support.ntp.org/bugs/show_bug.cgi?id=1003

    Hopefully someone will get to it, but if not at least it's documented.

    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  7. Re: Authentication problem

    Hello Dennis,

    On Tuesday, February 26, 2008 at 11:29:58 -0800, Dennis Hilberg, Jr. wrote:

    > start ntpdc, issue the unconfig command and put in the proper password
    > when prompted, it won't be accepted.


    It is a bug, introduced three years ago by a wrong fix for another bug.
    Previously "unconfig" was prompting for both a keyid and a password, as
    it should. Since then, it prompts for a password only, which is not
    enough. Full story at .


    > addserver works fine though.


    It may fail too, if the requestkey-id and the symmetric keyid used to
    authenticate the added server are not the same.


    An easy workaround is to preset the requestkey-id:

    | ntpdc> keyid 1
    | ntpdc> unconfig 63.240.161.99
    | MD5 Password: somepassword
    | done!

    But even that could fail with the current ntp-dev: "attempt to remove
    configure bit is invalid".


    Serge.
    --
    Serge point Bets arobase laposte point net

  8. Re: Authentication problem

    Hello Harlan,

    On Wednesday, February 27, 2008 at 5:53:09 +0000, Harlan Stenn wrote:

    > I suspect one of your command choices *requires* a key and for the
    > other it is optional. That's just a guess though...


    Both "addserver" and "unconfig" require a keyid/password pair.

    Some confusion may come from the fact that "addserver" can have to deal
    with 2 different keyids, one to authenticate the sent ntpdc command, and
    another to authenticate the added server.

    - In "addserver ", the keyid is to be used by the added
    association. No prompt for a password, the remote client and its server
    have identical ntp.keys values for this keyid, and they will use it in
    usual mode 3 and 4 packets (client/server mode).

    - When you enter "keyid ", or reply to the "Keyid:" prompt, this
    should be used only for the sent mode 7 commands. You are prompted for
    a password, and the remote client you attempt to reconfigure has the
    trusted-request-keyid/password in its ntp.keys.

    This was the original design. However the patch in bug 401 messed up
    this clear separation. Solution: remove this harmful patch. And keep bug
    401 open, waiting for its own rethought solution. Removing the patch
    will also automagically fix bug 1003, AFAICS.


    Serge.
    --
    Serge point Bets arobase laposte point net
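
The keyid/password pair discussed in the posts above, as an added example that is not from the thread or from the NTP source: a server-side check of a request authenticated with the legacy NTP symmetric scheme (a 32-bit keyid followed by MD5(key || data)), showing that the correct password is still refused when the request carries a keyid other than the request key, such as the junk value ntpdc reported. The function names and the request layout are assumptions made for illustration; a real mode 7 request also carries a header and a timestamp.

```python
import hashlib
import hmac
import struct

# Constructed inputs mirroring the thread's ntp.conf and keys file.
KEYS_FILE = "1 M somepassword\n"
REQUEST_KEY = 1  # "requestkey 1" in ntp.conf


def parse_keys(text):
    """Parse 'keyid type secret' lines from an ntp.keys-style file."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 2)
        if len(fields) == 3 and fields[1].upper() in ("M", "MD5"):
            keys[int(fields[0])] = fields[2].strip().encode()
    return keys


def sign_request(payload, keyid, password):
    """Client side: append the 32-bit keyid and MD5(key || payload)."""
    digest = hashlib.md5(password.encode() + payload).digest()
    return payload + struct.pack("!I", keyid) + digest


def verify_request(packet, keys, request_key=REQUEST_KEY):
    """Server side: return (accepted, reason) for an authenticated request."""
    if len(packet) < 20:
        return False, "no MAC"
    payload, trailer = packet[:-20], packet[-20:]
    (keyid,) = struct.unpack("!I", trailer[:4])
    if keyid != request_key:
        return False, "keyid %d is not the request key" % keyid
    secret = keys.get(keyid)
    if secret is None:
        return False, "unknown keyid"
    expected = hashlib.md5(secret + payload).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    keys = parse_keys(KEYS_FILE)
    cmd = b"unconfig 63.240.161.99"  # stand-in for the request body
    for kid in (1, 134682920):
        print(kid, verify_request(sign_request(cmd, kid, "somepassword"), keys))
```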

  9. Re: Authentication problem

    Serge Bets wrote:
    > This was the original design. However the patch in bug 401 messed-up
    > this clear separation. Solution: remove this harmful patch. And keep bug
    > 401 open, waiting for its own rethinked solution. Removing the patch
    > will also automagically fix bug 1003, AFAICS.


    It does. I removed the 401 patch code and replaced it with the original
    code, and now addserver and unconfig both prompt for a keyid when one isn't
    specified.

    I created a unified diff patch and attached it to the bug report for those
    interested. It works with ntp 4.2.4p4.

    http://bugs.ntp.org/1003

    > Serge.



    --
    Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
    NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php

  10. Re: Authentication problem

    Dennis,

    The ntpq remote configuration is a work in progress. The original author
    got pulled off on another project before the documentation was complete.
    However, a little poking reveals that a ntpq command beginning with
    ":config" sends the rest of the line to the server, which interprets it
    as a vanilla configuration file command. This of course requires
    authentication as in ntpdc.

    As I said, the implementation is incomplete and very likely additional
    commands will be useful in future. Your comments are invited.

    Dave

    Dennis Hilberg, Jr. wrote:
    > David L. Mills wrote:
    >
    >> Dennis,
    >>
    >> The ntpdc program has not been actively maintained for some time. The
    >> principal problem is that the ntpdc remote configuration commands are
    >> incompatible with the pool and manycast schemes.
    >>
    >> The ntpq program can now generate configuration file commands, but the
    >> command set is incomplete. For instance, there is no demobilize
    >> command. If ntpdc works, even if buggy, use it. It would be helpful if
    >> you could wiggle the ntpq facilities and speak up about what you think
    >> it should and should not do.

    >
    >
    > I looked through the ntpq documentation on the UDel website, but could
    > not find anything regarding runtime configuration commands. Only for ntpdc.
    >
    > If you could point me to some documentation concerning ntpq runtime
    > configuration commands, I'd be happy to mess around with it.
    >
    >> Dave

    >
    >
    > Dennis
    >


  11. Re: Authentication problem

    Dennis Hilberg, Jr. wrote:

    > Not that it matters, as no one is maintaining ntpdc currently, but I think I
    > found a bug while messing with it:
    >
    > saturn:$ ntpdc
    > ntpdc> keyid
    > no keyid defined
    > ntpdc> unconfig 63.240.161.99
    > MD5 Password:
    > ***Permission denied
    > ntpdc> keyid
    > keyid is 134682920
    >
    > It seems to randomly generate a keyid and specify it for use, and then
    > prompt for a password for that keyid even though it doesn't exist. And if I
    > do it again:
    >
    > saturn:$ ntpdc
    > ntpdc> keyid
    > no keyid defined
    > ntpdc> unconfig 63.240.161.99
    > MD5 Password:
    > ***Permission denied
    > ntpdc> keyid
    > keyid is 134686616
    >
    > A different keyid is generated.
    >
    > Anyway, thanks for the help!
    >


    It's using an uninitialized variable so the value is random junk. We
    probably should set it to 0 assuming that you cannot use 0 for a keyid.

    Danny
