I just ran a quick test of Autokey/IFF between a 4.2.5p118 server and a
4.2.2p4 client and am pleased to report that the new server paramter
scheme is backwards compatible.

The Autokey HOWTO at http://support.ntp.org/Support/ConfiguringAutokey
was written for versions up to 4.2.4, so it does not correctly address
all of the details for setting up the new server parameter scheme.

Here are the steps that I followed (starting with empty keys

*** On the Server:

1. Prepare the keysdir and ntp.conf as shown at

2. Generate the server's host cert/key and private IFF key with:

ntp-keygen -T -I -p server_password

3. Export the server's public IFF parameters with

ntp-keygen -e -p server_password > ntpkey_iffpar_servername

The complete suggested name for this file is shown on its first line.

The difference here is that we are no longer encrypting the server's
public IFF parameters for each client. These public IFF parameters may
be safely distributed just like a PGP/GPG public key (e.g. on a
web-page, via un-encrypted e-mail or finger or ftp or ..., etc.)

*** On the Client:

The client configuration is actually unchanged from what is shown at

1. Prepare the keysdir and ntp.conf as shown at

2. Generate the client's host cert/key with:

ntp-keygen -p server_password

3. Obtain the server's public IFF parameters and save them in a file.
The suggested file name is on the first line of the parameters. Either
save the parameters file using this name and create the standard
sym-link or, for OSes which don't support symlinks, just save the file
with the standard name (i.e. ntpkey_iff_servername).

ln -s ntpkey_iffpar_servername.XXXXXXXX ntpkey_iff_servername

4. Activate IFF on the client by creating the following sym-link

ln -s ntpkey_host_clientname ntpkey_iff_clientname

On OSes which do not support symlinks just create a file named
ntpkey_iff_clientname. The sym-link target and file contents are not
important beacuse ntpd just checks for the existence of the
sym-link/file; the contents of the sym-link/file are not actually used.

*** Running and Troubleshooting

Restart both ntpds. Use ntpdc to view the certs and flags to confirm
proper Autokey/IFF operation. The 0x20 in the flags indicates IFF

On the server ntpq -c"rv 0 flags,cert" should show something like:

flags=0x80021, cert="servername servername 0x1", until=200907011232

where the "until" date is 1 year from the time the server's cert/key
were generated.

On the client ntpq -c"rv 0 flags,cert" should show something like this:

flags=0x80021, cert="clientname servername 0x6", expire=200907011251,
cert="servername servername 0x7", expire=200907011232,
cert="clientname clientname 0x2", expire=200907011236

To view the association flags on the client you will have to use ntpq
-pcas to determine the association ID (assID) of the server then
ntpq -c"rv assID flags" should return flags=0x83f21 (for a working
Autokey/IFF association.)

The Crypto Association Flags are documented in ./include/ntp_crypto.h in
the distribution and at

Steve Kostecke
NTP Public Services Project - http://support.ntp.org/