Generating keys for ntpdc control - NTP


Thread: Generating keys for ntpdc control

  1. Generating keys for ntpdc control

    Can someone run me through the steps necessary to generate, and apply keys
    so I can use ntpdc to make on the fly changes to ntpd? I've read through the
    docs - repeatedly! - and tried every incarnation of ntp-keygen listed. What
    I seem not to be able to get is what the "key number" represents. I suspect
    that it's got something to do with the -v option where it generates numbered
    keys, but creating them with a password, and then specifying one - like key
    1 - after entering password in ntpdc results in the cursor simply staring
    back at me. The keygen section of the docs includes the statement "Following
    hte heard the keys are entered one per line in the format keyno type key",
    which I suspect is a typo, but I'm still not getting it. I suspect there
    needs to be a file referring to what key number is what.

    I'm running the current Meinberg windows port. This comes about because of a
    question I asked last week about KOD. It was suggested that I could use
    ntpdc to effect the necessary changes by either setting up symmetric keys or
    disabling authentication. Well, I didn't have any luck with the keys, so I
    disabled authentication.

    That didn't work for two reasons: ntpdc still wouldn't talk to ntpd, and I
    found that someone at 66.80.7.58 does know how to reconfigure ntpd remotely.
    I looked at my logs on the morning of 26 June, and found that I was now
    polling that address several times a second for time. Looking at my host
    server list, I showed that address listed about 20 times as mode 1 (whatever
    that is???) I didn't do it, and it wasn't in the config file. Also, it
    started after I disabled auth. Enabling auth, and restarting fixed it,
    although he kept trying for the rest of the day. I think the intention was
    to make himself an authoritative source and force my clock to drift, as his
    incoming timestamps looked to be off by at least a minute. Hackers.........
    And not the good definition, either.



  2. Re: Generating keys for ntpdc control

    Bob,

    Bob wrote:
    > Can someone run me through the steps necessary to generate, and apply keys
    > so I can use ntpdc to make on the fly changes to ntpd? I've read through
    > the docs - repeatedly! - and tried every incarnation of ntp-keygen listed.


    ntp-keygen is used to generate private/public key pairs which are used for
    NTP's "autokey" schemes which have been introduced in NTPv4. The advantage
    of autokey is that you just have to distribute the public key to other
    machines but don't have to copy the private key to some other machine.

    The autokey scheme is used to let NTP clients be able to verify that a NTP
    packet received from a NTP server has indeed been sent by that server and
    not by someone else who wants to spoof a wrong time.

    The key numbers mentioned for ntpdc are referring to symmetric keys which
    have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
    same key as used on the server has to be copied to the client in order to
    be able to authenticate (-> "symmetric").

    Those symmetric keys can also be used with ntpdc. However, AFAIK, the
    autokey scheme can not.

    To configure symmetric keys you have to create a text file on the NTP
    server, e.g. /etc/ntp.keys, which contains the keys, e.g.:

    1 M my_secret_key
    2 M another_secret_key

    > What I seem not to be able to get is what the "key number" represents.


    The first column is the key number you have been asking for. The second
    column is a shortcut for the type of encryption, where 'M' is for MD5 which
    is AFAIK the only type of encryption still supported for symmetric keys.
    The 3rd column contains the keys, just text strings, which must be shared with
    the clients.

    Then the following lines need to be added to the server's ntp.conf file:

    keys /etc/ntp.keys # path for keys file
    trustedkey 1 2

    After ntpd has been restarted you should be able to use either key 1,
    "my_secret_key", or key 2, "another_secret_key", from your NTP client or
    with ntpdc.

    Having multiple keys as in the example above can be useful to share one
    key with one group of clients, and another key with another group of
    clients, if required.

    [...]
    > I'm running the current Meinberg windows port.


    Please note this is based on the original sources from ntp.org. Here at
    Meinberg we have just compiled those sources for Windows and put the
    resulting binaries into a GUI installer to simplify installation under
    Windows.

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  3. Re: Generating keys for ntpdc control


    "Martin Burnicki" wrote in message
    news:lbeuj5-4i6.ln1@gateway.py.meinberg.de...
    > Bob,
    >
    > Bob wrote:
    >> Can someone run me through the steps necessary to generate, and apply
    >> keys
    >> so I can use ntpdc to make on the fly changes to ntpd? I've read through
    >> the docs - repeatedly! - and tried every incarnation of ntp-keygen
    >> listed.

    >
    > ntp-keygen is used to generate private/public key pairs which are used for
    > NTP's "autokey" schemes which have been introduced in NTPv4. The advantage
    > of autokey is that you just have to distribute the public key to other
    > machines but don't have to copy the private key to some other machine.
    >
    > The autokey scheme is used to let NTP clients be able to verify that a NTP
    > packet received from a NTP server has indeed been sent by that server and
    > not by someone else who wants to spoof a wrong time.
    >
    > The key numbers mentioned for ntpdc are referring to symmetric keys which
    > have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
    > same key as used on the server has to be copied to the client in order to
    > be able to authenticate (-> "symmetric").
    >
    > Those symmetric keys can also be used with ntpdc. However, AFAIK, the
    > autokey scheme can not.
    >
    > To configure symmetric keys you have to create a text file on the NTP
    > server, e.g. /etc/ntp.keys, which contains the keys, e.g.:
    >
    > 1 M my_secret_key
    > 2 M another_secret_key
    >
    >> What I seem not to be able to get is what the "key number" represents.

    >
    > The first column is the key number you have been asking for. The second
    > column is a shortcut for the type of encryption, where 'M' is for MD5
    > which
    > is AFAIK the only type of encryption still supported for symmetric keys.
    > The 3rd column contains the keys, just text strings, which must be shared with
    > the clients.
    >
    > Then the following lines need to be added to the server's ntp.conf file:
    >
    > keys /etc/ntp.keys # path for keys file
    > trustedkey 1 2
    >
    > After ntpd has been restarted you should be able to use either key 1,
    > "my_secret_key", or key 2, "another_secret_key", from your NTP client or
    > with ntpdc.
    >
    > Having multiple keys as in the example above can be useful to share one
    > key with one group of clients, and another key with another group of
    > clients, if required.
    >
    > [...]
    >> I'm running the current Meinberg windows port.

    >
    > Please note this is based on the original sources from ntp.org. Here at
    > Meinberg we have just compiled those sources for Windows and put the
    > resulting binaries into a GUI installer to simplify installation under
    > Windows.
    >
    > Martin
    > --
    > Martin Burnicki
    >
    > Meinberg Funkuhren
    > Bad Pyrmont
    > Germany


    I'm getting closer... you actually put the key data in a file that you point
    to. OK... how do I generate the keys? For example, I tried the below (of
    course, the keys listed have been erased...) and which file do I use the
    contents of as key material, how much do I use (just the data and no
    headers), and do I have to do it all on one line per key? Thanks for the
    help on this. I've searched for detailed info without success.

    C:\Program Files\NTP\bin>ntp-keygen -c RSA-MD5 -V 5 -p Passwd
    Using OpenSSL version 90805f
    Random seed file C:/.rnd 1024 bytes
    Generating MV parameters for 5 keys (102 bits)...
    Birthday keys rejected 0
    Duplicate keys rejected 335
    Generating polynomial coefficients for 5 roots (510 bits)
    Generating g[i] parameters
    Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: yes
    Generating new mv file and link
    ntpkey_mv_wsr-88d->ntpkey_MVpar_wsr-88d.3424071587
    ntpkey_MVkey1_wsr-88d.3424071587
    ntpkey_MVkey2_wsr-88d.3424071587
    ntpkey_MVkey3_wsr-88d.3424071587
    ntpkey_MVkey4_wsr-88d.3424071587
    Revoke key 5
    Generating RSA keys (512 bits)...
    RSA 3 1 2
    Generating new host file and link
    ntpkey_host_wsr-88d->ntpkey_RSAkey_wsr-88d.3424071587
    Using host key as sign key
    Generating certificate RSA-MD5
    X509v3 Basic Constraints: critical,CA:TRUE
    X509v3 Key Usage: digitalSignature,keyCertSign
    Generating new cert file and link
    ntpkey_cert_wsr-88d->ntpkey_RSA-MD5cert_wsr-88d.3424071587


    Here's the contents of the only key that says MD5 anywhere in it -
    ntpkey_cert_wsr-88d - and, how do I make more than one?

    # ntpkey_RSA-MD5cert_wsr-88d.3424071294
    # Thu Jul 03 06:54:54 2008
    -----BEGIN CERTIFICATE-----
    MIIBNTCB4KADAgECAgTMFy5+MA0GCSqGSIb3DQEBBAUAMBIxEDAOBgNVBAMTB3dz
    ci04OGQwHhcNMDgwNzAzMTA1NDU0WhcNMDkwNzAzMTA1NDU0WjASMRAwDgYDVQQD
    Ewd3c3ItODhkMFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAMBZoDQSGm/2dAueRIxL
    fWu44Sz+Nl4vKFudplgqMd/fCdhIpkAQKE+2ZjjCZ69IE1w/kO/HPKhPNrnCKg8S
    tk0CAQOjIDAeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgKEMA0GCSqGSIb3
    DQEBBAUAA0EATmJ7b31ljkLAxVuS5whYX25DoHjrdTdU6b4hftLkLcEyueirIacA
    vgqQ1ovJVGMnXw3bR5ugyjWJNCtvJZg5nA==
    -----END CERTIFICATE-----





  4. Re: Generating keys for ntpdc control

    On 2008-07-03, Bob wrote:

    > I'm getting closer... you actually put the key data in a file that you
    > point to. OK... how do I generate the keys? For example, I tried the
    > below (of course, the keys listed have been erased...) and which file
    > do I use the contents of as key material, how much do I use (just the
    > data and no headers), and do I have to do it all on one line per key?
    > Thanks for the help on this. I've searched for detailed info without
    > success.


    You're making this more complicated than it needs to be.

    As Martin stated previously, the keys file is just a list of keyids
    and passwords. You can populate this file yourself using your preferred
    passwords, or you may use ntp-keygen to generate the passwords, or some
    combination of both.

    You may create the manually populated keys file with your favorite
    editor and generate the passwords in your preferred manner. The contents
    of a manually populated keys file looks like this:

    -------------------------8X-------------------------

    1 M a_password
    2 M another_password
    5 M is_right_out
    42 M themeaningoflife
    255 M yet_another_password

    -------------------------8X-------------------------

    If you wish to use ntp-keygen to create the keys file run the following
    command in the directory where you wish to store the file:

    ntp-keygen -M

    The contents of the file generated in this way will look similar to:

    -------------------------8X-------------------------

    # ntpkey_MD5key_stasis.3424023800
    # Wed Jul 2 17:43:20 2008

    1 MD5 F<=\Q>+xuk:bMHO # MD5 key

    [snip]

    16 MD5 uWk>srQSIw0d=0N # MD5 key

    -------------------------8X-------------------------

    To use symmetric keys you must configure them in ntp.conf (we'll use the
    keyids shown above):

    Tell ntpd where to find the keys file with:

    keys /etc/ntp.keys

    Tell ntpd which keys in that file to trust with:

    trustedkey 1 2 42 255

    Tell ntpd which keys may be used to authenticate time service with:

    requestkey 1 2 255

    Tell ntpd which keys may be used to authenticate remote configuration
    with:

    controlkey 42

    Please note that the 'nomodify' restriction overrides the symmetric keys
    configuration. So hosts/sub-nets which are covered by 'nomodify' will
    not be able to remotely configure ntpd even if they know the right
    keyids and passwords.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  5. Re: Generating keys for ntpdc control

    Bob,

    Bob wrote:
    >
    > "Martin Burnicki" wrote in message
    > news:lbeuj5-4i6.ln1@gateway.py.meinberg.de...
    >> Bob,
    >>
    >> Bob wrote:
    >>> Can someone run me through the steps necessary to generate, and apply
    >>> keys
    >>> so I can use ntpdc to make on the fly changes to ntpd? I've read through
    >>> the docs - repeatedly! - and tried every incarnation of ntp-keygen
    >>> listed.

    >>
    >> ntp-keygen is used to generate private/public key pairs which are used
    >> for NTP's "autokey" schemes which have been introduced in NTPv4. The
    >> advantage of autokey is that you just have to distribute the public key
    >> to other machines but don't have to copy the private key to some other
    >> machine.
    >>
    >> The autokey scheme is used to let NTP clients be able to verify that a
    >> NTP packet received from a NTP server has indeed been sent by that server
    >> and not by someone else who wants to spoof a wrong time.
    >>
    >> The key numbers mentioned for ntpdc are referring to symmetric keys which
    >> have been introduced before NTPv4 (i.e. v3 or even v2, I'm not sure). The
    >> same key as used on the server has to be copied to the client in order to
    >> be able to authenticate (-> "symmetric").
    >>
    >> Those symmetric keys can also be used with ntpdc. However, AFAIK, the
    >> autokey scheme can not.
    >>
    >> To configure symmetric keys you have to create a text file on the NTP
    >> server, e.g. /etc/ntp.keys, which contains the keys, e.g.:
    >>
    >> 1 M my_secret_key
    >> 2 M another_secret_key
    >>
    >>> What I seem not to be able to get is what the "key number" represents.

    >>
    >> The first column is the key number you have been asking for. The second
    >> column is a shortcut for the type of encryption, where 'M' is for MD5
    >> which
    >> is AFAIK the only type of encryption still supported for symmetric keys.
    >> The 3rd column contains the keys, just text strings, which must be shared with
    >> the clients.
    >>
    >> Then the following lines need to be added to the server's ntp.conf file:
    >>
    >> keys /etc/ntp.keys # path for keys file
    >> trustedkey 1 2
    >>
    >> After ntpd has been restarted you should be able to use either key 1,
    >> "my_secret_key", or key 2, "another_secret_key", from your NTP client or
    >> with ntpdc.
    >>
    >> Having multiple keys as in the example above can be useful to share
    >> one key with one group of clients, and another key with another group of
    >> clients, if required.
    >>
    >> [...]
    >>> I'm running the current Meinberg windows port.

    >>
    >> Please note this is based on the original sources from ntp.org. Here at
    >> Meinberg we have just compiled those sources for Windows and put the
    >> resulting binaries into a GUI installer to simplify installation under
    >> Windows.
    >>
    >> Martin
    >> --
    >> Martin Burnicki
    >>
    >> Meinberg Funkuhren
    >> Bad Pyrmont
    >> Germany

    >
    > I'm getting closer... you actually put the key data in a file that you
    > point to. OK... how do I generate the keys?


    Hm, in the past I've just put a kind of password in as a key. That works.

    > For example, I tried the below
    > (of course, the keys listed have been erased...) and which file do I use
    > the contents of as key material, how much do I use (just the data and no
    > headers), and do I have to do it all on one line per key? Thanks for the
    > help on this. I've searched for detailed info without success.


    I've just seen a new bug
    http://bugs.ntp.org/1037
    which says the MD5 keys generated by ntp-keygen -M are 1 character shorter
    than they should be.

    Running ntp-keygen -M produces a file with 16 MD5 keys, e.g.:

    # ntpkey_MD5key_gateway.3424077267
    # Thu Jul 3 14:34:27 2008
    1 MD5 {ph":xjnCg=6ih` # MD5 key
    2 MD5 6Ny0U9qNXY*2D@p # MD5 key
    3 MD5 Qlsn(6Lz>m~x}V2 # MD5 key
    4 MD5 L{%cTECTpwaiHF< # MD5 key
    5 MD5 }zOay@i+;1v8S]S # MD5 key
    6 MD5 ) # MD5 key
    7 MD5 lB~^/}6Bt0=N`1q # MD5 key
    8 MD5 t.n$r{C=t'|E{ 9 MD5 yzyb]G>LmJ # MD5 key
    10 MD5 Ve7`}+@y~SdcLgv # MD5 key
    11 MD5 xq`?%KeehO`'?g3 # MD5 key
    12 MD5 1SV?LIMl1IA;L2i # MD5 key
    13 MD5 g$@J-h4n7iiJ^Tu # MD5 key
    14 MD5 OFh)V>%AT?6XiI~ # MD5 key
    15 MD5 cPi|bxlwH&^)dB@ # MD5 key
    16 MD5 5[0?>~(;4C0?at% # MD5 key

    where gateway is the name of the machine the command has been run on.

    Interestingly, while older NTP docs stated the second column should read
    just 'M' for MD5 keys, the generated key file contains 'MD5'. Don't know
    whether this is accepted by older and/or current versions of ntpd and
    ntpdc.

    Also, in my earlier post I forgot to mention that you should specify which
    keys should be used to authenticate with ntpdc and ntpq, i.e.:

    keys /etc/ntp.keys # path for keys file
    trustedkey 1 2 15
    controlkey 15 # ntpq
    requestkey 15 # ntpdc

    Though bug #418
    http://bugs.ntp.org/1037
    mentions that at least the controlkey stuff has never been implemented.


    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany
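The recipe Steve and Martin lay out above (a keys file in "keyno type key" format, then keys / trustedkey / requestkey / controlkey in ntp.conf, with a 'nomodify' restriction overriding all of it) can be checked mechanically before restarting ntpd. The following Python is an added example written for this page, not code from the NTP project or from either poster. The sample keys file and ntp.conf are constructed (trustedkey 7 is deliberately absent from the keys file, and 10.33.90.0/24 is deliberately restricted with nomodify so the checks have something to report); the restrict matching is a simplified most-specific-match model; the 1..65534 keyid range is an assumption about ntpd rather than something stated in the thread. It pairs requestkey with ntpdc and controlkey with ntpq, as Martin's follow-up does.

```python
import ipaddress

# Constructed sample inputs (not real secrets).
KEYS_FILE = """\
# constructed keys file in the 'keyno type key' layout
1 M a_password
2 M another_password
5 M is_right_out
42 M themeaningoflife
255 M yet_another_password
16 MD5 uWk>srQSIw0d=0N # MD5 key
"""

NTP_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2 42 255 7
requestkey 1 2 255
controlkey 42
restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.33.90.0 mask 255.255.255.0 nomodify
"""

KEY_TYPES = {"M", "MD5"}   # 'M' per the docs, 'MD5' as written by ntp-keygen -M
AUTH_CLIENT = {"requestkey": "ntpdc", "controlkey": "ntpq"}   # utility each directive gates


def parse_keys(text):
    """Return {keyno: (type, secret)} for a keys file; raise ValueError on bad lines."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or full-line comment
        fields = raw.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'keyno type key'")
        keyno_s, ktype, secret = fields[:3]           # anything after the key is a comment
        # Assumption: ntpd treats keyno 0 as 'no key' and reserves 65535, hence 1..65534.
        if not keyno_s.isdigit() or not 1 <= int(keyno_s) <= 65534:
            raise ValueError(f"line {lineno}: keyno must be in 1..65534")
        if ktype not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unsupported key type {ktype!r}")
        if int(keyno_s) in keys:
            raise ValueError(f"line {lineno}: duplicate keyno {keyno_s}")
        keys[int(keyno_s)] = (ktype, secret)
    return keys


def parse_restrict(args):
    """Turn 'restrict [-4|-6] <default|addr> [mask m] flag...' into (network, flags)."""
    args = [a for a in args if a not in ("-4", "-6")]
    target, rest = args[0], args[1:]
    if target == "default":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif rest[:1] == ["mask"]:
        net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
        rest = rest[2:]
    else:
        net = ipaddress.ip_network(target)            # a single host
    return net, set(rest)


def parse_conf(text):
    """Collect the authentication-related directives from ntp.conf."""
    conf = {"keys": None, "trustedkey": set(), "requestkey": set(),
            "controlkey": set(), "restrict": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()         # '#' starts a comment in ntp.conf
        if not fields:
            continue
        name, args = fields[0], fields[1:]
        if name == "keys":
            conf["keys"] = args[0] if args else None
        elif name in ("trustedkey", "requestkey", "controlkey"):
            conf[name].update(int(a) for a in args if a.isdigit())   # ranges like 1-10 ignored
        elif name == "restrict":
            conf["restrict"].append(parse_restrict(args))
    return conf


def restrict_flags(conf, client):
    """Flags ntpd applies to client: the most specific matching restrict line wins."""
    addr = ipaddress.ip_address(client)
    matches = [(net.prefixlen, flags) for net, flags in conf["restrict"]
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else set()


def lint(keys_text, conf_text, client):
    """List what would stop ntpdc/ntpq on `client` from reconfiguring this ntpd."""
    keys, conf = parse_keys(keys_text), parse_conf(conf_text)
    problems = []
    if conf["keys"] is None:
        problems.append("no 'keys' directive: ntpd loads no symmetric keys")
    for missing in sorted(conf["trustedkey"] - set(keys)):
        problems.append(f"trustedkey {missing} is not defined in the keys file")
    for directive, util in AUTH_CLIENT.items():
        if not conf[directive]:
            problems.append(f"no '{directive}' line: {util} requests cannot authenticate")
        for k in sorted(conf[directive] - conf["trustedkey"]):
            problems.append(f"{directive} {k} is not on the trustedkey line")
    if "nomodify" in restrict_flags(conf, client):
        problems.append(f"{client} is covered by 'nomodify': "
                        "remote configuration is refused even with a valid key")
    return problems


if __name__ == "__main__":
    for host in ("127.0.0.1", "10.33.90.50"):
        print(host, lint(KEYS_FILE, NTP_CONF, host) or ["ok"])
```

Run against the constructed files, the loopback host gets only the missing-key finding, while 10.33.90.50 also gets the nomodify finding, which is exactly the case Steve warns about: the right keyid and password do not help once the client falls under 'nomodify'.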

  6. Re: Generating keys for ntpdc control


    "Steve Kostecke" wrote in message
    news:slrng6pi3j.bj6.kostecke@stasis.kostecke.net...
    > On 2008-07-03, Bob wrote:
    >
    >> I'm getting closer... you actually put the key data in a file that you
    >> point to. OK... how do I generate the keys? For example, I tried the
    >> below (of course, the keys listed have been erased...) and which file
    >> do I use the contents of as key material, how much do I use (just the
    >> data and no headers), and do I have to do it all on one line per key?
    >> Thanks for the help on this. I've searched for detailed info without
    >> success.

    >
    > You're making this more complicated than it needs to be.
    >
    > As Martin stated previously, the keys file is just a list of keyids
    > and passwords. You can populate this file yourself using your preferred
    > passwords, or you may use ntp-keygen to generate the passwords, or some
    > combination of both.
    >
    > You may create the manually populated keys file with your favorite
    > editor and generate the passwords in your preferred manner. The contents
    > of a manually populated keys file looks like this:
    >
    > -------------------------8X-------------------------
    >
    > 1 M a_password
    > 2 M another_password
    > 5 M is_right_out
    > 42 M themeaningoflife
    > 255 M yet_another_password
    >
    > -------------------------8X-------------------------
    >
    > If you wish to use ntp-keygen to create the keys file run the following
    > command in the directory where you wish to store the file:
    >
    > ntp-keygen -M
    >
    > The contents of the file generated in this way will look similar to:
    >
    > -------------------------8X-------------------------
    >
    > # ntpkey_MD5key_stasis.3424023800
    > # Wed Jul 2 17:43:20 2008
    >
    > 1 MD5 F<=\Q>+xuk:bMHO # MD5 key
    >
    > [snip]
    >
    > 16 MD5 uWk>srQSIw0d=0N # MD5 key
    >
    > -------------------------8X-------------------------
    >
    > To use symmetric keys you must configure them in ntp.conf (we'll use the
    > keyids shown above):
    >
    > Tell ntpd where to find the keys file with:
    >
    > keys /etc/ntp.keys
    >
    > Tell ntpd which keys in that file to trust with:
    >
    > trustedkey 1 2 42 255
    >
    > Tell ntpd which keys may be used to authenticate time service with:
    >
    > requestkey 1 2 255
    >
    > Tell ntpd which keys may be used to authenticate remote configuration
    > with:
    >
    > controlkey 42
    >
    > Please note that the 'nomodify' restriction overrides the symmetric keys
    > configuration. So hosts/sub-nets which are covered by 'nomodify' will
    > not be able to remotely configure ntpd even if they know the right
    > keyids and passwords.
    >


    Still not working.... I did restart ntpd after creating the files....

    C:\PROGRA~1\NTP\etc>type ntp.keys
    1 M a_password
    2 M another_password
    5 M is_right_out
    42 M themeaningoflife
    255 M yet_another_password

    ***> ntp.conf contains:

    #--# authentication section #--#
    keys "C:\Program Files\NTP\etc\ntp.keys"
    enable auth
    trustedkey 1 2 42 255
    requestkey 1 2 255
    controlkey 42
    #--# end of authentication section #--#

    ***> Yet, I get Permission denied

    C:\PROGRA~1\NTP\etc>ntpdc
    ntpdc> restri 64.198.211.64 255.255.255.255 noserve
    Keyid: 42
    ***Permission denied <**** I entered "themeaningoflife" here
    ntpdc> vers
    ntpdc 4.2.4p3@1.1502-foehr-o Jul 25 12:53:26 (UTC+02:00) 2007 (3)



  7. Re: Generating keys for ntpdc control

    On 2008-07-03, Bob wrote:

    > "Steve Kostecke" wrote
    >
    > [---=| Quote block shrinked by t-prot: 66 lines snipped |=---]


    [snip]

    > Still not working... I did restart ntpd after creating the files...
    >
    > C:\PROGRA~1\NTP\etc>type ntp.keys
    > 1 M a_password
    > 2 M another_password
    > 5 M is_right_out
    > 42 M themeaningoflife
    > 255 M yet_another_password


    OK

    > ***> ntp.conf contains:
    >
    > #--# authentication section #--#
    > keys "C:\Program Files\NTP\etc\ntp.keys"


    I don't use Windows so someone else should comment here, but are spaces
    allowed in the filename? Perhaps C:\PROGRA~1\NTP\etc\ntp.keys might be
    better.

    > enable auth
    > trustedkey 1 2 42 255
    > requestkey 1 2 255
    > controlkey 42


    There is some debate as to whether or not controlkey was fully
    implemented. Have you tried using one of the key numbers on the
    requestkey line?

    > #--# end of authentication section #--#
    >
    > ***> Yet, I get Permission denied


    Are there any restrict lines that apply to the host you're running ntpdc
    on?
    >
    > C:\PROGRA~1\NTP\etc>ntpdc
    > ntpdc> restri 64.198.211.64 255.255.255.255 noserve
    > Keyid: 42
    > ***Permission denied <**** I entered "themeaningoflife" here


    It should have looked like:

    ntpdc> restrict 192.168.3.3 255.255.255.255 noserve
    Keyid: 678
    MD5 Password:
    ***Permission denied
    ntpdc>

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  8. Re: Generating keys for ntpdc control

    "Steve Kostecke" wrote in message
    news:slrng6qrhj.tjt.kostecke@stasis.kostecke.net...
    > On 2008-07-03, Bob wrote:




    > It should have looked like:
    >
    > ntpdc> restrict 192.168.3.3 255.255.255.255 noserve
    > Keyid: 678
    > MD5 Password:
    > ***Permission denied
    > ntpdc>



    There's not really a space in the file name. Type in Dos / Windoze is
    similar in function to cat in *nix.. Basically, I did a cat ntp.keys. I've
    got something called filemon that shows file system activity. I see ntp.keys
    being read by ntpd upon restart. I never see ntpdc touch the ntp.keys file -
    not sure if it's supposed to. Also, it appears from your example, which I
    assume is from BSD / Linux / Mac, that ntpdc is supposed to prompt for a
    password. The windows version says nothing after you respond to Keyid. I
    figured you have to enter a password (key contents?) because it does say
    "Invalid password" if you press enter at the flashing cursor after Keyid.

    Here's the contents of my ntp.conf except for comments, and server addresses
    other than my local GPS / OCXO clock - no, 1pps doesn't work under Windows.

    Thanks for your help with this.

    keys "C:\Program Files\NTP\etc\ntp.keys"
    enable auth
    trustedkey 1 2 42 255
    requestkey 1 2 255
    controlkey 42
    driftfile "C:\Program Files\NTP\etc\ntp.drift"
    server 127.127.1.0 minpoll 4 maxpoll 10
    fudge 127.127.1.1 stratum 10
    server 10.33.90.50 minpoll 4 maxpoll 4 iburst
    server
    server
    server
    server
    enable stats
    statsdir "C:\Program Files\NTP\etc\"
    statistics loopstats



  9. Re: Generating keys for ntpdc control

    "Bob" wrote in message
    news:Bkgbk.23790$AJ6.5384@bignews8.bellsouth.net...

    > [...] I never see ntpdc touch the ntp.keys file - not sure if it's
    > supposed to. ...


    No, it isn't. It's supposed to send questions to ntpd, which is
    supposed to send answers. Ntpd may touch local files, ntpdc should
    be network-transparent.

    Groetjes,
    Maarten Wiltink



  10. Re: Generating keys for ntpdc control

    Bob,

    I've just done some quick tests, and it worked for me.

    Installed the foehr-v2 version (should be the same you are using) on W2k
    with the following config files:

    ntp.conf:
    -----------------------------------------
    driftfile "E:\Program Files\NTP\etc\ntp.drift"
    server gateway iburst minpoll 6 maxpoll 6
    keys "E:\Program Files\NTP\etc\ntp.key"
    trustedkey 5 6
    requestkey 5
    controlkey 5
    -----------------------------------------

    ntp.key:
    -----------------------------------------
    6 M key1
    5 M key2
    -----------------------------------------

    Then I tried at the ntpdc prompt:
    ntpdc> addserver pc-martin iburst
    Keyid: 5
    (here should be a prompt for the MD5 password, where I entered "key2")
    done!

    So the command was successful unless I mis-typed and corrected the MD5
    password. After this ntpq -p listed the new server, so everything is fine.

    Maybe you can try to use a simple MD5 key like me, and see if it works?

    BTW, running the debug version of ntpdc did pop up the debugger, with an
    "assertion failed" message. When I ignored that failed assertion the "MD5
    password: " prompt was displayed.

    Strange, I'll have a closer look at this later.

    Martin
    --
    Martin Burnicki

    Meinberg Funkuhren
    Bad Pyrmont
    Germany

  11. Re: Generating keys for ntpdc control

    On 2008-07-04, Martin Burnicki wrote:

    > ntp.key:
    > -----------------------------------------
    > 6 M key1
    > 5 M key2
    > -----------------------------------------


    [snip]

    > Maybe you can try to use a simple MD5 key like me, and see if it works?


    The key* strings in your ntp.key file are not the actual keys; they are
    what you enter at the _password_ prompt. An MD5 hash of the password is
    the key which is sent across the wire.

    FWIW: I had an association running here which used an ~ 480 character
    password.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/
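Steve's point above, that the password in the keys file is not what crosses the wire, can be made concrete. The following Python is an added example and not NTP project code: it builds a constructed 48-byte NTP header, appends the RFC 5905 symmetric-key authenticator (32-bit keyid followed by MD5 over key || packet) and verifies it the way a receiver would, rejecting tampered packets, wrong passwords, and keyids that are known but not trusted. The key table and packet contents are constructed; the mode 7 request packets ntpdc sends have a different header layout but carry the same keyid-plus-digest trailer.

```python
import hashlib
import hmac
import struct

# Constructed key table, as a keys file would be loaded into ntpd:
# keyid -> password.  Only the trusted set may authenticate anything.
KEYS = {42: "themeaningoflife", 255: "yet_another_password", 5: "is_right_out"}
TRUSTED = {42, 255}

MAC_LEN = 4 + 16           # 32-bit keyid followed by a 16-byte MD5 digest
HEADER_LEN = 48            # RFC 5905 packet header


def build_header(mode=3, version=4):
    """A minimal, constructed 48-byte NTP header: LI/VN/mode, stratum, poll,
    precision, then root delay, root dispersion, reference id and the four
    timestamps, all left at zero."""
    li_vn_mode = (version << 3) | mode
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *([0] * 11))


def compute_mac(packet, keyid, password):
    """keyid || MD5(password || packet): the authenticator ntpd appends.
    The password itself is never transmitted, only the keyid is in the clear."""
    digest = hashlib.md5(password.encode("ascii") + packet).digest()
    return struct.pack("!I", keyid) + digest


def authenticate(packet, keyid, password):
    """Client side: append the 20-byte authenticator."""
    return packet + compute_mac(packet, keyid, password)


def verify(message, keys=KEYS, trusted=TRUSTED):
    """Server side: split off the trailer, require a trusted and known keyid,
    recompute the digest and compare in constant time.  Returns (ok, reason)."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False, "no authenticator"
    body, trailer = message[:-MAC_LEN], message[-MAC_LEN:]
    keyid = struct.unpack("!I", trailer[:4])[0]
    if keyid not in trusted:
        return False, f"keyid {keyid} not trusted"
    if keyid not in keys:
        return False, f"keyid {keyid} unknown"
    if not hmac.compare_digest(compute_mac(body, keyid, keys[keyid]), trailer):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Exercise the receiver checks; returns the (ok, reason) pairs."""
    pkt = build_header()
    good = authenticate(pkt, 42, KEYS[42])
    tampered = bytearray(good)
    tampered[12] ^= 0x01                        # flip one bit in the reference id
    wrong_pw = authenticate(pkt, 42, "themeaningoflifE")
    untrusted = authenticate(pkt, 5, KEYS[5])   # in the keys file, not on trustedkey
    return {
        "good": verify(good),
        "tampered": verify(bytes(tampered)),
        "wrong_password": verify(wrong_pw),
        "untrusted_keyid": verify(untrusted),
        "unauthenticated": verify(pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

Because the digest is a function of the shared password and nothing else secret, the password's strength is the strength of the whole scheme, which is why a long password (Steve's ~480 characters) is a reasonable choice and why the one-character-short keys from the ntp-keygen bug Martin cites are worth regenerating.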

  12. Re: Generating keys for ntpdc control

    On 2008-07-04, Bob wrote:

    > There's not really a space in the file name. Type in Dos / Windoze is
    > similar in function to cat in *nix.. Basically, I did a cat ntp.keys.


    I've used DOS/Windows in the past so I do know what 'type' is.

    > I've got something called filemon that shows file system activity. I
    > see ntp.keys being read by ntpd upon restart. I never see ntpdc touch
    > the ntp.keys file - not sure if it's supposed to.


    ntpdc does not access any files.

    > Also, it appears from your example, which I assume is from BSD / Linux
    > / Mac,


    Debian (Linux)

    > that ntpdc is supposed to prompt for a password.


    It has to.

    > The windows version says nothing after you respond to Keyid. If
    > figured you have to enter a password (key contents?) because it does
    > say "Invalid password" if you press enter at the flashing cursor after
    > Keyid.


    With ntp-dev-4.2.5p118 I see the "Invalid password" message if I enter
    no password at all (i.e. just hit return as the "MD5 Password:" prompt)
    and a "***Permission denied" message if I enter the wrong password or
    use an untrusted key.

    It is possible that ntpdc is not seeing the password you typed in.

    > Here's the contents of my ntp.conf except for comments, and server addresses
    > other than my local GPS / OCXO clock - no 1pps doesn't work under windows.


    None of the following is germane to your symmetric key issue, but ...

    > keys "C:\Program Files\NTP\etc\ntp.keys"
    > enable auth


    Auth is enabled by default. It can be disabled on the command-line. The
    worst that can happen is this line will generate an extra log entry.

    > trustedkey 1 2 42 255
    > requestkey 1 2 255
    > controlkey 42
    > driftfile "C:\Program Files\NTP\etc\ntp.drift"
    > server 127.127.1.0 minpoll 4 maxpoll 10
    > fudge 127.127.1.1 stratum 10
    > server 10.33.90.50 minpoll 4 maxpoll 4 iburst


    This minpoll/maxpoll combination means that you are polling this server
    every 16 seconds. That's generally considered to be "unfriendly" unless
    it's your server.

    ntpd has been designed to choose the correct poll interval to strike a
    balance between quick short term correction and long term stability. It
    is generally considered better to allow ntpd to manage the poll
    interval.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  13. Re: Generating keys for ntpdc control


    "Steve Kostecke" wrote in message
    news:slrng6sdqh.lip.kostecke@stasis.kostecke.net...
    > On 2008-07-04, Bob wrote:
    >>
    >> that ntpdc is supposed to prompt for a password.

    >
    > It has to.

    The Windows version does not. It asks for keyid, and when entered, moves to
    a new line with no prompt.

    > It is possible that ntpdc is not seeing the password you typed in.


    After getting past the key file content, and ntp.conf issue, what I finally
    figured out is that ntpdc will remember that it got a "permission denied",
    and no further attempts will be made without stopping and restarting it.

    > None of the following is germane to your symmetric key issue, but ...
    >
    >> keys "C:\Program Files\NTP\etc\ntp.keys"
    >> enable auth

    >
    > Auth is enabled by default. It can be disabled on the command-line. The
    > worst that can happen is this line will generate an extra log entry.


    I disabled auth earlier this week, and promptly got attacked. I did an
    enable auth with the intention of reversing my disable auth.
    >
    > This minpoll/maxpoll combination means that you are polling this server
    > every 16 seconds. That's generally considered to be "unfriendly" unless
    > it's your server.


    Agreed... REAL unfriendly! It is a Truetime NTS-100. I can't use it
    directly as my publicly visible server because of some firmware bugs in it
    where its NTP output isn't universally liked by clients. Also, sending
    packets to these too quickly - several per second - puts them to sleep.
    >
    > ntpd has been designed to choose the correct poll interval to strike a
    > balance between quick short term correction and long term stability. It
    > is generally considered better to allow ntpd to manage the poll
    > interval.


    The shorter poll interval seems to smooth out the Windows induced timing
    variations. I've tried it with no special instructions, and the offset
    variation seems smaller. This server (NTS-100) is favored as the selected
    clock because it's got ~0 round trip time, and it's got little jitter.


    > --
    > Steve Kostecke
    > NTP Public Services Project - http://support.ntp.org/




  14. Re: Generating keys for ntpdc control


    "Martin Burnicki" wrote in message
    news:gng1k5-i11.ln1@gateway.py.meinberg.de...
    > Bob,
    >
    > I've just done some quick tests, and it worked for me.
    >
    > Installed the foehr-v2 version (should be the same you are using) on W2k
    > with the following config files:
    >
    > ntp.conf:
    > -----------------------------------------
    > driftfile "E:\Program Files\NTP\etc\ntp.drift"
    > server gateway iburst minpoll 6 maxpoll 6
    > keys "E:\Program Files\NTP\etc\ntp.key"
    > trustedkey 5 6
    > requestkey 5
    > controlkey 5
    > -----------------------------------------
    >
    > ntp.key:
    > -----------------------------------------
    > 6 M key1
    > 5 M key2
    > -----------------------------------------
    >
    > Then I tried at the ntpdc prompt:
    > ntpdc> addserver pc-martin iburst
    > Keyid: 5
    > (here should be a prompt for the MD5 password, where I entered "key2")
    > done!
    >
    > So the command was successful unless I mis-typed and corrected the MD5
    > password. After this ntpq -p listed the new server, so everything is fine.
    >
    > Maybe you can try to use a simple MD5 key like me, and see if it works?
    >
    > BTW, running the debug version of ntpdc did pop up the debugger, with an
    > "assertion failed" message. When I ignored that failed assertion the "MD5
    > password: " prompt was displayed.
    >
    > Strange, I'll have a closer look at this later.
    >
    > Martin
    > --
    > Martin Burnicki
    >
    > Meinberg Funkuhren
    > Bad Pyrmont
    > Germany


    Got it working... thanks!
    After getting past the key file content, lack of password prompt, and
    ntp.conf issue, what I finally figured out is that ntpdc will remember that
    it got a "permission denied", and no further attempts will be made without
    stopping and restarting it.



  15. Re: Generating keys for ntpdc control

    Steve,

    When I wrote the ntp-keygen page I was mostly concerned to demystify the
    autokey files; a casual reader could well drown before figuring out all
    that is needed is the -M option. I put a note to that effect on the page.

    Dave

    Steve Kostecke wrote:

    > On 2008-07-03, Bob wrote:
    >
    >
    >>I'm getting closer... you actually put the key data in a file that you
    >>point to. OK... how do I generate the keys? For example, I tried the
    >>below (of course, the keys listed have been erased...) and which file
    >>do I use the contents of as key material, how much do I use (just the
    >>data and no headers), and do I have to do it all on one line per key?
    >>Thanks for the help on this. I've searched for detailed info without
    >>success.

    >
    >
    > You're making this more complicated than it needs to be.
    >
    > As Martin stated previously, the keys file is just a list of keyids
    > and passwords. You can populate this file yourself using your preferred
    > passwords, or you may use ntp-keygen to generate the passwords, or some
    > combination of both.
    >
    > You may create the manually populated keys file with your favorite
    > editor and generate the passwords in your preferred manner. The contents
    > of manually populated keys file looks like this:
    >
    > -------------------------8X-------------------------
    >
    > 1 M a_password
    > 2 M another_password
    > 5 M is_right_out
    > 42 M themeaningoflife
    > 255 M yet_another_password
    >
    > -------------------------8X-------------------------
    >
    > If you wish to use ntp-keygen to create the keys file run the following
    > command in the directory where you wish to store the file:
    >
    > ntp-keygen -M
    >
    > The contents of the file generated in this way will look similar to:
    >
    > -------------------------8X-------------------------
    >
    > # ntpkey_MD5key_stasis.3424023800
    > # Wed Jul 2 17:43:20 2008
    >
    > 1 MD5 F<=\Q>+xuk:bMHO # MD5 key
    >
    > [snip]
    >
    > 16 MD5 uWk>srQSIw0d=0N # MD5 key
    >
    > -------------------------8X-------------------------
    >
    > To use symmetric keys you must configure them in ntp.conf (we'll use the
    > keyids shown above):
    >
    > Tell ntpd where to find the keys file with:
    >
    > keys /etc/ntp.keys
    >
    > Tell ntpd which keys in that file to trust with:
    >
    > trustedkey 1 2 42 255
    >
    > Tell ntpd which keys may be used to authenticate time service with:
    >
    > requestkey 1 2 255
    >
    > Tell ntpd which keys may be used to authenticate remote configuration
    > with:
    >
    > controlkey 42
    >
    > Please note that the 'nomodify' restriction overrides the symmetric keys
    > configuration. So hosts/sub-nets which are covered by 'nomodify' will
    > not be able to remotely configure ntpd even if they know the right
    > keyids and passwords.
    >
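    The keys file and ntp.conf directives described in this post and in Martin's
    config example above are easy to get out of step (a controlkey that is not in
    trustedkey, a trusted keyid missing from the file). The following checker is an
    added example, not code from the thread or the NTP project; the two sample files
    are constructed from the keyids shown above, and it assumes the one-keyid-per-
    token syntax shown here (no keyid ranges).

```python
# Added example (not the thread's code); the two sample files below are constructed.
SAMPLE_KEYS = """\
# ntpkey_MD5key_example      (comment line, as ntp-keygen -M writes)
1 M a_password
2 M another_password
5 M is_right_out
42 M themeaningoflife
255 M yet_another_password
"""

SAMPLE_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2 42 255
requestkey 1 2 255
controlkey 42
restrict default nomodify
"""

def parse_keys(text):
    """Return {keyid: type} from 'keyno type key' lines; '#' lines are comments."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()            # a trailing '# MD5 key' comment is ignored
        if len(parts) < 3 or not parts[0].isdigit():
            raise ValueError("malformed keys line: %r" % line)
        keys[int(parts[0])] = parts[1]
    return keys

def parse_conf(text):
    """Collect keyids from trustedkey/requestkey/controlkey and any nomodify restricts."""
    conf = {"trustedkey": set(), "requestkey": set(), "controlkey": set(), "nomodify": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] in ("trustedkey", "requestkey", "controlkey"):
            conf[parts[0]].update(int(p) for p in parts[1:] if p.isdigit())
        elif len(parts) > 2 and parts[0] == "restrict" and "nomodify" in parts[2:]:
            conf["nomodify"].append(parts[1])
    return conf

def check(keys_text, conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    keys, conf = parse_keys(keys_text), parse_conf(conf_text)
    findings = ["trustedkey %d is not present in the keys file" % k
                for k in sorted(conf["trustedkey"] - set(keys))]
    for role in ("requestkey", "controlkey"):
        findings += ["%s %d is not listed in trustedkey" % (role, k)
                     for k in sorted(conf[role] - conf["trustedkey"])]
    findings += ["key %d is in the keys file but not trusted (unused)" % k
                 for k in sorted(set(keys) - conf["trustedkey"])]
    if conf["nomodify"] and conf["controlkey"]:
        findings.append("nomodify on %s overrides controlkey for those hosts" % ", ".join(conf["nomodify"]))
    return findings
```

    On the sample files it reports only that key 5 is unused and that the
    `restrict default nomodify` line blocks remote configuration regardless of controlkey.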


  16. Re: Generating keys for ntpdc control

    In article "Bob"
    writes:
    >
    >"Steve Kostecke" wrote in message
    >news:slrng6sdqh.lip.kostecke@stasis.kostecke.net...
    >
    >> None of the following is germane to your symmetric key issue, but ...
    >>
    >>> keys "C:\Program Files\NTP\etc\ntp.keys"
    >>> enable auth

    >>
    >> Auth is enabled by default. It can be disabled on the command-line. The
    >> worst that can happen is this line will generate an extra log entry.

    >
    >I disabled auth earlier this week, and promptly got attacked. I did an
    >enable auth with the intention of reversing my disable auth.


    Unless someone has done something really bad to current versions of the
    code, enable/disable auth has nothing to do with ntpdc control commands
    - those *always* require authentication, and if you haven't configured a
    key file, they just cannot be done. If (as you claimed earlier) your
    config got changed by someone else, you have bigger problems to chase
    (as in someone has broken into your system). I suspect that you were
    just seeing a badly-behaved client trying to get time from your server,
    though.

    --Per Hedeland
    per@hedeland.org

  17. Re: Generating keys for ntpdc control


    "Per Hedeland" wrote in message
    news:g4m5s6$312b$1@hedeland.org...
    > In article "Bob"
    > writes:
    >>
    >>"Steve Kostecke" wrote in message
    >>news:slrng6sdqh.lip.kostecke@stasis.kostecke.net...
    >>
    >>> None of the following is germane to your symmetric key issue, but ...
    >>>
    >>>> keys "C:\Program Files\NTP\etc\ntp.keys"
    >>>> enable auth
    >>>
    >>> Auth is enabled by default. It can be disabled on the command-line. The
    >>> worst that can happen is this line will generate an extra log entry.

    >>
    >>I disabled auth earlier this week, and promptly got attacked. I did an
    >>enable auth with the intention of reversing my disable auth.

    >
    > Unless someone has done something really bad to current versions of the
    > code, enable/disable auth has nothing to do with ntpdc control commands
    > - those *always* require authentication, and if you haven't configured a
    > key file, they just cannot be done. If (as you claimed earlier) your
    > config got changed by someone else, you have bigger problems to chase
    > (as in someone has broken into your system). I suspect that you were
    > just seeing a badly-behaved client trying to get time from your server,
    > though.
    >
    > --Per Hedeland
    > per@hedeland.org


    There was no change to my config file. I noticed that I was frequently
    polling a single server in addition to my normal list, which were being
    polled at their normal rate. I looked at my server list, via ntpdc, and
    there were about 15 entries for the same IP. I never told my system to look
    at that server. I saw reasonably frequent incoming requests from that
    server, and they were listed as mode 1. I looked at the time being received
    from that server, and its time was off by a couple of minutes. I'm willing
    to set my server to disable auth, and see if it happens again. This time
    Wireshark will be running to see what they're sending.



  18. Re: Generating keys for ntpdc control

    Bob wrote:
    > "Steve Kostecke" wrote in message
    > news:slrng6qrhj.tjt.kostecke@stasis.kostecke.net...
    >> On 2008-07-03, Bob wrote:

    >
    >
    >
    >> It should have looked like:
    >>
    >> ntpdc> restrict 192.168.3.3 255.255.255.255 noserve
    >> Keyid: 678
    >> MD5 Password:
    >> ***Permission denied
    >> ntpdc>

    >
    >
    > There's not really a space in the file name. Type in Dos / Windoze is
    > similar in function to cat in *nix.. Basically, I did a cat ntp.keys. I've
    > got something called filemon that shows file system activity. I see ntp.keys
    > being read by ntpd upon restart. I never see ntpdc touch the ntp.keys file -
    > not sure if it's supposed to. Also, it appears from your example, which I
    > assume is from BSD / Linux / Mac, that ntpdc is supposed to prompt for a
    > password. The Windows version says nothing after you respond to Keyid. I
    > figured you have to enter a password (key contents?) because it does say
    > "Invalid password" if you press enter at the flashing cursor after Keyid.
    >


    That might be a bug in the Windows environment. You should enter a bug
    report on this.

    Danny

  19. Re: Generating keys for ntpdc control

    In article "Bob"
    writes:
    >
    >"Per Hedeland" wrote in message
    >news:g4m5s6$312b$1@hedeland.org...
    >> In article "Bob"
    >> writes:
    >>>
    >>>"Steve Kostecke" wrote in message
    >>>news:slrng6sdqh.lip.kostecke@stasis.kostecke.net...
    >>>
    >>>> None of the following is germane to your symmetric key issue, but ...
    >>>>
    >>>>> keys "C:\Program Files\NTP\etc\ntp.keys"
    >>>>> enable auth
    >>>>
    >>>> Auth is enabled by default. It can be disabled on the command-line. The
    >>>> worst that can happen is this line will generate an extra log entry.
    >>>
    >>>I disabled auth earlier this week, and promptly got attacked. I did an
    >>>enable auth with the intention of reversing my disable auth.

    >>
    >> Unless someone has done something really bad to current versions of the
    >> code, enable/disable auth has nothing to do with ntpdc control commands
    >> - those *always* require authentication, and if you haven't configured a
    >> key file, they just cannot be done. If (as you claimed earlier) your
    >> config got changed by someone else, you have bigger problems to chase
    >> (as in someone has broken into your system). I suspect that you were
    >> just seeing a badly-behaved client trying to get time from your server,
    >> though.


    >There was no change to my config file.


    No, there is no code in ntpd to write to the config file, but of course
    changing the running config is serious enough.

    > I noticed that I was frequently
    >polling a single server in addition to my normal list, which were being
    >polled at their normal rate.


    How did you determine that you were "polling" that server, and not just
    sending replies to requests?

    > I looked at my server list, via ntpdc, and
    >there were about 15 entries for the same IP.


    What exact ntpdc command did you use for this?

    --Per Hedeland
    per@hedeland.org

  20. Unauthorized remote server configuration

    Subject was Re: Generating keys for ntpdc control
    "Per Hedeland" wrote in message
    news:g4noe9$hb2$1@hedeland.org...
    >
    >>There was no change to my config file.

    >
    > No, there is no code in ntpd to write to the config file, but of course
    > changing the running config is serious enough.
    >
    >> I noticed that I was frequently
    >>polling a single server in addition to my normal list, which were being
    >>polled at their normal rate.

    >
    > How did you determine that you were "polling" that server, and not just
    > sending replies to requests?
    >
    >> I looked at my server list, via ntpdc, and
    >>there were about 15 entries for the same IP.

    >
    > What exact ntpdc command did you use for this?
    >
    > --Per Hedeland
    > per@hedeland.org


    It's happened again. I disabled auth last night after my previous post, and
    let it run overnight with Wireshark capturing. I've now got two IP addresses
    listed as peers that I did not add. They are listed as "sym_passive". I see
    requests from these sites listed as "mode 1" in monlist. Looking at the
    Wireshark packet captures, the packet from the remote that seems to make me
    start polling the remote contains a flag of "Symmetric Mode Active". I got
    a number of packets from this same remote that I began polling, that when
    looked at with Wireshark, did things like changing polling frequency. All
    had "Symmetric Mode Active" set. My polls all have "Symmetric Mode Passive"
    set.

    According to the docs, "Since an intruder can impersonate a symmetric active
    peer and inject false time values, symmetric mode should always be
    cryptographically validated." That's what seems to be the attempt here
    because, as you can see below, the unwanted peers' time is offset. This ONLY
    happens when I say disable auth in the config. When I say enable auth, or
    leave disable auth out, I've never had a problem. Also, this morning, since
    the remote was actively sending these packets, I removed disable auth from
    the config, and restarted. The packets they sent had no effect. I then
    reinserted disable auth, and restarted. With the first packet they sent, I
    began polling them for time, and they were inserted as a peer. I've got the
    packet captures for what was sent, and my response if anyone thinks this
    might be a bug that warrants further investigation.

    BTW: I'm running the current Windows port.


    ntpdc> listpee
    client xxx.xxx.xxx.xxx
    client client LOCAL(0)
    client xxx.xxx.xxx.xxx
    client xxx.xxx.xxx.xxx
    sym_passive xxx.xxx.xxx.xxx
    sym_passive xxx.xxx.xxx.xxx
    ntpdc> peer
    remote local st poll reach delay offset disp
    ======================================================================
    =xxx.xxx.xxx.xxx 10.33.90.10 2 128 377 0.05254 -0.002906 0.08342
    =xxx.xxx.xxx.xxx 10.33.90.10 1 128 377 0.04851 -0.002161 0.08820
    =LOCAL(0) 127.0.0.1 5 16 377 0.00000 0.000000 0.01515
    =xxx.xxx.xxx.xxx 10.33.90.10 2 128 377 0.05470 0.000449 0.08444
    *xxx.xxx.xxx.xxx 10.33.90.10 1 128 377 0.02818 -0.000289 0.06276
    -xxx.xxx.xxx.xxx 10.33.90.10 2 128 117 0.06007 -0.053240 0.30006
    -xxx.xxx.xxx.xxx 10.33.90.10 3 512 0 0.28026 0.465356 3.99217
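    The "Symmetric Mode Active" flag Bob saw in Wireshark is the mode field of the
    first NTP header byte. As an added example (not code from the thread or the NTP
    project), the script below decodes that byte per the RFC 5905 layout and flags
    mode-1 packets from hosts that are not configured peers, or that arrive without a
    MAC; the traffic is constructed, and the assumption that any bytes after the
    48-byte header are a keyid+digest MAC is marked in the code.

```python
# Added example (not from the thread): decode the NTP header's first byte and flag
# symmetric-active (mode 1) packets that no configured peer should be sending.
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

def parse_header(pkt):
    """Decode LI/VN/Mode (RFC 5905 layout) and whether bytes follow the 48-byte header."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    first = pkt[0]
    # Assumption: anything beyond 48 bytes is treated as a keyid+digest MAC
    # (a 4-byte crypto-NAK would also count; extension fields are not handled).
    return {"li": first >> 6, "vn": (first >> 3) & 7, "mode": first & 7,
            "mode_name": MODE_NAMES[first & 7], "mac_present": len(pkt) > 48}

def audit(packets, configured_peers):
    """packets: [(src_ip, raw_bytes)]. Return alerts for mode-1 packets that
    come from unconfigured hosts or arrive without a MAC."""
    alerts = []
    for src, pkt in packets:
        hdr = parse_header(pkt)
        if hdr["mode"] != 1:
            continue
        if src not in configured_peers:
            alerts.append("%s: unsolicited symmetric-active packet, MAC=%s"
                          % (src, hdr["mac_present"]))
        elif not hdr["mac_present"]:
            alerts.append("%s: configured peer sent symmetric-active packet without MAC" % src)
    return alerts

def make_packet(li, vn, mode, mac_len=0):
    """Constructed minimal packet: first byte packed, rest of header zeroed, dummy MAC."""
    return bytes([(li << 6) | (vn << 3) | mode]) + bytes(47) + bytes(mac_len)

# Constructed traffic; addresses are documentation ranges, not real hosts.
CONFIGURED_PEERS = {"192.0.2.10"}
SAMPLE_TRAFFIC = [
    ("198.51.100.7", make_packet(0, 3, 1)),            # unknown host, mode 1, no MAC
    ("203.0.113.5", make_packet(0, 4, 3)),             # ordinary client request
    ("192.0.2.10", make_packet(0, 4, 1, mac_len=20)),  # peer with keyid + MD5 digest
    ("192.0.2.10", make_packet(0, 4, 1)),              # peer, but unauthenticated
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC, CONFIGURED_PEERS):
        print(alert)
```

    With auth enabled, ntpd discards the unauthenticated mode-1 packets this flags;
    with `disable auth` they are exactly the ones that mobilize an unwanted sym_passive association.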


