ntpdate with auth - NTP



  1. ntpdate with auth

    Hi all,
    Has anybody tried using ntpdate with iff and rsa keys on the time server? There is no problem when using symmetric md5 keys (-k and -a options for ntpdate) but I have no idea how to force ntpdate to use the public key for iff when the remote server uses only that type of authentication. Ntpd works perfect with that but unfortunately not ntpdate.

    thanks for your help,
    Grzegorz Daniluk

  2. Re: ntpdate with auth

    lin_g wrote:
    > Hi all,
    > Has anybody tried using ntpdate with iff and rsa keys on the time


    ntpdate is deprecated.

    > server? There is no problem when using symmetric md5 keys (-k and -a
    > options for ntpdate) but I have no idea how to force ntpdate to use the
    > public key for iff when the remote server uses only that type of
    > authentication. Ntpd works perfect with that but unfortunately not
    > ntpdate.

  3. Re: ntpdate with auth

    On 2008-07-11, lin_g wrote:

    > Has anybody tried using ntpdate with iff and rsa keys on the time
    > server? There is no problem when using symmetric md5 keys (-k and
    > -a options for ntpdate) but I have no idea how to force ntpdate to
    > use the public key for iff when the remote server uses only that type of
    > authentication.


    My quick review of the ntpdate source shows that it only uses symmetric
    keys.

    > Ntpd works perfect with that but unfortunately not ntpdate.


    Why not use ntpd, then?

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  4. Re: ntpdate with auth

    Steve Kostecke wrote:
    > On 2008-07-11, lin_g wrote:
    >
    >
    >> Has anybody tried using ntpdate with iff and rsa keys on the time
    >> server? There is no problem when using symmetric md5 keys (-k and
    >> -a options for ntpdate) but I have no idea how to force ntpdate to
    >> use the public key for iff when the remote server uses only that type of
    >> authentication.
    >>

    >
    > My quick review of the ntpdate source shows that it only uses symmetric
    > keys.
    >
    >

    hmm... as I thought
    >> Ntpd works perfect with that but unfortunately not ntpdate.
    >>

    >
    > Why not use ntpd, then?
    >
    >

    I'm using ntpd too but I need a simple way to get the time difference
    between the server and my host and ntpdate gives me that information.

  5. Re: ntpdate with auth

    On 2008-07-13, Grzegorz Daniluk wrote:

    > Steve Kostecke pisze:
    >
    >> Why not use ntpd, then?

    >
    > I'm using ntpd too but I need a simple way to get the time difference
    > between the server and my host and ntpdate gives me that information.


    ntpq -p will show the offset between your ntpd and a remote time server.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  6. Re: ntpdate with auth

    Steve Kostecke wrote:
    > ntpq -p will show the offset between your ntpd and a remote time server.

    Yes, I know that, but I can't have those time servers whose time
    difference I'm checking on my servers list in ntp.conf (I don't want ntpd
    to start synchronizing to them).
    So finally I need to have some sources in ntp.conf and I need to know
    the difference of time of a few servers that I can't synchronize to.
    That's the problem I tried to solve using ntpdate. And it works perfect
    unless I need to use iff with RSA

  7. Re: ntpdate with auth

    >>> In article <487ADEF9.7000609@o2.pl>, lin_g@o2.pl (Grzegorz Daniluk) writes:

    Grzegorz> Yes, I know that, but I can't have that time servers whose time
    Grzegorz> difference I'm checking on my servers list in ntp.conf(i don't
    Grzegorz> want ntpd to start synchronize to them).

    See the 'noselect' option in the confopt.html page.

    --
    Harlan Stenn
    http://ntpforum.isc.org - be a member!

  8. Re: ntpdate with auth

    Grzegorz Daniluk wrote:
    > Steve Kostecke wrote:
    >> ntpq -p will show the offset between your ntpd and a remote time server.

    > Yes, I know that, but I can't have that time servers whose time
    > difference I'm checking on my servers list in ntp.conf(i don't want ntpd
    > to start synchronize to them).


    Check the documentation. There is an option that allows you to
    configure a server such that its time is never used.

  9. Re: ntpdate with auth

    Grzegorz Daniluk wrote:
    > Steve Kostecke wrote:
    >> ntpq -p will show the offset between your ntpd and a remote time server.

    > Yes, I know that, but I can't have that time servers whose time
    > difference I'm checking on my servers list in ntp.conf(i don't want ntpd
    > to start synchronize to them).
    > So finally I need to have some sources in ntp.conf and I need to know
    > the difference of time of few servers that I can't synchronize to.
    > That's the problem I tried to solve using ntpdate. And it works perfect
    > unless I need to use iff with RSA


    The autokey code requires a number of packets to be exchanged before the
    client can authenticate the server. That's inappropriate for ntpdate. In
    addition, we want to retire ntpdate and adding such a feature to it
    would take a great deal of work. So far only ntpd can do autokey.

    Danny

  10. Re: ntpdate with auth

    On 2008-07-14, Grzegorz Daniluk wrote:

    > Steve Kostecke wrote:
    >
    >> ntpq -p will show the offset between your ntpd and a remote time
    >> server.

    >
    > Yes, I know that, but I can't have that time servers whose time
    > difference I'm checking on my servers list in ntp.conf(i don't want
    > ntpd to start synchronize to them).


    You can include reference time sources in your ntp.conf

    The syntax is:

    server your.reference.server noselect

    > So finally I need to have some sources in ntp.conf


    You will need to select some time sources whether you're using ntpd or
    ntpdate.

    > and I need to know the difference of time of few servers that I can't
    > synchronize to.


    ???

    > That's the problem I tried to solve using ntpdate. And it works
    > perfect unless I need to use iff with RSA


    What's the real issue here?

    Are you trying to manually check the offset of a free running system?

    Are you trying to manually check the offset of a system disciplined by
    ntpd?

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  11. Re: ntpdate with auth

    Steve Kostecke wrote:
    >
    > What's the real issue here?
    >
    > Are you trying to manually check the offset of a free running system?
    >
    > Are you trying to manually check the offset of a system disciplined by
    > ntpd?
    >
    >

    I'm trying to manually check the difference between the system that I
    know is ntpd server and my ntp server but that remote machine is not the
    time server for me (I'm not synchronizing my time to that server)

    Grzegorz Daniluk

  12. Re: ntpdate with auth

    Steve Kostecke wrote:
    >
    > What's the real issue here?
    >
    > Are you trying to manually check the offset of a free running system?
    >
    > Are you trying to manually check the offset of a system disciplined by
    > ntpd?
    >
    >

    In other words, the problem is how to remotely audit the ntp server's
    time without synchronizing to it.
    And btw. another question, what is the maximum amount of servers that
    can be put into the ntp.conf so that ntpd would still work correctly.



    Grzegorz Daniluk

  13. Re: ntpdate with auth

    On 2008-07-14, Grzegorz Daniluk wrote:

    > Steve Kostecke wrote:
    >
    >> What's the real issue here?


    [snip]

    > ... the problem is how to remotely audit the ntp server's time without
    > synchronizing to it.


    You can use 'noselect' for this purpose.

    > And btw. another question, what is the maximum amount of servers that
    > can be put into the ntp.conf so that ntpd would still work correctly.


    Quite a few.

    ntpd will poll all configured time sources but only uses a maximum
    of 10 peers (sorted by synchronization distance) as candidates for
    consideration as the sys_peer.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/
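
The audit described in posts 10 and 13 (list the remote servers with 'noselect', then read their offsets from ntpq), as an added example that is not part of the original thread. The function names, status labels, 100 ms threshold and documentation-range addresses are assumptions, the billboard text is constructed, and the script assumes that a 'noselect' server is displayed with a blank tally code.

```shell
#!/bin/sh
# Added example. ntp.conf side, using the syntax given in the thread:
#   server 198.51.100.7 noselect
# Live use: ntpq -pn | audit_offsets 100 198.51.100.7 198.51.100.8

# audit_offsets THRESHOLD_MS HOST...
# Reads `ntpq -pn` billboard text on stdin and prints one
# "HOST STATUS OFFSET_MS" line per audited host.
audit_offsets() {
    threshold_ms=$1; shift
    awk -v limit="$threshold_ms" -v hosts="$*" '
        BEGIN { n = split(hosts, want, " ") }
        /^ *remote / || /^=+$/ { next }       # column header and ruler
        {
            tally = substr($0, 1, 1)          # first column is the tally code
            if (split(substr($0, 2), f, " ") != 10) next
            seen[f[1]] = 1
            tal[f[1]] = tally; reach[f[1]] = f[7]; off[f[1]] = f[9]
        }
        END {
            for (i = 1; i <= n; i++) {
                h = want[i]
                if (!(h in seen)) { print h, "MISSING", "-"; continue }
                o = off[h] + 0; a = (o < 0) ? -o : o
                if (reach[h] == "0")    s = "UNREACHABLE"  # no replies yet
                else if (tal[h] != " ") s = "SELECTABLE"   # noselect not in effect
                else if (a > limit)     s = "DRIFT"        # |offset| over limit
                else                    s = "OK"
                print h, s, off[h]
            }
        }'
}

# Constructed sample of `ntpq -pn` output (offset column is in milliseconds).
sample_billboard() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412    0.021   0.015
+192.0.2.11      192.0.2.10       2 u   12   64  377    0.650   -0.108   0.040
 198.51.100.7    192.0.2.10       2 u   40   64  377   12.301  245.113   0.922
 198.51.100.8    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 198.51.100.9    192.0.2.10       2 u   18   64  377    8.120   -3.402   0.310
EOF
}

sample_billboard | audit_offsets 100 198.51.100.7 198.51.100.8 \
    198.51.100.9 192.0.2.11 203.0.113.5
```

The SELECTABLE status flags an audited server that ntpd is still considering as a time source, which is the situation the 'noselect' keyword is meant to prevent.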

  14. Re: ntpdate with auth

    Grzegorz,

    The selection algorithm has a hard limit of 50 servers; all of these can
    be considered for selection, but only the best three will survive the
    clustering algorithm. The tos maxclock option only affects the number
    considered by the pruning algorithm used by the manycast and pool schemes.

    Dave

    Grzegorz Daniluk wrote:
    > Steve Kostecke wrote:
    >
    >>What's the real issue here?
    >>
    >>Are you trying to manually check the offset of a free running system?
    >>
    >>Are you trying to manually check the offset of a system disciplined by
    >>ntpd?
    >>
    >>

    >
    > In other words, the problem is how to remotely audit the ntp server's
    > time without synchronizing to it.
    > And btw. another question, what is the maximum amount of servers that
    > can be put into the ntp.conf so that ntpd would still work correctly.
    >
    >
    >
    > Grzegorz Daniluk


  15. Re: ntpdate with auth

    Steve Kostecke wrote:
    > You can include reference time sources in your ntp.conf
    >
    > The syntax is:
    >
    > server your.reference.server noselect
    >


    Thank you very much, that is exactly what I was looking for.
    Now I have another question. I would like to change the poll interval
    for those 'noselect' hosts so I figured out that I'll use ntpdc. Then I
    realized that the 'addserver' option doesn't support 'noselect'. I tried
    to add that flag so I did something like that in ntpdc_ops.c:

        while (pcmd->nargs > items) {
            if (STREQ(pcmd->argval[items].string, "prefer"))
                flags |= CONF_FLAG_PREFER;
            else if (STREQ(pcmd->argval[items].string, "burst"))
                flags |= CONF_FLAG_BURST;
            else if (STREQ(pcmd->argval[items].string, "dynamic"))
                flags |= CONF_FLAG_DYNAMIC;
            /*///////////*/
            else if (STREQ(pcmd->argval[items].string, "noselect"))
                flags |= CONF_FLAG_NOSELECT;
            /*///////////*/
            else if (STREQ(pcmd->argval[items].string, "iburst"))
                flags |= CONF_FLAG_IBURST;
            else if (!refc && STREQ(pcmd->argval[items].string, "keyid"))
                numtyp = 1;
            else if (!refc && STREQ(pcmd->argval[items].string, "version"))
                numtyp = 2;
            else if (STREQ(pcmd->argval[items].string, "minpoll"))
                numtyp = 3;
            else if (STREQ(pcmd->argval[items].string, "maxpoll"))
                numtyp = 4;

    but when I tried to use my new ntpdc with noselect option I got
    following errors:

    ***Warning changing to older implementation
    ***Warning changing the request packet size from 160 to 48
    ***Server reports a format error in the received packet (shouldn't happen)
    ***Retrying command with old conf_peer size
    ***Server reports a format error in the received packet (shouldn't happen)

    The other flags work perfect, I got these messages only with noselect.
    So maybe I also need to add some code to ntpd so that it would
    understand a message with noselect flag? I'm still not very familiar
    with ntpd code so maybe somebody tried to do that before or has any
    idea what's wrong and how to fix it?

    thank you very much for all your help

    Grzegorz Daniluk

  16. Re: ntpdate with auth

    On 2008-07-23, Grzegorz Daniluk wrote:

    > Steve Kostecke wrote:
    >> You can include reference time sources in your ntp.conf
    >>
    >> The syntax is:
    >>
    >> server your.reference.server noselect
    >>

    >
    > Thank you very much, that is exactly what I was looking for.
    > Now I have another question. I would like to change the poll interval
    > for those 'noselect' hosts so I figured out that I'll use ntpdc. Then I
    > realized that the 'addserver' option doesn't support 'noselect'. I tried
    > to add that flag so I did something like that in ntpdc_ops.c:


    You're trying to do things the hard way.

    Read the documentation about "maxpoll" (hint: go to http://doc.ntp.org
    and search for maxpoll) to learn about an existing solution.

    You may safely use maxpoll to control the maximum poll interval for a
    remote time server under the following conditions:

    1. You, or your company/organization, controls the remote time server

    2. You have (written) permission from the server operator to poll more
    frequently than the ntpd default

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  17. Re: ntpdate with auth

    Steve Kostecke wrote:
    > On 2008-07-23, Grzegorz Daniluk wrote:
    >
    >> Thank you very much, that is exactly what I was looking for.
    >> Now I have another question. I would like to change the poll interval
    >> for those 'noselect' hosts so I figured out that I'll use ntpdc. Then I
    >> realized that the 'addserver' option doesn't support 'noselect'. I tried
    >> to add that flag so I did something like that in ntpdc_ops.c:
    >>

    >
    > You're trying to do things the hard way.
    >
    > Read the documentation about "maxpoll" (hint: go to http://doc.ntp.org
    > and search for maxpoll) to learn about an existing solution.
    >
    > You may safely use maxpoll to control the maximum poll interval for a
    > remote time server under the following conditions:
    >
    > 1. You, or your company/organization, controls the remote time server
    >
    > 2. You have (written) permission from the server operator to poll more
    > frequently than the ntpd default
    >

    Hello,
    Thank you for answering,
    I understand the problem of maxpolling that you are talking about but in
    my situation I need that for a certain servers that I know I can poll
    more often sometimes. That's why I thought I would use ntpdc to change that.

    Grzegorz Daniluk

  18. Re: ntpdate with auth

    On 2008-07-23, Grzegorz Daniluk wrote:

    > Steve Kostecke wrote:
    >
    >> On 2008-07-23, Grzegorz Daniluk wrote:
    >>
    >> You're trying to do things the hard way.
    >>
    >> Read the documentation about "maxpoll" (hint: go to
    >> http://doc.ntp.org and search for maxpoll) to learn about an existing
    >> solution.

    >
    > I understand the problem of maxpolling that you are talking about but
    > in my situation I need that for a certain servers that I know I can
    > poll more often sometimes.


    You have permission then? Fine.

    > That's why I thought I would use ntpdc to change that.


    You're complicating matters by using ntpdc.

    Just edit the server lines in ntpd.conf and restart ntpd. If you're
    using iburst on the other server lines ntpd will be ready to answer
    polls about 15 seconds after a warm restart.

    maxpoll 4 == 16 seconds
    maxpoll 5 == 32 seconds
    maxpoll 6 == 64 seconds

    and so on

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  19. Re: ntpdate with auth

    Steve Kostecke wrote:
    > On 2008-07-23, Grzegorz Daniluk wrote:
    > You're complicating matters by using ntpdc.
    >
    > Just edit the server lines in ntpd.conf and restart ntpd. If you're
    > using iburst on the other server lines ntpd will be ready to answer
    > polls about 15 seconds after a warm restart.
    >
    > maxpoll 4 == 16 seconds
    > maxpoll 5 == 32 seconds
    > maxpoll 6 == 64 seconds
    >
    > and so on
    >
    >

    Hello,
    I know that I can do it by editing ntp.conf and restarting ntpd, I also
    know what the numbers next to 'maxpoll' mean but thank you of course
    for advice. My problem is that I don't want to restart ntpd because I
    need that daemon to be a time server too (it has few time sources
    without 'noselect' option). That's why I'm trying to use ntpdc and its
    'addserver' option. My problem is that when I'm using it I can't add
    server with 'noselect' option which I need very much. Or maybe there is
    another way to change maxpoll with ntpdc instead of using 'addserver'.

    Grzegorz Daniluk

  20. Re: ntpdate with auth

    lin_g@o2.pl (Grzegorz Daniluk) writes:

    >Steve Kostecke wrote:
    >> On 2008-07-23, Grzegorz Daniluk wrote:
    >>
    >>> Thank you very much, that is exactly what I was looking for.
    >>> Now I have another question. I would like to change the poll interval
    >>> for those 'noselect' hosts so I figured out that I'll use ntpdc. Then I
    >>> realized that the 'addserver' option doesn't support 'noselect'. I tried
    >>> to add that flag so I did something like that in ntpdc_ops.c:
    >>>

    >>
    >> You're trying to do things the hard way.
    >>
    >> Read the documentation about "maxpoll" (hint: go to http://doc.ntp.org
    >> and search for maxpoll) to learn about an existing solution.
    >>
    >> You may safely use maxpoll to control the maximum poll interval for a
    >> remote time server under the following conditions:
    >>
    >> 1. You, or your company/organization, controls the remote time server
    >>
    >> 2. You have (written) permission from the server operator to poll more
    >> frequently than the ntpd default
    >>

    >Hello,
    >Thank you for answering,
    >I understand the problem of maxpolling that you are talking about but in
    >my situation I need that for a certain servers that I know I can poll
    >more often sometimes. That's why I thought I would use ntpdc to change that.


    If you have permission to poll those servers more often, go ahead and put
    in a low maxpoll.



    >Grzegorz Daniluk

