Different GroupKey and Client Passwords - NTP


  1. Different GroupKey and Client Passwords

    Regarding Client/Server mode, with AutoKey and the IFF scheme:
    Following the instruction on
    http://ntp.isc.org/bin/view/Support/ConfiguringAutokey I have
    successfully configured, generated keys, and tested a client/server
    setup using AutoKey with an encrypted group key using the IFF scheme.

    Q1: How is it possible for a leaf client to use different groupkey and
    client credential passwords, which are specified in the configuration
    file (i.e. crypto pw clientpassword)?
    - "clientpassword" used in creation of groupkey
    - "clientpassword" also used in creation of clients host/cert files
    - I'm unsuccessful in using different passwords for client host/cert
    files and creation of groupkey by server

    Q2: How can the passwords be read without specifying them in the clear
    within the respective server/client configuration files?

    Password used from ConfiguringAutoKey link:
    server: serverpassword
    client: clientpassword

    Thanks............DanR


  2. Re: Different GroupKey and Client Passwords

    On 2006-09-11, DanR wrote:
    > Regarding Client/Server mode, with AutoKey and the IFF scheme:
    > Following the instruction on
    > http://ntp.isc.org/bin/view/Support/ConfiguringAutokey I have
    > successfully configured, generated keys, and tested a client/server
    > setup using AutoKey with an encrypted group key using the IFF scheme.
    >
    > Q1: How is it possible for a leaf client to use different groupkey and
    > client credential passwords, which are specified in the configuration
    > file (i.e. crypto pw clientpassword)?


    No.

    Currently, each ntpd can have exactly _one_ crypto password.

    In the case of an IFF Trust Group each participant may use a unique
    crypto password. This password is used to generate the host parameters
    (i.e. cert and key files) and is used for the portion of the "groupkey"
    held by that ntpd.

    The Trust Group server generates the "groupkey" with:

    ntp-keygen -T -I -p serverpassword

    The resulting file, ntpkey_IFFpar_server.hostname.NNNNNNNNNN, is the
    server's "private key" and is not distributed to the clients.

    A "public key" is exported for each client using that client's crypto
    password (which, as stated above, may be unique):

    ntp-keygen -e -q serverpassword -p clientpassword

    > Q2: How can the passwords be read without specifying them in the clear
    > within the respective server/client configuration files?


    AFAIK, the only way to specify the crypto password is in the ntp.conf
    file.

    --
    Steve Kostecke
    NTP Public Services Project - http://ntp.isc.org/
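
Added example, not part of the original thread: because the reply above says the crypto password can only be given in ntp.conf, this shell audit reports whether a configuration file carrying a `crypto ... pw` line is readable by group or others. The function names are hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find a cleartext Autokey password
# ("crypto ... pw <password>") in an ntp.conf-style file and check that
# only the file's owner can read it.

# Print the line number of every active crypto line that has a pw option.
crypto_pw_lines() {
    awk '
        { sub(/#.*/, "") }                  # ignore comments
        $1 == "crypto" {
            for (i = 2; i < NF; i++)        # pw must be followed by a value
                if ($i == "pw") { print NR; break }
        }
    ' "$1"
}

# Succeed when group or others hold any permission bit on the file.
loose_mode() {
    perms=$(ls -ld -- "$1" | cut -c5-10)    # group and other triplets
    [ "$perms" != "------" ]
}

# audit_ntp_conf FILE: print one finding; return 1 if the password is exposed.
audit_ntp_conf() {
    conf=$1
    lines=$(crypto_pw_lines "$conf" | tr '\n' ' ')
    if [ -z "$lines" ]; then
        echo "OK: no crypto pw in $conf"
        return 0
    fi
    if loose_mode "$conf"; then
        mode=$(ls -ld -- "$conf" | cut -c1-10)
        echo "EXPOSED: crypto pw on line(s) ${lines}of $conf ($mode)"
        return 1
    fi
    echo "OK: crypto pw on line(s) ${lines}of $conf, owner-only"
    return 0
}
```

Run `audit_ntp_conf` against the server's and each client's configuration file; a file reported as EXPOSED needs its mode tightened to owner-only.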
