I’m trying to set up an NTP server and client with an IFF key by following ConfiguringAutokey < Support < NTP
Server OS & NTP version
Linux pop-os 5.8.0-7642-generic #47~1614007149~20.10~82fb226-Ubuntu SMP Tue Feb 23 02:59:01 UTC x86_64 x86_64 x86_64 GNU/Linux ntpd 4.2.8p12@1.3728-o (1)
Client OS & NTP version
Linux MyDev 3.10.70 #7 SMP Mon Aug 23 07:38:39 IST 2021 armv7l GNU/Linux ntpd 4.2.8p15@1.3728-o Mon Aug 23 06:35:04 UTC 2021 (1)
Server Config
crypto pw serverpassword
keysdir /etc/ntp
crypto randfile /dev/urandom
Generate the IFF parameters with the following commands:
cd /etc/ntp
ntp-keygen -T -I -p serverpassword
Export the IFF Group Key with the following commands:
cd /etc/ntp
ntp-keygen -e -p serverpassword
jey@pop-os:/etc/ntp$ sudo bash -c "ntp-keygen -e -p serverpassword > ntpkey_iffpar_pop-os.3841118849"
Using OpenSSL version OpenSSL 1.1.1f 31 Mar 2020
Using host pop-os group pop-os
Using host key ntpkey_RSAhost_pop-os.3841118849
Using host key as sign key
Using IFF keys ntpkey_IFFkey_pop-os.3841118849
Writing IFF parameters ntpkey_iffpar_pop-os.3841118849 to stdout
Generating new certificate pop-os RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Generating new cert file and link
ntpkey_cert_pop-os->ntpkey_RSA-MD5cert_pop-os.3841118849
jey@pop-os:/etc/ntp$ ls -la
total 32
drwxr-xr-x 2 root root 4096 Sep 21 10:13 .
drwxr-xr-x 145 root root 12288 Sep 20 10:26 ..
lrwxrwxrwx 1 root root 36 Sep 21 10:13 ntpkey_cert_pop-os -> ntpkey_RSA-MD5cert_pop-os.3841118849
lrwxrwxrwx 1 root root 32 Sep 20 10:27 ntpkey_host_pop-os -> ntpkey_RSAhost_pop-os.3841118849
lrwxrwxrwx 1 root root 31 Sep 20 10:27 ntpkey_iffkey_pop-os -> ntpkey_IFFkey_pop-os.3841118849
-rw-r----- 1 root root 539 Sep 20 10:27 ntpkey_IFFkey_pop-os.3841118849
-rw-r--r-- 1 root root 364 Sep 21 10:13 ntpkey_iffpar_pop-os.3841118849
-rw-r----- 1 root root 735 Sep 20 10:27 ntpkey_RSAhost_pop-os.3841118849
-rw-r----- 1 root root 576 Sep 21 10:13 ntpkey_RSA-MD5cert_pop-os.3841118849
Copied the ntpkey_iffpar_pop-os.3841118849 to client /etc/ntp
Client Config
crypto pw clientpassword
keysdir /etc/ntp
server 192.168.1.155 autokey
Generate the client key/certificate with the following commands:
[root@MyDev ntp]# ntp-keygen -H -p clientpassword
Using OpenSSL version OpenSSL 1.0.2u 20 Dec 2019
Using host MyDev group MyDev
Generating RSA keys (512 bits)...
RSA 0 3 5 1 26 54 3 1 2
Generating new host file and link
ntpkey_host_MyDev->ntpkey_RSAhost_MyDev.3841204813
Using host key as sign key
Generating new certificate MyDev RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_MyDev->ntpkey_RSA-MD5cert_MyDev.3841204813
[root@MyDev ntp]#
[root@MyDev ntp]# ln -s ntpkey_iffpar_pop-os.3841118849 ntpkey_iffpar_server
[root@MyDev ntp]# ls -la
total 20
drwxr-xr-x 2 root root 0 Sep 21 09:21 ./
drwxr-xr-x 26 root root 0 Sep 21 09:10 ../
-rw-r----- 1 root root 559 Sep 21 09:10 ntpkey_RSA-MD5cert_MyDev.3841204259
-rw-r----- 1 root root 559 Sep 21 09:20 ntpkey_RSA-MD5cert_MyDev.3841204813
-rw-r----- 1 root root 717 Sep 21 09:10 ntpkey_RSAhost_MyDev.3841204259
-rw-r----- 1 root root 709 Sep 21 09:20 ntpkey_RSAhost_MyDev.3841204813
lrwxrwxrwx 1 root root 39 Sep 21 09:20 ntpkey_cert_MyDev -> ntpkey_RSA-MD5cert_MyDev.3841204813
lrwxrwxrwx 1 root root 35 Sep 21 09:20 ntpkey_host_MyDev -> ntpkey_RSAhost_MyDev.3841204813
-rw-r--r-- 1 root root 364 Sep 21 09:19 ntpkey_iffpar_pop-os.3841118849
lrwxrwxrwx 1 root root 31 Sep 21 09:21 ntpkey_iffpar_server -> ntpkey_iffpar_pop-os.3841118849
Restart the NTP Client
[root@MyDev ntp]# date
Tue Jan 1 01:02:06 UTC 2008
[root@MyDev ntp]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.1.155 .INIT. 16 u 3 64 0 0.000 +0.000 0.000
[root@MyDev ntp]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
192.168.1.155 52.17.231.73 3 u 46 64 3 0.330 +433067 1.064
[root@MyDev ntp]#
[root@MyDev ntp]# date
Tue Jan 1 01:05:12 UTC 2008
[root@MyDev ntp]#
[root@MyDev ntp]# ntpq -cas
ind assid status conf reach auth condition last_event cnt
===========================================================
1 9595 f014 yes yes ok reject reachable 1
[root@MyDev ntp]# ntpq -cas
ind assid status conf reach auth condition last_event cnt
===========================================================
1 9595 f61e yes yes ok sys.peer 1
[root@MyDev ntp]# date
Tue Sep 21 09:40:59 UTC 2021
[root@MyDev ntp]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.1.155 52.17.231.73 3 u 30 64 77 0.311 +1.281 2.699
[root@MyDev ntp]#
I want the server-client authentication to fail if the ntpkey_iffpar_pop-os.3841118849 file is deleted from the client’s /etc/ntp folder and NTP is restarted on the client (I have tried restarting both server and client too). But in my case the time still gets updated. How do I use IFF keys then? Or am I making a mistake?
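Added example (not part of the post above, and not NTP project code): a small decoder for the peer status word that `ntpq -cas` prints (f014 and f61e in the transcripts), plus an audit over that table that flags a selected system peer whose status word lacks the "authentic" bit. Field layout and names follow the NTP "Event Messages and Status Words" documentation as I read it; the sample table is constructed, not captured from the hosts in the post.

```python
import re

# 16-bit peer status word, most significant bit first:
# bit 15 config, 14 authenable, 13 authentic, 12 reach, 11 bcast,
# bits 10-8 select field, bits 7-4 event count, bits 3-0 last event code.
SELECT = ["reject", "falsetick", "excess", "outlier",
          "candidate", "backup", "sys.peer", "pps.peer"]
PEER_EVENT = {0x1: "mobilize", 0x2: "demobilize", 0x3: "unreachable",
              0x4: "reachable", 0x5: "restart", 0x6: "no_reply",
              0x7: "rate_exceeded", 0x8: "access_denied", 0x9: "leap_armed",
              0xa: "sys_peer", 0xb: "clock_event", 0xc: "bad_auth",
              0xd: "popcorn"}

def decode_peer_status(word):
    """Split a peer status word such as 0xf61e into its named fields."""
    return {
        "config":     bool(word & 0x8000),
        "authenable": bool(word & 0x4000),
        "authentic":  bool(word & 0x2000),
        "reach":      bool(word & 0x1000),
        "bcast":      bool(word & 0x0800),
        "select":     SELECT[(word >> 8) & 0x7],
        "count":      (word >> 4) & 0xF,
        "last_event": PEER_EVENT.get(word & 0xF, "unknown(%#x)" % (word & 0xF)),
    }

# Data rows of `ntpq -cas`: index, association id, 4 hex digit status word.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{4})\s+")

def audit_associations(ntpq_as_output):
    """Parse the `ntpq -cas` table and mark any sys.peer whose status
    word does not carry the 'authentic' bit, i.e. the clock is being
    steered by a source that was never cryptographically verified."""
    findings = []
    for line in ntpq_as_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and separator lines
        fields = decode_peer_status(int(m.group(3), 16))
        fields["assid"] = int(m.group(2))
        fields["alert"] = fields["select"] == "sys.peer" and not fields["authentic"]
        findings.append(fields)
    return findings

# Constructed sample in the layout `ntpq -cas` prints (second row is invented
# to show the alert case: selected peer, authentic bit clear).
SAMPLE = """\
ind assid status conf reach auth condition last_event cnt
===========================================================
  1  9595  f014  yes  yes   ok   reject   reachable   1
  2  9596  d61e  yes  yes   none sys.peer             1
"""
```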