NTP Autokey IFF keys Usage

I’m trying to set up an NTP server and client with IFF keys by following ConfiguringAutokey < Support < NTP

Server OS & NTP version

Linux pop-os 5.8.0-7642-generic #47~1614007149~20.10~82fb226-Ubuntu SMP Tue Feb 23 02:59:01 UTC x86_64 x86_64 x86_64 GNU/Linux ntpd 4.2.8p12@1.3728-o (1)

Client OS & NTP version

Linux MyDev 3.10.70 #7 SMP Mon Aug 23 07:38:39 IST 2021 armv7l GNU/Linux ntpd 4.2.8p15@1.3728-o Mon Aug 23 06:35:04 UTC 2021 (1)

Server Config

crypto pw serverpassword
keysdir /etc/ntp
crypto randfile /dev/urandom

Generate the IFF parameters with the following commands:

cd /etc/ntp
ntp-keygen -T -I -p serverpassword

Export the IFF Group Key with the following commands:

cd /etc/ntp
ntp-keygen -e -p serverpassword
jey@pop-os:/etc/ntp$ sudo bash -c "ntp-keygen -e -p serverpassword > ntpkey_iffpar_pop-os.3841118849"
Using OpenSSL version OpenSSL 1.1.1f  31 Mar 2020
Using host pop-os group pop-os
Using host key ntpkey_RSAhost_pop-os.3841118849
Using host key as sign key
Using IFF keys ntpkey_IFFkey_pop-os.3841118849
Writing IFF parameters ntpkey_iffpar_pop-os.3841118849 to stdout
Generating new certificate pop-os RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
X509v3 Extended Key Usage: trustRoot
Generating new cert file and link
ntpkey_cert_pop-os->ntpkey_RSA-MD5cert_pop-os.3841118849


jey@pop-os:/etc/ntp$ ls -la
total 32
drwxr-xr-x   2 root root  4096 Sep 21 10:13 .
drwxr-xr-x 145 root root 12288 Sep 20 10:26 ..
lrwxrwxrwx   1 root root    36 Sep 21 10:13 ntpkey_cert_pop-os -> ntpkey_RSA-MD5cert_pop-os.3841118849
lrwxrwxrwx   1 root root    32 Sep 20 10:27 ntpkey_host_pop-os -> ntpkey_RSAhost_pop-os.3841118849
lrwxrwxrwx   1 root root    31 Sep 20 10:27 ntpkey_iffkey_pop-os -> ntpkey_IFFkey_pop-os.3841118849
-rw-r-----   1 root root   539 Sep 20 10:27 ntpkey_IFFkey_pop-os.3841118849
-rw-r--r--   1 root root   364 Sep 21 10:13 ntpkey_iffpar_pop-os.3841118849
-rw-r-----   1 root root   735 Sep 20 10:27 ntpkey_RSAhost_pop-os.3841118849
-rw-r-----   1 root root   576 Sep 21 10:13 ntpkey_RSA-MD5cert_pop-os.3841118849

Copied the ntpkey_iffpar_pop-os.3841118849 to client /etc/ntp

Client Config

crypto pw clientpassword
keysdir /etc/ntp
server 192.168.1.155 autokey

Generate the client key /certificate with the following commands:

[root@MyDev ntp]# ntp-keygen -H -p clientpassword
Using OpenSSL version OpenSSL 1.0.2u  20 Dec 2019
Using host MyDev group MyDev
Generating RSA keys (512 bits)...
RSA 0 3 5       1 26 54                         3 1 2
Generating new host file and link
ntpkey_host_MyDev->ntpkey_RSAhost_MyDev.3841204813
Using host key as sign key
Generating new certificate MyDev RSA-MD5
X509v3 Basic Constraints: critical,CA:TRUE
X509v3 Key Usage: digitalSignature,keyCertSign
Generating new cert file and link
ntpkey_cert_MyDev->ntpkey_RSA-MD5cert_MyDev.3841204813
[root@MyDev ntp]# 

[root@MyDev ntp]# ln -s ntpkey_iffpar_pop-os.3841118849 ntpkey_iffpar_server
[root@MyDev ntp]# ls -la
total 20
drwxr-xr-x    2 root     root             0 Sep 21 09:21 ./
drwxr-xr-x   26 root     root             0 Sep 21 09:10 ../
-rw-r-----    1 root     root           559 Sep 21 09:10 ntpkey_RSA-MD5cert_MyDev.3841204259
-rw-r-----    1 root     root           559 Sep 21 09:20 ntpkey_RSA-MD5cert_MyDev.3841204813
-rw-r-----    1 root     root           717 Sep 21 09:10 ntpkey_RSAhost_MyDev.3841204259
-rw-r-----    1 root     root           709 Sep 21 09:20 ntpkey_RSAhost_MyDev.3841204813
lrwxrwxrwx    1 root     root            39 Sep 21 09:20 ntpkey_cert_MyDev -> ntpkey_RSA-MD5cert_MyDev.3841204813
lrwxrwxrwx    1 root     root            35 Sep 21 09:20 ntpkey_host_MyDev -> ntpkey_RSAhost_MyDev.3841204813
-rw-r--r--    1 root     root           364 Sep 21 09:19 ntpkey_iffpar_pop-os.3841118849
lrwxrwxrwx    1 root     root            31 Sep 21 09:21 ntpkey_iffpar_server -> ntpkey_iffpar_pop-os.3841118849

Restart the NTP Client

[root@MyDev ntp]# date
Tue Jan  1 01:02:06 UTC 2008
[root@MyDev ntp]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.155   .INIT.          16 u    3   64    0    0.000   +0.000   0.000
[root@MyDev ntp]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.155   52.17.231.73     3 u   46   64    3    0.330  +433067   1.064
[root@MyDev ntp]# 
[root@MyDev ntp]# date
Tue Jan  1 01:05:12 UTC 2008
[root@MyDev ntp]# 
[root@MyDev ntp]# ntpq -cas
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  9595  f014   yes   yes   ok     reject   reachable  1
[root@MyDev ntp]# ntpq -cas
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  9595  f61e   yes   yes   ok   sys.peer              1
[root@MyDev ntp]# date
Tue Sep 21 09:40:59 UTC 2021
[root@MyDev ntp]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.155   52.17.231.73     3 u   30   64   77    0.311   +1.281   2.699
[root@MyDev ntp]# 

I want the server-client authentication to fail if the ntpkey_iffpar_pop-os.3841118849 file is deleted from the client’s /etc/ntp folder and NTP is restarted on the client (I have tried restarting both server & client too). But in my case the time still gets updated. How should IFF keys be used then? Or am I making a mistake?
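
An added check, not part of the original post, for reading the `ntpq -cas` output pasted above: the hex status word in the third column packs the configured, authentication-enabled, authenticated and reachable flags together with the selection condition, and ntpq prints `auth ok` only when both authentication bits are set. The POSIX shell script below decodes that word (bit positions are the peer status word table from the ntpq documentation) and refuses to accept a selected sys.peer whose reply was not authenticated, which is the condition the poster is trying to force. The sample lines are the thread's own two readings (f014, then f61e) plus one constructed line (9614) for a configured, reachable peer with no authentication at all; the `--live` switch is this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post or the NTP project: decode the peer
# status word that "ntpq -c as" prints and check that the selected sys.peer
# is authenticated. Bit layout per the ntpq documentation (decode.html):
#   0x8000 configured   0x4000 auth enabled   0x2000 auth ok   0x1000 reachable
#   0x0800 broadcast    bits 8-10 select field (0 reject ... 6 sys.peer)
#   bits 4-7 event counter   bits 0-3 last event code (4 reachable, 0xc bad_auth)

# decode_peer_status HEX
#   prints: conf=yes|no auth=ok|bad|none reach=yes|no cond=<name> cnt=<n> event=0x<code>
#   "auth" follows ntpq's own column: "none" unless authentication is enabled for
#   the association, "bad" if enabled but the reply did not verify, "ok" otherwise.
decode_peer_status() {
    s=$(( 0x$1 ))
    conf=no;  [ $(( s & 0x8000 )) -ne 0 ] && conf=yes
    reach=no; [ $(( s & 0x1000 )) -ne 0 ] && reach=yes
    if   [ $(( s & 0x4000 )) -eq 0 ]; then auth=none
    elif [ $(( s & 0x2000 )) -ne 0 ]; then auth=ok
    else auth=bad
    fi
    case $(( (s >> 8) & 7 )) in
        0) cond=reject ;;    1) cond=falsetick ;; 2) cond=excess ;;   3) cond=outlier ;;
        4) cond=candidate ;; 5) cond=backup ;;    6) cond=sys.peer ;; 7) cond=pps.peer ;;
    esac
    printf 'conf=%s auth=%s reach=%s cond=%s cnt=%d event=0x%x\n' \
        "$conf" "$auth" "$reach" "$cond" $(( (s >> 4) & 15 )) $(( s & 15 ))
}

# check_sys_peer_auth
#   Reads "ntpq -c as" output on stdin. Exit 0 only if some association is the
#   selected sys.peer and every sys.peer has auth=ok; a reject-only table (the
#   thread's first reading) or an unauthenticated sys.peer fails the check.
check_sys_peer_auth() {
    found=0
    while read -r ind assid status _rest; do
        case "$ind" in ''|ind|=*) continue ;; esac          # header and ruler lines
        case "$status" in [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;; *) continue ;; esac
        decoded=$(decode_peer_status "$status")
        case "$decoded" in
            *" cond=sys.peer "*)
                found=1
                case "$decoded" in
                    *" auth=ok "*) ;;
                    *) printf 'unauthenticated sys.peer assid=%s: %s\n' "$assid" "$decoded" >&2
                       return 1 ;;
                esac ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Constructed sample tables: the two readings from the thread and one made-up
# line (status 9614) for a configured, reachable, unauthenticated sys.peer.
SAMPLE_AS_OK='ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  9595  f61e   yes   yes   ok   sys.peer              1'
SAMPLE_AS_REJECT='ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  9595  f014   yes   yes   ok     reject   reachable  1'
SAMPLE_AS_NOAUTH='ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  9596  9614   yes   yes  none   sys.peer              1'

# Usage on a real client (assumed switch, not an ntpq option):
#   sh check_ntp_auth.sh --live
if [ "${1:-}" = "--live" ]; then
    ntpq -c as | check_sys_peer_auth && echo "selected sys.peer is authenticated"
fi
```

Run against the thread's second reading the check passes, which is exactly what the poster saw: the association carries `auth ok`, so from the client's point of view Autokey did authenticate the server. A peer that synchronises with `auth none` is what the check is there to catch.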

Why do you want to do this? There is nothing secret about the correct time NTP servers give.
I do not understand your question at all.

Hi ashjey1224 and welcome!

It’s not so much about keeping the packets secret but rather about ensuring their authenticity and integrity, in order to avoid tampering and thus to defend against adversaries. There are some use cases that might benefit from additional measures in the form of authentication.

However, if you want to do authentication, do not use Autokey. It is considered unsafe. A better option would be ‘symmetric keys’, but the newer NTS (Network Time Security) might be even better. It is less hassle for a client to start using, because you don’t need to exchange any keys beforehand.

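As an added example (not marco.davids' own code, nor anything from the NTP project), this is the symmetric-key setup his reply recommends, written as a POSIX shell script that replaces the thread's `crypto` lines. Assumptions: key id 1, the thread's server address 192.168.1.155, a SHA1 key, an absolute target directory passed as the first argument (the thread used /etc/ntp), and the file names ntp.keys, ntp.conf.server and ntp.conf.client, which are this example's own. The verify step enforces the two things that matter operationally: the keys file is the shared secret and must be owner-readable only, and the key id the client signs with must be listed under `trustedkey` on both sides. NTS, the other option in the reply, needs an implementation that supports it (chrony and NTPsec do) and is not shown here.

```shell
#!/bin/sh
# Added example, not from the thread or the NTP project: symmetric-key
# authentication for ntpd in place of Autokey. Assumed values: key id 1, server
# 192.168.1.155 (from the thread), SHA1 keys, and an absolute directory given as
# $1 for the generated files ntp.keys, ntp.conf.server and ntp.conf.client.

# new_sha1_key prints 160 random bits as 40 hex characters, the form ntpd's
# keys file takes for a SHA1 key.
new_sha1_key() {
    od -An -tx1 -N20 /dev/urandom | tr -d ' \n'
}

# write_keys_file DIR KEYID HEXKEY
#   Writes DIR/ntp.keys with owner-only permissions. This file is the shared
#   secret for both sides; group- or world-readable copies defeat the scheme.
write_keys_file() {
    ( umask 077; printf '# keyid type key\n%s SHA1 %s\n' "$2" "$3" > "$1/ntp.keys" )
    chmod 600 "$1/ntp.keys"
}

# write_confs DIR KEYID SERVER
#   Server: "trustedkey" lists the ids clients may use; replies are authenticated
#   with the same key the request carried. (The server's own upstream "server"
#   lines are omitted here.)
#   Client: "server ... key N" makes ntpd sign every request with key N and
#   discard any reply whose MAC does not verify, so missing or altered key
#   material stops synchronisation instead of silently passing.
write_confs() {
    cat > "$1/ntp.conf.server" <<EOF
keys $1/ntp.keys
trustedkey $2
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
    cat > "$1/ntp.conf.client" <<EOF
keys $1/ntp.keys
trustedkey $2
server $3 key $2 iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF
}

# verify_key_setup DIR KEYID
#   Fails if ntp.keys is readable by anyone but its owner, if KEYID is not a
#   40-hex-digit SHA1 entry in it, or if either config does not trust KEYID.
verify_key_setup() {
    mode=$(ls -l "$1/ntp.keys" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "ntp.keys mode is $mode, want -rw-------" >&2; return 1; }
    grep -q "^$2 SHA1 [0-9a-f]\{40\}\$" "$1/ntp.keys" || { echo "key $2 not in ntp.keys" >&2; return 1; }
    for f in "$1/ntp.conf.server" "$1/ntp.conf.client"; do
        grep -q "^trustedkey $2\$" "$f" || { echo "$f does not trust key $2" >&2; return 1; }
    done
    grep -q "^server .* key $2 " "$1/ntp.conf.client" || { echo "client does not sign with key $2" >&2; return 1; }
}

# setup_symmetric_key_auth DIR KEYID SERVER [HEXKEY]
#   Generates a key unless one is supplied, writes the three files and verifies them.
setup_symmetric_key_auth() {
    key=${4:-$(new_sha1_key)}
    write_keys_file "$1" "$2" "$key"
    write_confs "$1" "$2" "$3"
    verify_key_setup "$1" "$2"
}

# Usage: sh ntp_symmetric.sh /etc/ntp   (then copy ntp.keys to the other host
# over an authenticated channel and install the matching ntp.conf.* as ntp.conf)
if [ -n "${1:-}" ]; then
    setup_symmetric_key_auth "$1" 1 192.168.1.155 && echo "wrote $1/ntp.keys, ntp.conf.server, ntp.conf.client"
fi
```

The same ntp.keys file goes on both hosts, which is the key exchange the reply says NTS would spare you; once it is in place, deleting it on the client makes ntpd stop accepting that server's replies, which is the failure mode the original post was looking for.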

Thanks guys for the response.

@marco.davids Thank you so much for your suggestion. Will try it and come back to you guys if anything is required.
