NTP FIPS config question


#1

I apologise if this has been answered previously, but searches turned up nothing for me.

We have a RHEL 7 system configured with FIPS 140-2, and apparently RH are saying this won’t be fixed until possibly RHEL 7.5.

I am trying to get ntpd to autostart without complaining about “MAC encrypt: digest init failed” on FIPS enabled systems. This is causing the auto start of the service to fail and time to drift wildly.

We do not use ntp authentication on our internal NTP servers. And, the ntpd service starts fine if I manually restart it. But, I can’t manually restart on every system every time we update/reboot something.

My question is: Is there a way to configure ntpd to either bypass the md5 hash init, or feed it a hash (SHA256 maybe?) to make it happy even though we aren’t going to use it for anything?

Thanks!


#2

Never mind… I was able to use an SHA1 key with no auth config, and that seems to be working.
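
One way to apply the workaround from #2 to an existing key file, as an added example that is not the poster's actual configuration: it assumes the key sits in ntpd's symmetric key file (one `keyid type key` entry per line) and swaps MD5 entries for SHA1 ones, leaving authentication unconfigured. The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ntpd's symmetric key file
# format: one "<keyid> <type> <key>" entry per line, '#' starts a comment.

# Constructed sample key file (placeholder key material, not real keys).
sample_keys() {
    cat <<'EOF'
# constructed sample
1 MD5 examplekey1
2 SHA1 0123456789abcdef0123456789abcdef01234567
3 M legacykey
EOF
}

# Print the IDs of entries whose digest type is MD5 (or the legacy "M").
md5_key_ids() {
    awk '{ sub(/#.*/, "") }
         NF >= 3 && toupper($2) ~ /^(M|MD5)$/ { print $1 }' "$1"
}

# Emit a SHA1 entry for key ID $1: 20 random bytes as 40 hex digits.
new_sha1_entry() {
    hex=$(head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s SHA1 %s\n' "$1" "$hex"
}

# Write a converted key file to stdout: MD5 entries become fresh SHA1
# entries with the same ID; comments and other entries pass through.
convert_keys() (
    set -f                      # no globbing while splitting lines
    while IFS= read -r line; do
        set -- $line
        case "$1:$2" in
            \#*) printf '%s\n' "$line" ;;
            *:[Mm]|*:[Mm][Dd]5) new_sha1_entry "$1" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
)

# Demo on the constructed sample.
tmp=$(mktemp)
sample_keys > "$tmp"
convert_keys "$tmp"
rm -f "$tmp"
```

Replaced entries carry new random key material, so any peer that does authenticate with one of those key IDs would need the same new entry.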