NTP Support SHA2 or not



We are using ntp-4.2.6p5-28.el7. Please let us know whether NTP supports SHA2 with FIPS enabled and disabled?



You probably want to post on the regular NTP questions list… This is for the NTP “pool” and related…


^^^ That is the main NTP questions…



How do I raise a query on the above link which you provided?



The archives are available publicly here. If you can’t find a previous thread which answers your question, then you can simply email your question to the list (note you will need to join it first).


I already checked this, but didn't find any relevant answer yet.



I would look at the man page of ntp-keygen on your system as it specifically shows what encryption is supported.



Relevant part:

When used to generate message digest keys, the program produces a file containing ten pseudo-random printable ASCII strings suitable for the MD5 message digest algorithm included in the distribution. If the OpenSSL library is installed, it produces an additional ten hex-encoded random bit strings suitable for the SHA1 and other message digest algorithms. Printable ASCII keys can have length from one to 20 characters, inclusive. Bit string keys have length 20 octets (40 hex characters). All keys are 160 bits in length.

The file can be edited later with purpose-chosen passwords for the ntpq and ntpdc programs. Each line of the file contains three fields, first an integer between 1 and 65534, inclusive, representing the key identifier used in the server and peer configuration commands. Next is the key type for the message digest algorithm, which in the absence of the OpenSSL library should be the string MD5 to designate the MD5 message digest algorithm. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by that library. However, if compatibility with FIPS 140-2 is required, the key type must be either SHA or SHA1. Finally is the key itself as a printable ASCII string excluding the space and # characters. If not greater than 20 characters in length, the string is the key itself; otherwise, it is interpreted as a hex-encoded bit string. As is custom, # and the remaining characters on the line are ignored. Later, this file can be edited to include the passwords for the ntpq and ntpdc utilities. If this is the only need, run ntp-keygen with the -M option and disregard the remainder of this page.

So my interpretation of that is no, NTP does not support SHA2, because the max support is 160 bits and the smallest SHA2 is 224 bits.
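The keys-file layout quoted above (key id 1..65534, key type, then a key that is literal ASCII at 20 characters or fewer and hex-encoded beyond that, with # starting a comment) is simple enough to check mechanically. The following is an added example, not code from the thread or from the ntp project: a small parser that applies exactly those rules to an ntp.keys file and flags key types other than SHA/SHA1, which the man page says are the only FIPS 140-2 compatible choices. The sample file embedded in it is constructed for illustration and does not come from any real host.

```python
"""Parse an ntp.keys file per the rules quoted from the ntp-keygen man page
and report keys whose type is not FIPS 140-2 compatible (SHA or SHA1)."""
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key types the quoted man page names as FIPS 140-2 compatible.
FIPS_KEY_TYPES = {"SHA", "SHA1"}


@dataclass
class NtpKey:
    key_id: int
    key_type: str
    key_bytes: bytes      # decoded key material (literal ASCII or unhexlified)
    hex_encoded: bool     # True when the key field was longer than 20 chars
    line_no: int

    @property
    def bits(self) -> int:
        return len(self.key_bytes) * 8

    @property
    def fips_compatible(self) -> bool:
        return self.key_type.upper() in FIPS_KEY_TYPES


def parse_key_line(line: str, line_no: int = 0) -> Optional[NtpKey]:
    """Parse one line. Returns None for blank/comment lines, raises ValueError on malformed ones."""
    # '#' and the remaining characters on the line are ignored.
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if len(fields) != 3:
        raise ValueError(f"line {line_no}: expected 3 fields, got {len(fields)}")
    id_str, key_type, secret = fields
    try:
        key_id = int(id_str)
    except ValueError:
        raise ValueError(f"line {line_no}: key id {id_str!r} is not an integer") from None
    if not 1 <= key_id <= 65534:
        raise ValueError(f"line {line_no}: key id {key_id} outside 1..65534")
    if not secret.isascii():
        raise ValueError(f"line {line_no}: key must be printable ASCII")
    # At most 20 characters: the string itself is the key.
    if len(secret) <= 20:
        return NtpKey(key_id, key_type, secret.encode("ascii"), False, line_no)
    # Longer than 20 characters: interpreted as a hex-encoded bit string.
    try:
        raw = binascii.unhexlify(secret)
    except (binascii.Error, ValueError):
        raise ValueError(f"line {line_no}: key longer than 20 chars is not valid hex") from None
    return NtpKey(key_id, key_type, raw, True, line_no)


def parse_keys_file(text: str) -> List[NtpKey]:
    keys = []
    for n, line in enumerate(text.splitlines(), 1):
        key = parse_key_line(line, n)
        if key is not None:
            keys.append(key)
    return keys


def audit(keys: List[NtpKey]) -> List[Tuple[int, str]]:
    """Return (key_id, message) findings: duplicate ids and non-FIPS key types."""
    findings = []
    seen = {}
    for k in keys:
        if k.key_id in seen:
            findings.append((k.key_id, f"duplicate key id (also on line {seen[k.key_id]})"))
        seen[k.key_id] = k.line_no
        if not k.fips_compatible:
            findings.append((k.key_id, f"key type {k.key_type} is not SHA/SHA1, so not FIPS 140-2 compatible"))
    return findings


# Constructed sample ntp.keys for demonstration; not taken from any real system.
SAMPLE_KEYS = """\
# constructed sample ntp.keys
1  MD5    pass-word-1                                # 11 chars: literal ASCII key
2  SHA1   0123456789abcdef0123456789abcdef01234567   # 40 hex chars = 160-bit key
3  SHA256 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff  # 64 hex chars
10 MD5    another-key   # trailing comment
"""

if __name__ == "__main__":
    parsed = parse_keys_file(SAMPLE_KEYS)
    for k in parsed:
        print(f"id={k.key_id:<5} type={k.key_type:<7} bits={k.bits:<4} hex={k.hex_encoded}")
    for key_id, msg in audit(parsed):
        print(f"FINDING key {key_id}: {msg}")
```

Running it on the constructed sample reports the two MD5 keys and the SHA256 key as non-FIPS per the quoted rule; whether a given ntpd build actually accepts a SHA256 key type is a separate question that only the build's own ntp-keygen man page and OpenSSL linkage answer.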


ok, thanks for the information :slight_smile: