摘录于ntp官网:http://support.ntp.org/bin/view/Support/ConfiguringAutokey
6.7. Autokey Configuration for NTP stable releases
This topic provides a step-by-step guide for setting up NTP Autokey Authentication for NTP stable release versions 4.2.6 and later. The material contained in this topic may not be applicable to releases in the ntp-dev series.
Users of NTP-4.2.4, or earlier, should consult Autokey Configuration for NTP 4.2.4
Users of NTP-dev should consult ConfiguringAutokeyDev for errata and notes pertaining to the ntp-dev series of releases.
See the NTP Authentication specification and the Briefing Slides on the Network Time Synchronization Project page for in-depth information about NTP Authentication.
There are three Identity Schemes available in the NTP Reference Implemenation: IFF, GQ, and MV. See the Identity Scheme documentation for detailed information about the Identity Schemes. Although examples of server parameter generation and client parameter installation are provided for all available Identity Schemes, it is not necessary to use all of them.
Enforcement of NTP Authentication (with restrict statements) is beyond the scope of this topic
6.7.2.2.1. Broadcast and Multicast Autokey are configured on the server side. 6.7.3.2.1. Unicast Autokey is configured on the client side
Read 6.7.1. How To Use This Guide before starting
6.7.1. How To Use This Guide
- Perform the server set-up before performing the client set-up
- Follow each step in this guide
This guide currently only addresses the IFF identity scheme.
6.7.2. Server Set-Up
This section pertains only to systems that will be ntp servers for an NTP Trust Group; see 6.7.3. Client Set-Up for systems that will only be ntp clients. Trusted ntp servers which also operate as clients of other ntp servers may need to 6.7.3.4. Install Group/Client Keys.
6.7.2.1. Create the NTP Keys directory
Create a directory for the NTP Keys (e.g /etc/ntp.)
6.7.2.2. Edit ntp.conf
Add the following lines to ntp.conf:
crypto pw serverpassword keysdir /etc/ntp
You may need to add the following line to ntp.conf if ntpd dies with a crypto_setup: random seed file not found error:
crypto randfile /dev/urandom
6.7.2.2.1. Broadcast and Multicast Autokey
Append autokey to the broadcast line in ntp.conf for the broadcast/multicast address that you want to authenticate with Autokey:
broadcast my.broadcast.or.multicast.address autokey
The assigned NTP Multicast address is 224.0.1.1, but other valid multicast addresses may be used.
6.7.2.3. Generate Server Parameters
This section covers Server Parameter generation for the IFF Identity Scheme.
The server key and certificate will be generated if they are missing when a set of parameters are generated. The server certificate will be updated when existing parameters are updated or additional parameters are generated.
The -T option for ntp-keygen should only be used by a Trusted Authority (e.g time-server) for an NTP Trust Group.
6.7.2.3.1. IFF Parameters
The IFF parameter generation process produces a server key which should not be distributed to other members of the NTP Trust Group.
Generate the IFF parameters with the following commands:
cd /etc/ntp ntp-keygen -T -I -p serverpassword
You must export an IFF Group Key for use by the members of the Trust Group. This Group Key is unencrypted and may be handled in the same manner as a PGP/GPG public key.
Export the IFF Group Key with the following commands:
cd /etc/ntp ntp-keygen -e -p serverpassword
The IFF Group Key will be directed to STDOUT unless you redirect it to a file. The target name of the IFF Group Key file is on one of the first lines of the output.
This exported IFF Group Key will be used in 6.7.3.4.1. IFF Group Keys
IFF Group Keys may be distributed in any convenient manner (e.g. on a web page or even by pasting them across terminal windows).
IFF Group Keys may also be extracted and mailed with the following commands:
cd /etc/ntp ntp-keygen -e -p serverpassword | mail timelord@client.domain
6.7.2.4. Restart ntpd
Restart ntpd. Watch the output of ntpq -p to make sure that the server is able to start.
6.7.2.5. Server Parameter Update
The server key and certificate are valid only for one year and should be updated periodically (e.g. monthly). This could be scripted with the following command:
cd /etc/ntp
ntp-keygen -T -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
6.7.3. Client Set-Up
This section pertains only to systems that will be clients of an NTP Trust Group.
6.7.3.1. Create the NTP Keys directory
Create a directory for the NTP Keys (e.g. /etc/ntp.)
6.7.3.2. Edit ntp.conf
Add the following lines to ntp.conf:
crypto pw clientpassword keysdir /etc/ntp
You may need to add the following line to ntp.conf if ntpd dies with a crypto_setup: random seed file not found error:
crypto randfile /dev/urandom
6.7.3.2.1. Unicast Autokey
Append autokey to the server line for the time-server that you want to authenticate with Autokey in a unicast association:
server ntp.i_have_the_key.for autokey
6.7.3.3. Generate Client Parameters
Do not use the -T option for ntp-keygen on systems that are only clients of an NTP Trust Group.
Generate the client key /certificate with the following commands:
cd /etc/ntp ntp-keygen -H -p clientpassword
6.7.3.4. Install Group/Client Keys
This section covers the installation of Group/Client Keys for all Identity Schemes. You only need to install the Group/Client Keys used by the NTP Trust Group that this client will be joining.
6.7.3.4.1. IFF Group Keys
Obtain the IFF group key, exported in 6.7.2.3.1. IFF Parameters, from your time server operator, copy the key file to the keysdir, and create the standard sym-link:
cd /etc/ntp ln -s ntpkey_iffpar_server.3301264563 ntpkey_iffpar_server
6.7.3.5. Restart ntpd
Restart ntpd. Watch the output of ntpq -p to make sure that the client is able to start and sync with the server.
6.7.3.6. Client Parameter Update
The client key and certificate are valid only for one year and should be updated periodically (e.g. monthly) with the following command:
cd /etc/ntp
ntp-keygen -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
6.7.4. Monitoring Authentication Status
It is not usually necessary to run ntpd in debug mode to troubleshoot Authentication problems.
Use ntpq -c "rv 0 cert" to view the Autokey certificates held by ntpd.
Use ntpq -c as to the check the authentication status of NTP associations. Authenticated associations display ok in the auth column:
ind assID status conf reach auth condition last_event cnt =========================================================== 1 26132 f694 yes yes ok sys.peer reachable 9
For detailed information about an authenticated association use the assID from ntpq -cas in the following command:
ntpq -c"rv assID flags"
An Autokey+IFF association without a verified leapseconds table will show the following flags on the client:
flags=0x83f21
An Autokey+IFF association with a verified leapseconds table will show the following flags on the client:
flags=0x87f21
6.7.4.1. Crypto Association Flags
/*
* The following bits are set by the CRYPTO_ASSOC message from
* the server and are not modified by the client.
*/
#define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */
#define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */
#define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */
#define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */
#define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */
#define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */
/*
* The following bits are used by the client during the protocol
* exchange.
*/
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV 0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
#define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */
#define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */
#define CRYPTO_FLAG_LEAP 0x4000 /* leapseconds table verified */