Any Linux Gurus On FR?

http://freerepublic.com ^ | 1/24/2016 | Self

[Washi]

Using ntpd.
After editing ntp.conf on the Linux machine, with VI, I restart the ntpd service (service ntpd restart)

[DataDink]

Can you post the output of:

ntpq -c as

[Washi]

I’ll do that when I get a chance tomorrow. Thank you.

[ShadowAce]

Based on the config you sent me, it looks good so far.

I have to ask--You do have the correct key on the client, right?

[ShadowAce]

From Red Hat:

Client Configuration

• Ensure the following entries are in /etc/ntp.conf:

driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
server <ntp.server.com> key 1
trustedkey 1
controlkey 1
requestkey 1

• Specify the client-side keys:

# vim /etc/ntp/keys

• Example keys file:

#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535  M  akey
#1      M  pass
1  M  <password>

• Restart the NTP service

<

# service ntpd restart

• Ensure authenticated NTP is connecting successfully

# ntpq -c as
ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
 1   64605   f614   yes    yes   ok    sys.peer   reachable    1

If compatibility with FIPS 140-2 is required.

• Ntp must be supported to SHA & SHA1 authentication.

• It is not supported prior to ntp 4.2.6. Red Hat has fixed this and now supported..

• More information about Ntp Auth.

Key Explanation

• Keys file:

1  M  key

#1 = the key value
#M = the type of key
#key = the actual key or password

• Types of key:
  • A = DES key, ASCII format
  • M = MD5 key, ASCII format
  • S = DES key, DES format
  • N = DES key, NTP format
• Key value:
  • Any number 1-65535
  • Multiple keys can be used on the same server
  • Max 20-character printable ASCII string or a 40-character hex string
• For more information please see man 5 ntp_auth

[DataDink]

There is also a NTP configuration tool at Red Hat (https://access.redhat.com/labs/ntpcc/) that will create the proper configuration files for the clients. You will need the MD5 key from the server to use it. It should save you a lot of time and headaches. You will need a login to use it.

[Washi]

Sweet. Thanks a lot for your time and assistance, guys. I’ll let you know how it works shortly.

[Washi]

Yep. Key checked, double-checked, and triple-checked.

[Washi]

Can you post the output of:

ntpq -c as

Still no dice. Output of the above is:

ind assid status conf reach auth condition last_event cnt
---------------------------------------------------------
---------------------------------------------------------
1 32163 c01c yes no bad reject 1
2 32164 c01c yes no bad reject 1

The keys in the "keys" file are plaintext, right? I don't have to do the MD5 hash first and put the ASCII text in the file?

[DataDink]

They are plaintext, but have to follow the correct format in the config file or in the keys file.

Did you try the Access Labs link for NTP configuration that I sent earlier?

Here is a sample of what it generates for /etc/ntp.conf using 111.222.333.444 for the NTP server:

# START FILE
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

server 111.222.333.444 iburst key 1

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
trustedkey 1

# Specify the key identifier to use with the ntpdc utility.
requestkey 1

# Specify the key identifier to use with the ntpq utility.
controlkey 1

# Enable writing of statistics records.
statistics clockstats cryptostats loopstats peerstats sysstats rawstats
# END FILE

The /etc/ntp/keys file contains:

1 MD5 }Vp72N9amdf-Qa6`FQ^Y

the part that looks like this: }Vp72N9amdf-Qa6`FQ^Y
should be the same as the key that your NTP server is using to authenticate the other clients on your network. I generated the key with the ntp-keygen command.

The /etc/ntp/crypto/pw file can be empty, but must exist.

[Washi]

The /etc/ntp/keys file contains:

1 MD5 }Vp72N9amdf-Qa6`FQ^Y

the part that looks like this: }Vp72N9amdf-Qa6`FQ^Y should be the same as the key that your NTP server is using to authenticate the other clients on your network. I generated the key with the ntp-keygen command.

Okay, so does the ntp-keygen command just spit out random ASCII text, or do you supply a plaintext word, and it spits out ASCII text representing the MD5 hash of the plaintext?

[Washi]

Wait. I see another difference; I’ve been placing just “M” in the keys file for the encryption algorithm type. Should it be “MD5” for RHEL 6.1?

[ShadowAce]

Everything I’ve seen says that “M” should be fine.