Posted on 01/24/2016 4:32:58 PM PST by Washi
Are there any Linux gurus here?
I've looked around online and asked some questions in various forums, but I'm not getting anywhere. I've found explanations of how to set it up, but no examples. I have yet to get it working.
I am trying to configure an environment with several Red Hat Enterprise Linux 6.1 virtual machines. All of these machines need to be NTP clients of my NTP server. The NTP server uses MD5 authentication, and I need to have the Linux clients authenticate the NTP traffic.
Can someone please post a working "ntp.conf" and "keys" file so that I can see the correct way to enable authentication on my Red Hat Enterprise Linux 6.1 NTP clients?
Also, please recommend the best method to verify that authentication is being used and that only authenticated NTP messages are influencing the clients.
Thanks!
Using ntpd.
After editing ntp.conf on the Linux machine, with VI, I restart the ntpd service (service ntpd restart)
Can you post the output of:
ntpq -c as
I’ll do that when I get a chance tomorrow. Thank you.
I have to ask: you do have the correct key on the client, right?
Client Configuration
- Ensure the following entries are in /etc/ntp.conf:
    driftfile /var/lib/ntp/drift
    restrict 127.0.0.1
    restrict -6 ::1
    keys /etc/ntp/keys
    server <ntp.server.com> key 1
    trustedkey 1
    controlkey 1
    requestkey 1
- Specify the client-side keys:
    # vim /etc/ntp/keys
- Example keys file:
    #
    # PLEASE DO NOT USE THE DEFAULT VALUES HERE.
    #
    #65535 M akey
    #1 M pass
    1 M <password>
- Restart the NTP service:
    # service ntpd restart
- Ensure authenticated NTP is connecting successfully:
    # ntpq -c as
    ind assID status  conf reach auth condition  last_event cnt
    ===========================================================
      1 64605  f614   yes   yes  ok   sys.peer   reachable    1
If compatibility with FIPS 140-2 is required, NTP must support SHA and SHA1 authentication. This is not supported prior to ntp 4.2.6. Red Hat has fixed this and it is now supported.
More information about NTP auth:
Key Explanation
- Keys file:
    1 M key
    # 1   = the key value
    # M   = the type of key
    # key = the actual key or password
- Types of key:
- A = DES key, ASCII format
- M = MD5 key, ASCII format
- S = DES key, DES format
- N = DES key, NTP format
- Key value:
- Any number 1-65535
- Multiple keys can be used on the same server
- Max 20-character printable ASCII string or a 40-character hex string
- For more information please see: man 5 ntp_auth
There is also a NTP configuration tool at Red Hat (https://access.redhat.com/labs/ntpcc/) that will create the proper configuration files for the clients. You will need the MD5 key from the server to use it. It should save you a lot of time and headaches. You will need a login to use it.
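To make the keys-file rules in this reply concrete, here is an added Python example (my own code, not from the thread, Red Hat, or the ntp project) that parses a keys file following the rules stated above (key id 1-65535, type M or MD5, key of up to 20 printable ASCII characters or a 40-character hex string) and then computes and verifies the symmetric-key MAC ntpd appends to a packet: the 4-byte key id followed by MD5 over the key bytes and the 48-byte NTP header. The sample keys file, the helper names, and the packet are constructed for the example; the key-length interpretation is taken from this reply's wording rather than from ntpd's source, so treat that detail as an assumption.

```python
"""Parse an NTP symmetric keys file and compute/verify the MD5 MAC.

Added example, not code from the thread. Key-file rules follow the reply
above: id 1-65535, type M or MD5, key <= 20 printable ASCII chars or exactly
40 hex chars (assumption: ntpd's own parser has further cases).
"""
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout of the reply's example keys file.
SAMPLE_KEYS_FILE = """\
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535 M akey
1 M pass
2 MD5 }Vp72N9amdf-Qa6`FQ^Y
3 MD5 0123456789abcdef0123456789abcdef01234567
"""

MAX_ASCII_LEN = 20
HEX_LEN = 40
HEADER_LEN = 48                  # NTPv4 header without MAC
MAC_LEN = 4 + 16                 # key id + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01


def parse_keys(text):
    """Return {key_id: key_bytes}; raise ValueError for a malformed line."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment; keys
        if not line:                             # containing '#' not supported
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected '<id> <type> <key>'" % lineno)
        key_id, key_type, key = int(fields[0]), fields[1].upper(), fields[2]
        if not 1 <= key_id <= 65535:
            raise ValueError("line %d: key id must be 1-65535" % lineno)
        if key_type not in ("M", "MD5"):
            raise ValueError("line %d: only M/MD5 keys handled here" % lineno)
        if len(key) <= MAX_ASCII_LEN and key.isascii() and key.isprintable():
            keys[key_id] = key.encode("ascii")   # short key: literal ASCII
        elif len(key) == HEX_LEN:
            keys[key_id] = bytes.fromhex(key)    # 40 hex chars; ValueError if not hex
        else:
            raise ValueError("line %d: key must be <=20 ASCII or 40 hex chars"
                             % lineno)
    return keys


def keys_file_error(text):
    """None if the file parses, otherwise the first problem as a string."""
    try:
        parse_keys(text)
        return None
    except ValueError as exc:
        return str(exc)


def build_client_header(unix_seconds=None):
    """Minimal NTPv4 client header: LI=0, VN=4, mode=3, transmit timestamp set."""
    if unix_seconds is None:
        unix_seconds = time.time()
    header = bytearray(HEADER_LEN)
    header[0] = (4 << 3) | 3                     # VN=4, mode 3 (client)
    secs = (int(unix_seconds) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    struct.pack_into("!II", header, 40, secs, 0)  # transmit timestamp at offset 40
    return bytes(header)


def sign(header, key_id, keys):
    """Append the symmetric-key MAC: key id, then MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys):
    """Return the key id when the MAC checks out under a trusted key, else None
    (no MAC, unknown key id, or digest mismatch)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return None
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, mac[4:]) else None


if __name__ == "__main__":
    trusted = parse_keys(SAMPLE_KEYS_FILE)
    pkt = sign(build_client_header(), 2, trusted)
    print("valid packet  ->", verify(pkt, trusted))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("tampered byte ->", verify(tampered, trusted))
    print("wrong key     ->", verify(pkt, {2: b"not-the-server-key"}))
```

Run stand-alone it signs a constructed client packet with key 2 and shows that a flipped byte, an unknown key id, or a key that differs from the server's all fail verification, which is exactly what happens on the wire when the client's keys file does not match the server's: the packet is still received, but its MAC does not verify and ntpd will not let it steer the clock.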
Sweet. Thanks a lot for your time and assistance, guys. I’ll let you know how it works shortly.
Yep. Key checked, double-checked, and triple-checked.
ntpq -c as
Still no dice. Output of the above is:
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 32163  c01c   yes   no   bad  reject                1
  2 32164  c01c   yes   no   bad  reject                1
The keys in the "keys" file are plaintext, right? I don't have to do the MD5 hash first and put the ASCII text in the file?
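As an added example (my own code, not from the thread), this Python script decodes the hexadecimal status word that `ntpq -c as` prints for each association and flags every configured server whose packets are not passing authentication, which answers the "verify that only authenticated messages influence the client" part of the question without eyeballing the table. The bit layout is the ntpq peer status word (0x8000 configured, 0x4000 authentication enabled, 0x2000 authentic, 0x1000 reachable, bits 10-8 selection status, bits 7-4 event counter, bits 3-0 last event code); the two sample outputs are constructed from the lines quoted in this thread, and the function names are mine.

```python
"""Decode `ntpq -c as` status words and flag unauthenticated associations.

Added example, not code from the thread. Bit layout is the ntpq peer status
word: 0x8000 configured, 0x4000 auth enabled, 0x2000 authentic, 0x1000
reachable, bits 10-8 selection status, bits 7-4 event count, bits 3-0 last
event code.
"""
import re

SELECT_STATUS = ["reject", "falsetick", "excess", "outlier",
                 "candidate", "backup", "sys.peer", "pps.peer"]
PEER_EVENTS = {1: "mobilize", 2: "demobilize", 3: "unreachable",
               4: "reachable", 5: "restart", 6: "no_reply",
               7: "rate_exceeded", 8: "access_denied", 9: "leap_armed",
               10: "sys_peer", 11: "clock_event", 12: "bad_auth",
               13: "popcorn", 14: "interleave_mode", 15: "interleave_error"}

# Constructed from the lines quoted in this thread.
FAILING_OUTPUT = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 32163  c01c   yes   no   bad  reject                1
  2 32164  c01c   yes   no   bad  reject                1
"""
WORKING_OUTPUT = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 64605  f614   yes   yes  ok   sys.peer   reachable    1
"""

# index, association id, 4 hex digit status word
ASSOC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{4})\b")


def decode_status(word):
    """Split a 16-bit peer status word into its named fields."""
    return {
        "conf": bool(word & 0x8000),
        "authenb": bool(word & 0x4000),
        "authentic": bool(word & 0x2000),
        "reach": bool(word & 0x1000),
        "sel": SELECT_STATUS[(word >> 8) & 0x7],
        "count": (word >> 4) & 0xF,
        "event": PEER_EVENTS.get(word & 0xF, "none"),
    }


def parse_as_output(text):
    """Return [(assid, decoded status)] for each association line."""
    result = []
    for line in text.splitlines():
        m = ASSOC_LINE.match(line)
        if m:
            result.append((int(m.group(2)), decode_status(int(m.group(3), 16))))
    return result


def unauthenticated(text):
    """[(assid, reason)] for configured associations not passing authentication.

    An empty list is what 'only authenticated messages influence the clock'
    looks like in this output; a server with no key at all is reported too."""
    findings = []
    for assid, st in parse_as_output(text):
        if not st["conf"] or st["authentic"]:
            continue
        if st["authenb"]:
            reason = ("key configured but MAC not verifying (last event: %s)"
                      % st["event"])
        else:
            reason = "no key configured for this server"
        findings.append((assid, reason))
    return findings


def synced_to_authenticated_peer(text):
    """True only if the selected sys.peer passed authentication."""
    return any(st["sel"] == "sys.peer" and st["authentic"]
               for _, st in parse_as_output(text))


if __name__ == "__main__":
    for label, text in (("failing", FAILING_OUTPUT), ("working", WORKING_OUTPUT)):
        print(label, "->", unauthenticated(text) or "all associations authenticated",
              "| synced to authenticated peer:", synced_to_authenticated_peer(text))
```

Feed it the real output (`ntpq -c as | python3 this_script.py` after swapping the constants for `sys.stdin.read()`) and the two checks give a yes/no answer: `unauthenticated()` must be empty and `synced_to_authenticated_peer()` must be true. Decoding also recovers detail the table hides: the c01c status in the failing output has last event code 12, bad_auth, which ntpq left blank in the last_event column here, so the client did receive replies and rejected them on the MAC rather than never hearing from the server.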
They are plaintext, but have to follow the correct format in the config file or in the keys file.
Did you try the Access Labs link for NTP configuration that I sent earlier?
Here is a sample of what it generates for /etc/ntp.conf using 111.222.333.444 for the NTP server:
# START FILE
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 111.222.333.444 iburst key 1
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
trustedkey 1
# Specify the key identifier to use with the ntpdc utility.
requestkey 1
# Specify the key identifier to use with the ntpq utility.
controlkey 1
# Enable writing of statistics records.
statistics clockstats cryptostats loopstats peerstats sysstats rawstats
# END FILE
The /etc/ntp/keys file contains:
1 MD5 }Vp72N9amdf-Qa6`FQ^Y
The part that looks like this: }Vp72N9amdf-Qa6`FQ^Y should be the same as the key that your NTP server is using to authenticate the other clients on your network. I generated the key with the ntp-keygen command.
The /etc/ntp/crypto/pw file can be empty, but must exist.
Okay, so does the ntp-keygen command just spit out random ASCII text, or do you supply a plaintext word, and it spits out ASCII text representing the MD5 hash of the plaintext?
Wait. I see another difference; I’ve been placing just “M” in the keys file for the encryption algorithm type. Should it be “MD5” for RHEL 6.1?
Everything I’ve seen says that “M” should be fine.