Free Republic

Any Linux Gurus On FR?
http://freerepublic.com ^ | 1/24/2016 | Self

Posted on 01/24/2016 4:32:58 PM PST by Washi

Are there any Linux gurus here?

I've looked around online and asked some questions in various forums, but I'm not getting anywhere. I've found explanations of how to set it up, but no examples. I have yet to get it working.

I am trying to configure an environment with several Red Hat Enterprise Linux 6.1 virtual machines. All of these machines need to be NTP clients of my NTP server. The NTP server uses MD5 authentication, and I need to have the Linux clients authenticate the NTP traffic.

Can someone please post a working "ntp.conf" and "keys" file so that I can see the correct way to enable authentication on my Red Hat Enterprise Linux 6.1 NTP clients?

Also, please recommend the best method to verify that authentication is being used and that only authenticated NTP messages are influencing the clients.

Thanks!


TOPICS: Computers/Internet
KEYWORDS: computers; computing; linux; md5; ntp; techhelp
To: Darth Reardon

Using ntpd.
After editing ntp.conf on the Linux machine with vi, I restart the ntpd service (service ntpd restart).


21 posted on 01/24/2016 6:29:34 PM PST by Washi (All lives matter, or none do.)

To: Washi

Can you post the output of:

ntpq -c as


22 posted on 01/24/2016 6:37:40 PM PST by DataDink

To: DataDink

I’ll do that when I get a chance tomorrow. Thank you.


23 posted on 01/24/2016 6:43:22 PM PST by Washi (All lives matter, or none do.)

To: Washi
Based on the config you sent me, it looks good so far.

I have to ask--You do have the correct key on the client, right?

24 posted on 01/25/2016 3:53:16 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: Washi
From Red Hat:

Client Configuration

driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
server <ntp.server.com> key 1
trustedkey 1
controlkey 1
requestkey 1

# vim /etc/ntp/keys
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535  M  akey
#1      M  pass
1  M  <password>

# service ntpd restart
# ntpq -c as
ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
 1   64605   f614   yes    yes   ok    sys.peer   reachable    1

If compatibility with FIPS 140-2 is required.

Key Explanation

1  M  key

#1 = the key value
#M = the type of key
#key = the actual key or password

25 posted on 01/25/2016 4:48:36 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: Washi

There is also an NTP configuration tool at Red Hat (https://access.redhat.com/labs/ntpcc/) that will create the proper configuration files for the clients. You will need the MD5 key from the server to use it. It should save you a lot of time and headaches. You will need a login to use it.


26 posted on 01/25/2016 5:44:40 AM PST by DataDink

To: DataDink; ShadowAce

Sweet. Thanks a lot for your time and assistance, guys. I’ll let you know how it works shortly.


27 posted on 01/25/2016 7:19:34 AM PST by Washi (All lives matter, or none do.)

To: ShadowAce

Yep. Key checked, double-checked, and triple-checked.


28 posted on 01/25/2016 7:21:17 AM PST by Washi (All lives matter, or none do.)

To: DataDink
Can you post the output of:

ntpq -c as

Still no dice. Output of the above is:

ind  assid  status  conf  reach  auth  condition  last_event  cnt
-----------------------------------------------------------------
  1  32163   c01c   yes    no    bad    reject                  1
  2  32164   c01c   yes    no    bad    reject                  1

The keys in the "keys" file are plaintext, right? I don't have to do the MD5 hash first and put the ASCII text in the file?

29 posted on 01/25/2016 9:49:04 AM PST by Washi (All lives matter, or none do.)
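An added example, not part of any post in this thread: a Python parser for the two `ntpq -c as` outputs shown in posts 25 and 29 that decodes the hex status word, so the auth column can be cross-checked against the authentication bits ntpd reports. The function names are made up for this example; the bit values are the peer status flags from ntpd's ntp_control.h.

```python
# Added example. Both samples are copied from this thread (posts 25 and 29).
GOOD = """\
ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
 1   64605   f614   yes    yes   ok    sys.peer   reachable    1
"""
BAD = """\
ind assid status conf reach auth condition last_event cnt
---------------------------------------------------------
1 32163 c01c yes no bad reject 1
2 32164 c01c yes no bad reject 1
"""

# Flags in the high byte of the peer status word (ntpd's ntp_control.h).
CONFIG, AUTHENABLE, AUTHENTIC, REACH = 0x80, 0x40, 0x20, 0x10


def parse_associations(text):
    """Return one dict per association row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # last_event can be empty (post 29), so only the first 7 columns are positional.
        if len(f) < 7 or not f[0].isdigit():
            continue
        high = int(f[2], 16) >> 8
        rows.append({
            "assid": int(f[1]),
            "auth": f[5],
            "condition": f[6],
            "auth_enabled": bool(high & AUTHENABLE),  # a key is configured for this peer
            "authentic": bool(high & AUTHENTIC),      # last packet passed the MAC check
            "reachable": bool(high & REACH),
            "select": high & 0x07,                    # 0 = reject, 6 = sys.peer
        })
    return rows


def failing(rows):
    """Association IDs that are not both key-configured and passing the MAC check."""
    return [r["assid"] for r in rows if not (r["auth_enabled"] and r["authentic"])]


if __name__ == "__main__":
    for name, sample in (("post 25", GOOD), ("post 29", BAD)):
        print(name, failing(parse_associations(sample)) or "all associations authenticated")
```

In the post 29 output the status word c01c has the authentication-enabled bit set and the authentic bit clear, which is what ntpq prints as "bad": the client is sending keyed requests but no reply has passed verification.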

To: Washi

They are plaintext, but have to follow the correct format in the config file or in the keys file.

Did you try the Access Labs link for NTP configuration that I sent earlier?

Here is a sample of what it generates for /etc/ntp.conf using 111.222.333.444 for the NTP server:

# START FILE
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

server 111.222.333.444 iburst key 1

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
trustedkey 1

# Specify the key identifier to use with the ntpdc utility.
requestkey 1

# Specify the key identifier to use with the ntpq utility.
controlkey 1

# Enable writing of statistics records.
statistics clockstats cryptostats loopstats peerstats sysstats rawstats
# END FILE

The /etc/ntp/keys file contains:

1 MD5 }Vp72N9amdf-Qa6`FQ^Y

the part that looks like this: }Vp72N9amdf-Qa6`FQ^Y
should be the same as the key that your NTP server is using to authenticate the other clients on your network. I generated the key with the ntp-keygen command.

The /etc/ntp/crypto/pw file can be empty, but must exist.


30 posted on 01/25/2016 4:32:16 PM PST by DataDink
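An added example, not part of any post in this thread: how an MD5 symmetric key from the keys file is used on the wire. The sender computes MD5 over the shared secret followed by the 48-byte NTP header and appends the key ID and digest, so the file holds the secret itself and both the secret and the key ID must match on each side. Function names and the request packet are constructed for this example; the secret is the sample from post 30.

```python
import hashlib
import hmac
import struct


def load_keys(text):
    """Parse keys-file lines of the form 'id type key' into {id: key bytes}."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyid, keytype, secret = line.split(None, 2)
        # Both spellings of the type field appear in this thread.
        if keytype.upper() not in ("M", "MD5"):
            raise ValueError("unsupported key type: " + keytype)
        keys[int(keyid)] = secret.encode("ascii")
    return keys


def mac(key, packet):
    """Symmetric-key NTP MAC: MD5 over the shared secret followed by the packet."""
    return hashlib.md5(key + packet).digest()


def sign(packet, keyid, keys):
    """Append the 4-byte key ID and the 16-byte digest to a 48-byte NTP header."""
    return packet + struct.pack("!I", keyid) + mac(keys[keyid], packet)


def verify(message, keys):
    """Receiver side: look up the key ID, recompute the digest, compare."""
    packet, (keyid,) = message[:48], struct.unpack("!I", message[48:52])
    key = keys.get(keyid)
    return key is not None and hmac.compare_digest(message[52:68], mac(key, packet))


# Constructed input: the sample secret from post 30 and an otherwise empty request.
SECRET = "}Vp72N9amdf-Qa6`FQ^Y"
SERVER = load_keys("1 MD5 " + SECRET)
REQUEST = bytes([0x23]) + bytes(47)  # LI=0, VN=4, Mode=3 (client)


def demo():
    same = load_keys("1 M " + SECRET)  # secret copied as-is
    hashed = load_keys("1 M " + hashlib.md5(SECRET.encode()).hexdigest())  # digest of it
    other_id = load_keys("2 M " + SECRET)  # right secret, different key ID
    return tuple(verify(sign(REQUEST, kid, k), SERVER)
                 for kid, k in ((1, same), (1, hashed), (2, other_id)))


if __name__ == "__main__":
    print(demo())
```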

To: DataDink
The /etc/ntp/keys file contains:

1 MD5 }Vp72N9amdf-Qa6`FQ^Y

the part that looks like this: }Vp72N9amdf-Qa6`FQ^Y should be the same as the key that your NTP server is using to authenticate the other clients on your network. I generated the key with the ntp-keygen command.

Okay, so does the ntp-keygen command just spit out random ASCII text, or do you supply a plaintext word, and it spits out ASCII text representing the MD5 hash of the plaintext?

31 posted on 01/25/2016 7:12:40 PM PST by Washi (All lives matter, or none do.)

To: Washi

Wait. I see another difference; I’ve been placing just “M” in the keys file for the encryption algorithm type. Should it be “MD5” for RHEL 6.1?


32 posted on 01/25/2016 7:58:33 PM PST by Washi (All lives matter, or none do.)

To: Washi

Everything I’ve seen says that “M” should be fine.


33 posted on 01/26/2016 3:19:31 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

