Hello everyone,
I've been trying to set up NTP authentication between a server and a workstation. Both point to the same NTP server which is on a different physical box with its own IP address. I followed the steps below but I get the following result. How can I get this working?
Expected (on workstation):
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 12345   f123   yes   yes   ok   sys.peer   reachable   1
Result:
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 12345   c000   yes   yes  bad     reject
Directions followed:
Server Configuration
• Ensure the following entries are in /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server <ntp.server.com>
broadcast <broadcast/multicast ip> autokey
crypto
includefile /etc/ntp/crypto/pw
keysdir /etc/ntp/
• Generate the server-side keys
# cd /etc/ntp
# ntp-keygen -T -p password
• Restart the NTP service
# service ntpd restart
• Ensure that the service started
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 <brdcst.address>   .BCST.       16 u    -   64    0    0.000    0.000   0.000
 <ntp.server.com>   <refid>       5 u   17   64  377    0.000    0.000   0.000
Client Configuration
• Ensure the following entries are in /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
crypto
includefile /etc/ntp/crypto/pw
keysdir /etc/ntp/
server <ntp.server.com> autokey
• Generate the client-side keys
# cd /etc/ntp
# ntp-keygen -H -p clientpassword
• Restart the NTP service
• Ensure authenticated NTP is connecting successfully
# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 12345   f123   yes   yes   ok   sys.peer   reachable   1
Crypto Configuration
• Sample /etc/ntp/crypto/pw file
# Specify the password to decrypt files containing private keys and identity
# parameters. This is required only if these files have been encrypted.
#
crypto pw <password>
Diagnostic Steps
Troubleshooting the Configuration
• For error: "RAND_load_file /root/.rnd not found or empty"
dd if=/dev/urandom of=/root/.rnd bs=512 count=1
• For error: "crypto_setup: random seed file not found error:"
Add a "crypto randfile /dev/urandom" entry to /etc/ntp.conf
• Important: Ensure that no keys, key directories, or files containing passwords are world readable
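Because the question comes down to reading the status, auth and condition columns of `ntpq -c as`, here is an added example (my own code, not from the original post or from the NTP distribution) that decodes the hex status word using the peer status bit layout of ntpd's control protocol and lists associations where authentication is enabled but no packet has authenticated, which is exactly the "auth bad / reject" state shown above. The sample output it parses is constructed.

```python
# Added example: decode the status word printed by "ntpq -c as".
# Layout follows ntpd's control protocol: high byte = peer status flags
# (0x80 conf, 0x40 authenb, 0x20 authentic, 0x10 reach) with its low 3 bits
# holding the selection code; low byte = event count (high nibble), event code (low nibble).
import re

SELECT = ["reject", "falsetick", "excess", "outlier",
          "candidate", "backup", "sys.peer", "pps.peer"]
EVENTS = ["", "mobilize", "demobilize", "unreachable", "reachable", "restart",
          "no_reply", "rate_exceeded", "access_denied", "leap_armed", "sys_peer",
          "clock_event", "bad_auth", "popcorn", "interleave_mode", "interleave_error"]

def decode_peer_status(word):
    """Describe a 16-bit peer status word given as an int or a hex string."""
    w = int(word, 16) if isinstance(word, str) else word
    flags = w >> 8
    return {
        "conf": bool(flags & 0x80),
        "authenb": bool(flags & 0x40),     # authentication enabled for this peer
        "authentic": bool(flags & 0x20),   # last packet passed authentication
        "reach": bool(flags & 0x10),
        "condition": SELECT[flags & 0x07],
        "count": (w >> 4) & 0x0F,
        "last_event": EVENTS[w & 0x0F],
    }

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{4})\b")  # ind assID status

def parse_associations(text):
    """Return (assID, decoded status) pairs from 'ntpq -c as' output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((int(m.group(2)), decode_peer_status(m.group(3))))
    return found

def auth_failures(text):
    """assIDs where authentication is enabled but no packet has authenticated."""
    return [aid for aid, st in parse_associations(text)
            if st["authenb"] and not st["authentic"]]

# Constructed sample output: a healthy autokey peer and one stuck in the
# 'auth bad / reject' state seen on the workstation.
SAMPLE = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 12345   f61a   yes   yes  ok   sys.peer    sys_peer  1
  2 12346   c000   yes    no  bad    reject               0
"""
```

Feeding the real output of `ntpq -c as` to `auth_failures()` from a cron job or monitoring check gives a quick alert whenever an autokey peer stops authenticating.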