As already pointed out in my NTP intro blogpost Why should I run own NTP Servers?, it is crucial to use NTP authentication so that the time distributed throughout your network is as trustworthy as possible: a client can then verify that a reply really came from one of your servers and was not altered on the way. Hence the first step is to enable NTP authentication on your own stratum 1 NTP servers, in my case two Raspberry Pis with DCF77/GPS reference clocks.
Luckily it is quite easy to deploy NTP authentication. You only need to generate some NTP keys and trust them in your ntp.conf configuration file.
You can use the tool ntp-keygen -M in order to "Generate a new symmetric keys file containing 10 MD5 keys, and if OpenSSL is available, 10 SHA keys". I'm doing it in the /etc/ folder to have the key file in the correct place. Note that ntp-keygen in fact generates a keyfile as well as a link called "ntp.keys". Note also the permissions in the listing below: the key file is readable only by root and its group, which is exactly what you want for a shared secret. Finally, I am showing the keys here:
pi@ntp1-dcf77:~ $ cd /etc/
pi@ntp1-dcf77:/etc $ sudo ntp-keygen -M
Using OpenSSL version OpenSSL 1.1.0f 25 May 2017
Generating new md5 file and link
ntp.keys->ntpkey_MD5key_ntp1-dcf77.3762232712
pi@ntp1-dcf77:/etc $ ls -ahl ntp*
-rw-r--r-- 1 root root 3.0K Dec  6 18:09 ntp.conf
-rw-r----- 1 root root 1.1K Mar 22 09:38 ntpkey_MD5key_ntp1-dcf77.3762232712
lrwxrwxrwx 1 root root   35 Mar 22 09:38 ntp.keys -> ntpkey_MD5key_ntp1-dcf77.3762232712
pi@ntp1-dcf77:/etc $ sudo cat ntp.keys
# ntpkey_MD5key_ntp1-dcf77.3762232712
# Fri Mar 22 09:38:32 2019
 1 MD5 3P4Z3D6~!23CxA_^H7{8  # MD5 key
 2 MD5 S?X=L^k6su;LCB}wzx's  # MD5 key
 3 MD5 ZZW"/]O>"(Lb_sRj2_H6  # MD5 key
 4 MD5 [,eZMJ2HVp%8a$iv$}_*  # MD5 key
 5 MD5 ay4SZtX$VuooRx9XD+d+  # MD5 key
 6 MD5 &3'[?OHG-S_{,N2]ww3a  # MD5 key
 7 MD5 no12'j{YT//-_{Cc_roz  # MD5 key
 8 MD5 ,r^m&o*ja)(8uY_Oh0b^  # MD5 key
 9 MD5 aT'2I}5,H\H5}[=<7Xf&  # MD5 key
10 MD5 /E~SJtQ?N=}u_CabM.w.  # MD5 key
11 SHA1 7f3682c57faef9c87ea2eb473c393f5d61aa01ce  # SHA1 key
12 SHA1 c131d3fd7d2124e1a1ed79f749dea029a3cd96ab  # SHA1 key
13 SHA1 106dd966568a4b1a1d16b455ec6c5b68d1dee9dd  # SHA1 key
14 SHA1 30ebd563e8011674b713d137dbea7d066cdadb63  # SHA1 key
15 SHA1 5f05e14049f8184dc0e3005f6b5983648558773a  # SHA1 key
16 SHA1 f7da7094edecb54c5b7dacc1c49d19b211542361  # SHA1 key
17 SHA1 7bdcb8a174678ed68dbbbb6f575c23e734ede64f  # SHA1 key
18 SHA1 19128492659fbec92fa85319f4429a9f3954c92a  # SHA1 key
19 SHA1 16fa1955a34bd5b03116e1b43cfccbb1e73e8cd0  # SHA1 key
20 SHA1 e54d088aa387b2cc94943055fd8877249d55ba6d  # SHA1 key
The second step is to enable NTP authentication by telling ntpd which keyfile to use and which key IDs to trust. Only the SHA-1 keys (IDs 11 to 20) are trusted here; the MD5 keys stay in the file but are never accepted:
sudo nano /etc/ntp.conf
and add these lines:
# Specifies the complete directory path for the key file containing the key IDs,
# key types and keys used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography.
keys /etc/ntp.keys
# Specifies the key ID(s) which are trusted for the purposes of authenticating peers
# with symmetric key cryptography.
trustedkey (11 ... 20)
Followed by a restart of ntp:
sudo service ntp restart
That's it. You can now use those SHA-1 keys on your NTP clients to authenticate the replies from this specific NTP server. Keep in mind that these are symmetric keys, i.e. shared secrets: copy the key file to the clients over a secure channel (scp, not e-mail or a ticket), keep it root-only readable there as well, and remember that anyone who obtains a key can forge authenticated replies from that server. In case you need more keys, simply run
ntp-keygen -M
one more time in another folder (e.g., your home directory), and append the new keys to the initially generated keyfile, of course only the SHA-1 ones and with increased key IDs, such as 21-30, since a fresh run numbers its keys from 1 again and the IDs must match between server and clients.
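The bookkeeping behind the last two steps (parsing an ntp-keygen -M key file, merging the SHA-1 keys of a second run under fresh IDs, and emitting the matching server and client ntp.conf lines) as an added example in Python. This is my own code, not the author's or the ntp project's; the two key files, their keys and the hostname ntp1-dcf77.example.net are constructed for the example.

```python
import re

# ntpd symmetric key IDs run from 1 to 65535; larger values are reserved for Autokey.
MAX_KEY_ID = 65535

# Constructed sample files in the line format ntp-keygen -M writes ("<id> <type> <key> # comment"):
# MD5 keys are up to 20 printable characters, SHA1 keys 40 hex digits.
# These are made-up keys, not the ones from the post.
EXISTING_KEYS_FILE = """\
# ntpkey_MD5key_example.3762232712
# Fri Mar 22 09:38:32 2019
 1 MD5 aaaaaaaaaaaaaaaaaaaa  # MD5 key
 2 MD5 bbbbbbbbbbbbbbbbbbbb  # MD5 key
11 SHA1 0123456789abcdef0123456789abcdef01234567  # SHA1 key
12 SHA1 89abcdef0123456789abcdef0123456789abcdef  # SHA1 key
"""

# A second run of ntp-keygen -M (in another directory) starts numbering at 1 again,
# so its IDs collide with the first file and must be renumbered before merging.
NEW_KEYS_FILE = """\
# ntpkey_MD5key_example.3762300000
 1 MD5 cccccccccccccccccccc  # MD5 key
11 SHA1 fedcba9876543210fedcba9876543210fedcba98  # SHA1 key
12 SHA1 00112233445566778899aabbccddeeff00112233  # SHA1 key
"""

KEY_LINE = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\S+)")


def parse_keys(text):
    """Return {key_id: (type, key_text)} from key-file text, skipping comment and blank lines."""
    keys = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable key line: {line!r}")
        key_id, key_type, key_text = int(m.group(1)), m.group(2).upper(), m.group(3)
        if not 1 <= key_id <= MAX_KEY_ID:
            raise ValueError(f"key ID {key_id} out of range")
        if key_id in keys:
            raise ValueError(f"duplicate key ID {key_id}")
        keys[key_id] = (key_type, key_text)
    return keys


def merge_sha1_keys(existing, new_file_text):
    """Append only the SHA1 keys from a freshly generated file, renumbered consecutively
    after the highest ID already present (the post's 'increased key IDs' step)."""
    merged = dict(existing)
    next_id = max(existing, default=0) + 1
    for _, (key_type, key_text) in sorted(parse_keys(new_file_text).items()):
        if key_type != "SHA1":
            continue                      # MD5 keys of the new run are dropped, as in the post
        if next_id > MAX_KEY_ID:
            raise ValueError("no free key IDs left")
        merged[next_id] = (key_type, key_text)
        next_id += 1
    return merged


def render_keys(keys):
    """Write the table back in ntp-keygen's line format."""
    return "".join(f"{key_id:2d} {key_type} {key_text}  # {key_type} key\n"
                   for key_id, (key_type, key_text) in sorted(keys.items()))


def server_config(keys, keyfile="/etc/ntp.keys"):
    """ntp.conf lines for the server: trust the SHA1 IDs only, as the post does."""
    ids = [str(k) for k, (t, _) in sorted(keys.items()) if t == "SHA1"]
    return f"keys {keyfile}\ntrustedkey {' '.join(ids)}\n"


def client_config(server, key_id, keyfile="/etc/ntp.keys"):
    """ntp.conf lines for a client that accepts only replies from `server` carrying a MAC
    made with `key_id` (the client's keyfile must hold the same ID with the same key)."""
    return f"keys {keyfile}\ntrustedkey {key_id}\nserver {server} iburst key {key_id}\n"


if __name__ == "__main__":
    merged = merge_sha1_keys(parse_keys(EXISTING_KEYS_FILE), NEW_KEYS_FILE)
    print(render_keys(merged))
    print(server_config(merged))
    print(client_config("ntp1-dcf77.example.net", 11))
```

Running it prints the merged file with the new SHA-1 keys as IDs 13 and 14, a trustedkey line listing 11 12 13 14, and the client-side lines; the parser rejects duplicate or out-of-range IDs, which is the mistake that silently breaks authentication when two files are concatenated by hand.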
For further details please refer to the official Authentication Support documentation from ntp. "By default, the client sends non-authenticated packets and the server responds with non-authenticated packets. If the client sends authenticated packets, the server responds with authenticated packets if correct, or a crypto-NAK packet if not." A crypto-NAK carries only a key ID of zero in place of the MAC (RFC 5905, section 7.3); a client receiving one treats the authentication as failed and will not synchronize to that server.
If you’re interested in how those authenticated NTP packets look on the wire download an appropriate pcap file here: Packet Capture: Network Time Protocol (NTP).
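To make the on-the-wire format concrete, here is an added example (my own code, not from the post or from ntpd) that builds an NTPv4 client request, appends the symmetric-key MAC as defined in RFC 5905 (4-byte key ID followed by digest(key || packet)), and then classifies incoming packets the way a peer with a keys file and a trustedkey line would: unauthenticated, crypto-NAK, untrusted key, bad MAC, or OK. The key table is constructed (these are not the post's keys); the hex-decoding of 40-digit keys follows how ntpd reads the keys file (keys of 20 characters or fewer are used verbatim, longer ones are hex), and the example assumes packets without extension fields, i.e. the MAC starts right after the 48-byte header.

```python
import binascii
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
DIGEST_LEN = {"MD5": 16, "SHA1": 20}

# Constructed key table in ntp.keys form (NOT the keys from the post):
# key 1 is an MD5 key held verbatim as 20 printable characters, key 11 a SHA1 key as 40 hex digits.
KEYS = {
    1: ("MD5", "Zx8$qW!pL2-mN7@vB4&k"),
    11: ("SHA1", "0123456789abcdef0123456789abcdef01234567"),
}
# Mirrors "trustedkey (11 ... 20)": the MD5 key is on file but must never be accepted.
TRUSTED = {11}


def key_bytes(key_type, key_text):
    """ntpd uses a key of 20 characters or fewer verbatim and hex-decodes longer ones;
    ntp-keygen -M writes SHA1 keys as 40 hex digits, i.e. 20 raw key bytes."""
    if len(key_text) <= 20:
        return key_text.encode("ascii")
    return binascii.unhexlify(key_text)


def build_client_request(transmit_ts):
    """Minimal 48-byte NTPv4 client (mode 3) header; only the transmit timestamp is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                   # LI=0, version 4, mode 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
    header += struct.pack("!II4s", 0, 0, b"\x00" * 4)      # root delay, root dispersion, reference ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)   # reference/origin/receive/transmit timestamps
    return header


def compute_mac(key_id, key_type, key, packet):
    """RFC 5905 MAC: big-endian key ID followed by digest(key || packet)."""
    h = hashlib.new(key_type.lower())
    h.update(key)
    h.update(packet)
    return struct.pack("!I", key_id) + h.digest()


def authenticate(packet, key_id):
    """Append the MAC a client with this keys file would send."""
    key_type, key_text = KEYS[key_id]
    return packet + compute_mac(key_id, key_type, key_bytes(key_type, key_text), packet)


def verify(packet):
    """Classify a received packet against KEYS and TRUSTED. Assumes no extension fields,
    so everything after the 48-byte header is the MAC (or the 4-byte crypto-NAK)."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short packet")
    body, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        return "unauthenticated"
    if mac == b"\x00" * 4:
        return "crypto-nak"                 # key ID 0 and no digest: the peer rejected our MAC
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in TRUSTED or key_id not in KEYS:
        return "untrusted-key"
    key_type, key_text = KEYS[key_id]
    if len(mac) != 4 + DIGEST_LEN[key_type]:
        return "bad-mac"
    expected = compute_mac(key_id, key_type, key_bytes(key_type, key_text), body)
    return "ok" if hmac.compare_digest(expected, mac) else "bad-mac"


if __name__ == "__main__":
    request = authenticate(build_client_request(0x0123456789ABCDEF), 11)
    print(len(request), "bytes:", request.hex())
    print(verify(request))
    tampered = request[:40] + b"\xff" * 8 + request[48:]   # altered transmit timestamp, same MAC
    print(verify(tampered))
    print(verify(request[:48] + b"\x00" * 4))              # what a crypto-NAK looks like
```

The authenticated request is 72 bytes: 48 bytes of header plus a 24-byte MAC (4-byte key ID 11 and a 20-byte SHA-1 digest), which is what you will see at the end of each packet in the capture. Flipping any header byte invalidates the MAC, and a packet signed with the MD5 key 1 is refused even though the key is on file, because it is not in the trustedkey set.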
Featured image “Verträge sind gemacht” by Rolf van Melis is licensed under CC BY-NC-ND 2.0.