Now that we have enabled NTP authentication on our own stratum 1 NTP servers (Linux/Raspbian and Meinberg LANTIME) we need to set up this SHA-1 based authentication on our clients. Here we go for a standard Linux ntp setup:
Note that when you’re using multiple NTP servers (which I highly recommend; refer to Why should I run own NTP Servers?) you must use a different key and key ID for each of them. Obviously you can’t reuse the same “key number 11” for different NTP servers when each of them has its own randomly generated key. In my lab I’m using three stratum 1 NTP servers (Pi DCF77, Pi GPS, Meinberg M200) with the key IDs 11, 12, and 13.
NTP Client Setup
Everything takes place solely on the NTP client. The first step is to create the ntp.keys file with the needed keys.
sudo nano /etc/ntp.keys
In my case it’s:
#ntp1.weberlab.de
11 SHA1 7f3682c57faef9c87ea2eb473c393f5d61aa01ce # SHA1 key
#ntp2.weberlab.de
12 SHA1 897a2dc01c9903a8eb89162410f9e40fecc59cee # SHA1 key
#ntp3.weberlab.de
13 SHA1 01ff36b6b7bb0a9028e15cf1620b6308a901d3d2 # SHA1 key
The second step is to refer to this ntp.keys file, trusting those three keys, and using them on the appropriate NTP servers.
sudo nano /etc/ntp.conf, adding/modifying those lines:
#server statements with the key ID
server ntp1.weberlab.de iburst key 11
server ntp2.weberlab.de iburst key 12
server ntp3.weberlab.de iburst prefer key 13
#path to the ntp.keys file
keys /etc/ntp.keys
#currently trusted keys out of that ntp.keys file
trustedkey (11 ... 13)
Followed by a restart of ntp:
sudo service ntp restart
Verify
Of course you should verify whether everything is working as expected. At first the well-known
ntpq -p
to show the peers (which does not yet tell you whether NTP authentication is working). Lines 5-7 are my three stratum 1 NTP servers, while I am also querying a public pool:
pi@pi05-random:~ $ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.001
+2003:de:2016:33 .DCFa.           1 u    2   64  177   55.803  -22.469   7.273
+2003:de:2016:33 .PPS.            1 u    5   64  177    3.748    0.741   0.607
*2003:de:2016:33 .PZF.            1 u    2   64  177    3.808    0.389   0.363
-217.79.179.106  192.53.103.104   2 u    2   64  177    5.468    0.753   0.331
-mail.morbitzer. 193.171.23.163   2 u   65   64   77    4.528    1.225   1.002
-ns1.customer-re 192.53.103.108   2 u    1   64  177    7.690   -0.213   1.960
Displaying the associations shows a column “auth” which clearly states that those three NTP servers are “ok”, i.e., authenticated:
pi@pi05-random:~ $ ntpq -c asso
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 34432  8811   yes  none  none    reject    mobilize  1
  2 34433  f414   yes   yes   ok  candidate   reachable  1
  3 34434  f41a   yes   yes   ok  candidate    sys_peer  1
  4 34435  f61a   yes   yes   ok   sys.peer    sys_peer  1
  5 34436  1314    no   yes none    outlier   reachable  1
  6 34437  1314    no   yes none    outlier   reachable  1
  7 34438  1314    no   yes none    outlier   reachable  1
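To turn this manual look at the “auth” column into something you can run from cron or a monitoring check, here is an added shell example (not part of the original post): it counts the `server … key N` lines in ntp.conf and fails if `ntpq -c asso` shows any association with auth “bad”, or fewer associations with auth “ok” than keyed servers. The sample ntp.conf fragment and asso output are constructed to mirror the lab above, and the function names are my own.

```shell
# Constructed ntp.conf fragment and `ntpq -c asso` output, laid out like the
# post's lab. In production pass the real files/output instead, e.g.
#   check_ntp_auth "$(cat /etc/ntp.conf)" "$(ntpq -c asso)"
SAMPLE_CONF='server ntp1.weberlab.de iburst key 11
server ntp2.weberlab.de iburst key 12
server ntp3.weberlab.de iburst prefer key 13
pool 0.debian.pool.ntp.org iburst
keys /etc/ntp.keys
trustedkey (11 ... 13)'

SAMPLE_ASSO='ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 34432  8811   yes  none  none    reject    mobilize  1
  2 34433  f414   yes   yes   ok  candidate   reachable  1
  3 34434  f41a   yes   yes   ok  candidate    sys_peer  1
  4 34435  f61a   yes   yes   ok   sys.peer    sys_peer  1
  5 34436  1314    no   yes none    outlier   reachable  1'

# Count server/peer lines in ntp.conf ($1) that carry a "key N" option: that
# is how many associations must show auth = ok. A "pool" line never counts,
# because its prototype association legitimately reports auth = none.
expected_auth_peers() {
    printf '%s\n' "$1" \
        | grep -Ec '^[[:space:]]*(server|peer)[[:space:]].*[[:space:]]key[[:space:]]+[0-9]+' \
        || true
}

# $1 = ntp.conf text, $2 = `ntpq -c asso` output.
# Returns 0 when no association reports auth = bad and the number of
# auth = ok peers equals the number of key-configured servers; otherwise
# prints what is wrong and returns 1.
check_ntp_auth() {
    want=$(expected_auth_peers "$1")
    printf '%s\n' "$2" | awk -v want="$want" '
        BEGIN { want += 0; ok = 0; bad = 0 }
        NR <= 2 { next }                      # header and ===== separator
        $6 == "bad" { printf "assid %s: key configured but authentication FAILED\n", $2; bad++ }
        $6 == "ok"  { ok++ }
        END {
            if (ok != want) {
                printf "expected %d authenticated peers, found %d\n", want, ok
                bad++
            }
            if (bad > 0) exit 1
            exit 0
        }'
}
```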
Furthermore you can display the authinfo section which shows the count of encryptions/decryptions. Both should increase over time:
pi@pi05-random:~ $ ntpq -c authinfo
time since reset:       1486
stored keys:            3
free keys:              0
key lookups:            164
keys not found:         0
uncached keys:          112
expired keys:           0
encryptions:            82
decryptions:            82
If you’re interested in how authenticated NTP packets look on the wire, have a look at my downloadable pcap file at Packet Capture: Network Time Protocol (NTP).
Yo. Cheers.
Featured image “Unterschrift mit Füller” by Tim Reckmann is licensed under CC BY 2.0.