During my work with a couple of NTP servers, I had many situations in which I just wanted to know whether an NTP server is up and running or not. For this purpose, I used two small Linux tools that do almost the same thing: a single CLI command that does not actually update any clock but only displays the result. These are ntpdate and sntp. Of course, IPv6 support is mandatory, as is the ability to test NTP authentication.
Refer to my “Packet Capture: Network Time Protocol (NTP)” blogpost to download a pcap with different NTP packets, or at least to have a look at them in the screenshots.
ntpdate
You can use ntpdate with the “-q” switch to “Query only – don’t set the clock”. This is a very basic run:
weberjoh@nb15-lx:~$ ntpdate -q ntp3.weberlab.de
server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002689, delay 0.02620
21 Mar 16:56:05 ntpdate[30627]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002689 sec
When using an FQDN with a couple of A/AAAA records, ntpdate queries all of them:
weberjoh@nb15-lx:~$ ntpdate -q ntp.weberlab.de
server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002768, delay 0.02623
server 2003:de:2016:336::dcf7:123, stratum 1, offset -0.024801, delay 0.07458
server 2003:de:2016:330::6b5:123, stratum 1, offset -0.002645, delay 0.02663
21 Mar 17:00:55 ntpdate[30631]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002768 sec
Furthermore, you can query several names at once:
weberjoh@nb15-lx:~$ ntpdate -q ntp.weberlab.de de.pool.ntp.org
server 2003:de:2016:336::dcf7:123, stratum 1, offset -0.003254, delay 0.03484
server 2003:de:2016:330::6b5:123, stratum 1, offset -0.002702, delay 0.02657
server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002803, delay 0.02618
server 81.7.4.127, stratum 2, offset 0.000870, delay 0.03607
server 217.91.44.17, stratum 2, offset -0.000245, delay 0.03961
server 212.112.228.242, stratum 2, offset -0.003942, delay 0.03146
server 81.3.27.46, stratum 3, offset -0.001936, delay 0.03152
21 Mar 17:02:30 ntpdate[30636]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002803 sec
Debugging & NTP Authentication
Even more relevant for my lab tests is the ability to test NTP authentication. For this I use the debugging mode “-d”, which prints out all steps (while still not updating the local clock), in conjunction with -a <key-id> and -k <keyfile>. For this example I used two SHA1 keys from one of my NTP servers (ntp3.weberlab.de):
weberjoh@nb15-lx:~$ cat ntp3.keys
11 SHA1 c8ea1e9d5496925e12b903945a4d87c93450f37d # SHA1 key
12 SHA1 b8ea1e9d5496925e12b903945a4d87c93450f37d # SHA1 key
While key number 11 is indeed correct (receive: authentication passed):
weberjoh@nb15-lx:~$ ntpdate -a 11 -k ~/ntp3.keys -d ntp3.weberlab.de
21 Mar 17:08:34 ntpdate[30707]: ntpdate 4.2.8p4@1.3265-o Fri Jul 6 20:10:56 UTC 2018 (1)
Looking for host ntp3.weberlab.de and service ntp
host found : 2003:de:2016:330::dcfb:123
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication passed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication passed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication passed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication passed
server 2003:de:2016:330::dcfb:123, port 123
stratum 1, precision -18, leap 00, trust 000
refid [PZF], delay 0.02641, dispersion 0.00002
transmitted 4, in filter 4
reference time: e03e3586.0962cd3a Thu, Mar 21 2019 17:08:38.036
originate timestamp: e03e3588.28a90bc1 Thu, Mar 21 2019 17:08:40.158
transmit timestamp: e03e3588.290dd0a3 Thu, Mar 21 2019 17:08:40.160
filter delay: 0.02678 0.02641 0.02644 0.02647 0.00000 0.00000 0.00000 0.00000
filter offset: -0.00247 -0.00259 -0.00262 -0.00258 0.000000 0.000000 0.000000 0.000000
delay 0.02641, dispersion 0.00002
offset -0.002595
21 Mar 17:08:40 ntpdate[30707]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002595 sec
I falsified key number 12 on purpose to test the output (receive: authentication failed):
weberjoh@nb15-lx:~$ ntpdate -a 12 -k ~/ntp3.keys -d ntp3.weberlab.de
21 Mar 17:14:13 ntpdate[30778]: ntpdate 4.2.8p4@1.3265-o Fri Jul 6 20:10:56 UTC 2018 (1)
Looking for host ntp3.weberlab.de and service ntp
host found : 2003:de:2016:330::dcfb:123
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication failed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication failed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication failed
transmit(2003:de:2016:330::dcfb:123)
receive(2003:de:2016:330::dcfb:123)
receive: authentication failed
2003:de:2016:330::dcfb:123: Server dropped: Server is untrusted
server 2003:de:2016:330::dcfb:123, port 123
stratum 1, precision -18, leap 00, trust 017
refid [PZF], delay 0.02647, dispersion 0.00002
transmitted 4, in filter 4
reference time: e03e36d6.096369ef Thu, Mar 21 2019 17:14:14.036
originate timestamp: e03e36db.eeb096a4 Thu, Mar 21 2019 17:14:19.932
transmit timestamp: e03e36db.eefa3bbd Thu, Mar 21 2019 17:14:19.933
filter delay: 0.02681 0.02658 0.02650 0.02647 0.00000 0.00000 0.00000 0.00000
filter offset: -0.00200 -0.00217 -0.00213 -0.00214 0.000000 0.000000 0.000000 0.000000
delay 0.02647, dispersion 0.00002
offset -0.002146
21 Mar 17:14:19 ntpdate[30778]: no server suitable for synchronization found
Mission accomplished.
sntp
As an alternative, you can use sntp as well. By default, sntp writes “the estimated correct local date and time (i.e. not UTC) to the standard output”:
pi@pi05-random:~ $ sntp ntp3.weberlab.de
sntp 4.2.8p10@1.3728-o Sat Mar 10 17:59:48 UTC 2018 (1)
kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory
2019-03-21 17:23:56.922791 (-0100) +0.00035 +/- 0.000474 ntp3.weberlab.de 2003:de:2016:330::dcfb:123 s1 no-leap
The “kod_init_kod_db” warning is normal and can be ignored.
Debugging & NTP Authentication
Fortunately, the options are quite the same when it comes to debugging and NTP authentication. That is: -d -a <key-id> -k <keyfile>. Having the same two keys (11 ok, 12 not ok) in place, this gives the following output for “authenticated using key id 11”:
pi@ntp2-gps:~ $ sntp -d -a 11 -k ~/ntp3.keys ntp3.weberlab.de
sntp 4.2.8p12@1.3728-o Thu Nov 8 11:39:41 UTC 2018 (1)
kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory
handle_lookup(ntp3.weberlab.de,0x2)
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
generate_pkt: key_id 11, key pointer 0x2416878
generate_pkt: mac_size is 20
sntp sendpkt: Sending packet to [2003:de:2016:330::dcfb:123]:123 ...
Packet sent.
sock_cb: ntp3.weberlab.de [2003:de:2016:330::dcfb:123]:123
sntp sock_cb: packet from 2003:de:2016:330::dcfb:123 authenticated using key id 11.
2019-03-21 17:37:39.872110 (-0100) +0.00241 +/- 0.001833 ntp3.weberlab.de 2003:de:2016:330::dcfb:123 s1 no-leap
as well as for “Crypto NAK”:
pi@ntp2-gps:~ $ sntp -d -a 12 -k ~/ntp3.keys ntp3.weberlab.de
sntp 4.2.8p12@1.3728-o Thu Nov 8 11:39:41 UTC 2018 (1)
kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory
handle_lookup(ntp3.weberlab.de,0x2)
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
generate_pkt: key_id 12, key pointer 0x10018e0
generate_pkt: mac_size is 20
sntp sendpkt: Sending packet to [2003:de:2016:330::dcfb:123]:123 ...
Packet sent.
sock_cb: ntp3.weberlab.de [2003:de:2016:330::dcfb:123]:123
Crypto NAK = 0x00000000 from 2003:de:2016:330::dcfb:123
sock_cb: handle_pkt() returned 1
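What the two sntp runs above exercise on the wire, as an added Python sketch (not part of the original post and not code from the NTP project): the 4-byte key ID plus a 20-byte SHA1 digest over key and header (the “mac_size is 20”), and the crypto-NAK reply, which carries key ID 0 and no digest. The key values, the zeroed packet headers and all function names are constructed for illustration, and extension fields are not handled.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTPv4 header; this sketch assumes no extension fields

def load_keys(text):
    """Parse ntp.keys lines ('<id> <type> <key> # comment') into {id: (type, key)}."""
    keys = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 3:
            # Secrets longer than 20 characters are hex-encoded in ntp.keys.
            raw = bytes.fromhex(f[2]) if len(f[2]) > 20 else f[2].encode()
            keys[int(f[0])] = (f[1].lower(), raw)
    return keys

def make_mac(header, key_id, keys):
    """Key ID (4 bytes, network order) followed by digest(key || header)."""
    algo, raw = keys[key_id]
    return struct.pack("!I", key_id) + hashlib.new(algo, raw + header).digest()

def classify(packet, keys):
    """Label a received packet in the terms the debug output above uses."""
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not trailer:
        return "unauthenticated"
    key_id = int.from_bytes(trailer[:4], "big")
    if len(trailer) == 4 and key_id == 0:
        return "crypto-NAK"
    if key_id not in keys:
        return "unknown key id"
    ok = hmac.compare_digest(make_mac(header, key_id, keys), trailer)
    return "authentication passed" if ok else "authentication failed"

# Constructed sample keys (not the ones from the post); key 12 differs by one
# hex digit on the client, mirroring the deliberately falsified key above.
K11 = "11 SHA1 00112233445566778899aabbccddeeff00112233 # SHA1 key\n"
SERVER_KEYS = load_keys(K11 + "12 SHA1 a0112233445566778899aabbccddeeff00112233")
CLIENT_KEYS = load_keys(K11 + "12 SHA1 b0112233445566778899aabbccddeeff00112233")
REQUEST = bytes([0x23]) + bytes(47)  # LI=0, VN=4, Mode=3 (client), rest zeroed

def exchange(key_id):
    """Return (server's verdict on the request, client's verdict on the reply)."""
    verdict = classify(REQUEST + make_mac(REQUEST, key_id, CLIENT_KEYS), SERVER_KEYS)
    reply = bytes([0x24]) + bytes(47)  # LI=0, VN=4, Mode=4 (server), rest zeroed
    if verdict != "authentication passed":
        return verdict, classify(reply + bytes(4), CLIENT_KEYS)  # key ID 0, no digest
    return verdict, classify(reply + make_mac(reply, key_id, SERVER_KEYS), CLIENT_KEYS)
```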
Please note that to my mind there was a bug at least in sntp version 4.2.8p10, since I got this “Segmentation fault” output from another machine (while the above listed outputs were from version 4.2.8p12):
pi@pi05-random:~ $ sntp -d -a 11 -k ~/ntp3.keys ntp3.weberlab.de
sntp 4.2.8p10@1.3728-o Sat Mar 10 17:59:48 UTC 2018 (1)
kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory
handle_lookup(ntp3.weberlab.de,0x2)
Segmentation fault
That’s it. ;) Happy troubleshooting.
Featured image “Reading glasses over a book” by Marco Verch is licensed under CC BY 2.0.