
Recipe 19.8. Using NTP Keys for Authentication

19.8.1 Problem

You're not comfortable running your local time servers without some sort of authentication scheme. While ntp exploits are rare, you would feel better having a way for your clients and servers to verify that each is who it claims to be.

19.8.2 Solution

Use ntp's built-in public-key authentication scheme, Autokey, with keys generated by ntp-keygen.

First, configure the server (in this example server1):

# /etc/ntp.conf
...
crypto pw seekritword
keysdir /etc/ntp/keys
...

Because the password is stored in cleartext, ntp.conf should be owned by root and chmod 600.

Create the key on server1:

# ntp-keygen -T -I -p seekritword

This may take a few minutes. Now copy the newly generated file ntpkey_IFFpar_server1.4558615255 to /etc/ntp on all clients of server1. (Your timestamp will be different.) Set keysdir in each client's /etc/ntp.conf to that directory, since ntpd looks for its key files only there. The file contains the group's secret parameters, and anyone who obtains it can authenticate as a member of the group, so transfer it in a secure manner: scp, or removable media that you control. (Don't forget to secure or wipe the media when you're finished.)

Now configure the client machines. First, in the directory you copied the key into (here /etc/ntp), create two symlinks to the new key, one named for the server and one for the client's own hostname, since ntpd looks up the IFF parameters under both names. The link targets are bare file names, so the links must live in the same directory as the key:

# cd /etc/ntp
# ln -s ntpkey_IFFpar_server1.4558615255 ntpkey_iff_server1
# ln -s ntpkey_IFFpar_server1.4558615255 ntpkey_iff_client1

Now edit the server line in the client's /etc/ntp.conf, adding the autokey keyword:

server server1 autokey

Restart ntpd on all participating machines and find something else to do for a while, as the server and clients take some time to negotiate the new authentication scheme and synchronize. Within an hour or two, everything will be operating normally. Until then, a client that still shows the server unreachable or unauthenticated in ntpq -p is not necessarily misconfigured.
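The client side of the procedure above, as an added example that is not part of the original recipe: a POSIX shell script that installs the copied IFF parameter file, creates the two symlinks relative to the client's keysdir, and checks that an ntp.conf holding a crypto password is not readable by group or other. The directory, the key file name, the host names and the function names are placeholders chosen for this example; on a real client, pass the directory named by keysdir in /etc/ntp.conf.

```shell
#!/bin/sh
# Added example, not from the original recipe. Installs an Autokey IFF
# parameter file on a client and checks the permissions of ntp.conf.
set -eu

# install_ntp_key KEYSDIR KEYFILE SERVER CLIENT
# KEYSDIR is the directory named by "keysdir" in the client's ntp.conf and
# KEYFILE the ntpkey_IFFpar_* file already copied into it (scp, removable
# media).  ntpd looks for ntpkey_iff_<host> in KEYSDIR, so both links are
# created there with a bare file name as target; an absolute path copied
# from another machine would dangle here.  Returns non-zero on any problem.
install_ntp_key() {
    keysdir=$1; keyfile=$2; server=$3; client=$4
    [ -d "$keysdir" ] || { echo "no such keysdir: $keysdir" >&2; return 1; }
    [ -f "$keysdir/$keyfile" ] || { echo "missing key: $keysdir/$keyfile" >&2; return 1; }
    # The file carries the group's secret parameters: owner-only, like ntp.conf.
    chmod 600 "$keysdir/$keyfile"
    (
        cd "$keysdir"
        ln -sf "$keyfile" "ntpkey_iff_$server"
        ln -sf "$keyfile" "ntpkey_iff_$client"
    )
    for link in "ntpkey_iff_$server" "ntpkey_iff_$client"; do
        # -f follows the link, so a dangling link fails this test
        [ -f "$keysdir/$link" ] || { echo "dangling link: $link" >&2; return 1; }
    done
}

# check_ntp_conf CONF
# Succeeds only if CONF has no "crypto pw" line, or is readable by its
# owner alone (mode 600 or stricter), because the password is cleartext.
check_ntp_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -Eq '^[[:space:]]*crypto[[:space:]]+pw' "$conf"; then
        perms=$(ls -ld "$conf" | cut -c5-10)      # group and other bits only
        [ "$perms" = "------" ] || {
            echo "$conf holds a crypto password but is $(ls -ld "$conf" | cut -c1-10)" >&2
            return 1
        }
    fi
}

# Constructed demonstration in a scratch directory; the key file content is
# a placeholder, not real IFF parameters.
demo() {
    d=$(mktemp -d)
    key=ntpkey_IFFpar_server1.4558615255
    printf '# constructed placeholder, not real IFF parameters\n' >"$d/$key"
    install_ntp_key "$d" "$key" server1 client1
    printf 'server server1 autokey\ncrypto pw seekritword\nkeysdir %s\n' "$d" >"$d/ntp.conf"
    chmod 644 "$d/ntp.conf"
    if check_ntp_conf "$d/ntp.conf"; then echo "should have been rejected" >&2; return 1; fi
    chmod 600 "$d/ntp.conf"
    check_ntp_conf "$d/ntp.conf"
    ls -l "$d"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh install-ntp-key.sh demo` to see the links and the rejected-then-accepted ntp.conf; on a client, call install_ntp_key with the real keysdir, key file, server name and the client's own hostname.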

19.8.3 Discussion

This is what the ntp-keygen flags mean:

-T
Generate a trusted certificate. By default, the program generates a nontrusted certificate.

-I
Generate parameters and keys for the IFF identification scheme, overwriting any that already exist.

-p
Set the password used to encrypt the generated key files (the same one given to crypto pw in ntp.conf).

If you want to use authentication with public time servers, you'll need to do two things:

  1. Find public servers that support authentication.

  2. Configure the servers individually in ntp.conf, instead of using ntp pools.

See http://www.eecis.udel.edu/~mills/ntp/servers.html for a current list of public time servers. Warning: pay attention to their access policies! Do not connect to Stratum 1 servers, unless you meet their criteria. Always use Stratum 2 for ordinary time service.

The keys file is the obvious headache and weak point of this whole scheme. As the ntp documentation says, "The big trouble with the authentication facility is the keys file. It is a maintenance headache and a security problem. This should be fixed some day. Presumably, this whole bag of worms goes away if/when a generic security regime for the Internet is established."

In the real world, the chances of ntp being exploited are low. Even if a public time server is spoofed and sends you wrong time signals, you have some built-in protections: ntpd normally adjusts the clock in small steps, and when it has several servers to compare, its selection algorithm discards a source that disagrees with the majority. Any mistakes, whether deliberate or not, are quickly corrected, provided you configure enough servers for the comparison to be meaningful.

19.8.4 See Also
