How to configure ntp authentication.

This document (7017993) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11

Situation

NTP client should be able to verify server via authentication keys (no autokey).
In this sample case, id 1 is NTP server, and id 2 and 3 are NTP clients.

Resolution

Both NTP server and NTP client need the same /etc/ntp.keys file (keys in identical order) :

1 M bad2f48
2 M be45b2e
3 M 4e3e952

(no spaces at line end or blank lines)

Server configuration:

/etc/ntp.conf :

    keys /etc/ntp.keys              # path for keys file
    trustedkey 1 2 3                # define trusted keys
    requestkey 1                    # key (7) for accessing server variables
    controlkey 1                    # key (6) for accessing server variables

Client configuration:

/etc/ntp.conf:

    keys /etc/ntp.keys              # path for keys file
    trustedkey 1 2                  # define trusted keys
    requestkey 2                    # key (7) for accessing server variables
    controlkey 2                    # key (6) for accessing server variables
    server <server-ip-address> key 1

(As eh NTP server has id 1, the NTP client id would be 2 or 3.)

Cause

Client unable to prove auth - "ntpq -p" show INIT.
When running NTP in debug mode, the client prints : "bad auth crypto_NAK".

Additional Information

To enable debug on either NTP client, or server, add option "-d" to "NTPD_OPTIONS" in /etc/sysconfig/ntp

To generate symmetric md5 keys:

for i in `seq 1 10`; do tmp=$(dd if=/dev/urandom count=1 2>/dev/null | md5sum); tmp=${tmp:0:7}; echo "$i M $tmp"; done

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.