To configure symmetric key NTP authentication for the RedHat NTP client, the following two files need to be configured:
/etc/ntp.conf
#symmetric key authentication
restrict -6 default kod nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict -6 ::1
tinker panic 0
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
server 10.10.10.1 version 2 key 2
server 10.0.10.1 version 2 key 2
trustedkey 2
requestkey 2
controlkey 2
/etc/ntp/keys
#key_number key_type Key
2 M !@#$%^&*()
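A keys file written by a deployment script is only as good as the script's quoting: a key such as the one above is full of characters the shell expands (scenario 2 under "Possible error scenarios" describes the resulting corrupted key). The following is an added example, not part of the original page, showing one way to write the keys file from a script and read it back to confirm the key landed intact. The function names write_ntp_keys and read_ntp_key, the temporary path and the demo key are all constructed for illustration; which user ntpd reads the keys file as (and so what ownership to set) depends on the distribution and is left to the caller as an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): write an ntpd symmetric-key file
# from a deployment script without the shell mangling the key, then read it
# back. The demo writes to a temporary directory with a constructed key;
# pass /etc/ntp/keys and the real key to deploy for real.
set -eu

# write_ntp_keys FILE KEYNUM KEYTEXT
# The key text reaches the file through printf '%s', so characters such as
# $ ! & * ( ) are never expanded, glob-matched or history-expanded by the
# shell. The file is created 0600 (umask 077) before any key is written to
# it, then moved into place so ntpd never sees a half-written file.
write_ntp_keys() {
    keyfile=$1; keynum=$2; keytext=$3
    # An empty key, or one containing whitespace, breaks the 3-column format.
    if [ -z "$keytext" ] || [ "$(printf '%s' "$keytext" | tr -d '[:space:]')" != "$keytext" ]; then
        echo "write_ntp_keys: key text must be non-empty and contain no whitespace" >&2
        return 1
    fi
    tmp="$keyfile.tmp.$$"
    (
        umask 077                      # owner-only from the moment of creation
        {
            printf '#key_number key_type Key\n'
            printf '%s M %s\n' "$keynum" "$keytext"
        } > "$tmp"
    )
    mv "$tmp" "$keyfile"
    # Ownership is left to the caller: it must match the user ntpd reads the
    # keys file as on your system (assumption: check your distribution).
}

# read_ntp_key FILE KEYNUM : print the key text stored for KEYNUM, skipping
# comment lines (fields are: key_number key_type key).
read_ntp_key() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { print $3; exit }' "$1"
}

# Demonstration with a constructed key containing shell metacharacters.
# Single quotes keep it literal here; in a real script read it from a
# secrets store rather than embedding it.
DEMO_DIR=$(mktemp -d)
DEMO_KEY='k3y$w1th&sp*c!'
write_ntp_keys "$DEMO_DIR/keys" 2 "$DEMO_KEY"

if [ "$(read_ntp_key "$DEMO_DIR/keys" 2)" = "$DEMO_KEY" ]; then
    echo "key 2 written intact to $DEMO_DIR/keys"
fi
ls -l "$DEMO_DIR/keys"   # expect -rw------- (0600); remove $DEMO_DIR when done
```

The read-back comparison is the point: if the script had used `echo "2 M $KEY"` with the key in double quotes, `$w1th` would have been expanded to nothing and the file would carry a different key from the one the server holds, which is exactly the silent `.AUTH.` failure of scenario 2. Whether the key type and length limits for `M` keys match your ntpd version is something to confirm against its own documentation.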
Unfortunately the default logging level and debug mode of the RedHat ntp client do not output any useful messages to syslog regarding symmetric key authentication. Therefore, to troubleshoot, you will have to use a combination of:
- ntpq -p ## print the list of peers and their state
- ntpq -c as ## print a list of association identifiers and peer statuses
- ntpd in debug mode ## probably best to ignore this option, and anything else in syslog besides the message indicating a successful sync
Example of outputs when everything is working
When using the correct key, immediately after starting ntpd you should see the following output:
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 16777  f014   yes   yes  ok    reject   reachable  1
  2 16778  f014   yes   yes  ok    reject   reachable  1
- reach = yes
- auth = ok
- condition = reject
- last_event = reachable
ntpq -p won't show an asterisk (sys.peer) until the client has had enough time to validate the stability of the NTP server and sync its clock:
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 router1.        10.10.0.1        2 u   17   64    1    0.622    0.502   0.001
 router2.        10.11.0.1        2 u   16   64    1   16.264   -0.395   0.001
After a few minutes (depending on the time disparity) the clocks should sync and the outputs should be:
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 16777  f414   yes   yes  ok   candidat   reachable  1
  2 16778  f614   yes   yes  ok   sys.peer   reachable  1
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+router1.        10.10.0.1        2 u   56   64  377    0.615    0.767   0.127
*router2.        10.11.0.1        2 u   59   64  377   15.865   -0.095   0.134
When the client has been synchronized you should see a message similar to the following in syslog:
Aug 5 12:22:53 linuxserver1 ntpd[32065]: synchronized to 10.10.10.1, stratum 2
Possible error scenarios
1. Specifying a key number that doesn't match the one on the NTP server,
e.g. the client specifies key number 1 but the server has key number 2
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 router1.        .AUTH.          16 u    -   64    0    0.000    0.000   0.000
 router2.        .AUTH.          16 u    -   64    0    0.000    0.000   0.000
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 62393  c000   yes   yes  bad   reject
  2 62394  c000   yes   yes  bad   reject
syslog message
Aug 8 11:30:30 linuxserver1 ntpd[20387]: transmit: 10.10.0.1 key 1 not found
2. When using an incorrect or corrupted key (e.g. if using a script to deploy the key, have you escaped the extended ASCII values in the key?)
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 router1.        .AUTH.          16 u    -   64    0    0.000    0.000   0.001
 router2.        .AUTH.          16 u    -   64    0    0.000    0.000   0.001
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 62393  c000   yes   yes  bad   reject
  2 62394  c000   yes   yes  bad   reject
~~Note there is no indication in /var/log/messages that the key is bad~~
3. Specifying an NTP server device IP when that device does not have symmetric authentication turned on
~~the client authenticates even though it should not~~
Aug 9 13:55:17 linuxserver1 ntpd[4101]: synchronized to router3, stratum 2
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+router3.        10.10.0.1        2 u    2   64  377    0.566   -1.045   1.085
*router4.        10.11.0.1        2 u    6   64  377   15.751    1.584   1.122
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 61738  f414   yes   yes  ok   candidat   reachable  1
  2 61739  f614   yes   yes  ok   sys.peer   reachable  1
~~it appears that the device may authenticate to the local router that is using symmetric authentication to its upstream device~~
4. When specifying a Windows domain controller that does not support symmetric key authentication
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 router1.        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 router2.        .INIT.          16 u    -   64    0    0.000    0.000   0.000
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 30681  c000   yes   yes  bad   reject
  2 30682  c000   yes   yes  bad   reject
5. Specifying an incorrect IP, or the IP of an unreachable NTP device
[root@linuxserver1 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 100.80.88.255   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 100.80.88.254   .INIT.          16 u    -   64    0    0.000    0.000   0.000
[root@linuxserver1 ~]# ntpq -c as
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 47581  c000   yes   yes  bad   reject
  2 47582  c000   yes   yes  bad   reject
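Since syslog says so little, the refid column of `ntpq -p` (`.AUTH.` vs `.INIT.`) together with the auth and condition columns of `ntpq -c as` is what actually separates the scenarios above. The following added example, not part of the original page, turns that reading into a repeatable check: it parses both outputs and prints one state word that maps onto the page's scenarios. The sample outputs are constructed from the tables above, and the function names ntp_peer_summary, ntp_assoc_summary, ntp_auth_diagnose and field are my own. Scenario 3 cannot be told apart from a healthy sync by this check, because its output is identical to the working case.

```shell
#!/bin/sh
# Added example (not from the original page): classify the ntpd symmetric-key
# state from `ntpq -p` and `ntpq -c as` output. The samples at the bottom are
# constructed from the outputs shown above; on a live host run
#   ntp_auth_diagnose "$(ntpq -p)" "$(ntpq -c as)"
set -eu

# Summarise `ntpq -c as` text ($1). Data rows start with two integers
# (ind, assID); column 6 is auth, column 7 is condition. Header and ==== lines
# are skipped by the numeric test.
ntp_assoc_summary() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            total++
            if ($6 != "ok")       bad++
            if ($7 == "reject")   rej++
            if ($7 == "sys.peer") sp++
        }
        END { printf "total=%d auth_bad=%d reject=%d syspeer=%d\n",
                     total, bad, rej, sp }'
}

# Summarise `ntpq -p` text ($1). A refid of .AUTH. means replies failed
# authentication (scenarios 1-2); .INIT. means no usable reply has been
# processed (scenarios 4-5); a leading * marks the selected sys.peer.
ntp_peer_summary() {
    printf '%s\n' "$1" | awk '
        $2 == ".AUTH." { auth++ }
        $2 == ".INIT." { init++ }
        $1 ~ /^\*/     { sys++ }
        END { printf "auth_refid=%d init_refid=%d syspeer=%d\n", auth, init, sys }'
}

# field "k1=v1 k2=v2 ..." key : print the value stored for key
field() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

# ntp_auth_diagnose PEERS_TEXT ASSOC_TEXT : print one state word
ntp_auth_diagnose() {
    p=$(ntp_peer_summary "$1"); a=$(ntp_assoc_summary "$2")
    auth_refid=$(field "$p" auth_refid); init_refid=$(field "$p" init_refid)
    total=$(field "$a" total); auth_bad=$(field "$a" auth_bad)
    syspeer=$(field "$a" syspeer)
    if   [ "$total" -eq 0 ];      then echo NO_ASSOCIATIONS
    elif [ "$auth_refid" -gt 0 ]; then echo BAD_KEY_OR_KEY_NUMBER   # scenarios 1-2: "key N not found" in syslog separates them
    elif [ "$auth_bad" -gt 0 ] && [ "$init_refid" -gt 0 ]; then
                                       echo NO_REPLY_OR_SERVER_WITHOUT_AUTH   # scenarios 4-5
    elif [ "$auth_bad" -gt 0 ];   then echo AUTH_FAILED
    elif [ "$syspeer" -gt 0 ];    then echo SYNCED
    else                               echo AUTH_OK_AWAITING_SYNC   # auth ok, still reject: give it a few minutes
    fi
}

# Constructed samples, trimmed from the outputs above (headers are optional).
P_PENDING='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 router1.        10.10.0.1        2 u   17   64    1    0.622    0.502   0.001
 router2.        10.11.0.1        2 u   16   64    1   16.264   -0.395   0.001'
AS_PENDING='ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 16777  f014   yes   yes  ok    reject   reachable  1
  2 16778  f014   yes   yes  ok    reject   reachable  1'
P_SYNCED='+router1.        10.10.0.1        2 u   56   64  377    0.615    0.767   0.127
*router2.        10.11.0.1        2 u   59   64  377   15.865   -0.095   0.134'
AS_SYNCED='  1 16777  f414   yes   yes  ok   candidat   reachable  1
  2 16778  f614   yes   yes  ok   sys.peer   reachable  1'
P_AUTH=' router1.        .AUTH.          16 u    -   64    0    0.000    0.000   0.000'
P_INIT=' router1.        .INIT.          16 u    -   64    0    0.000    0.000   0.000'
AS_BAD='  1 62393  c000   yes   yes  bad   reject
  2 62394  c000   yes   yes  bad   reject'

echo "pending: $(ntp_auth_diagnose "$P_PENDING" "$AS_PENDING")"   # AUTH_OK_AWAITING_SYNC
echo "synced:  $(ntp_auth_diagnose "$P_SYNCED" "$AS_SYNCED")"     # SYNCED
echo "badkey:  $(ntp_auth_diagnose "$P_AUTH" "$AS_BAD")"          # BAD_KEY_OR_KEY_NUMBER
echo "noreply: $(ntp_auth_diagnose "$P_INIT" "$AS_BAD")"          # NO_REPLY_OR_SERVER_WITHOUT_AUTH
```

The ordering of the tests in ntp_auth_diagnose matters: an `.AUTH.` refid is checked before the generic auth=bad case because, as the tables above show, auth reads `bad` in scenarios 1, 2, 4 and 5 alike, and only the refid tells a rejected key apart from a server that never answered with an authenticated packet. Running the check from cron and alerting on anything other than SYNCED or AUTH_OK_AWAITING_SYNC gives the monitoring that syslog does not.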