[ntpwg] Autokey-related Questions

David L. Mills mills at udel.edu
Fri May 25 20:41:46 PDT 2007


Helen,

You cite documents at ntp.isc.org. Those documents were not written by 
me and I have not read them. The only documents I personally swear by 
come directly from ntp.org or the NTP project page 
www.eecis.udel.edu/~mills/ntp.html.

1. Cryptographic media produced by the ntp-keygen program can optionally 
be encrypted with a password. This password must match the crypto pw 
password in the configuration file. For this purpose, the configuration 
file would ordinarily be restricted to root.

2. The leapsecond file is expected in the same directory as the crypto keys.

3. The crypto keys file normally defaults to /usr/local/etc, but this 
can be changed with a configuration command.

4. See 1. The file subcommands on the crypto configuration line are for 
special cases and personal preference. The .rnd file is normally in the 
root directory when the program is run as a daemon. The issues where to 
put this file are determined by OpenSSL conventions.

5. The password used to encrypt the identity file is ordinarily provided 
by the user to an encrypted web page.

Dave

Chen Helen-A12587 wrote:

> Hi,
>
> I have some questions related to the Autokey protocol and configuration:
>
> 1) What exactly does "crypto pw clientpassword" in the autokey
> configuration procedure do (mentioned in
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey#Section_6.7.1.2)? Does it
> create (and encrypt) a new client password for the purpose of storing it
> in ntp.conf for the autokey protocol? When is this password used? I
> noticed that when generating the host parameters, a password is passed
> to the utility, instead of getting it from ntp.conf.
>
> 2) When the server (manually) FTPs the leapseconds table from NIST NTP
> server or wherever, where must this file be stored in order for the
> autokey protocol code to access it for the autokey dance (to send it to
> the client)? Is the location detail documented somewhere?
>
> 3) I read somewhere on one of the NTP installation pages (I think) that
> "Public key cryptography needs a key file (usually in /usr/local/etc)".
> Does this just mean the key/parameter files generated by the ntp-keygen
> utility must be stored at /usr/local/etc/? Is the random seed file
> (.rnd) the ONLY file that needs to be created manually, besides the
> exported IFF parameter file?
>
> 4) When is the following command used - crypto [cert file] [leap file]
> [randfile file] [host file] [sign file] [ident scheme] [iffpar file]
> [gqpar file] [mvpar file] [pw password]? I am confused because it's not
> mentioned in the autokey configuration procedure but it's mentioned in
> http://www.eecis.udel.edu/~mills/ntp/html/authopt.html. Is it just
> used when we feel the need to encrypt certain files for storage? When a
> file is encrypted, will the autokey software automatically decrypt the
> file?
>
> 5) When the server extracts the IFF parameters for export to the
> clients, what is the security impact of (1) using the same password for
> all the clients in the Trust Group, and of (2) using no client password?
>
> Thanks,
>
> Helen
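An added example, not part of this thread or of the NTP project's own code, that checks an ntp.conf against the layout points in Dave's reply: the config file must not be group/world readable because it carries the crypto pw password, the leapseconds file must sit in the same directory as the keys, and the key directory defaults to /usr/local/etc unless the keysdir configuration command changes it. It assumes ntpkey_leap as the default leapseconds file name ntpd looks for; all paths and passwords below are constructed for the demo.

```shell
# Added example (not from the thread): check an ntp.conf Autokey layout.
# Assumes ntpkey_leap is the leapseconds file name ntpd expects in keysdir;
# every path and password here is constructed.

# Print the keys directory named by a "keysdir" command, or the default
# /usr/local/etc that the reply mentions when the command is absent.
conf_keysdir() {
    dir=$(awk '$1 == "keysdir" { print $2; exit }' "$1")
    printf '%s\n' "${dir:-/usr/local/etc}"
}

# Print the value of "crypto pw"; it must equal the password given to
# ntp-keygen -p, or ntpd cannot decrypt the key files.
conf_crypto_pw() {
    awk '$1 == "crypto" { for (i = 2; i < NF; i++) if ($i == "pw") print $(i+1) }' "$1"
}

# True if the group/other bits (columns 5-10 of ls -l) are all clear.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report findings for one ntp.conf; the exit status is the finding count.
check_autokey_layout() {
    conf=$1 problems=0
    if ! owner_only "$conf"; then
        echo "$conf: group/world readable but contains crypto pw"
        problems=$((problems + 1))
    fi
    dir=$(conf_keysdir "$conf")
    if [ ! -f "$dir/ntpkey_leap" ]; then
        echo "$dir: no leapseconds file beside the keys"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed files: one correct layout, one with both mistakes.
demo=$(mktemp -d)
mkdir "$demo/keys" "$demo/empty"
: > "$demo/keys/ntpkey_leap"
printf 'keysdir %s\ncrypto pw example-pw\n' "$demo/keys" > "$demo/good.conf"
chmod 600 "$demo/good.conf"
printf 'keysdir %s\ncrypto pw example-pw\n' "$demo/empty" > "$demo/bad.conf"
chmod 644 "$demo/bad.conf"
for f in "$demo/good.conf" "$demo/bad.conf"; do
    check_autokey_layout "$f" || echo "$f: $? finding(s)"
done
rm -rf "$demo"
```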

