[ntpwg] Autokey-related Questions

Chen Helen-A12587 Helen.Y.Chen at motorola.com
Wed May 30 13:44:13 PDT 2007


Dave,

Thanks. I don't quite understand the connection between your response to
(5) and my question (5). Would you mind helping me understand what the
impact is of the server using the same password for all the clients in
the Trust Group when the server extracts the IFF group keys? What is the
impact of using no password when the server extracts the IFF group keys?

Helen

-----Original Message-----
From: ntpwg-bounces+helen.y.chen=motorola.com at support.ntp.org
[mailto:ntpwg-bounces+helen.y.chen=motorola.com at support.ntp.org] On
Behalf Of David L. Mills
Sent: Friday, May 25, 2007 10:42 PM
Cc: ntpwg at ntp.isc.org
Subject: Re: [ntpwg] Autokey-related Questions

Helen,

You cite documents at ntp.isc.org. Those documents were not written by
me and I have not read them. The only documents I personally swear by
come directly from ntp.org or the NTP project page
www.eecis.udel.edu/~mills/ntp.html.

1. Cryptographic media produced by the ntp-keygen program can optionally
be encrypted with a password. This password must match the crypto pw
password in the configuration file. For this purpose, the configuration
file would ordinarily be restricted to root.

2. The leapsecond file is expected in the same directory as the crypto
keys.

3. The crypto keys file normally defaults to /usr/local/etc, but this
can be changed with a configuration command.

4. See 1. The file subcommands on the crypto configuration line are for
special cases and personal preference. The .rnd file is normally in the
root directory when the program is run as a daemon. The issues of where to
put this file are determined by OpenSSL conventions.

5. The password used to encrypt the identity file is ordinarily provided
by the user to an encrypted web page.

Dave

Chen Helen-A12587 wrote:

> Hi,
>
> I have some questions related to the Autokey protocol and
> configuration:
>
> 1) What exactly does "crypto pw clientpassword" in the autokey
> configuration procedure do (mentioned in
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey#Section_6.7.1.2)?
> Does it create (and encrypt) a new client password for the purpose of
> storing it in ntp.conf for the autokey protocol? When is this password
> used? I noticed that when generating the host parameters, a password is
> passed to the utility, instead of getting it from ntp.conf.
>
> 2) When the server (manually) FTPs the leapseconds table from the NIST
> NTP server or wherever, where must this file be stored in order for the
> autokey protocol code to access it for the autokey dance (to send it
> to the client)? Is the location detail documented somewhere?
>
> 3) I read somewhere on one of the NTP installation pages (I think)
> that "Public key cryptography needs a key file (usually in
> /usr/local/etc)". Does this just mean the key/parameter files generated
> by the ntp-keygen utility must be stored at /usr/local/etc/? Is the
> random seed file (.rnd) the ONLY file that needs to be created manually,
> besides the exported IFF parameter file?
>
> 4) When is the following command used - crypto [cert file] [leap file]
> [randfile file] [host file] [sign file] [ident scheme] [iffpar file]
> [gqpar file] [mvpar file] [pw password]? I am confused because it's
> not mentioned in the autokey configuration procedure but it's
> mentioned in http://www.eecis.udel.edu/~mills/ntp/html/authopt.html.
> Is it just used when we feel the need to encrypt certain files for
> storage? When a file is encrypted, will the autokey software
> automatically decrypt the file?
>
> 5) When the server extracts the IFF parameters for export to the
> clients, what is the security impact of (1) using the same password
> for all the clients in the Trust Group, and of (2) using no client
> password?
>
> Thanks,
>
> Helen
>
> _______________________________________________
> ntpwg mailing list
> ntpwg at support.ntp.org
> https://support.ntp.org/mailman/listinfo/ntpwg
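Dave's points 1 to 3 (the file carrying `crypto pw` should be readable only by root, the leapsecond file belongs in the key directory, and that directory defaults to /usr/local/etc unless the configuration says otherwise) are easy to check mechanically. The script below is an added example written for this page; it is not ntpd code and not part of the thread. It parses the `keysdir` command and the keyword/value pairs of the `crypto` line from an ntp.conf, then reports a password-bearing config file that is not root-only and a leapsecond file configured outside keysdir. The sample config and its paths are constructed, and the default leapsecond file name `ntpkey_leap` is an assumption of this example rather than something the thread states.

```python
"""Audit an ntp.conf for the Autokey housekeeping points discussed above.

Constructed example, not ntpd code. Checks:
  - a config that stores `crypto pw` but is owned by a non-root user or is
    group/world accessible (the reply says it should be restricted to root);
  - a leapsecond file that does not live in keysdir (the reply says it is
    expected in the same directory as the crypto keys).
"""
import os
import stat

DEFAULT_KEYSDIR = "/usr/local/etc"   # default key directory named in the reply
DEFAULT_LEAP_NAME = "ntpkey_leap"    # assumed default name; adjust to your site


def parse_ntp_conf(text):
    """Return keysdir plus the pw and leap values from the crypto line."""
    cfg = {"keysdir": DEFAULT_KEYSDIR, "crypto_pw": None, "leapfile": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "keysdir" and len(tokens) > 1:
            cfg["keysdir"] = tokens[1]
        elif tokens[0] == "crypto":
            # the crypto command takes keyword/value pairs: cert, leap,
            # randfile, host, sign, ident, iffpar, gqpar, mvpar, pw
            for i in range(1, len(tokens) - 1, 2):
                key, val = tokens[i], tokens[i + 1]
                if key == "pw":
                    cfg["crypto_pw"] = val
                elif key == "leap":
                    cfg["leapfile"] = val
    return cfg


def check_config_permissions(cfg, owner_uid, mode):
    """Findings about the config file, given its owner uid and st_mode bits."""
    findings = []
    if cfg["crypto_pw"] is None:
        return findings                          # no stored password to protect
    if owner_uid != 0:
        findings.append("ntp.conf stores 'crypto pw' but is not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ntp.conf stores 'crypto pw' but is group/world "
                        "accessible (mode %o)" % stat.S_IMODE(mode))
    return findings


def check_leapfile_location(cfg):
    """Flag a leapsecond file that resolves to a directory other than keysdir."""
    leap = cfg["leapfile"] or DEFAULT_LEAP_NAME
    if not os.path.isabs(leap):
        leap = os.path.join(cfg["keysdir"], leap)   # relative names live in keysdir
    if os.path.dirname(leap) != cfg["keysdir"].rstrip("/"):
        return ["leap file %s is outside keysdir %s" % (leap, cfg["keysdir"])]
    return []


def audit_file(conf_path):
    """Run both checks against a real ntp.conf on disk."""
    with open(conf_path) as fh:
        cfg = parse_ntp_conf(fh.read())
    st = os.stat(conf_path)
    return (check_config_permissions(cfg, st.st_uid, st.st_mode)
            + check_leapfile_location(cfg))


# Constructed sample: password stored, leap file pointed outside keysdir.
SAMPLE_CONF = """\
keysdir /etc/ntp/keys
crypto pw clientpassword leap /var/tmp/leap-seconds.list
"""

if __name__ == "__main__":
    cfg = parse_ntp_conf(SAMPLE_CONF)
    # simulate a config owned by uid 1000 with mode 0644
    for f in (check_config_permissions(cfg, 1000, 0o100644)
              + check_leapfile_location(cfg)):
        print("finding:", f)
```

Run against a live system with `audit_file("/etc/ntp.conf")`; an empty list means the config is root-only (or holds no password) and the leapsecond file is where Dave says ntpd expects it.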