Access to Crypto NTP Server (User Guide)
|(News) (Tools) (Service)|
|eCSIRT.net > Tools > Crypto-NTP|
The eCSIRT.net project operates a timeserver that offers a cryptographically authenticated time service. The server receives its time signal from a DCF-77 (also here) Radio Clock. This documentation describes how to compile and configure an NTP client on Linux to use this service.
Our timeserver time.pre-secure.de offers a cryptographically authenticated time service via the Network Time Protocol (NTP) and its identity mechanism "Autokey Version 2".
A general description of autokey and its schemes can be found under:
From the different identity schemes which are supported by the autokey mechanism, time.pre-secure.de only offers the "Schnorr (IFF) Cryptosystem". In this cryptosystem, each host holds its own private hostkey and a matching certificate. This keypair can be generated (and regenerated at any time) by each individual system taking part in the identity scheme. Additionally, each host that wants to join the group needs to hold a group key, the IFF-key.
Setting up a system to use the IFF scheme is relatively simple, but
currently only the development version of ntpd supports autokey 2. We
have tested the timeserver with client versions 4.1.74 and 4.1.80-rc1.
We recommend you use 4.1.80-rc1 or any more recent development
This documentation assumes you are familiar with NTP and the ntpd in general. (If you are not, further documentation can be found at http://www.ntp.org for example.)
First you need to download the ntpd sources from http://www.ntp.org/development.html and the files specific to time.pre-secure.de from this site.
The files you need are from this site:
From the NTPD site you need to following files:
This documentation assumes you will compile ntpd on some kind of *NIX system. If you want to compile ntpd under some other OS (e.g. windows), send me (ntpadmin@pre-secure) a mail and we will try to give you any help I can.
The host you install ntpd on also needs a recent installation of OpenSSL for the cryptographic algorithms ntpd needs. Most current systems should already have that. If not, download it from their website and install it before continuing with the installation of ntpd.
In its operation ntpd uses as hostname whatever is returned by the gethostname system call. Some systems have the hostname set to just the simple hostname without any domain part, other systems return a FQDN. By default, ntpd does not allow the administrator to influence that value through the configuration file. We wrote a patch to ntpd that adds a new configuration directive hostname that can be used to manually set the hostname that is used by ntpd. You can use this patch to make ntpd not use the hostname but a name that reflects a DNS name that stands for one of the systems IP adresses or even some host alias, like we do with time.pre-secure.de. In almost all cases this is more of a cosmetic than a functional issue.
To use the hostname patch, download it via the link above, put it in the same directory as the other files. Then set the variable WITH_HOSTNAME_PATCH to "yes" and set the variable "HOSTNAME" to whatever hostname which you want your client to use in its communication. The build skript takes care of the rest.
If you experience difficulties, drop us a mail to firstname.lastname@example.org.
NTP with Autokey does not work from a host that is behind a masquerading or NAT host!
Once ntpd is running, you can see some logging in <installpath>/var/log/ntp. A startup should look something like this. Note the long time this log snippet covers. It can take up to 10 minutes after startup until the client has established an authenticated association with the server.
27 Aug 15:49:55 ntpd: frequency initialized 27.710 PPM from /services/daemon/ntp/var/log/ntp.drift 27 Aug 15:49:55 ntpd: system event 'event_restart' (0x01) status 'sync_alarm, sync_unspec, 1 event, event_unspec' (0xc010) 27 Aug 15:52:05 ntpd: peer 18.104.22.168 event 'event_reach' (0x84) status 'unreach, conf, auth, 1 event, event_reach' (0xe014) 27 Aug 15:56:25 ntpd: system event 'event_peer/strat_chg' (0x04) status 'sync_alarm, sync_ntp, 2 events, event_restart' (0xc621) 27 Aug 15:56:25 ntpd: kernel time discipline status change 41 27 Aug 15:56:25 ntpd: system event 'event_sync_chg' (0x03) status 'leap_none, sync_ntp, 3 events, event_peer/strat_chg' (0x634) 27 Aug 15:56:25 ntpd: system event 'event_peer/strat_chg' (0x04) status 'leap_none, sync_ntp, 4 events, event_sync_chg' (0x643)
You can use the ntpq utility to check the status of your client. Use the "assoc" command to do this. Just after startup you should get the first of the two outputs below. After the association is in place, you should get the second output. At some point (after 5-10 minutes) the condition field should change to sys.peer. If this does not happen, something is wrong with your installation.
user@system:~> /usr/local/ntp/bin/ntpq localhost ind assID status conf reach auth condition last_event cnt =========================================================== 1 34772 e000 yes yes ok reject ntpq> assoc ind assID status conf reach auth condition last_event cnt =========================================================== 1 55524 f614 yes yes ok sys.peer reachable 1
The default configuration that is created by build_ntp.sh is a pretty restrictive setup. By default, the client talks to the server and accepts queries from 127.0.0.1, that's it. If you want to further distribute the time to other machines, you will have to change the settings in the config file <installpath>/etc/ntpd.conf. How access-control is handled is described on the Access Control Options Page (http://www.eecis.udel.edu/~mills/ntp/html/accopt.html) of the ntpd documentation.
Please send us a note!
If you use our NTP service, please drop us a mail to email@example.com and tell us so. Just to make it easier for us to track how many systems use our service. Thanks.
This concludes the short installation documentation. Comments and suggestions are always welcome. Send them to the address above. If you have problems compiling or using ntpd with our timeserver, feel free to contact us as well.
|eCSIRT.net > Tools > Crypto-NTP|
|(News) (Tools) (Service)|
The European Computer Security Incident Response Team Network
News | Sitemap | Impress | Contact | Top
Last changed: March 16, 2004 / AL
Copyright © 2002-2004 by PRESECURE Consulting GmbH, Germany
|Signed with PGP!|