How To
Summary
This document gives step-by-step instructions on how to set up NTP authentication between an AIX NTP server and client.
Objective
NTP authentication is a method of verifying timestamps from trusted sources to prevent tampering and attacks on time synchronization.
Steps
1) Here is an example of an NTP server with authentication configured. The NTP server name is tcp90 with IP 9.40.205.90.
# cat /etc/ntp.conf
#broadcastclient
server 127.127.1.0
keys /etc/ntp.keys
trustedkey 6
driftfile /etc/ntp.drift
logfile /etc/ntp.log
# Allow local system to query or modify the NTP service
restrict 127.0.0.1
# Do not allow any one to query or modify the NTP service
restrict default nomodify notrap nopeer noquery
# cat /etc/ntp.keys
6 SHA1 foofoo
Restart xntpd to effect changes to ntp.conf and ntp.keys files:
# stopsrc -s xntpd
# ntpdate <IP_of_NTP_Server> (to manually sync NTP with the NTP Central Server)
# startsrc -s xntpd
(Kindly wait for 15 minutes so that NTP syncs up.)
2) Here is the NTP client configuration.
# cat /etc/ntp.conf
#broadcastclient
server 9.40.205.90
logfile /etc/ntp.log
driftfile /etc/ntp.drift
enable auth
authenticate yes
trustedkey 6
requestkey 6
controlkey 6
keys /etc/ntp.keys
# Allow local system to query or modify the NTP service
restrict 127.0.0.1
# Do not allow any one to query or modify the NTP service
restrict default nomodify notrap nopeer noquery
# cat /etc/ntp.keys
6 SHA1 foofoo
Be sure to restart xntpd to effect changes to ntp.conf and ntp.keys files.
To test if the NTP authentication is successful, run this command on NTP client:
# ntpdate -a <key_id> -d -k /etc/ntp.keys <IP_of_NTP_Server>
If the output displays "authentication passed", then NTP authentication is successful.
In this example, "authentication passed" is displayed, which confirms that NTP authentication is successful between client and server:
# ntpdate -a 6 -d -k /etc/ntp.keys tcp90
7 Dec 22:42:24 ntpdate[7733642]: ntpdate 4.2.8p15@1.3728-o Sat Aug 8 05:34:06 UTC 2020 (7)
Looking for host tcp90 and service ntp
9.40.205.90 reversed to tcp90.aus.stglabs.ibm.com
host found : tcp90.aus.stglabs.ibm.com
address: ::
address: 0.0.0.0
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
server 9.40.205.90, port 123
stratum 6, precision -20, leap 00, trust 000
refid [127.127.1.0], root delay 0.000000, root dispersion 0.011780
reference time: e91d1cfc.ef2db346 Thu, Dec 7 2023 22:41:32.934
originate timestamp: e91d1d36.93c27bd2 Thu, Dec 7 2023 22:42:30.577
transmit timestamp: e91d1d36.93abead5 Thu, Dec 7 2023 22:42:30.576
filter delay: 0.02626 0.02626 0.02626 0.02623
---- ---- ---- ----
filter offset: +0.000024 +0.000016 +0.000028 +0.000017
---- ---- ---- ----
delay 0.02623, dispersion 0.00000, offset +0.000017
7 Dec 22:42:30 ntpdate[7733642]: adjust time server 9.40.205.90 offset +0.000017 sec
Note:
1) The format of /etc/ntp.keys file is:
<Key is a 1-to-8 character ASCII string> <Authentication Algorithm> <Any set of characters>
2) The ntp.keys file on the server side should match the ntp.keys content on the client side.
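As an added example (not part of this document), the following POSIX shell functions check the two things described above without touching a live system: that an ntp.keys file follows the format in Note 1 and contains every key id that the trustedkey, requestkey and controlkey lines of ntp.conf reference, and that a saved transcript of "ntpdate -a <key_id> -d -k /etc/ntp.keys <server>" shows "authentication passed" for every packet received. The configuration text and debug output embedded in the script are constructed from the samples on this page, and the function names are my own.

```shell
# Added example, not from the IBM document: offline checks for the client setup above.
# Constructed from the client /etc/ntp.conf and /etc/ntp.keys shown in step 2.
SAMPLE_CONF='server 9.40.205.90
enable auth
trustedkey 6
requestkey 6
controlkey 6
keys /etc/ntp.keys'
SAMPLE_KEYS='6 SHA1 foofoo'

# check_ntp_keys CONF_TEXT KEYS_TEXT: every keys line must be
# "<key id> <MD5|SHA1> <key string>", and every key id named by
# trustedkey/requestkey/controlkey in ntp.conf must exist in ntp.keys.
check_ntp_keys() {
  _conf=$1; _keys=$2; _rc=0
  printf '%s\n' "$_keys" | awk '
    /^#/ || NF == 0             { next }                                       # comment or blank
    $1 !~ /^[0-9]+$/            { print "bad key id: " $1; bad = 1; next }
    $2 != "MD5" && $2 != "SHA1" { print "key " $1 ": unsupported algorithm " $2; bad = 1; next }
    NF < 3                      { print "key " $1 ": empty key string"; bad = 1 }
    END { exit bad }' || _rc=1
  for ref in $(printf '%s\n' "$_conf" |
      awk '/^(trustedkey|requestkey|controlkey)/ { for (i = 2; i <= NF; i++) print $i }' | sort -u); do
    printf '%s\n' "$_keys" | awk -v k="$ref" '$1 == k { found = 1 } END { exit !found }' ||
      { echo "key $ref is referenced in ntp.conf but missing from ntp.keys"; _rc=1; }
  done
  return $_rc
}

# ntpdate_auth_ok DEBUG_OUTPUT: reads the output of
# "ntpdate -a <key_id> -d -k /etc/ntp.keys <server>" and succeeds only when
# every received packet authenticated and ntpdate reached a time adjustment.
ntpdate_auth_ok() {
  printf '%s\n' "$1" | awk '
    /^receive\(/                          { recv++ }
    /^receive: authentication passed/     { ok++ }
    /^receive: authentication failed/     { failed++ }
    /adjust time server|step time server/ { adjusted = 1 }
    END { exit !(recv > 0 && ok == recv && failed == 0 && adjusted) }'
}

# Constructed debug output: one authenticated exchange, as in the transcript above.
SAMPLE_GOOD='transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
7 Dec 22:42:30 ntpdate[7733642]: adjust time server 9.40.205.90 offset +0.000017 sec'

check_ntp_keys "$SAMPLE_CONF" "$SAMPLE_KEYS" && echo "ntp.conf and ntp.keys are consistent"
ntpdate_auth_ok "$SAMPLE_GOOD" && echo "all packets from the server authenticated"
```

On a real client, pipe the actual files and the saved ntpdate output into the same functions, e.g. check_ntp_keys "$(cat /etc/ntp.conf)" "$(cat /etc/ntp.keys)".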
Additional Information
NTP version 3 supports only the MD5 authentication algorithm.
NTP version 4 supports both the MD5 and SHA1 authentication algorithms.
Document Location
Worldwide
Document Information
Modified date:
09 December 2023
UID
ibm17091187