IBM Support

IBM AIX: How to configure NTP Authentication

How To


Summary

This document provides step-by-step instructions on how to set up symmetric-key NTP authentication between an NTP server and NTP client.

Objective

Configure NTP authentication to ensure devices synchronize time only from trusted NTP sources, preventing unauthorized or spoofed time updates.

Steps

1) Here is an example of an AIX NTP server with authentication configured; the NTP server's hostname is tcp90 with IP 9.40.205.90:

/etc/ntp.conf 
 
#broadcastclient
server 127.127.1.0
keys /etc/ntp.keys
trustedkey 6
requestkey 6
controlkey 6
driftfile /etc/ntp.drift
logfile /etc/ntp.log

# Allow local system to query or modify the NTP service
restrict 127.0.0.1

# Do not allow anyone else to query or modify the NTP service
restrict default nomodify notrap nopeer noquery

The relevant NTP auth options and their purpose:

REQUIRED

keys key_file
Specifies the complete path and location of the key file containing the keys and key identifiers to be used by xntpd and ntpq. This is the same operation as the -k command line option.

trustedkey key_id
Specifies the key identifiers to be trusted for the purposes of authenticating other peers and for use with the ntpq command. Multiple key identifiers should be separated by spaces. Key ranges can also be specified as key_id1 ... key_id2 (with spaces around the triple dots).

OPTIONAL

controlkey key_id
requestkey key_id
These options specify the key identifiers to be used with the ntpq command and the xntpdc utility for control and management functions. These functions should usually be restricted to the NTP peer's localhost, so using keys to authenticate them is optional.

/etc/ntp.keys 
6  SHA1  foofoo


The format of the /etc/ntp.keys file is:

key_id key_type key_string

  • Key_ID is a positive integer number used to identify the key for the NTP commands and within /etc/ntp.conf.
  • Key_Type denotes the type of algorithm to be used to compute the NTP auth message-digest.
  • Key_String is the actual key.
  • For MD5 digest, the key type can be either M or MD5 and the actual key needs to be a printable ASCII string.
  • For SHA1/SHA256 digest, the key type is SHA1/SHA256 and the actual key can be a printable ASCII string or a HEX string.
  • Strings longer than 20 characters are interpreted as HEX.

EXAMPLES 

1 M      foofoo
2 MD5    passw0rd!
3 SHA1   s3cr3tpassw0rd
4 SHA256 2897E4020EF42DE249FE0C5AF31092859BA9A83E

Note: The NTP server and NTP client must agree on the key and key ID to authenticate exchanged data, but each must learn them separately. Therefore, the key ID, key type and actual key must match exactly in /etc/ntp.keys on both the NTP client and the NTP server for authentication to succeed.

Note: NTP versions and their supported algorithms for NTP authentication:

  • NTPv3 only supports the MD5 authentication algorithm.
  • NTPv4 supports the MD5, SHA1 and SHA256 authentication algorithms. NTPv4 is the default version on AIX 7.3.
  • To check which NTP version is in use:

NTPv3 (AIX 7.2)

# ls -ld /usr/sbin/xntpd
lrwxrwxrwx 1 root  system    20 Jan 21 2025  /usr/sbin/xntpd -> /usr/sbin/ntp3/xntpd

NTPv4 (AIX 7.2, AIX 7.3)

# ls -ld /usr/sbin/xntpd
lrwxrwxrwx 1 root system   20 Jan 12 02:05 /usr/sbin/xntpd -> /usr/sbin/ntp4/ntpd4

# xntpd --version
ntpd 4.2.8p17@1.4004-o Mon Jun 17 18:36:08 UTC 2024 (1)

Note: When making changes to /etc/ntp.conf and /etc/ntp.keys files, the xntpd daemon needs to be restarted before they take effect.

# stopsrc -s xntpd
# startsrc -s xntpd

2) Here's the AIX NTP client configuration:

/etc/ntp.conf
#broadcastclient
server 9.40.205.90 key 6
keys /etc/ntp.keys
trustedkey 6
requestkey 6
controlkey 6
logfile  /etc/ntp.log
driftfile /etc/ntp.drift

# Allow local system to query or modify the NTP service
restrict 127.0.0.1

# Do not allow anyone else to query or modify the NTP service
restrict default nomodify notrap nopeer noquery


/etc/ntp.keys

6 SHA1 foofoo

The same NTP auth options were added to the client, in addition to matching the contents of the server's /etc/ntp.keys file.

To specify which key should be used when authenticating with the NTP server, use the following format:

server NTP_server key key_id
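As an added example (not part of the IBM document), here is a Python checker that applies the /etc/ntp.keys rules above and the note that key ID, key type and key string must match on both peers: it parses a keys file, collects the key IDs a client's ntp.conf relies on (trustedkey, including key_id1 ... key_id2 ranges, and server ... key key_id), and reports any that are missing on either side or differ. File contents are passed in as strings (constructed inputs); the function names are my own.

```python
KEY_TYPES = {"M": "MD5", "MD5": "MD5", "SHA1": "SHA1", "SHA256": "SHA256"}  # 'M' is an alias for MD5

def parse_ntp_keys(text):
    """Parse ntp.keys text into {key_id: (algorithm, key_bytes)} using the rules above."""
    keys = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # '#' starts a comment; blank lines are skipped
        if not parts:
            continue
        if len(parts) != 3 or not parts[0].isdigit() or int(parts[0]) < 1 or parts[1] not in KEY_TYPES:
            raise ValueError(f"line {n}: expected 'key_id key_type key_string' (positive id, known type)")
        kid, algo, kstr = int(parts[0]), KEY_TYPES[parts[1]], parts[2]
        if len(kstr) > 20:                          # longer than 20 characters => HEX string
            if algo == "MD5" or len(kstr) % 2 or not set(kstr) <= set("0123456789abcdefABCDEF"):
                raise ValueError(f"line {n}: {len(kstr)}-char key must be HEX, and MD5 keys must be ASCII")
            key = bytes.fromhex(kstr)
        elif kstr.isascii() and kstr.isprintable():
            key = kstr.encode("ascii")
        else:
            raise ValueError(f"line {n}: key must be a printable ASCII string")
        keys[kid] = (algo, key)
    return keys

def referenced_key_ids(conf_text):
    """Key ids an ntp.conf depends on: trustedkey (incl. 'a ... b' ranges) and 'server X key N'."""
    ids = set()
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:1] == ["trustedkey"]:
            toks = parts[1:]
            for i, tok in enumerate(toks):
                if tok == "...":                    # key_id1 ... key_id2 (spaces around the dots)
                    ids.update(range(int(toks[i - 1]), int(toks[i + 1]) + 1))
                elif tok.isdigit():
                    ids.add(int(tok))
        elif parts[:1] == ["server"] and "key" in parts:
            ids.add(int(parts[parts.index("key") + 1]))
    return ids

def check_peer_keys(client_conf, client_keys, server_keys):
    """List key ids the client relies on that are missing on either side or differ between peers."""
    c, s = parse_ntp_keys(client_keys), parse_ntp_keys(server_keys)
    problems = []
    for kid in sorted(referenced_key_ids(client_conf)):
        if kid not in c or kid not in s:
            problems.append(f"key {kid}: missing from {'client' if kid not in c else 'server'} ntp.keys")
        elif c[kid] != s[kid]:
            problems.append(f"key {kid}: key type or key string differs between client and server")
    return problems
```

Run it against copies of both peers' /etc/ntp.keys and the client's /etc/ntp.conf before restarting xntpd; an empty list means every key the client will use exists identically on the server.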

3) Before restarting xntpd on the NTP client, a manual test can be performed to check if the NTP auth configuration is working:

# ntpdate -a <key_id> -d -k /etc/ntp.keys <IP_of_NTP_Server>

In this example, "authentication passed" is returned, which confirms that NTP authentication is successful:

# ntpdate -a 6 -d -k /etc/ntp.keys tcp90
 7 Dec 22:42:24 ntpdate[7733642]: ntpdate 4.2.8p15@1.3728-o Sat Aug  8 05:34:06 UTC 2020 (7)
Looking for host tcp90 and service ntp
9.40.205.90 reversed to tcp90.aus.stglabs.ibm.com
host found : tcp90.aus.stglabs.ibm.com
address: ::
address: 0.0.0.0
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
transmit(9.40.205.90)
receive(9.40.205.90)
receive: authentication passed
server 9.40.205.90, port 123
stratum 6, precision -20, leap 00, trust 000
refid [127.127.1.0], root delay 0.000000, root dispersion 0.011780
reference time:      e91d1cfc.ef2db346  Thu, Dec  7 2023 22:41:32.934
originate timestamp: e91d1d36.93c27bd2  Thu, Dec  7 2023 22:42:30.577
transmit timestamp:  e91d1d36.93abead5  Thu, Dec  7 2023 22:42:30.576
filter delay:  0.02626    0.02626    0.02626    0.02623
               ----       ----       ----       ----
filter offset: +0.000024  +0.000016  +0.000028  +0.000017
               ----       ----       ----       ----
delay 0.02623, dispersion 0.00000, offset +0.000017
 7 Dec 22:42:30 ntpdate[7733642]: adjust time server 9.40.205.90 offset +0.000017 sec


The xntpd daemon can now be started on the client. Its status can be queried to verify that time is synchronized with the NTP server:

# startsrc -s xntpd 
# lssrc -ls xntpd
# ntpq -p


Note: Allow some time for synchronization. It may take up to 10 minutes for xntpd to calculate an accurate approximation of 'real' time and return a synchronized status. 

Additional Information

If you encounter any issues with configuring NTP authentication on AIX, collect NTP MustGather data and open an IBM Support case to receive assistance. 

IBM AIX CommApps MustGather: Data collection for NTP sync issues

Document Location

Worldwide


Document Information

Modified date:
30 January 2026

UID

ibm17091187