NTP claims to support MD5 authentication. The docs I've found aren't clear enough for my level of luserhood. How would I go about using it, with a collection of FreeBSD clients, and a couple of FreeBSD servers (getting their time from servers outside my network)? Everything's on ntp 4.2.* - 4.2.6p*, 4.2.7p*, and 4.2.8. And how would I go about verifying that they really were authenticating each other; is there some way to ask them what they think they are doing, or will I need to do negative testing (a client and/or server with the wrong keys)?
A good RTFM link would be sufficient; I'm feeling like an idiot asking, but ntp.org is better at explaining theory than practice, and frequently seems to be describing ntp 3 or even earlier. What I've set up keeps time quite happily - but it still kept time with a broken client config that didn't tell the client where to find the keys file :-(
In the same vein, what do I need to lock up, assuming I don't want any of them participating in DDoS attacks? (Assume for the moment I'm not just relying on a firewall - I'm looking for a "best practice" FAQ type answer.) And with late 4.2.7 builds or 4.2.8, what do I need to unlock to get reasonable behaviour? (I've already found that "restrict 127.0.0.1 mask 255.255.255.255" doesn't let me do much from localhost. Looks like it has noquery and perhaps more turned on by default.)