I'm trying to set up an NTP timeserver for hosts on my internal network to synchronise against.

I need to use authorisation in order to comply with PCI standards.

I've created a set of keys using ntp-keygen -M and added the below snippet to my /etc/ntp.conf file on the server.

enable auth
keys /etc/ntp.keys
trustedkey 1 7 17

I'm unable to connect to the server from a client. When I run "ntpq -c as" on the client I can see that auth is "bad" for my server. I have copied the key file that was generated on the server to the client and added the trusted key lines to the client too, like this:

server timeserver key 17
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1 7 17

Looking at the server logs I can see that I'm getting a permission denied fault when trying to read the file, as below.

Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Starting LSB: Start NTP daemon...
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:  * Starting NTP server ntpd
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: ntpd 4.2.8p4@1.3265-o Wed Oct  5 12:34:45 UTC 2016 (1): Starting
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:    ...done.
Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Started LSB: Start NTP daemon.
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: proto: precision = 0.182 usec (-22)
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: authreadkeys: file /etc/ntp.keys: Permission denied

I have used ntpdate from the client machine to set the date from the server so I'm pretty confident that the networking is up and running. I've actually disabled iptables on both servers while I'm busy trying to set this up.

The key file is 600 on the server, like this:

-rw-------  1 root  root    1066 Jan 30 12:29 ntpkey_MD5key_timeserver.3694768152
lrwxrwxrwx  1 root  root      35 Jan 30 12:33 ntp.keys -> ntpkey_MD5key_timeserver.3694768152

I've tried changing the config to point to the actual file and not the symlink.

Can anybody help me work out what the error in the syslog means and how to resolve this?

EDIT: Looking at the source it looks like the "Permission denied" part of the error is coming from the OS.

Andy
  • NTP is interesting in that the client drives this, not the server. NTP servers are happy to serve NTP to anyone, but the client is the one that needs to trust the source. – Ron Maupin Jan 30 '17 at 13:57
  • Any idea why the server would be getting "Permission denied" when trying to open the key file? It will need to have access to the keys in order to "sign" the responses it sends won't it? – Andy Jan 30 '17 at 14:09
  • This was also asked on [Ask Ubuntu](https://askubuntu.com/) as [Ubuntu 16.04 NTP server cannot read the key file](https://askubuntu.com/q/877926/604086). – Lance U. Matthews Jun 10 '20 at 23:02
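The "auth bad" state that ntpq reports does not only come from the file-permission error; it also appears when the key ids in ntp.conf and the two ntp.keys files do not line up (a trusted id missing from one file, a `server ... key N` id that is not in `trustedkey`, or a secret that differs between client and server). The following Python is an added example, not code from the question or the answers: it parses constructed sample ntp.keys content in the `keyno type secret [# comment]` layout that ntp-keygen -M writes, plus the client's ntp.conf lines from the question, and reports every mismatch. The secrets, the helper names and the assumption that `#` starts a comment are constructed for the example; `trustedkey` ranges written as `(a ... b)` are not handled.

```python
"""Consistency check for NTP symmetric-key authentication (added example).
Assumed file format: each ntp.keys line is "keyno type secret [# comment]",
as written by ntp-keygen -M.  trustedkey ranges "(a ... b)" are not handled."""

# Constructed sample ntp.keys content: ids match the post (1, 7, 17),
# the secrets are made up for this example.
SERVER_KEYS = """\
# ntpkey_MD5key_timeserver.3694768152 (constructed sample)
1 MD5 Vq7xK2p9mLdeRzAhNuqw  # MD5 key
7 MD5 b3Yt8wQ2nMxLp0sKd4Fz  # MD5 key
17 SHA1 6f1a2c9e4b0d8e7f3a5c1b2d4e6f8a9c0b1d2e3f  # SHA1 key
"""
CLIENT_KEYS = SERVER_KEYS  # the post copies the server's file to the client unchanged

# Constructed client ntp.conf lines, as in the question.
CLIENT_CONF = """\
server timeserver key 17
keys /etc/ntp.keys
trustedkey 1 7 17
"""


def parse_keys(text):
    """Return {keyno: (type, secret)}; '#' starts a comment, blank lines are skipped."""
    keys = {}
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if len(toks) < 3 or not toks[0].isdigit():
            continue
        keys[int(toks[0])] = (toks[1].upper(), toks[2])
    return keys


def trusted_key_ids(conf_text):
    """Collect the ids listed on trustedkey lines (plain ids only)."""
    ids = set()
    for line in conf_text.splitlines():
        toks = line.split("#", 1)[0].split()
        if toks and toks[0] == "trustedkey":
            ids.update(int(t) for t in toks[1:] if t.isdigit())
    return ids


def association_key_refs(conf_text):
    """Return [(host, keyid)] for every server/peer line carrying 'key N'."""
    refs = []
    for line in conf_text.splitlines():
        toks = line.split("#", 1)[0].split()
        if len(toks) >= 2 and toks[0] in ("server", "peer") and "key" in toks:
            i = toks.index("key")
            if i + 1 < len(toks) and toks[i + 1].isdigit():
                refs.append((toks[1], int(toks[i + 1])))
    return refs


def check_auth_config(conf_text, local_keys, remote_keys):
    """Return a list of problems; an empty list means the ids and secrets line up."""
    local, remote = parse_keys(local_keys), parse_keys(remote_keys)
    trusted = trusted_key_ids(conf_text)
    problems = [f"trustedkey {k} is not present in the local ntp.keys"
                for k in sorted(trusted) if k not in local]
    for host, k in association_key_refs(conf_text):
        if k not in trusted:
            problems.append(f"{host}: key {k} is not listed in trustedkey, so it will not be used")
        if k not in local:
            problems.append(f"{host}: key {k} is missing from the local ntp.keys")
        elif k not in remote:
            problems.append(f"{host}: key {k} is missing from the remote ntp.keys")
        elif local[k] != remote[k]:
            problems.append(f"{host}: key {k} differs between local and remote ntp.keys")
    return problems


if __name__ == "__main__":
    for p in check_auth_config(CLIENT_CONF, CLIENT_KEYS, SERVER_KEYS) or ["keys line up"]:
        print(p)
```

Run it once with the client's view (`CLIENT_CONF`, `CLIENT_KEYS`, `SERVER_KEYS`) and once with the server's ntp.conf and the arguments swapped; the server's `trustedkey` line must also list the id the client sends, or the server will not authenticate the request.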

2 Answers

If the key file is readable by root only, but ntpd is running as a non-root user, e.g. using -u ntp:ntp, make sure the effective user can read the key file.

For example you could use chmod u=rw,g=r,o= keyfile for the key file to allow the group to read, and then do a chgrp ntp keyfile to assign group ntp to the file, effectively allowing group ntp to access the file (but you knew that already, right?).

Still, it may be worth checking for additional restrictions imposed by apparmor or selinux. For the former you can try aa-status | grep ntpd to check.

U. Windl


I spun up an Ubuntu 14.04 instance and noticed an AppArmor message in the logs after the same "permission denied" message.

Disabling the ntp profile for apparmor resolved the issue.

Andy
    Augmenting the apparmor profile by editing /etc/apparmor.d/local/usr.sbin.ntpd would be a much better solution. The apparmor profile is an important mitigation against possible buffer overflow attacks and the like. – Paul Gear Jan 31 '17 at 02:51
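The first answer's chmod/chgrp advice and the comment above about augmenting the AppArmor profile instead of disabling it are two separate checks on the same file, and both apply to the symlink target rather than to ntp.keys itself. The following Python is an added example, not code from either answer: it evaluates readability the way the kernel's owner/group/other check does for the uid:gid that the question's log shows ntpd dropping to (`-u 112:116`), prints the chmod/chgrp commands from the first answer for the resolved target, and emits the read rules for /etc/apparmor.d/local/usr.sbin.ntpd. It builds its own temporary key file and symlink; the `ntp` group name and the assumption that AppArmor matches the resolved target path of a symlink are assumptions of the example, as are the helper names.

```python
"""Readability and AppArmor-rule check for an ntpd key file (added example).
Assumptions: ntpd runs as uid 112 / gid 116 (the -u 112:116 from the log),
the unprivileged group is called "ntp", and AppArmor rules are written in the
usual "path r," form against the resolved (symlink-target) path."""
import os
import shutil
import stat
import tempfile


def can_read(path, uid, gid, supplementary=()):
    """Mimic the kernel's DAC read check: owner bits if uid owns the file, else group
    bits if gid (or a supplementary gid) matches, else other bits.  os.stat follows
    the symlink, exactly as open(2) does when ntpd opens /etc/ntp.keys."""
    st = os.stat(path)
    if uid == 0:
        return True  # root bypasses the DAC read check
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if gid == st.st_gid or st.st_gid in supplementary:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def fix_commands(path, ntp_group="ntp"):
    """The first answer's fix, applied to the real file behind the symlink."""
    target = os.path.realpath(path)
    return [f"chmod u=rw,g=r,o= {target}", f"chgrp {ntp_group} {target}"]


def apparmor_local_rules(path):
    """Rule lines for /etc/apparmor.d/local/usr.sbin.ntpd.  Assumed: AppArmor mediates
    the resolved path, so the ntpkey_MD5key_* target needs its own read rule."""
    target = os.path.realpath(path)
    rules = [f"{path} r,"]
    if target != path:
        rules.append(f"{target} r,")
    return rules


def demo():
    """Recreate the question's layout (600 root-owned file + ntp.keys symlink) in a
    temp dir and run the checks; returns the results instead of only printing them."""
    d = tempfile.mkdtemp()
    try:
        real = os.path.join(d, "ntpkey_MD5key_timeserver.CONSTRUCTED")
        link = os.path.join(d, "ntp.keys")
        with open(real, "w") as f:
            f.write("1 MD5 constructedsecret\n")  # constructed content
        os.chmod(real, 0o600)
        os.symlink(real, link)
        ntpd_uid, ntpd_gid = 112, 116
        owner_ok = can_read(link, os.getuid(), os.getgid())  # the owner can read it
        before = can_read(link, ntpd_uid, ntpd_gid)          # 600, wrong group: denied
        os.chmod(real, 0o640)                                # chmod u=rw,g=r,o=
        # chgrp needs privilege; model its effect by treating the file's group as ntp's gid
        after = can_read(link, ntpd_uid, os.stat(real).st_gid)
        return {"owner": owner_ok, "before": before, "after": after,
                "fix": fix_commands(link), "rules": apparmor_local_rules(link)}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    result = demo()
    print("ntpd can read key file before fix:", result["before"])
    print("ntpd can read key file after chmod/chgrp:", result["after"])
    print("\n".join(result["fix"] + result["rules"]))
```

After adding the rule lines to the local profile, reload it with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd` and restart ntpd; the `authreadkeys` line in syslog should disappear while the profile stays in enforce mode.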