NTP Authentication: Client Side

Now that we have enabled NTP authentication on our own stratum 1 NTP servers (Linux/Raspbian and Meinberg LANTIME) we need to set up this SHA-1 based authentication on our clients. Here we go for a standard Linux ntp setup:

This article is one of many blogposts within this NTP series. Please have a look!

Note that when you’re using multiple NTP servers (which I highly recommend, refer to Why should I run own NTP Servers?) you must use different keys/IDs for each of them. Obviously you can’t use the same “key number 11” for different NTP servers as far as they’re using different randomly generated keys. In my lab I’m using three stratum 1 NTP servers (Pi DCF77, Pi GPS, Meinberg M200) with the key IDs 11, 12, and 13.

NTP Client Setup

Everything takes place solely on the NTP client. The first step is to create the ntp.keys file with the needed keyssudo nano /etc/ntp.keys In my case it’s:

The second step is to refer to this ntp.keys file, trusting those three keys, and using them on the appropriate NTP servers. sudo nano /etc/ntp.conf, adding/modifying those lines:

Followed by a restart of ntp: sudo service ntp restart.

Verify

Of course you should verify whether everything is working as expected. At first the well-known ntpq -p to show the peers (but yet without the information whether NTP authentication is working). Lines 5-7 are my three stratum 1 NTP servers while I am also querying another pool:

Displaying the associations shows a column “auth” which clearly states that those three NTP servers are “ok”, i.e., authenticated:

Furthermore you can display the authinfo section which shows the count of encryptions/decryptions. Both should increase over time:

If you’re interested in how authenticated NTP packets look on the wire, have a look at my downloadable pcap file at Packet Capture: Network Time Protocol (NTP).

Yo. Cheers.

Featured image “Unterschrift mit Füller” by Tim Reckmann is licensed under CC BY 2.0.

Leave a Reply

Your email address will not be published.