How to Configure Authenticated NTP Using Autokey

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • NTP connections should be authenticated
    • Increases the likelihood of a reliable time source
    • Lessens the chance of attackers broadcasting incorrect time

Resolution

Server Configuration

  • Ensure the following entries are in /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server <ntp.server.com>
broadcast <broadcast/multicast ip> autokey
crypto
includefile /etc/ntp/crypto/pw
keysdir /etc/ntp/
  • Generate the server-side keys
# cd /etc/ntp
# ntp-keygen -T -p password
  • Restart the NTP service
# service ntpd restart
  • Ensure that the service started
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 <brdcst.address>    .BCST.      16 u    -   64     0    0.000    0.000   0.000
 <ntp.server.com>    <refid>      5 u   17   64   377    0.000    0.000   0.000

Client Configuration

  • Ensure the following entries are in /etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
crypto
includefile /etc/ntp/crypto/pw
keysdir /etc/ntp/
server <ntp.server.com> autokey
  • Generate the client-side keys
# cd /etc/ntp
# ntp-keygen -H -p clientpassword
  • Restart the NTP service
  • Ensure authenticated NTP is connecting successfully
# ntpq -c as
ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
  1  12345   f123   yes    yes   ok    sys.peer   reachable    1

Crypto Configuration

  • Sample /etc/ntp/crypto/pw file
# Specify the password to decrypt files containing private keys and identity
# parameters.  This is required only if these files have been encrypted.
#
crypto pw <password>

Diagnostic Steps

Troubleshooting the Configuration

  • For error: "RAND_load_file /root/.rnd not found or empty"
dd if=/dev/urandom of=/root/.rnd bs=512 count=1
  • For error: "crypto_setup: random seed file not found error:"
    • Add crypto randfile /dev/urandom entry to /etc/ntp.conf
  • Important: Ensure that no keys, key directories, or files containing passwords are world readable
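The two checks a practitioner typically scripts after following the steps above, as an added example that is not part of the Red Hat article: confirming from ntpq -c as output that every reachable association is authenticated (the auth column reads ok, as in the Client Configuration step) and confirming that nothing under the keys directory is world readable. The ntpq output and the key files are constructed sample data; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: post-configuration checks for
# an Autokey deployment. It parses "ntpq -c as" output for reachable but
# unauthenticated associations and flags world-readable key material.

# Constructed sample of "ntpq -c as" output in the layout the article shows;
# the second association (auth=none) is deliberately unauthenticated.
SAMPLE_AS='ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
  1  12345   f123   yes    yes   ok    sys.peer   reachable    1
  2  12346   9024   yes    yes   none  reject     reachable    1'

# Print every association that is reachable but whose auth column is not
# "ok". Returns 0 only when all reachable associations are authenticated.
check_assoc_auth() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                 # skip the header and separator lines
        $5 == "yes" && $6 != "ok" {
            bad++
            print "unauthenticated association assID=" $2 " auth=" $6
        }
        END { exit (bad > 0) }'
}

# Report regular files under a keys directory that are readable by "other"
# (the condition the article warns about). Returns 0 when none are.
# Assumes GNU stat (coreutils), as shipped on RHEL.
check_key_perms() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")            # octal mode, e.g. 644
        other=$(printf '%s' "$mode" | tail -c 1)
        if [ $((other & 4)) -ne 0 ]; then
            echo "world-readable: $f (mode $mode)"
            bad=1
        fi
    done
    return $bad
}

# Demonstration on constructed data: a temporary key directory holding one
# correctly protected file and one world-readable file.
demo_dir=$(mktemp -d)
printf 'constructed' > "$demo_dir/ntpkey_host_demo" && chmod 600 "$demo_dir/ntpkey_host_demo"
printf 'constructed' > "$demo_dir/ntpkey_cert_demo" && chmod 644 "$demo_dir/ntpkey_cert_demo"
check_assoc_auth "$SAMPLE_AS" || echo "association check FAILED"
check_key_perms "$demo_dir"   || echo "permission check FAILED"
rm -rf "$demo_dir"
```

On a live host, feed the functions the real output (ntpq -c as) and the real directory (/etc/ntp) instead of the constructed data.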

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.