Additional testing for ntpq authentication to ensure MD5 still works for ntpq in archive
NOTE: The shown testing is ntpq (with patch) + openssl from archive, to ensure all still works.
Testing with ntpq + fips-openssl was also done successfully.
VM-A (ntp server)
1. Edit /etc/ntp.keys to include,
1 SHA1 austintexas
2 MD5 cedarpark
2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
trustedkey 2
controlkey 2
requestkey 2
3. restart ntp
sudo service ntp restart
VM-B (ntp client)
$ dpkg -l | grep ntp
ii ntp 1:4.2.8p10+dfsg-5ubuntu7.1+ppa1 amd64 Network Time Protocol daemon and utility programs
1. Edit /etc/ntp.keys to include,
1 SHA1 austintexas
2 MD5 cedarpark
2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
server <VM-B ipaddress> key 2
trustedkey 2
controlkey 2
requestkey 2
3. I commented out all the "pool" entries in /etc/ntp.conf
4. restart ntp
sudo service ntp restart
On the client,
$ ntpq -c as
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 46728  f014   yes   yes   ok    reject   reachable  1
Notice that "auth" is ok.
$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password: <enter "cedarpark">
    interface name                                        send
 #  address/broadcast     drop flag ttl mc received sent failed peers   uptime
==============================================================================
  0 v6wildcard               D   81   0  0        0    0      0     0       96
    [::]:123
  1 v4wildcard               D   89   0  0        0    0      0     0       96
    0.0.0.0:123
  2 lo                       .    5   0  0        2    1      0     0       96
    127.0.0.1:123
  3 ens3                     .   19   0  0        2    2      0     1       96
    192.168.122.105:123
  4 lo                       .    5   0  0        0    0      0     0       96
    [::1]:123
  5 ens3                     .   11   0  0        0    0      0     0       96
    [fe80::5054:ff:fefe:b092%2]:123
ntpq>
Note: issuing "ifstats" requires authentication.
I also tested with SHA1 and it worked as well.
And last test on client,
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.122.106 204.11.201.12    3 u   56   64    7    1.541    2.723   0.826
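
The authentication exercised by the steps above ("trustedkey 2", "keytype is MD5 with 16 octet digests") can be reproduced offline. The following is an added example, not part of the original comment or of the ntp source; it assumes the classic NTP symmetric-key MAC (4-byte key ID followed by the digest of the secret concatenated with the packet), and the function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Key file content as shown in the test steps (/etc/ntp.keys: id type secret)
NTP_KEYS = """\
1 SHA1 austintexas
2 MD5 cedarpark
"""

def load_keys(text):
    """Parse ntp.keys text into {keyid: (digest_name, secret_bytes)}."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        keyid, ktype, secret = line.split()[:3]
        keys[int(keyid)] = (ktype.lower(), secret.encode("ascii"))
    return keys

def compute_mac(keys, keyid, packet):
    """Return key ID (big-endian, 4 bytes) + digest(secret || packet)."""
    algo, secret = keys[keyid]
    digest = hashlib.new(algo, secret + packet).digest()
    return struct.pack("!I", keyid) + digest

def verify(keys, trusted, message):
    """Receiver-side check of a 48-byte header followed by key ID + digest."""
    packet, mac = message[:48], message[48:]
    if len(mac) < 4:
        return False                           # no MAC present
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys or keyid not in trusted:
        return False                           # unknown or untrusted key ID
    return hmac.compare_digest(compute_mac(keys, keyid, packet), mac)

# Constructed sample: client request header (LI=0, VN=4, mode=3), remainder zero
SAMPLE_PACKET = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    keys = load_keys(NTP_KEYS)
    for kid in sorted(keys):
        mac = compute_mac(keys, kid, SAMPLE_PACKET)
        print(kid, keys[kid][0], len(mac) - 4, "octet digest", mac[4:].hex())
    msg = SAMPLE_PACKET + compute_mac(keys, 2, SAMPLE_PACKET)
    print("key 2 trusted:", verify(keys, {2}, msg))
    print("key 2 not trusted:", verify(keys, {1}, msg))
```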