Installing and Administering Internet Services

306 Chapter 7
Configuring the Network Time Protocol (NTP)
Advanced NTP Topics
When authentication is enabled on a host (the authenticate yes keyword in its
xntpd configuration), the host will not consider any of the following time
servers for synchronization:
• Time servers that send unauthenticated NTP packets.
• Time servers that send authenticated packets whose checksum the host
cannot verify, for example because the key number is not in the host's
key file or the host's copy of that key has a different value.
• Time servers that send authenticated packets computed with a key that
the host has not declared trusted.
Note that NTP authentication does not encrypt the packet: the authenticator
is a keyed checksum (a message authentication code) appended to the packet.
It proves that the sender holds the key and that the packet was not altered
in transit, but the time data itself travels in the clear.
The host's key file is named with the keys keyword in its xntpd
configuration (for example, keys /etc/ntp.keys in Figure 7-5). The key
file contains a list of keys and their corresponding key numbers. Each
key number and key pair is further qualified by a key format, which
determines the checksum algorithm used with that key (in Figure 7-5 the
format is M, an MD5 key given as a character string). See the xntpd man
page for the full description of the authentication key file. A sample
key file is provided in /usr/newconfig/etc/ntp.keys. The recommended
location for the key file is /etc/ntp.keys. Because the keys are stored
in clear text, anyone who can read the file can forge authenticated
packets; the key file must be secured so that only the system
administrator has read and write access (mode 600). The same key number
and key value must be installed in the key file of every host that uses
that key.
While the key file can contain many keys, you declare a subset of these
keys as trusted keys with the trustedkey keyword (trustedkey 10 in
Figure 7-5). Trusted keys determine whether a time server is "trusted" as
a potential synchronization candidate. Only time servers that authenticate
their packets with one of the host's trusted keys, and whose authenticity
is confirmed by a checksum that the host can verify with its own copy of
that key, are considered synchronization candidates.
Figure 7-5 illustrates how authentication works between a client,
penelope, and the time server golden that it synchronizes to.
Figure 7-5 Authentication Example
(Text recovered from the figure; the assignment of configuration lines to
each host is inferred from the lines themselves.)
Golden (time server, synchronized to its local clock, 127.127.1.1):
    xntpd configuration:
        authenticate yes
        keys /etc/ntp.keys
        server 127.127.1.1
    /etc/ntp.keys:
        key#  Format  Key
        10    M       tickle
Penelope (client of golden, authenticating with key 10):
    xntpd configuration:
        authenticate yes
        keys /etc/ntp.keys
        server golden key 10
        trustedkey 10
    /etc/ntp.keys:
        key#  Format  Key
        10    M       tickle
Each NTP packet exchanged between penelope and golden carries the NTP
packet header, the key number (10), and an encrypted checksum computed
over the packet with key 10. The receiving host recomputes the checksum
with its own copy of key 10 and accepts the packet only if the two match
and key 10 is one of its trusted keys.
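The following Python script is an added example, not code from the manual or from xntpd. It models what the receiving host in Figure 7-5 does with an incoming packet and applies the three rejection rules listed above: it parses a constructed ntp.keys file in the key#/Format/Key layout shown, builds an NTP v3 header, appends the authenticator used for MD5 keys (a 4-byte key number followed by MD5 over the key concatenated with the header, as specified in RFC 1305 for NTP v3) and verifies it against the key file and the trusted-key set. It assumes that the M format means an MD5 key given as an ASCII string and handles no DES formats; the sample key 11 and key 12 exist only to exercise the untrusted-key and unknown-key cases and are not on the page.

```python
import hashlib
import hmac
import struct

# Constructed sample /etc/ntp.keys in xntpd's layout: key number, format, key.
# Format "M" is an MD5 key given as an ASCII string (the format used in Figure 7-5).
# Key 11 is constructed for the "not trusted" case; the DES formats are not handled.
SAMPLE_NTP_KEYS = """\
# key#  Format  Key
10      M       tickle
11      M       notused
"""

NTP_HEADER_LEN = 48   # unauthenticated NTP v3 header
KEYNO_LEN = 4         # key number field of the authenticator
DIGEST_LEN = 16       # MD5 digest length


def parse_ntp_keys(text):
    """Return {key_number: key_bytes} for the "M" entries of an ntp.keys file."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keyno, fmt, key = fields
        if fmt.upper() != "M":
            raise ValueError(f"key {keyno}: format {fmt!r} not supported by this example")
        keys[int(keyno)] = key.encode()
    return keys


def ntp_header(stratum=1, refid=b"LOCL"):
    """A minimal NTP v3 server-mode header (LI=0, VN=3, mode=4); timestamps left zero."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)      # poll 2**6, precision 2**-20
    return head + struct.pack("!II", 0, 0) + refid + b"\x00" * 32  # delay, dispersion, refid, 4 timestamps


def authenticate(header, keys, keyno):
    """Append the NTP authenticator: 4-byte key number + MD5(key || header)."""
    digest = hashlib.md5(keys[keyno] + header).digest()
    return header + struct.pack("!I", keyno) + digest


def verify(packet, keys, trusted_keys):
    """Apply the receiving host's acceptance rules; returns (accepted, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet"
    if len(packet) != NTP_HEADER_LEN + KEYNO_LEN + DIGEST_LEN:
        return False, "malformed authenticator"
    header = packet[:NTP_HEADER_LEN]
    keyno = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEYNO_LEN])[0]
    received = packet[NTP_HEADER_LEN + KEYNO_LEN:]
    if keyno not in keys:
        return False, f"key {keyno} not in key file"
    expected = hashlib.md5(keys[keyno] + header).digest()
    if not hmac.compare_digest(received, expected):   # constant-time comparison
        return False, f"checksum mismatch for key {keyno}"
    if keyno not in trusted_keys:
        return False, f"key {keyno} is not a trusted key"
    return True, f"authenticated with trusted key {keyno}"


def demo():
    """The cases a host configured with 'authenticate yes' and 'trustedkey 10' sees."""
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    trusted = {10}
    header = ntp_header()
    good = authenticate(header, keys, 10)
    tampered = bytearray(good)
    tampered[1] ^= 0x01                     # flip a bit of the stratum field after signing
    return {
        "unauthenticated": verify(header, keys, trusted),
        "good": verify(good, keys, trusted),
        "tampered": verify(bytes(tampered), keys, trusted),
        "unknown_key": verify(authenticate(header, {12: b"other"}, 12), keys, trusted),
        "untrusted_key": verify(authenticate(header, keys, 11), keys, trusted),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:15} {'accept' if ok else 'reject'}: {why}")
```

The "tampered" case is the property the authenticator actually buys: a packet from a host that holds key 10 is rejected as soon as any bit of the header is changed in transit, while a forger without the key cannot produce a matching checksum at all. The "unknown_key" and "untrusted_key" cases correspond to the second and third rejection rules above; the key-file permission rule matters because anyone who reads tickle from /etc/ntp.keys can pass every check in this script.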