HP-UX Internet Services Administrator's Guide (August 2003)

Configuring NTP
Advanced NTP Topics
Chapter 4
/usr/newconfig/etc/ntp.keys. HP recommends the location
/etc/ntp.keys for storing the key file. You must secure the key file by
setting its permissions to 600.
While the key file can contain many keys, you can declare a subset of
these keys as trusted keys. Trusted keys are used to determine if a time
server is trusted as a potential synchronization candidate. Only time
servers that use a specified trusted key for encryption, and whose
authenticity is verified by successful decryption, are considered
synchronization candidates.
Figure 4-5 illustrates how authentication works.
Figure 4-5 Authentication Example
In Figure 4-5, authentication is enabled for both Penelope and Golden.
An NTP time request from Penelope to Golden includes the
authentication fields: the key ID (10) and a checksum encrypted with
the key corresponding to key ID 10 (tickle). When Golden receives this
request, it uses the packet’s key ID field (10) to look up the key for
key ID 10 in its key file (tickle), recomputes the checksum, and compares
it with the authentication field in the request.
Golden sends back time information with the key ID 10 and a checksum
encrypted using the encryption key tickle.
Additionally, Penelope accepts time synchronizations from hosts that
have used the key ID 10 and the corresponding encryption key tickle.
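The exchange between Penelope and Golden, as an added example (not code from the HP guide): for format M keys the "encrypted checksum" is an MD5 digest computed over the key followed by the 48-byte NTP header, sent after a 32-bit key ID. The key file text, the extra key 11, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample mirroring the page: key ID 10, format M, key "tickle".
KEYS_FILE = """\
# key#  Format  Key
10      M       tickle
11      M       untrusted
"""
TRUSTED = {10}  # plays the role of "trustedkey 10" in ntp.conf


def load_keys(text):
    """Parse ntp.keys lines of the form: key# Format Key (format M only)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 3 and fields[1].upper() == "M":
            keys[int(fields[0])] = fields[2].encode("ascii")
    return keys


def add_mac(header, key_id, keys):
    """Append the key ID (32 bits) and MD5(key || header) to an NTP header."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted):
    """Return True only if the MAC verifies under a known, trusted key."""
    if len(packet) != 48 + 4 + 16:
        return False  # no MAC present, or unexpected length
    header, mac = packet[:48], packet[48:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


KEYS = load_keys(KEYS_FILE)
# Constructed client request: LI=0, VN=3, Mode=3 (client), remaining fields zero.
REQUEST = add_mac(bytes([0x1B]) + bytes(47), 10, KEYS)
```

A packet signed with key 11 fails `verify` even though the key is in the key file, because only key 10 is in the trusted set.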
To enable authentication on the local host, include the following
statement in the /etc/ntp.conf configuration file:
[Figure 4-5: Penelope and Golden each use /etc/ntp.keys with the entry
"10 M tickle" (columns: key#, Format, Key) and have "authenticate yes" and
"keys /etc/ntp.keys" configured. Other configuration lines shown in the
figure: "server golden key 10", "server 127.127.1.1", "trustedkey 10". The
NTP packet between the hosts carries Key Num. (10) + Encrypted Checksum.]