Installing and Administering Internet Services

Chapter 7 221
Configuring NTP
Configuration
Configuring Authentication
Authentication is a mechanism that helps protect against
unauthorized access to time servers. Authentication is enabled on a
system-by-system basis. Once enabled on a system, authentication
applies to all NTP relationships configured on that system. When
authentication is enabled on a host, only those time servers that send
messages encrypted with a configured key are considered candidates
for synchronization of the host.
In authenticated mode, each NTP packet transmitted by a host has
appended to it a key number and an encrypted checksum of the
packet contents. The key number is specified in the peer, server, or
broadcast statement for the remote host. You specify either the Data
Encryption Standard (DES) algorithm or the Message Digest 5 (MD5)
algorithm to be used for the encryption of NTP packets.
Upon receipt of an encrypted NTP packet, the receiving host recomputes
the checksum and compares it with the one included in the packet. Both
the sending and receiving systems must use the same encryption key,
defined by the key number.
When authentication is enabled on a host, the following time servers will
not be considered by the host for synchronization:

- Time servers that send unauthenticated NTP packets.
- Time servers that send authenticated packets that the host is unable
  to decrypt.
- Time servers that send authenticated packets encrypted using a
  non-trusted key.
An authentication key file is specified on the host. The key file
contains a list of keys and their corresponding key numbers. Each
key and key number pair is further defined by a key format, which
determines the encryption method being used. See the xntpd man page
for more information about the content of the authentication key file. A
sample key file is provided in /usr/newconfig/etc/ntp.keys. The
recommended location for the key file is /etc/ntp.keys. The key file
should be secured so that only the system administrator has read
and write access (mode 600).
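The following is an added example, not code from this manual or from xntpd itself. It models the receiving side described above: a key file in the xntpd "key number, format, key" layout is parsed, a packet's appended key number and checksum are checked against the local copy of the key, and the three rejection cases (unauthenticated, undecryptable, non-trusted key) are distinguished from an accepted packet. It also checks that the key file carries mode 600. Only the MD5 ("M") key format is modelled, with the NTPv3 rule that the checksum is MD5 of the key followed by the packet; the DES formats are skipped. The key numbers, key strings and packet contents are constructed for the example, and the trusted set stands in for a `trustedkey 1 2` statement in ntp.conf.

```python
"""Model of xntpd-style NTP packet authentication and the ntp.keys file.
Added example, not HP-UX or xntpd code; MD5 ('M') keys only."""
import hashlib
import hmac
import os
import stat
import struct
import tempfile

# Constructed ntp.keys content: "<key number> <format> <key>" per line, '#' comments.
SAMPLE_KEYS_FILE = """\
# key-number  format  key
1   M   FirstKey
2   M   Second01
3   M   OtherKey
"""

NTP_PACKET_LEN = 48     # NTP header without the authenticator
KEYID_LEN = 4           # key number field appended to the packet
MD5_DIGEST_LEN = 16


def parse_keys_file(text):
    """Return {key_number: key_bytes} for the MD5 ('M') entries of a key file."""
    keys = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        number, fmt, key = line.split(None, 2)
        if fmt.upper() != 'M':
            continue        # DES formats (A, S, N) are not modelled here
        keys[int(number)] = key.encode('ascii')
    return keys


def digest(key, packet):
    """NTPv3 MD5 authenticator: digest of the key followed by the packet."""
    return hashlib.md5(key + packet).digest()


def authenticate(packet, key_number, key):
    """Append the key number and digest to a 48-byte NTP packet."""
    return packet + struct.pack('!I', key_number) + digest(key, packet)


def check_packet(data, keys, trusted):
    """Classify a received packet as an authenticating host would.
    keys: mapping from parse_keys_file; trusted: key numbers declared trusted."""
    if len(data) == NTP_PACKET_LEN:
        return 'reject: unauthenticated packet'
    if len(data) != NTP_PACKET_LEN + KEYID_LEN + MD5_DIGEST_LEN:
        return 'reject: malformed authenticator'
    packet = data[:NTP_PACKET_LEN]
    key_number = struct.unpack('!I', data[NTP_PACKET_LEN:NTP_PACKET_LEN + KEYID_LEN])[0]
    received = data[NTP_PACKET_LEN + KEYID_LEN:]
    if key_number not in keys:
        return 'reject: unknown key %d' % key_number
    # Recompute with the local copy of the key; compare in constant time.
    if not hmac.compare_digest(digest(keys[key_number], packet), received):
        return 'reject: bad digest for key %d' % key_number
    if key_number not in trusted:
        return 'reject: key %d not trusted' % key_number
    return 'accept: key %d' % key_number


def write_key_file(text, mode=0o600):
    """Write a key file to a temporary path with the given mode; return the path."""
    fd, path = tempfile.mkstemp(prefix='ntp.keys.')
    with os.fdopen(fd, 'w') as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def key_file_mode_ok(path):
    """True only if the key file is readable and writable by its owner alone (600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def demo():
    """Run the cases the text distinguishes and return each outcome."""
    keys = parse_keys_file(SAMPLE_KEYS_FILE)
    trusted = {1, 2}                      # as if ntp.conf said: trustedkey 1 2
    packet = bytes([0x1b]) + bytes(47)    # LI 0, version 3, mode 3; body zeroed
    return {
        'plain':     check_packet(packet, keys, trusted),
        'trusted':   check_packet(authenticate(packet, 1, keys[1]), keys, trusted),
        'untrusted': check_packet(authenticate(packet, 3, keys[3]), keys, trusted),
        'unknown':   check_packet(authenticate(packet, 9, b'Guess'), keys, trusted),
        'wrong_key': check_packet(authenticate(packet, 1, b'WrongKey'), keys, trusted),
    }


if __name__ == '__main__':
    for case, outcome in demo().items():
        print('%-10s %s' % (case, outcome))
    path = write_key_file(SAMPLE_KEYS_FILE)
    print('key file mode ok:', key_file_mode_ok(path))
    os.unlink(path)
```

Run stand-alone, the script prints one line per case; the "untrusted" case is the one the trusted-key subset controls: key 3 is present in the key file and its checksum verifies, but because it is not declared trusted the server sending it is still excluded from synchronization. Checking the file mode separately matters because a world-readable key file defeats the scheme regardless of which keys are trusted.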
While the key file can contain many keys, you can declare a subset of
these keys as trusted keys. Trusted keys are used to determine if a time
server is “trusted” as a potential synchronization candidate. Only time