HP-UX Internet Services Administrator's Guide (May 2010)

Configuring Authentication
Authentication is a mechanism used to prevent unauthorized access to time servers.
Authentication is enabled on a system-by-system basis. Once enabled on a system,
authentication applies to all NTP relationships configured on the system. If you enable
authentication on a host, the host synchronizes time only with those time servers that
send messages encrypted with a configured key.
In authenticated mode, each NTP packet transmitted by a host has a key number and an
encrypted checksum of the packet contents appended to it. The key number is
specified in the peer, server, or broadcast statement for the remote host. You
specify either the Data Encryption Standard (DES) or the Message Digest (MD5) algorithm
to encrypt the NTP packets.
Upon receipt of an encrypted NTP packet, the receiving host recomputes the checksum
and compares it with the checksum included in the packet. Both the sending and
receiving systems must use the same encryption key, identified by the key number.
When authentication is enabled on a host, the host does not consider the following
time servers for synchronization:
• Time servers that send unauthenticated NTP packets.
• Time servers that send authenticated packets that the host is unable to decrypt.
• Time servers that send authenticated packets encrypted using a non-trusted key.
An authentication key file is specified on the host and contains a list of keys and their
corresponding key numbers. Each key and key number pair is further defined by a key
format, which determines the encryption method. For more information about the
authentication key file, type man 1M xntpd at the HP-UX prompt. A sample key file
is provided in /usr/newconfig/etc/ntp.keys. HP recommends the location
/etc/ntp.keys for storing the key file. You must secure the key file by setting its
permissions to 600, so that only its owner can read or modify it.
While the key file can contain many keys, you can declare a subset of these keys as
trusted keys. Trusted keys determine whether a time server is trusted as a potential
synchronization candidate. Only time servers that encrypt with a specified trusted key,
and whose authenticity is verified by successful decryption, are considered
synchronization candidates.
Figure 4-5 illustrates how authentication works.
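As an added example that is not part of the HP-UX guide, the following POSIX shell script writes a constructed key file in the xntpd key-file format (key number, format letter, key), writes the matching ntp.conf statements that reference the key file, declare the trusted key and bind a key number to a server, and checks that the key file carries the 600 permissions the text requires. The scratch directory, the server address 192.0.2.10 and the key strings are constructed placeholders, not values from the guide.

```shell
#!/bin/sh
# Constructed demonstration of an NTP authentication key file and the
# ntp.conf statements that use it. Everything is written under a scratch
# directory; nothing touches /etc.

DEMO_DIR="${DEMO_DIR:-/tmp/ntp-auth-demo.$$}"   # constructed scratch path

# Write a key file in xntpd format: one key per line,
# "<key number> <format> <key>". Format M selects MD5.
# Key 1 will be declared trusted; key 2 exists but is not trusted.
write_key_file() {
    keyfile="$1"
    cat > "$keyfile" <<'EOF'
# constructed sample keys for demonstration only
1 M ExampleSharedSecret1
2 M ExampleSharedSecret2
EOF
    chmod 600 "$keyfile"      # owner read/write only, as the guide requires
}

# Write the ntp.conf fragment: where the key file lives, which key numbers
# are trusted, and which key number each server relationship must use.
write_conf_fragment() {
    conf="$1"; keyfile="$2"
    cat > "$conf" <<EOF
keys $keyfile
trustedkey 1
server 192.0.2.10 key 1
EOF
}

# Return 0 only when the key file has mode 600 (no group/other bits).
# ls -l is used rather than stat because its output is portable to HP-UX.
check_key_file_perms() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Count the key entries (lines starting with a key number) in a key file.
count_keys() {
    grep -c '^[0-9]' "$1"
}

# Stand-alone run: build the files, report the permission check, clean up.
mkdir -p "$DEMO_DIR"
write_key_file "$DEMO_DIR/ntp.keys"
write_conf_fragment "$DEMO_DIR/ntp.conf" "$DEMO_DIR/ntp.keys"
if check_key_file_perms "$DEMO_DIR/ntp.keys"; then
    echo "ntp.keys permissions OK (600), $(count_keys "$DEMO_DIR/ntp.keys") keys defined"
else
    echo "ntp.keys permissions too open" >&2
fi
rm -rf "$DEMO_DIR"
```

Run the script as-is to see the check pass; changing the chmod line to 644 makes check_key_file_perms fail, which is the condition an administrator should look for on a production /etc/ntp.keys.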
64 Configuring NTP