NTP version 4 Release Notes HP-UX 11i v3 (5900-3073, March 2013)

3. Generate the client key/certificate using the following command:
cd /etc/ntp
ntp-keygen -H -p clientpassword
Obtain the IFF group key from your time server operator, copy the key file to the keysdir,
and create the standard symbolic link:
cd /etc/ntp
ln -s ntpkey_iffpar_server.3301264563 ntpkey_iffpar_server
4. Restart ntpd. Check the output of ntpq -p to make sure that the server is able to start.
5. The client key and certificate are valid only for one year and must be updated periodically
(for example, monthly) using the following command:
cd /etc/ntp
ntp-keygen -q `awk '/crypto pw/ { print $3 }' </etc/ntp.conf`
Monitoring Authentication Status
Use ntpq -c "rv 0 cert" to view the Autokey certificates held by ntpd.
Use ntpq -c as to check the authentication status of NTP associations. Authenticated
associations display OK in the auth column:
ind assID status conf reach auth condition last_event cnt
===========================================================
  1 26132 f694   yes  yes   ok   sys.peer  reachable  9
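The two shell functions below are an added example (not code from the HP-UX release notes). The first isolates the password extraction that step 5 above performs with awk, so the value can be verified before ntp-keygen -q regenerates the key; the second parses ntpq -c as output as described under Monitoring Authentication Status and reports any association whose auth column is not ok. The ntp.conf lines, password and association rows are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the HP-UX release notes. Sample ntp.conf content
# and ntpq output are constructed here so the script runs offline.

# Step 5 feeds the password from the "crypto pw" line of ntp.conf to
# ntp-keygen -q. This isolates that extraction (first match only) so the
# value can be checked, e.g. ntp-keygen -q "$(ntp_crypto_pw </etc/ntp.conf)".
# Reads the configuration on stdin.
ntp_crypto_pw() {
    awk '$1 == "crypto" && $2 == "pw" { print $3; exit }'
}

# Monitoring: read "ntpq -c as" output on stdin and print every association
# whose auth column is not "ok" (columns: ind assID status conf reach auth
# condition last_event cnt). Exit status 0 means every association is
# authenticated, 1 means at least one is not.
ntp_unauth_assocs() {
    awk 'BEGIN { bad = 0 }
         $1 ~ /^[0-9]+$/ && $6 != "ok" {
             print "assID " $2 ": auth=" $6 " condition=" $7; bad = 1
         }
         END { exit bad }'
}

# Constructed sample input (assumed values, not real output).
SAMPLE_CONF='driftfile /etc/ntp.drift
crypto pw clientpassword
server time.example.com autokey iburst'
SAMPLE_NTPQ='ind assID status conf reach auth condition last_event cnt
===========================================================
  1 26132  f694   yes   yes  ok   sys.peer   reachable  9
  2 26133  9024   yes   yes  none reject     reachable  2'

demo() {
    echo "crypto pw: $(printf '%s\n' "$SAMPLE_CONF" | ntp_crypto_pw)"
    if printf '%s\n' "$SAMPLE_NTPQ" | ntp_unauth_assocs; then
        echo "all associations authenticated"
    else
        echo "unauthenticated associations found"
    fi
}
demo
```

On a live system the functions would be fed with ntp_crypto_pw </etc/ntp.conf and ntpq -c as | ntp_unauth_assocs; the second one suits a cron job or monitoring probe, since its exit status alone says whether every association is authenticated.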
Automatic NTP configuration schemes
NTP v4 includes three new server discovery schemes, which in most applications can avoid per-host
configuration altogether.
These three automatic server discovery schemes are Broadcast/Multicast, Manycast, and Server
Pool. The Broadcast/Multicast and Manycast schemes use the ubiquitous broadcast or
one-to-many paradigm native to IPv4 and IPv6. The Server Pool scheme uses DNS to resolve the
addresses of multiple volunteer servers scattered throughout the world.
Broadcast/Multicast scheme
A broadcast server generates messages continuously at intervals, by default 64 seconds, and
time-to-live by default 127 seconds. These defaults can be overridden by the minpoll and ttl
options respectively. A broadcast client responds to the first message received by waiting a
randomized interval to avoid implosion at the server. It then polls the server in client/server mode
using the iburst option in order to quickly authenticate the server, calibrate the propagation
delay, and set the client clock. This normally results in a volley of six client/server exchanges at
2-second intervals, during which the synchronization and cryptographic protocols run
concurrently.
A server is configured in broadcast mode using the broadcast command and specifying the
broadcast address of a local interface. A broadcast client is configured using the
broadcastclient command.
A multicast server is configured using the broadcast command, but needs to specify a multicast
address instead of a broadcast address. A multicast client is configured using the
multicastclient command specifying a list of one or more multicast addresses.
Since an intruder can impersonate a broadcast server and inject false time values, the Broadcast
mode should always be cryptographically authenticated. By default, a broadcast association is
not mobilized unless cryptographically authenticated. When necessary, the auth option of the
disable command disables this feature. The feature can be selectively enabled using the notrust
option of the restrict command.
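The check below is an added example, not code from the HP-UX release notes: a small ntp.conf lint that flags the exposure the paragraph above describes, a broadcast or multicast client running with authentication switched off (disable auth) or with no authentication material configured. It treats either a crypto directive (Autokey) or a keys directive (symmetric keys) as authentication material; that choice, and both sample configurations, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the HP-UX release notes. Reads an ntp.conf on
# stdin (ntp_bcast_check </etc/ntp.conf), prints findings, and exits 0
# when none. The directives checked are the ones the notes name:
#   FAIL  broadcastclient/multicastclient together with "disable auth"
#   FAIL  broadcastclient/multicastclient with no crypto or keys directive
#   INFO  a restrict line carrying notrust (reported for review only)
ntp_bcast_check() {
    awk '
        BEGIN { client = 0; noauth = 0; auth = 0; notrust = 0; bad = 0 }
        /^[ \t]*#/ { next }                                  # skip comments
        $1 == "broadcastclient" || $1 == "multicastclient" { client = 1 }
        $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "auth") noauth = 1 }
        $1 == "crypto" || $1 == "keys" { auth = 1 }          # assumption: either counts
        $1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "notrust") notrust = 1 }
        END {
            if (client && noauth) { print "FAIL: broadcast/multicast client with \"disable auth\""; bad = 1 }
            if (client && !auth)  { print "FAIL: broadcast/multicast client without crypto or keys"; bad = 1 }
            if (notrust) print "INFO: restrict ... notrust present; confirm it is intended"
            exit bad
        }'
}

# Constructed sample configurations (assumed values, not from a real host).
WEAK_CONF='# broadcast client with the authentication requirement removed
broadcastclient
disable auth'
HARDENED_CONF='# broadcast client kept under Autokey authentication
crypto pw clientpassword
keysdir /etc/ntp
broadcastclient
restrict default notrust'

demo() {
    echo "== weak configuration =="
    printf '%s\n' "$WEAK_CONF" | ntp_bcast_check || echo "result: not acceptable"
    echo "== hardened configuration =="
    printf '%s\n' "$HARDENED_CONF" | ntp_bcast_check && echo "result: acceptable"
}
demo
```

The weak configuration produces two FAIL lines and a non-zero exit status; the hardened one only reports the notrust line for review and exits 0, which makes the function usable as a pre-deployment gate for ntp.conf changes.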