How To Configure Authenticated NTP Using Symmetric Keys (compatibility with FIPS 140-2)


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • ntp-4.2.6
  • ntp-4.2.4

Issue

  • NTP should only be used with symmetric-key authentication:
    • A client then accepts time only from servers that hold the shared secret, which makes the time source more trustworthy.
    • An attacker who can spoof or broadcast NTP packets on the network cannot push incorrect time to authenticated clients.
    • Symmetric-key authentication (a keyed MD5 or SHA1 digest appended to each packet; nothing is encrypted) is much cheaper than NTP's public-key Autokey scheme.

Resolution

Server Configuration

  • Ensure the following entries are in /etc/ntp.conf:
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
restrict <client.subnet.ip> mask <subnet.mask>
server <ntp.server>
keys /etc/ntp/keys
trustedkey 1
controlkey 1
requestkey 1
  • keys names the file holding the shared secrets and trustedkey lists the key IDs ntpd will accept when authenticating peers. controlkey and requestkey only protect the ntpq and ntpdc control interfaces; they play no part in authenticating time.
  • The restrict lines limit which addresses may talk to the server at all; they do not by themselves require authentication. If the upstream <ntp.server> also offers a shared key, add key <id> to that server line exactly as in the client configuration below; otherwise the upstream hop remains unauthenticated.
  • Specify the server-side key (the same key ID and secret must later be installed on every client):
# vim /etc/ntp/keys
  • Example keys file:
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535  M  akey
#1      M  pass
1  M  <password>
  • This file holds the shared secret: keep it owner root, group ntp, mode 0640, and out of any configuration repository.
  • Restart the NTP service
# service ntpd restart
  • Ensure that the service started and has reached its upstream server (reach 377 means the last eight polls were answered):
# ntpq -p
    remote       refid     st  t  when  poll  reach  delay  offset  jitter
==============================================================================
<ntp.server.com> <refid>     5  u  17     64     377  0.000  0.000   0.000   

Client Configuration

  • Ensure the following entries are in /etc/ntp.conf:
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
keys /etc/ntp/keys
server <ntp.server.com> key 1
trustedkey 1
controlkey 1
requestkey 1
  • Specify the client-side keys:
# vim /etc/ntp/keys
  • Example keys file:
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
#
#65535  M  akey
#1      M  pass
1  M  <password>
  • Restart the NTP service
# service ntpd restart
  • Ensure authenticated NTP is connecting successfully: the auth column must read ok, and the server should become sys.peer once a few polls have completed. auth bad means the digest on the server's replies did not verify (wrong key ID, different secret, or an ID missing from trustedkey); auth none means the server line has no key <id> at all.
# ntpq -c as
ind  assID  status  conf  reach  auth  condition  last_event  cnt
=================================================================
 1   64605   f614   yes    yes   ok    sys.peer   reachable    1
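Putting the server and client steps together, the following script is an added example, not part of the Red Hat solution: it generates a random key, validates it against the length and character rules the keys file imposes, installs it in a keys file with restrictive permissions, lists the key IDs it defines (to compare with trustedkey), and prints the client-side ntp.conf lines. It writes to a scratch directory unless KEYDIR is set, so it can be tried without root. The server name ntp.example.com and the SHA1 key type (which needs ntp 4.2.6) are assumptions made for illustration, as are all the function names.

```shell
#!/bin/sh
# Added example (not part of the Red Hat solution): generate a symmetric key,
# install it in an ntp keys file with restrictive permissions, and print the
# client-side ntp.conf lines that reference it.
# Assumptions: ntp 4.2.6, which accepts the key type SHA1 as well as M (MD5);
# the ntp daemon reads the file as group "ntp"; KEYDIR defaults to a scratch
# directory so the script can be tried without root.

set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

# gen_hex_key: 20 random bytes as 40 lowercase hex digits, the longest key the
# keys file accepts (hex form).
gen_hex_key() {
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_ascii_key: 20 printable ASCII characters, avoiding '#' (comment marker)
# and whitespace (field separator), the longest key in ASCII form.
gen_ascii_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9_.:!@%+=' < /dev/urandom | head -c 20
}

# validate_key <key>: 0 if the key is 1-20 printable ASCII characters with no
# whitespace or '#', or exactly 40 hex digits; 1 otherwise.
validate_key() {
    if [ -z "$1" ] || printf '%s' "$1" | LC_ALL=C grep -Eq '[^!-~]|#'; then
        return 1
    fi
    if [ "${#1}" -le 20 ]; then
        return 0
    fi
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[0-9a-fA-F]{40}$'
}

# write_keys_file <file> <keyid> <type> <key>: write the file atomically with
# mode 0640, group ntp when that group exists (the secret must never be
# world-readable). A subshell keeps the umask change from leaking out.
write_keys_file() {
    file=$1 keyid=$2 ktype=$3 key=$4
    tmp="$file.tmp.$$"
    (
        umask 077
        {
            printf '# generated %s; keep this file out of version control\n' \
                "$(date -u +%Y-%m-%d)"
            printf '%s  %s  %s\n' "$keyid" "$ktype" "$key"
        } > "$tmp"
    )
    chmod 0640 "$tmp"
    if getent group ntp >/dev/null 2>&1; then
        chgrp ntp "$tmp" 2>/dev/null || echo "warning: run as root to chgrp ntp $file" >&2
    fi
    mv -f "$tmp" "$file"
}

# list_key_ids <file>: print "<id> <type>" for every key defined, skipping
# comment and blank lines as ntpd does, so the IDs can be checked against the
# trustedkey line in ntp.conf.
list_key_ids() {
    awk '!/^[[:space:]]*#/ && NF >= 3 { print $1, $2 }' "$1"
}

# conf_snippet <keyid> <server>: the ntp.conf lines a client needs for this key
conf_snippet() {
    printf 'keys /etc/ntp/keys\nserver %s key %s\ntrustedkey %s\n' "$2" "$1" "$1"
}

main() {
    key=$(gen_hex_key)
    if ! validate_key "$key"; then
        echo "generated key failed validation" >&2
        exit 1
    fi
    write_keys_file "$KEYDIR/keys" 1 SHA1 "$key"
    echo "wrote $KEYDIR/keys ($(ls -l "$KEYDIR/keys" | cut -c1-10)); keys defined:"
    list_key_ids "$KEYDIR/keys"
    echo "--- add to /etc/ntp.conf on each client (ntp.example.com is a placeholder):"
    conf_snippet 1 ntp.example.com
}

main
```

On the real hosts run it as root with KEYDIR=/etc/ntp on the server, copy the resulting keys file to each client over an authenticated channel (scp, configuration management), and restart ntpd on both ends; the key ID printed by list_key_ids is the number that must appear on the trustedkey line and after key on the client's server line.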

If compatibility with FIPS 140-2 is required

  • MD5 is not a FIPS 140-2 approved algorithm, and in FIPS mode OpenSSL refuses to compute it, so the M (MD5) key type above cannot be used; ntpd must authenticate with SHA1 keys instead.

  • SHA1 keys are not supported before ntp 4.2.6 (the ntp-4.2.4 packages). Red Hat has fixed this, and ntp-4.2.6 accepts a keys file entry of the form 1 SHA1 <key> on both the server and its clients, with the key given as either 1-20 printable ASCII characters or 40 hex digits, exactly as for M keys.

  • For more information about NTP authentication see man 5 ntp_auth.

Key Explanation

  • Keys file:
1  M  key

#1 = the key ID
#M = the key type
#key = the actual key or password
  • Types of key:
    • M = MD5 key, ASCII format
    • SHA1 = SHA1 key (ntp 4.2.6 and later; the only choice in FIPS 140-2 mode)
  • Key ID:
    • Any number 1-65535
    • Multiple keys can be defined in the same file, so a server can hold a different key for each client group; an ID is only honoured if it is also listed on the trustedkey line in ntp.conf
  • Key:
    • Max 20-character printable ASCII string (no whitespace or '#') or a 40-character hex string
  • For more information please see man 5 ntp_auth

Diagnostic Steps

  • We can find out which systems are working as peer and which ones are not from the associations command inside of the ntpq prompt. Here is a sample example.
ntpq> as

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 10596  f414   yes   yes   ok   candidat   reachable  1
  2 10597  f014   yes   yes   ok     reject   reachable  1
  3 10598  f414   yes   yes   ok   candidat   reachable  1
  4 10599  c000   yes   yes   bad    reject
  5 10600  f614   yes   yes   ok   sys.peer   reachable  1
  • The status field shows the 16-bit peer status word in hexadecimal. Reading from the most significant bit it holds four fields: a 5-bit status field (configured, authenable, authentic, reachable, broadcast), the 3-bit select field, a 4-bit event counter and the 4-bit code of the last event. The first two fields together make up the high byte. For the sys.peer entry, f614 is 1111 0110 0001 0100 in binary, so the status bits are 11110 (configured, authenable, authentic, reachable), the select field is 110 = 6, the count is 1 and the last event code is 4 (reachable).

    • The string format is: status - select - count - code
    • Because the select field is the low three bits of the second hex digit, it can be read off that digit directly; here it is 6. Let's check against David Mills' ntp documentation.
  • The Select Field displays the current selection status. (The T column in the following table gives the corresponding tally codes used in the ntpq peers display.) The values are coded as follows:

Code  Message        T  Description
0     sel_reject        discarded as not valid (TEST10-TEST13)
1     sel_falsetick  x  discarded by intersection algorithm
2     sel_excess     .  discarded by table overflow (not used)
3     sel_outlyer    -  discarded by the cluster algorithm
4     sel_candidate  +  included by the combine algorithm
5     sel_backup     #  backup (more than tos maxclock sources)
6     sel_sys.peer   *  system peer
7     sel_pps.peer   o  PPS peer (when the prefer peer is valid)
  • sel_sys.peer is code 6, which matches the 6 read from f614.

  • Now take f414, the status word of assIDs 10596 and 10598:

    • The second digit 4 is binary 0100, so the select field is 4, sel_candidate: both are candidate peers that survived the selection algorithm.

    • By the same reading, f014 for 10597 has auth ok but select 0, sel_reject: its packets verified, yet the source was discarded by the sanity checks (TEST10-TEST13). c000 for 10599 is 1100 0000 0000 0000: configured and authenable are set but authentic is not, which ntpq reports as auth bad, and no event has been counted yet. With auth bad the first thing to check is that the key ID and secret in /etc/ntp/keys match on both ends and that the ID is listed on trustedkey.

    • A very detailed explanation is given in the "Peer Status Word" section of the ntpq documentation.
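The following shell script is an added example that is not part of the Red Hat solution. It applies the bit layout described above: it decodes any peer status word into its four fields and scans ntpq -c as output for an association that is both authenticated (auth ok) and the system peer, flagging any auth bad entry together with its decoded status. The field layout, select names and event codes are taken from the ntpq documentation; the sample output embedded in it is the association table from this section, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat solution): decode the 16-bit peer
# status word shown by "ntpq -c as" and check that the daemon has selected an
# authenticated system peer. Field layout, most significant bit first, from
# the "Peer Status Word" section of the ntpq documentation:
#   status 5 bits | select 3 bits | count 4 bits | code 4 bits

set -eu

# status_flags <0-31>: names of the set bits in the 5-bit status field
status_flags() {
    out=""
    if [ $(( $1 & 16 )) -ne 0 ]; then out="$out configured"; fi
    if [ $(( $1 & 8 )) -ne 0 ];  then out="$out authenable"; fi
    if [ $(( $1 & 4 )) -ne 0 ];  then out="$out authentic"; fi
    if [ $(( $1 & 2 )) -ne 0 ];  then out="$out reachable"; fi
    if [ $(( $1 & 1 )) -ne 0 ];  then out="$out broadcast"; fi
    echo "${out# }"
}

# select_name <0-7>: select field value with its ntpq -p tally character
select_name() {
    case $1 in
        0) echo "sel_reject";;        1) echo "sel_falsetick(x)";;
        2) echo "sel_excess(.)";;     3) echo "sel_outlyer(-)";;
        4) echo "sel_candidate(+)";;  5) echo "sel_backup(#)";;
        6) echo "sel_sys.peer(*)";;   7) echo "sel_pps.peer(o)";;
    esac
}

# event_name <0-15>: last peer event, codes from the ntpq peer event table
event_name() {
    case $1 in
        0) echo unspecified;;    1) echo mobilize;;      2) echo demobilize;;
        3) echo unreachable;;    4) echo reachable;;     5) echo restart;;
        6) echo no_reply;;       7) echo rate_exceeded;; 8) echo access_denied;;
        9) echo leap_armed;;    10) echo sys_peer;;     11) echo clock_event;;
       12) echo bad_auth;;      13) echo popcorn;;      *) echo "event_$1";;
    esac
}

# decode_status <hex word>: one line naming all four fields, e.g. for f614
decode_status() {
    w=$(( 0x$1 ))
    printf 'status=[%s] select=%s count=%d last_event=%s\n' \
        "$(status_flags $(( (w >> 11) & 31 )))" \
        "$(select_name $(( (w >> 8) & 7 )))" \
        $(( (w >> 4) & 15 )) \
        "$(event_name $(( w & 15 )))"
}

# check_associations: read "ntpq -c as" output on stdin and return 0 only if
# some association is both authenticated (auth ok) and the system peer.
# auth=bad almost always means the key ID or secret differs between the
# client's and the server's keys file, or the ID is missing from trustedkey.
check_associations() {
    found=1
    while read -r ind assid status conf reach auth condition rest; do
        case $ind in ''|ind|=*|*[!0-9]*) continue;; esac
        if [ "$auth" = bad ]; then
            echo "assID $assid: authentication FAILED: $(decode_status "$status")"
        elif [ "$auth" = ok ] && [ "$condition" = sys.peer ]; then
            echo "assID $assid: authenticated system peer: $(decode_status "$status")"
            found=0
        fi
    done
    return $found
}

# Constructed sample: the association table from the diagnostic steps above.
SAMPLE='ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 10596  f414   yes   yes   ok   candidat   reachable  1
  2 10597  f014   yes   yes   ok     reject   reachable  1
  3 10598  f414   yes   yes   ok   candidat   reachable  1
  4 10599  c000   yes   yes   bad    reject
  5 10600  f614   yes   yes   ok   sys.peer   reachable  1'

main() {
    # On a real host replace the sample with:  ntpq -c as | check_associations
    if printf '%s\n' "$SAMPLE" | check_associations; then
        echo "OK: time is coming from an authenticated system peer"
    else
        echo "FAIL: no authenticated system peer" >&2
    fi
}

main
```

Run against live output with ntpq -c as | check_associations (after sourcing the file) from a monitoring job; a non-zero exit means no authenticated source is currently selected, which is exactly the condition the Issue section wants to rule out, and the decoded status on an auth bad line tells you whether the server was ever reached at all.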

Component: ntp

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
