RE: NTP MD5



Hello, everyone,

The error was caused by my carelessness. There is nothing wrong with the NTP software package.
It was because I had used different keys on the server and the client. As you all know, the line-ending character under Linux/FreeBSD/Unix is 0x0a, and 0x0d 0x0a under Windows. I had edited the client ntp.keys under Windows, then sent the file to the client machine by FTP, and the server ntp.keys under Linux. Ntpd always thinks the ending character is 0x0a, so the two keys are different.

Anyway, I must thank the people here.

Thanks and Regards
Eric

> -----Original Message-----
> From: Danny Mayer [mailto:mayer@xxxxxxx]
> Sent: Tuesday, September 13, 2005 11:00 AM
> To: Eric Liu
> Cc: questions@xxxxxxxxxxxxxxxxx
> Subject: Re: [ntp:questions] NTP MD5
>
>
> Eric Liu wrote:
> > Hi all:
> >
> > Let's look into the source code of NTP package.
> > It is about file ntp-4.2.0/libntp/a_md5encrypt.c.
> > The function "MD5authdecrypt" works out different results under
> > subtle conditions.
> >
> > I am testing authentication with ntp-4.2.0.
>
> Which specific version? Was it built with or without OpenSSL? If it's
> without SSL you won't be able to authenticate.

./configure --without-crypto
However, I am able to authenticate.

>
> > All configuration files, such as ntp.conf, ntp.key, are all ok.
>
> On what basis did you make this statement, though I don't think that this
> has anything to do with the question.

I just mean the problem should have nothing to do with configuration files.
Ironically, the problem is finally proved to be caused by wrong ntp.keys.

>
> > But the server always thinks the packet from the client is not
> > authenticated because function "MD5authdecrypt"
> > always returns 0. One proof is the debug output from ntpd
> > "receive: at 26 192.168.0.120<-192.168.0.47 mode 3 code 2 keyid
> > 0000000a len 48 mac 20 auth 0".
> > Attention, here "auth 0" means unauthenticated.
> >
> It depends on what's being authenticated. The above doesn't just use
> MD5, it uses a bunch of code in ntp_crypto.c. MD5 is certainly not an
> authentication mechanism. MD stands for message digest.
>

I do use MD5. I added some debug code in MD5authdecrypt() function, and ntpd had output something on screen.

> > After 3 days' hard work, I still get the same result.
> > I am testing under Redhat Linux 7.2. So I decide to use ntpd distributed
> > with the OS. However, surprisingly, the authentication works very well
> > with the old ntpd.
>
> Which version is it?
>
> > Then I reuse ntpd-4.2.0, and I find it starts to work well.
> > It is because function "MD5authdecrypt" returns 1 indicating the
> > packet from the client is authenticated.
> >
> >
>
> Are you sure you are using that version and not the RedHat version?
>
> > I am quite confused with the result. Really very very confused!
> > Probably it is related to the principle of MD5.
>
> Most unlikely since you can't authenticate with MD5.
>
> > Unfortunately, I know nothing about it.
> > I wish the coder of this function could see the post and find
> > out what is wrong.
> >
> It's not clear that anything is wrong.
>
> > By the way, on page
> > http://ntp.isc.org/bin/view/Main/SoftwareDownloads there is
> > a link to obsolete versions of NTP. However, neither the deprecated
> > FTP nor the deprecated HTTP are available. Where can I get an old
> > version of the NTP package, such as the version distributed with
> > Red Hat Linux 7.2? I mean I can compare the source code of the two
> > NTP packages to find out something.
>
> We have no idea what RedHat ships since they can and do make their own
> changes. You have to ask RedHat. It may even be in the sources that
> should come with your distribution. It almost certainly was built with
> OpenSSL but you'd have to figure out which one.
>
> Since you are looking in the wrong place, you are unlikely to find out.
>
> > Thanks
> > Eric
>
> _______________________________________________
> questions mailing list
> questions@xxxxxxxxxxxxxxxxx
> https://lists.ntp.isc.org/mailman/listinfo/questions
>
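Eric's diagnosis at the top of this message (an ntp.keys file saved with Windows CRLF endings, so the key on one side carries a trailing 0x0d) can be reproduced and checked offline. The following is an added example, not code from the thread or from the ntp distribution: it parses constructed ntp.keys contents the way an LF-only reader does, flags keys that end in 0x0d, and computes the NTP symmetric-key MAC (MD5 over key || packet, with a 4-byte key id and 16-byte digest appended to the 48-byte header) so the "auth 0" mismatch and its fix are visible. The key material, key id 10 and the 48-byte client packet are all constructed values.

```python
import hashlib
import hmac
import struct

# Constructed sample key files: key id 10 (0x0000000a, as in the debug line),
# type M (MD5). The first was written on Linux (LF); the second was edited on
# Windows and copied over unchanged, so each line ends in 0x0d 0x0a.
KEYS_LINUX = b"# ntp.keys\n10 M secret\n"
KEYS_WINDOWS = b"# ntp.keys\r\n10 M secret\r\n"
# Constructed 48-byte NTP client header: LI=0, VN=3, mode 3, remainder zero.
CLIENT_PACKET = b"\x1b" + b"\x00" * 47

def parse_ntp_keys(data: bytes) -> dict:
    """Read ntp.keys as an LF-only reader does: a record ends at 0x0a, and
    everything before it, including a stray 0x0d, belongs to the key."""
    keys = {}
    for line in data.split(b"\n"):
        if not line.strip() or line.lstrip().startswith(b"#"):
            continue
        keyid, ktype, key = line.split(b" ", 2)   # "keyid type key", space-separated
        if ktype == b"M":                          # M = MD5 key, the type used here
            keys[int(keyid)] = key
    return keys

def keys_with_stray_cr(keys: dict) -> list:
    """Key ids whose value ends in 0x0d: the tell-tale of a CRLF-edited file."""
    return sorted(k for k, v in keys.items() if v.endswith(b"\r"))

def ntp_md5_mac(key: bytes, packet: bytes) -> bytes:
    """NTP symmetric-key digest: MD5 over key || packet."""
    return hashlib.md5(key + packet).digest()

def md5_authencrypt(key: bytes, keyid: int, packet: bytes) -> bytes:
    """Client side: append the 20-byte MAC (4-byte key id + 16-byte digest)."""
    return packet + struct.pack(">I", keyid) + ntp_md5_mac(key, packet)

def md5_authdecrypt(keys: dict, authed: bytes) -> bool:
    """Server side: look up the sent key id, recompute, compare; False is 'auth 0'."""
    packet, keyid_raw, digest = authed[:-20], authed[-20:-16], authed[-16:]
    key = keys.get(struct.unpack(">I", keyid_raw)[0])
    if key is None:
        return False
    return hmac.compare_digest(ntp_md5_mac(key, packet), digest)

def demo() -> tuple:
    """Client signs with the CRLF file; server checks with the LF file, then CRLF."""
    client_keys = parse_ntp_keys(KEYS_WINDOWS)
    server_keys = parse_ntp_keys(KEYS_LINUX)
    authed = md5_authencrypt(client_keys[10], 10, CLIENT_PACKET)
    return md5_authdecrypt(server_keys, authed), md5_authdecrypt(client_keys, authed)
```

Running `keys_with_stray_cr` over a freshly copied keys file is a quick way to catch this before the two ntpd instances disagree; `demo()` returns `(False, True)`, the same "auth 0" then "auth 1" outcome described in the thread.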



