NTP Authentication
Posted by Uzair A., Last modified by Uzair A. on 21 August 2019 10:18

This article will show you how to set up NTP Authentication on your NTS-6002 or 6001.

Note: This article is aimed at NTS-6002/6001 running Firmware 11 or higher. If your unit is running an older firmware, we recommend upgrading the firmware on your unit:

NTS-6002 Upgrade Instructions

NTS-6001 Upgrade Instructions


NTP Authentication allows clients to verify that the time server is trusted before using it as a time source. This prevents clients from applying time from rogue NTP servers on your network. Read our NTP Authentication Explained article for more information.

1. In your time server's web interface, navigate to the NTP Keys page, located under the NTP Tab.

2. Click Generate Keys to generate a subset of random keys and click Update.

3. Navigate to the NTP Customisation page, located under NTP. Define the following parameters:

  • trustedkey - defines which key IDs to trust
  • requestkey - defines which key IDs can be used to query server variables
  • controlkey - defines which key IDs can be used to set server variables

For example:
trustedkey 1 2 5 7 12
requestkey 12
controlkey 12

Type the following in the NTP Customisation page:
server <IP> key <key ID>

In the above server statement, specify the IP of the client that you wish to set up authentication with and the ID of the key you wish to use with that client. If you are setting up NTP Authentication with several clients, add a separate line for each one.

Note: Ensure the key ID you specified is a trusted key.

Your NTP Customisation page should look similar to this:

Click Update to save the changes.

4. You now need to configure NTP Authentication on your client. We recommend referring to your client's documentation for this as the process varies depending on the client. Ensure the keys on both the server and client match exactly and are defined as trusted.

5. After you have configured NTP Authentication on the client, restart the NTP service on your client to apply the new settings. You can use ntpq -p to monitor the progress of synchronisation. Note that synchronisation does not occur instantly; it takes some time. In my case, my Ubuntu virtual machine took around ten minutes to synchronise.

Once you have configured NTP Authentication on your clients, you can configure the server and client to ignore all NTP packets that are not cryptographically authenticated. Do this by adding the following lines to the NTP Customisation page in your time server's web interface and the ntp.conf file on your client:
restrict default notrust
restrict -6 default notrust

Note: if you are using 'notrust', it is possible to exclude certain devices from NTP Authentication. Type the following in the NTP Customisation page:
restrict <IP> notrap nomodify nopeer noquery

Add the IP of your client in the above statement. This will override the behaviour of the 'notrust' statement and should allow the clients you specified to synchronise to the NTP server without NTP Authentication.
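
Before clicking Update, it can help to check the directives against each other. The script below is an added example, not part of the original article or the time server's firmware. It reads NTP Customisation or ntp.conf text and reports key IDs that are used but not trusted, server lines with no key, a missing notrust default, and hosts exempted from authentication. The sample input is constructed, the function name lint_ntp_auth is hypothetical, and the script assumes the two notrust lines given above are the IPv4 and IPv6 defaults.

```python
# Added example: lint for the authentication directives described in this article.
# SAMPLE is constructed for illustration; addresses are documentation ranges.
SAMPLE = """\
trustedkey 1 2 5 7 12
requestkey 12
controlkey 12
server 192.0.2.10 key 5
server 192.0.2.11 key 9
server 192.0.2.12
restrict default notrust
restrict 192.0.2.20 notrap nomodify nopeer noquery
"""

def lint_ntp_auth(text):
    """Return findings (strings) for NTP Customisation / ntp.conf text."""
    trusted, refs, exempt = set(), [], []
    notrust = {"IPv4": False, "IPv6": False}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenise
        if not tok:
            continue
        if tok[0] == "trustedkey":
            trusted.update(int(t) for t in tok[1:] if t.isdigit())
        elif tok[0] in ("requestkey", "controlkey") and len(tok) > 1:
            refs.append((tok[0], tok[1]))
        elif tok[0] == "server" and len(tok) > 1:
            # key ID is the token after "key"; None if the line has no key
            key = tok[tok.index("key", 2) + 1] if "key" in tok[2:-1] else None
            refs.append(("server " + tok[1], key))
        elif tok[0] == "restrict":
            family = "IPv6" if "-6" in tok else "IPv4"
            args = [t for t in tok[1:] if t not in ("-4", "-6")]
            if args[:1] == ["default"]:
                notrust[family] |= "notrust" in args
            elif args and "notrust" not in args:
                exempt.append(args[0])               # host overrides notrust
    findings = []
    for who, key in refs:
        if key is None:
            findings.append(f"{who}: no key, association is unauthenticated")
        elif not key.isdigit() or int(key) not in trusted:
            findings.append(f"{who}: key {key} is not in trustedkey")
    for family, on in notrust.items():
        if not on:
            findings.append(f"{family}: no 'restrict default notrust' line")
    findings += [f"{ip}: exempt from authentication" for ip in exempt]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ntp_auth(SAMPLE)))
```

An empty result means every key in use is trusted and both defaults require authentication. Any host listed as exempt should be one you deliberately excluded.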

If NTP Authentication is working, you should see output like this on the client:
