Authenticated Public NTP server howto

The ntpd client

Edit the file ntp.conf as follows.

Add your NTP server address:

#this is your NTP server
server your.ntp.server.com key 1

Then, add the file containing keys and the list of valid keys:

keys /etc/ntp/keys
#trust keys number 1, 2 and 10
trustedkey 1 2 10

Create the keys file. It needs to contain at least one key shared with the server:

1 M f6fd1939bdf31481d27ac4344a2aab58

This ends the client configuration. Now we can test it on the client, using ntpdate in debug mode:

ntpdate -d -k /etc/ntp.keys -a 1 your.ntpserver.com
-d - Debug mode. Will not actually update your clock
-k file - Location of your NTP key files
-a index - Key index number
server - Your NTP server FQDN

This is typical output from ntpdate:

ntpdate -d -k /etc/ntp.keys -a 10 your.ntpserver.com
 9 Jul 23:24:33 ntpdate[19359]: ntpdate [email protected] Fri May 28 01:20:57 UTC 2010 (1)
Looking for host your.ntpserver.com and service ntp
host found : 13.3.150.148
transmit(13.3.150.148)
receive(13.3.150.148)
receive: authentication passed
transmit(13.3.150.148)
receive(13.3.150.148)
receive: authentication passed
transmit(13.3.150.148)
receive(13.3.150.148)
receive: authentication passed
transmit(13.3.150.148)
receive(13.3.150.148)
receive: authentication passed
transmit(13.3.150.148)
server 13.3.150.148, port 123
stratum 3, precision -20, leap 00, trust 000
refid [13.3.150.148], delay 0.02808, dispersion 0.00026
transmitted 4, in filter 4
reference time:    d9496883.8f133740  Thu, Jul  9 2015 22:39:15.558
originate timestamp: d9497321.88632434  Thu, Jul  9 2015 23:24:33.532
transmit timestamp:  d9497321.9e90eed0  Thu, Jul  9 2015 23:24:33.619
filter delay:  0.03183  0.03014  0.02870  0.02808 
         0.00000  0.00000  0.00000  0.00000 
filter offset: -0.08837 -0.08714 -0.08785 -0.08788
         0.000000 0.000000 0.000000 0.000000
delay 0.02808, dispersion 0.00026
offset -0.087880

 9 Jul 23:24:33 ntpdate[19359]: adjust time server 13.3.150.148 offset -0.087880 sec

Which works 🙂

If the keys do not match, the result is similar to the following:

ntpdate -d -k /etc/ntp.keys -a 1 23.121.12.1
 9 Mar 22:58:55 ntpdate[12723]: ntpdate [email protected] Fri May 28 01:20:57 UTC 2010 (1)
 Looking for host 23.121.12.1 and service ntp
 host found : 23.121.12.1
 transmit(23.121.12.1)
 receive(23.121.12.1)
 receive: authentication failed
 transmit(23.121.12.1)
 receive(23.121.12.1)
 receive: authentication failed
 transmit(23.121.12.1)
 receive(23.121.12.1)
 receive: authentication failed
 transmit(23.121.12.1)
 receive(23.121.12.1)
 receive: authentication failed
 transmit(23.121.12.1)
 23.121.12.1: Server dropped: Server is untrusted
 server 23.121.12.1, port 123
 stratum 3, precision -20, leap 00, trust 017
 refid [23.121.12.1], delay 0.02893, dispersion 0.00049
 transmitted 4, in filter 4
 reference time: da8b2189.8f0d0ae8 Wed, Mar 9 2016 22:26:17.558
 originate timestamp: da8b292f.f261390f Wed, Mar 9 2016 22:58:55.946
 transmit timestamp: da8b292f.f3b40b34 Wed, Mar 9 2016 22:58:55.951
 filter delay: 0.03029 0.02893 0.03110 0.03084
 0.00000 0.00000 0.00000 0.00000
 filter offset: -0.00627 -0.00659 -0.00704 -0.00778
 0.000000 0.000000 0.000000 0.000000
 delay 0.02893, dispersion 0.00049
 offset -0.006598

9 Mar 22:58:55 ntpdate[12723]: no server suitable for synchronization found

Finally, you can restart the client ntpd and confirm everything is OK with ntpdc:

ntpdc -p
     remote           local      st poll reach  delay   offset    disp
=======================================================================
*23.121.12.1     192.168.1.70     3   64  377 0.00365 -0.006066 0.04741
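
A consistency check for the three pieces configured above, as an added example that is not part of the original howto: it reports any `server ... key N` whose key is missing from `trustedkey` or from the keys file, and a keys file whose mode grants access beyond its owner. The hostname, key values and function names are constructed for illustration.

```python
import stat

def _tokens(text):
    """Yield whitespace-split fields of each non-empty line, '#' comments removed."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_ntp_conf(text):
    """Return ({server: key id or None}, trusted key ids, keys file path)."""
    servers, trusted, keys_path = {}, set(), None
    for f in _tokens(text):
        if f[0] in ("server", "peer") and len(f) > 1:
            opts = f[2:]
            has_key = "key" in opts[:-1]
            servers[f[1]] = int(opts[opts.index("key") + 1]) if has_key else None
        elif f[0] == "trustedkey":
            trusted.update(int(k) for k in f[1:])
        elif f[0] == "keys" and len(f) > 1:
            keys_path = f[1]
    return servers, trusted, keys_path

def audit(conf_text, keys_text, keys_mode=None):
    """List mismatches between ntp.conf and the keys file; empty list means consistent."""
    servers, trusted, keys_path = parse_ntp_conf(conf_text)
    defined = {int(f[0]) for f in _tokens(keys_text) if len(f) >= 3 and f[0].isdigit()}
    out = []
    if keys_path is None:
        out.append("no 'keys' directive: no key file is loaded")
    for host, kid in servers.items():
        if kid is None:
            out.append(f"{host}: no 'key N' option, association is unauthenticated")
            continue
        if kid not in trusted:
            out.append(f"{host}: key {kid} is not in trustedkey")
        if kid not in defined:
            out.append(f"{host}: key {kid} is not in the keys file")
    for kid in sorted(trusted - defined):
        out.append(f"trustedkey {kid} has no entry in the keys file")
    if keys_mode is not None and keys_mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append(f"keys file mode {keys_mode & 0o777:o} grants access beyond its owner")
    return out

# Constructed sample input (hostname, key ids and key values are made up).
CONF = "server ntp.example.test key 5\nkeys /etc/ntp/keys\ntrustedkey 1 2\n"
KEYS = "1 M constructedSecret1\n5 M constructedSecret5\n"

if __name__ == "__main__":
    for finding in audit(CONF, KEYS, keys_mode=0o644):
        print(finding)
```

On a real host, pass the contents of ntp.conf and the keys file, with `stat.S_IMODE(os.stat(path).st_mode)` as `keys_mode`.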
