List: pfsense-discussion
Subject: [pfSense] [Fwd: Re: enabling authenticated ntp ?]
From: Valerio Bellizzomi <valerio () selnet ! org>
Date: 2016-06-08 13:09:56
Message-ID: 1465391396.3337.10.camel () noc1 ! sel
Is there any news on the authenticated ntp side ?
Regards
-------- Forwarded Message --------
> From: Valerio Bellizzomi <valerio@selnet.org>
> Reply-to: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org>
> To: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org>
> Subject: Re: [pfSense] enabling authenticated ntp ?
> Date: Mon, 30 May 2016 18:37:31 +0200
>
> The procedure to add authenticated ntp is like the following:
>
>
> NTP PUBLIC KEY AUTHENTICATION
>
> To use public-key authentication you have to use the NTP software -
> version 1.4.74 or higher; the server identification with the IFF scheme
> is however only available for version 4.2.6.
>
> They will have to remove and install the encryption libraries in the
> OpenSSL software. These libraries can be taken freely from
> www.openssl.org site.
>
> Then you can proceed with the compilation and installation of NTP
> Software.
>
> Among the various programs that make up the NTP software is also
> ntp-keygen that is needed to generate keys and certificates needed to
> activate this mode of ntpd daemon.
> The keys and the certificate must be stored in a folder that is visible
> only to root; usually this directory is /etc/ntp.
> To generate the keys you have to give the following command from the
> folder that contains the keys (/etc/ntp):
> cd /etc/ntp
> ntp-keygen
>
> In this way, a file containing the private key is generated
> (ntpkey_RSAkey_hostname.timestamp) and a certificate with the RSA-MD5
> scheme (ntpkey_RSA-MD5cert_hostname.timestamp).
>
> You will have to store the IFF parameters file
> (ntpkey_IFFkey_servername), which was taken from the I.N.RI.M. site, in
> the folder that contains the keys (/etc/ntp). The file starts with
> the line containing # ntpkey_iffpar_ntp ... and ends with
> -----END DSA PRIVATE KEY-----
>
> Finally, you must add the following directives in the /etc/ntp.conf
> configuration file:
>
> # Enable the Autokey protocol
> crypto
>
> # Define the location of the keys and cryptographic files
> keysdir /etc/ntp/
>
> # Enable event logging
> statistics sysstats cryptostats
>
> # Define how events are logged
> filegen sysstats file SysStats type day enable
> filegen cryptostats file cryptostats type day enable
>
> # Associate the Autokey protocol with each server
> server server1.com autokey
> server server2.com autokey
>
> On Mon, 2016-05-30 at 09:17 -0700, Walter Parker wrote:
> > Not that I have seen.
> >
> > I had an idea for authenticated NTP awhile back, but was waiting until I
> > had upgraded to 2.3 before I looked at what it would take to add. This
> > weekend I had the time to build a test environment, so I might try doing it
> > over the next few months.
> >
> >
> > Walter
> >
> > On Mon, May 30, 2016 at 3:46 AM, Valerio Bellizzomi <valerio@selnet.org>
> > wrote:
> >
> > > Hello, there is a ntp authenticated with public key feature in ntp, does
> > > pfsense support that?
> > >
> > > thanks
> > >
> > >
> > > On Thu, 2016-05-26 at 20:18 +0200, Valerio Bellizzomi wrote:
> > > > Is it possible to do from the web interface?
> > > >
> > > > thanks
> > > >
> > > >
> > > > _______________________________________________
> > > > pfSense mailing list
> > > > https://lists.pfsense.org/mailman/listinfo/list
> > > > Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
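
The checks implied by the procedure quoted above, as an added example that is not part of the original message or of pfSense: a POSIX shell function that audits the key directory permissions, the IFF parameter file and the ntp.conf directives. The names check_autokey and demo and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message: audit an Autokey layout.
# Prints one finding per line and returns the number of findings.
check_autokey() {
    keysdir=$1; conf=$2; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    # The key directory must not be accessible by group or others.
    if [ -d "$keysdir" ]; then
        perms=$(ls -ld "$keysdir" | cut -c5-10)
        [ "$perms" = "------" ] || note "$keysdir open to group/other ($perms)"
    else
        note "$keysdir does not exist"
    fi
    # ntp.conf must enable Autokey and name the key directory.
    active=$(sed 's/#.*//' "$conf")    # directives with comments stripped
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' ||
        note "no 'crypto' directive in $conf"
    printf '%s\n' "$active" | awk -v d="${keysdir%/}" '
        $1 == "keysdir" { sub(/\/$/, "", $2); if ($2 == d) ok = 1 }
        END { exit !ok }' || note "keysdir in $conf is not $keysdir"
    # A server line without "autokey" is an unauthenticated association.
    for s in $(printf '%s\n' "$active" | awk '$1 == "server" {
            ok = 0; for (i = 3; i <= NF; i++) if ($i == "autokey") ok = 1
            if (!ok) print $2 }'); do
        note "server $s lacks 'autokey'"
    done
    # IFF parameter files: header line first, PEM footer last.
    found=0
    for f in "$keysdir"/ntpkey_IFFkey_*; do
        [ -f "$f" ] || continue
        found=1
        head -n 1 "$f" | grep -q '^# ntpkey_iffpar' || note "$f: no '# ntpkey_iffpar' header"
        last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
        [ "$last" = "-----END DSA PRIVATE KEY-----" ] || note "$f: no END DSA PRIVATE KEY footer"
    done
    [ "$found" -eq 1 ] || note "no ntpkey_IFFkey_* file in $keysdir"
    return "$findings"
}
# Constructed sample: open key dir, one server without autokey, truncated IFF file.
demo() {
    d=$(mktemp -d); mkdir "$d/ntp"; chmod 755 "$d/ntp"
    printf '# ntpkey_iffpar_ntp (constructed)\n-----BEGIN DSA PRIVATE KEY-----\n' > "$d/ntp/ntpkey_IFFkey_server1"
    printf 'crypto\nkeysdir %s/ntp/\nserver server1.com autokey\nserver server2.com\n' "$d" > "$d/ntp.conf"
    rc=0; check_autokey "$d/ntp" "$d/ntp.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

The permission check looks only at the group and other mode bits, so ownership by root still has to be confirmed separately on the real system.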