Subject: Serious problems with ntpd authentication in 1.5
To: None <current-users@netbsd.org>
From: Alexis Rosen <alexis@panix.com>
List: current-users
Date: 08/21/2000 06:24:35
[CC: simonb@netbsd.org]

I am having major problems with ntpd in 1.5, from 07/25/00. I did some
research by looking in the archives of this list and found what appears
to be the beginning of an answer in messages from Simon Burge and others,
but I don't think this issue is even close to settled. Before I open a PR
I'd like to know what others think, and if anyone knows offhand what
exactly is happening with authentication at the moment.

Apparently, ntpd 4.x comes with DES support disabled by default, and this
configuration is maintained within NetBSD. I suggest that this is a very
bad decision; people using DES authentication will find that their timeservers
are broken once they upgrade, and they're unlikely to discover the cause
without serious headaches. (Yes, despite the syslog message about the bad
key.)

Whatever is decided about compiling in DES, I bit the bullet and decided to
convert from DES to MD5. And I've run into some problems. I have a 1.4.2
system ("juggler") and a 1.5 7/25/00 system ("trinity") talking to each other
using MD5, so that's fixed. But I also have both of them multicasting, the 1.5
system using an MD5 key and the 1.4.2 using DES. A 1.4.3 system (recent
vintage, exact date unknown) doesn't seem to like the MD5 multicast. It says:

> input_handler: fd=9 length 48 from a65400d8 166.84.0.216
> receive from 166.84.0.216
> poll_update(166.84.0.216, 6, 1)
> invalid packet header 166.84.0.216 0x14 0.076782 0.011169
> - peer authentication failure

This despite having the same keyfile as the two servers, and "trustedkey 1 2"
in the conf file, where key 1 is the DES key and key 2 is the MD5 key.

Another 1.5 7/25/00 multicast client fails too, but differently. It says:

> receive: at 40 166.84.0.216 mode 5 code 5
> receive: bad protocol 5

Does anyone know what either of these mean? If there is an enlightening FM to
R, could someone point me at it? (Other than "UTSL", I mean.)

BTW, since (as I understand it) 1.5 is going to be released after the RSA
patent expires, are there any plans to build ntpd with autokey support by
default in 1.5? I'm not all that anxious to use it, but it seems like a
natural thing to include.

Thanks,
/a
---
Alexis Rosen
PANIX Public Access Unix & Internet, NYC.
alexis@panix.com
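Added example, not part of the original message or of the ntp distribution: it shows how the ntpd 4.x MD5 authenticator (4-byte key ID followed by MD5 over the key and the 48-byte header) is computed and how a receiver checks it against an ntp.keys file and a "trustedkey" list, so that a "peer authentication failure" can be narrowed down to a missing authenticator, an untrusted key, an unsupported key type, or a digest mismatch. The keys file contents and the packet header are constructed, and the treatment of DES-type keys as unsupported is an assumption standing in for a build without DES compiled in.

```python
import hashlib
import hmac
import struct

# Constructed ntp.keys contents, ntpd 4.x format: "<keyid> <type> <key>".
# Type M is an MD5 key (ASCII); type A is a DES key (ASCII), treated here
# as unsupported (assumption: mirrors an ntpd built without DES).
KEYS_FILE = """\
# keyid type key
1 A secretde
2 M multicastmd5key
"""

HEADER_LEN = 48   # NTP header with no authenticator appended
MAC_LEN = 4 + 16  # key identifier + MD5 digest

def parse_keys(text):
    """Return {keyid: (type, key_bytes)} from ntp.keys-style text."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        keys[int(keyid)] = (ktype.upper(), key.encode())
    return keys

def md5_mac(keyid, key, header):
    """ntpd MD5 authenticator: keyid || MD5(key || 48-byte header)."""
    return struct.pack("!I", keyid) + hashlib.md5(key + header).digest()

def verify(packet, keys, trustedkeys):
    """Classify a received packet the way an authenticating peer would."""
    if len(packet) == HEADER_LEN:
        return "no authenticator"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys:
        return "unknown key"
    if keyid not in trustedkeys:
        return "key not trusted"
    ktype, key = keys[keyid]
    if ktype != "M":
        return "key type not supported"
    if not hmac.compare_digest(md5_mac(keyid, key, header), mac):
        return "digest mismatch"
    return "ok"
```

Feed verify() a captured packet (48 or 68 bytes), the parsed keys file, and the key IDs from the "trustedkey" line of ntp.conf; the returned string names the first check that fails.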