Thread: Autokey-related Questions




Autokey-related Questions
2007-05-25 16:35:16

Hi,

I have some questions related to the Autokey protocol and configuration:

1) What exactly does "crypto pw clientpassword" in the autokey configuration procedure do (mentioned in http://ntp.isc.org/bin/view/Support/ConfiguringAutokey#Section_6.7.1.2.)? Does it create (and encrypt) a new client password for the purpose of storing it in ntp.conf for the autokey protocol? When is this password used? I noticed that when generating the host parameters, a password is passed to the utility, instead of getting it from ntp.conf.

2) When the server (manually) FTPs the leapseconds table from NIST NTP server or wherever, where must this file be stored in order for the autokey protocol code to access it for the autokey dance (to send it to the client)? Is the location detail documented somewhere?

3) I read somewhere on one of the NTP installation pages (I think) that "Public key cryptography needs a key file (usually in /usr/local/etc)". Does this just mean the key/parameter files generated by the ntp-keygen utility must be stored at /usr/local/etc/? Is the random seed file (.rnd) the ONLY file that needs to be created manually, besides the exported IFF parameter file?

4) When is the following command used - crypto [cert file] [leap file] [randfile file] [host file] [sign file] [ident scheme] [iffpar file] [gqpar file] [mvpar file] [pw password]? I am confused because it's not mentioned in the autokey configuration procedure but it's mentioned in http://www.eecis.udel.edu/~mills/ntp/html/authopt.html. Is it just used when we feel the need to encrypt certain files for storage? When a file is encrypted, will the autokey software automatically decrypt the file?

5) When the server extracts the IFF parameters for export to the clients, what is the security impact of (1) using the same password for all the clients in the Trust Group, and of (2) using no client password?

Thanks,

Helen

 
 
 
Re: Autokey-related Questions
2007-05-25 22:41:46
Helen,

You cite documents at ntp.isc.org. Those documents were not written by me and I have not read them. The only documents I personally swear by come directly from ntp.org or the NTP project page www.eecis.udel.edu/~mills/ntp.html.

1. Cryptographic media produced by the ntp-keygen program can optionally be encrypted with a password. This password must match the crypto pw password in the configuration file. For this purpose, the configuration file would ordinarily be restricted to root.

2. The leapsecond file is expected in the same directory as the crypto keys.

3. The crypto keys file normally defaults to /usr/local/etc, but this can be changed with a configuration command.

4. See 1. The file subcommands on the crypto configuration line are for special cases and personal preference. The .rnd file is normally in the root directory when the program is run as a daemon. The issues where to put this file are determined by OpenSSL conventions.

5. The password used to encrypt the identity file is ordinarily provided by the user to an encrypted web page.

Dave

Re: Autokey-related Questions
2007-05-30 15:44:13
Dave,

Thanks. I don't quite understand the connection between your response to (5) and my question (5). Would you mind helping me understand what the impact is of the server using the same password for all the clients in the Trust Group when the server extracts the IFF group keys? What is the impact of using no password when the server extracts the IFF group keys?

Helen

Re: Autokey-related Questions
2007-05-31 20:13:59
Helen,

The secret password used to encrypt the private keys and group key is selected by each client separately. The trusted host encrypts the group key with the password supplied by the client. Each client can use a different password.

The procedures work just as well if no password is used, but that would not be a good idea except for testing.

Perhaps the most useful way to clarify these issues is to read the autokey directions at the ISC wiki site.

Dave
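
Two operational points from the replies in this thread can be checked mechanically: an ntp.conf that carries `crypto pw` should be restricted to root, and running with no password is for testing only. The following is an added example, not part of the original posts or of the NTP distribution; the function name `audit_autokey_conf`, the finding labels and the sample configuration are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_autokey_conf(path, owner_uid=0):
    """Return findings about Autokey password handling in an ntp.conf (hypothetical helper)."""
    crypto_seen, password = False, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            words = raw.split("#", 1)[0].split()      # drop comments
            if not words or words[0] != "crypto":
                continue
            crypto_seen = True
            # Subcommands are keyword/value pairs: crypto [host file] ... [pw password]
            for key, value in zip(words[1::2], words[2::2]):
                if key == "pw":
                    password = value
    findings = []
    if crypto_seen and password is None:
        # The thread's advice: works without a password, but only suitable for testing.
        findings.append("no-password")
    if password is not None:
        st = os.stat(path)
        if st.st_uid != owner_uid:
            findings.append("wrong-owner")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # A reader of this file learns the password protecting the ntp-keygen files.
            findings.append("readable-by-non-owner")
    return findings


def demo():
    """Run the audit on a constructed ntp.conf with two different file modes."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ntp.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write("server ntp.example.com autokey  # constructed sample\n")
            fh.write("crypto pw constructed-secret\n")
        results = {}
        for mode in (0o644, 0o600):
            os.chmod(conf, mode)
            results[oct(mode)] = audit_autokey_conf(conf, owner_uid=os.getuid())
        return results


if __name__ == "__main__":
    print(demo())
```

On a production host, call `audit_autokey_conf("/etc/ntp.conf")` with the default `owner_uid=0`; the path is an assumption and depends on the installation.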
