NTP can use cryptography to authenticate clients and servers to each other, and time servers to one another. By default, SLES10 is set up to allow the NTPv3-style method that uses symmetric keys, but not the NTPv4 Autokey method, which uses public/private key pairs and certificates. If you want to use the v4 (Autokey) method, this is the tip for you.
Background
On SLES10, ntpd runs inside a chroot jail under /var/lib/ntp, so any file it needs at run time (including the key files created below) has to live beneath that directory. Additionally, ntpd runs with an AppArmor profile loaded against it for added security, which is why that profile has to be extended before ntpd is allowed to read the new files.
Getting NTPv4 auth to work
There are four steps to get this to work.
- Create the .rnd seed file in the chroot jail
- Run ntp-keygen
- Modify the AppArmor profile for /usr/sbin/ntpd to allow read access to the new files
- Modify the /etc/ntp.conf file to enable v4 (Autokey) authentication
Create the .rnd seed file in the chroot jail
OpenSSL (and therefore ntp-keygen and ntpd) wants a random seed file. Create one inside the jail; 1024 bytes is plenty:
timehost:~ # openssl rand -out /var/lib/ntp/etc/.rnd 1024
Make sure the file is readable by the user ntpd runs as but not by anyone else (mode 600).
Run ntp-keygen
ntp-keygen writes its files into the current directory, so change directory to /var/lib/ntp/etc first, then execute the following command. The -T option generates the host key plus a self-signed trusted certificate, which is what the trusted time server needs:
timehost:/var/lib/ntp/etc # ntp-keygen -T
This leaves two symbolic links, ntpkey_host_[hostname] and ntpkey_cert_[hostname], each pointing at a timestamped file in the same directory (for the default RSA key and MD5-signed certificate these are named ntpkey_RSAkey_[hostname].[timestamp] and ntpkey_RSA-MD5cert_[hostname].[timestamp]). Every run of ntp-keygen creates a new timestamped pair, so keep that in mind when you edit the AppArmor profile below.
Modify the AppArmor profile
- Launch YaST
- Go to the "Novell AppArmor" section, and enter the "Edit Profile" tool.
- Select "/usr/sbin/ntpd" and click Next.
- Click the "Add Entry" button and select File.
- Browse to /var/lib/ntp/etc/.rnd, tick the "Read" permissions check-box, and click OK
- Repeat the previous two steps to add the two files created by ntp-keygen, named "ntpkey_cert_[hostname]" and "ntpkey_host_[hostname]".
- Note: AppArmor behaviour changes between SP1 and SP2. In SP1 a rule for the link name is enough; in SP2 AppArmor resolves the symbolic link, so you must add rules for the link targets (the timestamped ntpkey_* files). Because those names change every time ntp-keygen is run, the profile has to be updated after each key regeneration. If ntpd later fails to read a key file, look for AppArmor denial messages in the system log.
- Click Done on the main Profile Dialog
- Agree to reload the AppArmor profile
Modify /etc/ntp.conf
Add the following two lines. keysdir tells ntpd where the ntpkey_* files live, and the crypto directive enables Autokey and names the seed file:
keysdir /var/lib/ntp/etc/
crypto randfile /var/lib/ntp/etc/.rnd
Then restart ntpd (rcntp restart). Note that Autokey is negotiated per association: each client must use "server timehost autokey" in its own ntp.conf and needs its own ntp-keygen run (without -T). You can check whether authentication succeeded with "ntpq -c as", which shows the auth state of every association.
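The whole procedure above as an added shell example (this is not code from the original tip): it creates the seed file, runs ntp-keygen in the keys directory, prints the AppArmor read rules for the key files with the ntpkey_host_/ntpkey_cert_ symbolic links resolved to their timestamped targets (so the same rules cover SP1 and SP2), emits the two ntp.conf lines, and checks that no key material is readable by "other". The function names (make_rnd, run_keygen, apparmor_rules, ntp_conf_lines, check_perms), the KEYSDIR variable, the "apply" argument and the 1024-byte seed size are all assumptions of this example; it also assumes GNU coreutils (readlink, stat -c) as found on SLES.

```shell
#!/bin/sh
# Added example, not from the original tip. Assumes GNU coreutils
# (readlink, stat -c) and the SLES10 ntpd chroot jail at /var/lib/ntp.
KEYSDIR="${KEYSDIR:-/var/lib/ntp/etc}"

# Step 1: create the OpenSSL seed file inside the chroot jail.
# 1024 bytes is an assumption of this example; a few hundred bytes suffice.
make_rnd() {
    dir="$1"
    openssl rand -out "$dir/.rnd" 1024 && chmod 600 "$dir/.rnd"
}

# Step 2: ntp-keygen writes into the current directory, so cd first.
# -T makes this host the trusted host (self-signed trusted certificate).
run_keygen() {
    ( cd "$1" && ntp-keygen -T )
}

# Step 3: AppArmor file rules for everything ntpd must read. For the
# ntpkey_host_*/ntpkey_cert_* symlinks ntp-keygen creates, print both the
# link (enough on SP1) and its timestamped target (required on SP2).
apparmor_rules() {
    dir="$1"
    for f in "$dir/.rnd" "$dir"/ntpkey_host_* "$dir"/ntpkey_cert_*; do
        [ -e "$f" ] || continue
        printf '  %s r,\n' "$f"
        if [ -L "$f" ]; then
            t=$(readlink "$f")
            case "$t" in /*) ;; *) t="$dir/$t" ;; esac
            printf '  %s r,\n' "$t"
        fi
    done
}

# Step 4: the two ntp.conf lines from the tip, parameterised on keysdir.
ntp_conf_lines() {
    printf 'keysdir %s/\ncrypto randfile %s/.rnd\n' "$1" "$1"
}

# Check: the private host key and the seed file must not be readable by
# "other". Returns 1 and names the offenders on stderr if any are found.
check_perms() {
    dir="$1"; bad=0
    for f in "$dir/.rnd" "$dir"/ntpkey_*; do
        [ -e "$f" ] || continue
        [ -L "$f" ] && continue          # links carry no mode of their own
        case "$(stat -c %a "$f")" in
            *0) ;;                       # "other" has no permission bits
            *) bad=1; echo "world-accessible: $f" >&2 ;;
        esac
    done
    return $bad
}

# Usage: sh ntp-autokey.sh apply   (runs steps 1 and 2 on the live system)
#        sh ntp-autokey.sh         (only prints the rules and config lines)
if [ "${1:-}" = "apply" ]; then
    make_rnd "$KEYSDIR" && run_keygen "$KEYSDIR"
fi
apparmor_rules "$KEYSDIR"
ntp_conf_lines "$KEYSDIR"
check_perms "$KEYSDIR"
```

The printed AppArmor rules can be added through the YaST profile editor exactly as described above, or pasted into the ntpd profile file (/etc/apparmor.d/usr.sbin.ntpd) before reloading AppArmor; rerun the script after every ntp-keygen run, since the timestamped target names change each time.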