How to configure NTP authentication on Gaia OS
Solution

Table of Contents:

  • Procedure 
  • Related solutions and manual pages

 

Procedure

  1. On the NTP Client side:

    1. Add a key to the key file /etc/ntp/keys:

      [key number] M [key password]

      Make sure that:

      • the 'key number' is between 1 and 65535
      • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


    2. Configure the following in the /etc/ntp.conf file:
      
      restrict default ignore
      restrict -6 default ignore
      restrict 127.0.0.1
      restrict -6 ::1
      trustedkey [key number] [another key number] ...
      keys /etc/ntp/keys
      driftfile /var/lib/ntp/ntp.drift
      
      
    3. For every NTP server:

      • If it is IPv4 or Host name:
        
        server [IPv4 address or Host name of NTP server] version [version number 1...4] iburst key [key number]
        restrict [IPv4 address or Host name of NTP server] nomodify notrap nopeer noquery
        
        
      • If it is IPv6:
        
        server -6 [IPv6 address of NTP server] version 4 iburst key [key number]
        restrict -6 [IPv6 address of NTP server] nomodify notrap nopeer noquery
        


  2. On the NTP Server side:

    1. Add a key to the key file /etc/ntp/keys:

      [key number] M [key password]

      Make sure that:

      • the 'key number' is between 1 and 65535
      • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


    2. Configure the following in the /etc/ntp.conf file:
      
      restrict default kod limited notrap nomodify nopeer
      restrict -6 default kod limited notrap nomodify nopeer
      restrict 127.0.0.1
      restrict -6 ::1
      server 127.127.1.0 version 3
      fudge 127.127.1.0 stratum [stratum number 0...15]
      trustedkey [key number] [another key number] ...
      keys /etc/ntp/keys
      
      

      Notes:

      • If the NTP Server is also an NTP Client, then do NOT put:
        
        restrict default ignore
        restrict -6 default ignore
        
        
        Instead, put these lines:
        
        restrict default kod limited notrap nomodify nopeer
        restrict -6 default kod limited notrap nomodify nopeer
        
        
      • If you want the NTP Server to serve only an authenticated client, add "notrust" at the end of the lines with "default".


  3. After making all the changes in the /etc/ntp.conf file, write-protect the file so that the Gaia OS daemon (confd) does not overwrite it.

    Add the Linux file system 'immutable' attribute:
    
    [Expert@HostName]# lsattr /etc/ntp.conf
    [Expert@HostName]# chattr +i /etc/ntp.conf
    [Expert@HostName]# lsattr /etc/ntp.conf
    
    

    Notes:

    • After this change you cannot configure NTP through Clish/Gaia Portal - the changes will not be saved.

    • To revert, remove the Linux file system 'immutable' attribute:
      
      [Expert@HostName]# lsattr /etc/ntp.conf
      [Expert@HostName]# chattr -i /etc/ntp.conf
      [Expert@HostName]# lsattr /etc/ntp.conf
      
      
  4. Restart the NTPD process:

    [Expert@HostName]# dbset process:ntpd
    [Expert@HostName]# dbset process:ntpd t

  5. Check the NTP synchronization:

    [Expert@HostName]# ntpq -pn
    [Expert@HostName]# ntpstat
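
The key file and ntp.conf rules from steps 1 and 2 can be checked for consistency before the restart in step 4. The shell function below is an added example, not part of the original article or of Gaia OS; the name check_ntp_auth and its messages are assumptions, and it accepts only the "[key number] M [key password]" line format shown above.

```shell
# Added example, not part of the original article.
# check_ntp_auth KEYS_FILE CONF_FILE
# Prints one line per problem and returns 1 if any problem was found.
check_ntp_auth() {
    awk '
    function fail(msg) { print msg; bad = 1 }

    /^[ \t]*#/ || NF == 0 { next }       # skip comment lines and blank lines

    # Keys file: "[key number] M [key password]"
    FILENAME == ARGV[1] {
        if (NF != 3 || $2 != "M" || $3 ~ /#/) {
            fail("keys:" FNR ": expected <number> M <password>, no spaces or # in password")
            next
        }
        if ($1 !~ /^[0-9]+$/ || $1 + 0 < 1 || $1 + 0 > 65535) {
            fail("keys:" FNR ": key number must be between 1 and 65535")
            next
        }
        if (length($3) > 31) {
            fail("keys:" FNR ": password must be between 1 and 31 characters")
            next
        }
        inkeys[$1 + 0] = 1
        next
    }

    # ntp.conf: collect trusted key numbers and the key each server line uses
    $1 == "trustedkey" { for (i = 2; i <= NF; i++) trusted[$i + 0] = 1 }
    $1 == "server" {
        for (i = 2; i < NF; i++)
            if ($i == "key") used[$(i + 1) + 0] = FNR
    }

    END {
        for (k in used) {
            if (!(k in inkeys))  fail("conf:" used[k] ": key " k " is not in the keys file")
            if (!(k in trusted)) fail("conf:" used[k] ": key " k " is not listed in trustedkey")
        }
        for (k in trusted)
            if (!(k in inkeys)) fail("conf: trustedkey " k " is not in the keys file")
        exit bad + 0
    }' "$1" "$2"
}
```

Call it as check_ntp_auth /etc/ntp/keys /etc/ntp.conf on both the client and the server; a return value of 0 means every key used on a server line is defined in the key file and listed in trustedkey.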



 
