How to configure NTP authentication on Gaia OS / IPSO OS
Solution

Table of Contents:

  • Procedure for Gaia OS
  • Procedure for IPSO 6.2 OS
  • Related solutions
  • Related manual pages

 


 

Procedure

  • Procedure for Gaia OS

    1. On the NTP Client side:

      1. Add a key to the key file /etc/ntp/keys:

        [key number] M [key password]

        Make sure that:

        • the 'key number' is between 1 and 65535
        • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


      2. Configure the following in the /etc/ntp.conf file:
        
        restrict default ignore
        restrict -6 default ignore
        restrict 127.0.0.1
        restrict -6 ::1
        trustedkey [key number] [another key number] ...
        keys /etc/ntp/keys
        driftfile /var/lib/ntp/ntp.drift
        
        
      3. For every NTP server:

        • If it is an IPv4 address or a host name:
          
          server [IPv4 address or Host name of NTP server] version [version number 1...4] iburst key [key number]
          
          restrict [IPv4 address or Host name of NTP server] nomodify notrap nopeer noquery
          
          
        • If it is an IPv6 address:
          
          server -6 [IPv6 address of NTP server] version 4 iburst key [key number]
          
          restrict -6 [IPv6 address of NTP server] nomodify notrap nopeer noquery
          
          


    2. On the NTP Server side:

      1. Add a key to the key file /etc/ntp/keys:

        [key number] M [key password]

        Make sure that:

        • the 'key number' is between 1 and 65535
        • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


      2. Configure the following in the /etc/ntp.conf file:
        
        restrict default kod limited notrap nomodify nopeer
        restrict -6 default kod limited notrap nomodify nopeer
        restrict 127.0.0.1
        restrict -6 ::1
        server 127.127.1.0 version 3
        fudge 127.127.1.0 stratum [stratum number 0...15]
        trustedkey [key number] [another key number] ...
        keys /etc/ntp/keys
        
        

        Notes:

        • If the NTP Server is also an NTP Client, then do NOT put:
          
          restrict default ignore
          restrict -6 default ignore
          
          
          Instead, put these lines:
          
          restrict default kod limited notrap nomodify nopeer
          restrict -6 default kod limited notrap nomodify nopeer
          
          
        • If you want the NTP Server to serve only authenticated clients, then add "notrust" at the end of the lines with "default".


    3. After making all the changes in the /etc/ntp.conf file, write-protect it so that the Gaia OS daemon (confd) cannot overwrite it.

      Add the Linux file system 'immutable' attribute:
      
      [Expert@HostName]# lsattr /etc/ntp.conf
      [Expert@HostName]# chattr +i /etc/ntp.conf
      [Expert@HostName]# lsattr /etc/ntp.conf
      
      

      Notes:

      • After this change you cannot configure NTP through Clish/Gaia Portal - the changes will not be saved.

      • To revert, remove the Linux file system 'immutable' attribute:
        
        [Expert@HostName]# lsattr /etc/ntp.conf
        [Expert@HostName]# chattr -i /etc/ntp.conf
        [Expert@HostName]# lsattr /etc/ntp.conf
        
        
    4. Restart the NTPD process:

      [Expert@HostName]# dbset process:ntpd
      [Expert@HostName]# dbset process:ntpd t
      
    5. Check the NTP synchronization:

      [Expert@HostName]# ntpq -pn
      [Expert@HostName]# ntpstat
      


  • Procedure for IPSO 6.2 OS

    1. On the NTP Client side:

      1. Add a key to the key file /etc/ntp.keys:

        [key number] M [key password]

        Make sure that:

        • the 'key number' is between 1 and 65535
        • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


      2. Configure the following in the /var/etc/ntp.conf file:
        
        restrict default ignore
        restrict -6 default ignore
        restrict 127.0.0.1
        restrict -6 ::1
        
        
      3. For every NTP server:
        
        server [IPv4 address or Host name of NTP server] version [version number 1...4] iburst key [key number]
        
        restrict [IPv4 address or Host name of NTP server] nomodify notrap nopeer noquery
        
        


    2. On the NTP Server side:

      1. Add a key to the key file /etc/ntp.keys:

        [key number] M [key password]

        Make sure that:

        • the 'key number' is between 1 and 65535
        • the 'key password' is between 1 and 31 characters (spaces and the '#' character are not allowed)


      2. Configure the following in the /var/etc/ntp.conf file:
        
        restrict default kod limited notrap nomodify nopeer
        restrict -6 default kod limited notrap nomodify nopeer
        restrict 127.0.0.1
        restrict -6 ::1
        server 127.127.1.0 version 3
        fudge 127.127.1.0 stratum [stratum number 0...15]
        trustedkey [key number],[another key number],...
        keys /etc/ntp.keys
        
        

        Notes:

        • If the NTP Server is also an NTP Client, then do NOT put:
          
          restrict default ignore
          restrict -6 default ignore
          
          
          Instead, put these lines:
          
          restrict default kod limited notrap nomodify nopeer
          restrict -6 default kod limited notrap nomodify nopeer
          
          
        • If you want the NTP Server to serve only authenticated clients, then add "notrust" at the end of the lines with "default".


    3. After making all the changes in the /var/etc/ntp.conf file, write-protect it so that IPSO OS cannot overwrite it.

      Add the IPSO file system 'immutable' attributes:
      
      HostName[admin]# ls -lo /var/etc/ntp.conf
      HostName[admin]# chflags schg,uchg /var/etc/ntp.conf
      HostName[admin]# ls -lo /var/etc/ntp.conf
      
      

      Notes:

      • After this change you cannot configure NTP through Clish/IPSO Voyager - the changes will not be saved.

      • To revert, remove the IPSO file system 'immutable' attributes:
        
        HostName[admin]# ls -lo /var/etc/ntp.conf
        HostName[admin]# chflags noschg,nouchg /var/etc/ntp.conf
        HostName[admin]# ls -lo /var/etc/ntp.conf
        
        
    4. Restart the NTPD process:

      HostName[admin]# dbset process:ntpd
      HostName[admin]# dbset process:ntpd t
      
    5. Check the NTP synchronization:

      HostName[admin]# ntpq -pn
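
The following is an added example, not Check Point code and not part of the original article: a shell function that lints a key file and ntp.conf pair against the rules in both procedures above (key number range, password length and characters, each server's key defined and listed in trustedkey, a restrict line for each server). The function names and the sample addresses, key numbers and passwords are constructed for illustration.

```shell
# Added example (not Check Point code): lint a key file / ntp.conf pair against
# the rules in this article. Prints one line per problem; returns 1 if any.
check_ntp_auth() {   # usage: check_ntp_auth KEYS_FILE NTP_CONF
    awk '
    function bad(msg) { print "PROBLEM: " msg; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    FILENAME == ARGV[1] {                       # key file: [key number] M [key password]
        if (NF != 3 || $2 != "M" || index($3, "#"))
            bad("key line " FNR ": expected <number> M <password>, no spaces or #")
        else if ($1 !~ /^[0-9]+$/ || $1 + 0 < 1 || $1 + 0 > 65535)
            bad("key line " FNR ": key number must be between 1 and 65535")
        else if (length($3) > 31)
            bad("key " $1 ": password is longer than 31 characters")
        else defined[$1 + 0] = 1
        next
    }
    $1 == "trustedkey" {                        # Gaia uses spaces, IPSO uses commas
        gsub(/,/, " ")
        for (i = 2; i <= NF; i++) trusted[$i + 0] = 1
        next
    }
    $1 == "server" || $1 == "restrict" {
        addr = ($2 == "-6") ? $3 : $2           # skip the IPv6 flag
        if ($1 == "restrict") { restricted[addr] = 1; next }
        if (addr ~ /^127\.127\./) next          # local reference clock, no key needed
        srvkey[addr] = ""
        for (i = 3; i < NF; i++) if ($i == "key") srvkey[addr] = $(i + 1) + 0
    }
    END {
        for (s in srvkey) {
            k = srvkey[s]
            if (k == "") bad("server " s ": no key, time source is unauthenticated")
            if (k != "" && !(k in defined)) bad("server " s ": key " k " is not in the key file")
            if (k != "" && !(k in trusted)) bad("server " s ": key " k " is not listed in trustedkey")
            if (!(s in restricted)) bad("server " s ": no matching restrict line")
        }
        exit (n > 0)
    }' "$1" "$2"
}

demo() {   # constructed sample files; addresses and passwords are placeholders
    d=$(mktemp -d) || return 2
    printf "%s\n" "10 M ExampleKey10" "70000 M TooBigNumber" > "$d/keys"
    printf "%s\n" "restrict default ignore" "trustedkey 10,11" "keys /etc/ntp/keys" \
        "server 192.0.2.10 version 4 iburst key 10" \
        "restrict 192.0.2.10 nomodify notrap nopeer noquery" \
        "server 192.0.2.20 version 4 iburst key 12" > "$d/ntp.conf"
    check_ntp_auth "$d/keys" "$d/ntp.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

Run it before setting the immutable attribute: on Gaia pass /etc/ntp/keys and /etc/ntp.conf, on IPSO pass /etc/ntp.keys and /var/etc/ntp.conf.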
      

 

 
