I'm trying to set up an NTP timeserver for hosts on my internal network to synchronise against.
I need to use authorisation in order to comply with PCI standards.
I've created a set of keys using ntp-keygen -M and added the below snippet to my /etc/ntp.conf file on the server.
    enable auth
    keys /etc/ntp.keys
    trustedkey 1 7 17
I'm unable to connect to the server from a client. When I run "ntpq -c as" on the client I can see that auth is "bad" for my server. I have copied the key file that was generated on the server to the client and added the trusted key lines to the client too, like this:
    server timeserver key 17
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    restrict 127.0.0.1
    restrict ::1
    keys /etc/ntp.keys
    trustedkey 1 7 17
Looking at the server logs I can see that I'm getting a permission denied fault when trying to read the file, as below.
    Jan 30 12:38:01 ip-10-0-1-103 systemd: Starting LSB: Start NTP daemon...
    Jan 30 12:38:01 ip-10-0-1-103 ntp: * Starting NTP server ntpd
    Jan 30 12:38:01 ip-10-0-1-103 ntpd: ntpd [email protected] Wed Oct 5 12:34:45 UTC 2016 (1): Starting
    Jan 30 12:38:01 ip-10-0-1-103 ntpd: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116
    Jan 30 12:38:01 ip-10-0-1-103 ntp: ...done.
    Jan 30 12:38:01 ip-10-0-1-103 systemd: Started LSB: Start NTP daemon.
    Jan 30 12:38:01 ip-10-0-1-103 ntpd: proto: precision = 0.182 usec (-22)
    Jan 30 12:38:01 ip-10-0-1-103 ntpd: authreadkeys: file /etc/ntp.keys: Permission denied
I have used ntpdate from the client machine to set the date from the server so I'm pretty confident that the networking is up and running. I've actually disabled iptables on both servers while I'm busy trying to set this up.
The key file is 600 on the server, like this:
    -rw------- 1 root root 1066 Jan 30 12:29 ntpkey_MD5key_timeserver.3694768152
    lrwxrwxrwx 1 root root   35 Jan 30 12:33 ntp.keys -> ntpkey_MD5key_timeserver.3694768152
I've tried changing the config to point to the actual file and not the symlink.
Can anybody help me work out what the error in the syslog means and how to resolve this?
EDIT: Looking at the source it looks like the "Permission denied" part of the error is coming from the OS.
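An added example, not part of the original post: a small Python check that the key ids referenced by `server ... key` and `trustedkey` in an ntp.conf are actually defined in the key file. The configuration and key material are constructed samples, the function names are hypothetical, and a key file that ntpd could not read (as in the `authreadkeys` log line above) is modelled as empty text.

```python
# Added example: consistency check for NTP symmetric-key settings.
# All sample text below is constructed; the secrets are made up.
SAMPLE_CONF = """\
server timeserver key 17
restrict 127.0.0.1
keys /etc/ntp.keys
trustedkey 1 7 17
"""
SAMPLE_KEYS = """\
# constructed key file in "id type secret" format
 1 MD5 aaaaaaaaaaaaaaaaaaaa  # MD5 key
 7 MD5 bbbbbbbbbbbbbbbbbbbb  # MD5 key
"""

def parse_keys(text):
    """Return the set of key ids defined in ntp.keys-format text."""
    ids = set()
    for line in text.splitlines():
        fields = line.split()
        # A key line is "<id> <type> <secret>"; anything else is skipped.
        if len(fields) >= 3 and fields[0].isdigit():
            ids.add(int(fields[0]))
    return ids

def parse_conf(text):
    """Return (trusted ids, {host: key id}) from ntp.conf-format text."""
    trusted, assoc = set(), {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0] == "trustedkey":
            # Only plain integer ids are handled in this example.
            trusted.update(int(x) for x in f[1:] if x.isdigit())
        elif f and f[0] in ("server", "peer") and "key" in f[2:-1]:
            nxt = f[f.index("key", 2) + 1]
            if nxt.isdigit():
                assoc[f[1]] = int(nxt)
    return trusted, assoc

def audit(conf_text, keys_text):
    """List mismatches between the config and the keys ntpd could load."""
    trusted, assoc = parse_conf(conf_text)
    loaded = parse_keys(keys_text)
    findings = [f"{h}: key {k} is not in trustedkey"
                for h, k in sorted(assoc.items()) if k not in trusted]
    findings += [f"trustedkey {k} is not defined in the key file"
                 for k in sorted(trusted - loaded)]
    return findings
```

Run `audit()` with the text of each host's own ntp.conf and key file; it reports key ids only and never prints the secrets.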