NTP server permission denied when trying to read key file

by Andy   Last Updated January 30, 2017 14:00 PM

I'm trying to set up an NTP timeserver for hosts on my internal network to synchronise against.

I need to use authorisation in order to comply with PCI standards.

I've created a set of keys using ntp-keygen -M and added the below snippet to my /etc/ntp.conf file on the server.

enable auth
keys /etc/ntp.keys
trustedkey 1 7 17

I'm unable to connect to the server from a client. When I run "ntpq -c as" on the client I can see that auth is "bad" for my server. I have copied the key file that was generated on the server to the client and added the trusted key lines to the client too, like this:

server timeserver key 17
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1 7 17

Looking at the server logs I can see that I'm getting a permission denied fault when trying to read the file, as below.

Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Starting LSB: Start NTP daemon...
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:  * Starting NTP server ntpd
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: ntpd [email protected] Wed Oct  5 12:34:45 UTC 2016 (1): Starting
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:    ...done.
Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Started LSB: Start NTP daemon.
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: proto: precision = 0.182 usec (-22)
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: authreadkeys: file /etc/ntp.keys: Permission denied

I have used ntpdate from the client machine to set the date from the server so I'm pretty confident that the networking is up and running. I've actually disabled iptables on both servers while I'm busy trying to set this up.

The key file is 600 on the server, like this:

-rw-------  1 root  root    1066 Jan 30 12:29 ntpkey_MD5key_timeserver.3694768152
lrwxrwxrwx  1 root  root      35 Jan 30 12:33 ntp.keys -> ntpkey_MD5key_timeserver.3694768152

I've tried changing the config to point to the actual file and not the symlink.

Can anybody help me work out what the error in the syslog means and how to resolve this?

EDIT: Looking at the source it looks like the "Permission denied" part of the error is coming from the OS.

Tags : ntp ntpd
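
The syslog above shows ntpd started with `-u 112:116`, while the key file listing shows mode 600 owned by root:root. As an added example (not part of the original post), the Python below pulls that uid:gid out of the logged command line and applies the owner/group/other read bits to the file the `ntp.keys` symlink resolves to. It assumes `-u` carries numeric ids and it ignores ACLs, MAC policy and directory search permissions; all function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample: the "Command line" entry as it appears in the syslog above.
SAMPLE_LOG = "ntpd[28094]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116"


def runas_from_log(line):
    """Return (uid, gid) from a numeric `-u uid:gid` ntpd option, or None if absent."""
    m = re.search(r"\s-u\s+(\d+):(\d+)\b", line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def mode_allows_read(st, uid, gids):
    """Classic owner/group/other read check (ACLs, MAC and root override ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_keyfile(path, uid, gids):
    """Follow symlinks to the real key file and report whether uid/gids may read it."""
    real = os.path.realpath(path)  # e.g. ntp.keys -> ntpkey_MD5key_...
    st = os.stat(real)
    return {
        "target": real,
        "owner": (st.st_uid, st.st_gid),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "readable": mode_allows_read(st, uid, gids),
        # Symmetric keys are secrets: flag a file that anyone on the host can read.
        "world_readable": bool(st.st_mode & stat.S_IROTH),
    }


if __name__ == "__main__":
    uid, gid = runas_from_log(SAMPLE_LOG)
    print(check_keyfile("/etc/ntp.keys", uid, {gid}))
```

A file that reports `readable: False` for the daemon's ids while `world_readable` is also `False` matches the listing in the question: the keys are protected from other users, but also from the unprivileged account ntpd runs as.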

