
Fixing the NTP "Server disallowed request (authentication?)" error

2015-06-15 10:45
The method below works with ntpd 4.2.6; it still does not work with 4.2.4. If you have a solution for that version, feel free to share it.

0. Background

In ntpq some of a server's variables can be written with writevar (syntax: writevar assocID variable_name [= value [...]]). There are also :config (a single configuration statement) and config-from-file (a configuration file); these two do not exist in 4.2.4. Configuring the daemon through any of these requires authentication, otherwise you get the following error:

ntpq> writevar 0 poll=3

***Server disallowed request (authentication?)

1. Solution

NTP implements authentication with keys, so all of the configuration below revolves around keys.

1.1 Create an ntp.keys file in the same directory as ntp.conf. On my machine both live in /etc. ntp.keys declares the keys used for authentication; its contents are as follows:

11 M pass1
22 M pass2
33 M pass3
44 M pass4

11 is the key ID, M means the MD5 scheme, and pass1 is the password belonging to key ID 11; the remaining lines follow the same pattern.

Pay close attention to this file's permissions: be sure to change them with the following command:

root@bt:~# chmod 600 /etc/ntp.keys

There is a tale of blood and tears here: because I had not changed the file permissions, authentication kept failing, and it took a lot of searching to find the cause. I could have cried.

1.2 Edit ntp.conf

#restrict -4 default kod notrap nomodify nopeer noquery

#restrict -6 default kod notrap nomodify nopeer noquery

Comment out these two lines to remove the restriction on client IP addresses (google the exact meaning of each flag yourself). This approach is far too crude and very insecure; for real use you need to configure the access restrictions in detail. It is only an example here.

Next the keys need to be added. Here is an excerpt describing the various key directives:

trustedkey [keyid | (lowid ... highid)] [...]
Specifies the key ID(s) which are trusted for the purposes of authenticating peers with symmetric key cryptography. Key IDs used to authenticate ntpq and ntpdc operations must be listed here and additionally be enabled with controlkey and/or requestkey.
The authentication procedure for time transfer requires that both the local and remote NTP servers employ the same key ID and secret for this purpose, although different key IDs may be used with different servers. Ranges of trusted key IDs may be specified: trustedkey (1 ... 19) 1000 (100 ... 199) enables the lowest 120 key IDs which start with the digit 1. The spaces surrounding the ellipsis are required when specifying a range.
(ref: http://www.eecis.udel.edu/~mills/ntp/html/authopt.html)

Add the following lines to declare the keys used when accessing this server:

keys /etc/ntp.keys       # location of the key file
trustedkey 11 22 33 44   # trusted keys (the keys defined in ntp.keys)
requestkey 11 22 33 44   # keys ntpdc may use
controlkey 11            # key ntpq may use
authdelay 0.000094       # authentication takes extra computation time; this declares it

The final ntp.conf looks roughly like this:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
#restrict 172.24.20.0 255.255.255.0
#restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
keys /etc/ntp.keys
trustedkey 11 22 33 44
requestkey 11 22 33 44
controlkey 11
authdelay 0.000094

Once configured, restart the service:

service ntp restart

After that it works.
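As an added example (not code from the original post), here is a small Python checker that parses an ntp.keys file and the key directives of ntp.conf, including the (lo ... hi) range form from the excerpt above, and reports the mistakes this post ran into: a keys file readable by group or others, a controlkey/requestkey ID that is missing from ntp.keys or from trustedkey, and no active restrict default line. The sample file contents and the function names are my own constructions; the file mode is passed in so the check also runs against real files via os.stat.

```python
import re
import stat
# Constructed sample inputs modelled on the post's files (not taken from a live host).
SAMPLE_KEYS = "11 M pass1\n22 M pass2\n33 M pass3\n44 M pass4\n"
SAMPLE_CONF = ("keys /etc/ntp.keys\ntrustedkey 11 22 33 44\nrequestkey 11 22 33 44\n"
               "controlkey 11\n#restrict -4 default kod notrap nomodify nopeer noquery\n")
KEY_TOKEN = re.compile(r"\((\d+)\s+\.\.\.\s+(\d+)\)|(\d+)")  # "(lo ... hi)" or a bare id

def parse_keys(text):
    """Return {keyid: (type, secret)} from ntp.keys content; '#' starts a comment."""
    keys = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if not parts:
            continue
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError("malformed ntp.keys line: %r" % line)
        keys[int(parts[0])] = (parts[1], parts[2])
    return keys

def parse_conf(text):
    """Collect trustedkey/requestkey/controlkey ids (ranges expanded) and note whether an active 'restrict default' line exists."""
    conf = {"trustedkey": set(), "requestkey": set(), "controlkey": set(),
            "restrict_default": False}
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()  # commented-out lines become empty
        if not tokens:
            continue
        if tokens[0] in ("trustedkey", "requestkey", "controlkey"):
            for lo, hi, single in KEY_TOKEN.findall(" ".join(tokens[1:])):
                ids = range(int(lo), int(hi) + 1) if lo else [int(single)]
                conf[tokens[0]].update(ids)
        elif tokens[0] == "restrict" and "default" in tokens[1:3]:
            conf["restrict_default"] = True
    return conf

def audit(keys, conf, keys_mode):
    """Return findings that would cause 'disallowed request' or leave the host wide open."""
    findings = []
    if keys_mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner-only access
        findings.append("ntp.keys is group/world accessible; chmod 600 it")
    for directive in ("controlkey", "requestkey"):
        for kid in sorted(conf[directive]):
            if kid not in keys:
                findings.append("%s %d is not defined in ntp.keys" % (directive, kid))
            elif kid not in conf["trustedkey"]:
                findings.append("%s %d is not listed in trustedkey" % (directive, kid))
    if not conf["restrict_default"]:
        findings.append("no active 'restrict default' line: access is unrestricted")
    return findings
```

For a live host, call audit(parse_keys(open("/etc/ntp.keys").read()), parse_conf(open("/etc/ntp.conf").read()), stat.S_IMODE(os.stat("/etc/ntp.keys").st_mode)); the post's own configuration passes every check except the commented-out restrict lines.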

2. Rant

Well, this NTP authentication business dragged on back and forth for a month; I was ready to spit blood and give up. Lots of sources said just create an ntp.keys and edit ntp.conf and you are done, but it simply had no effect. Just as I was about to give up, I happened to see a mention of the permissions problem, and it finally worked, though still only on 4.2.6. 4.2.4 itself has lots of bugs and would not even install on BT5, so I stopped bothering with it.