Solving the NTP server "disallowed request (authentication?)" problem
2015-06-15 10:45
The method below works on ntpd 4.2.6; on 4.2.4 it still does not work. If you know of a solution, I would welcome a discussion.
0. Background
ntpq can write some of the server's variables with writevar (syntax: writevar assocID variable_name [= value [...]]), and it also offers :config (configure from a statement) and config-from-file (configure from a file). The latter two do not exist in 4.2.4. Changing configuration through any of these requires authentication; otherwise you get the following error:
ntpq> writevar 0 poll=3
***Server disallowed request (authentication?)
1. Solution
NTP implements authentication with keys, and all of the configuration below revolves around those keys.
1.1 Create an ntp.keys file in the same directory as ntp.conf. Mine are both under /etc. ntp.keys declares the keys used for authentication; its contents are:
11 M pass1
22 M pass2
33 M pass3
44 M pass4
11 is the key ID, M means the MD5 key type, and pass1 is the secret for key ID 11; the remaining lines follow the same pattern.
Pay close attention to the permissions on this file. Be sure to restrict them with the following command:
root@bt:~# chmod 600 /etc/ntp.keys
There is a tale of blood and tears here: because I had not changed the file permissions, authentication kept failing, and it took a lot of reading before I found the cause. I could weep...
1.2 Edit the ntp.conf file
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
Comment out these two lines to remove the restrictions on client IP addresses (google the details yourself). This approach is far too crude and very insecure; for real use you need to configure access permissions in detail. It is only an example here.
Next the keys need to be added. Here is an excerpt describing the various key directives.
trustedkey [keyid | (lowid ... highid)] [...]
Specifies the key ID(s) which are trusted for the purposes of authenticating peers with symmetric key cryptography. Key IDs used to authenticate ntpq and ntpdc operations must be listed here and additionally be enabled with controlkey and/or requestkey.
The authentication procedure for time transfer requires that both the local and remote NTP servers employ the same key ID and secret for this purpose, although different key IDs may be used with different servers. Ranges of trusted key IDs may be specified: trustedkey (1 ... 19) 1000 (100 ... 199) enables the lowest 120 key IDs which start with the digit 1. The spaces surrounding the ellipsis are required when specifying a range. (ref: http://www.eecis.udel.edu/~mills/ntp/html/authopt.html)
Add the following lines to declare the keys used when accessing this server:
keys /etc/ntp.keys #location of the key file
trustedkey 11 22 33 44 #trusted keys (the keys defined in ntp.keys)
requestkey 11 22 33 44 #keys ntpdc may use
controlkey 11 #key ntpq may use
authdelay 0.000094 #authentication needs extra computation time; this declares that time
The final ntp.conf configuration file looks roughly like this:
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
#restrict 172.24.20.0 255.255.255.0
#restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
keys /etc/ntp.keys
trustedkey 11 22 33 44
requestkey 11 22 33 44
controlkey 11
authdelay 0.000094
After configuring, restart the service.
service ntp restart
Then it works.
2. Rant
Well, this NTP authorization business has had me going back and forth for a month; I was about to spit blood and give up. Lots of sources said just create an ntp.keys and edit ntp.conf and you are done, but it simply would not take effect. Just as I was about to give up I happened to see a mention of the file permissions problem, and it finally worked, but still only on 4.2.6. 4.2.4 itself has a lot of bugs and I could not get it to install on BT5 no matter what, so I gave up on it.
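As an added check (example code written for this page, not from the original post or the NTP project), the following script parses an ntp.keys file and the trustedkey/requestkey/controlkey directives of an ntp.conf and reports the three things the steps above depend on: the key file is not group/world accessible (the chmod 600 step), every key ID named in ntp.conf is defined in ntp.keys, and request/control IDs are also listed under trustedkey as authopt.html requires. SAMPLE_KEYS and SAMPLE_CONF are constructed copies of the post's files; in real use pass the mode obtained from stat.S_IMODE(os.stat(path).st_mode).

```python
# Consistency check for an ntpd symmetric-key setup (added example, not from the post).
# Reports: key file readable by others, key ids missing from ntp.keys, and
# request/control ids that are not also trusted (authopt.html requirement).
import re

RANGE = re.compile(r"\((\d+) \.\.\. (\d+)\)")  # authopt range syntax: (lowid ... highid)

# Constructed sample mirroring the post's files (pass1..pass4 are placeholder secrets).
SAMPLE_KEYS = "11 M pass1\n22 M pass2\n33 M pass3\n44 M pass4\n"
SAMPLE_CONF = "keys /etc/ntp.keys\ntrustedkey 11 22 33 44\nrequestkey 11 22 33 44\ncontrolkey 11\n"

def parse_keys(text):
    """Parse ntp.keys lines '<keyid> <type> <secret>'; '#' begins a comment."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"malformed ntp.keys line: {line!r}")
        keys[int(parts[0])] = (parts[1], parts[2])
    return keys

def parse_conf_keyids(text):
    """Collect ids from trustedkey/requestkey/controlkey lines, expanding ranges."""
    ids = {"trustedkey": set(), "requestkey": set(), "controlkey": set()}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts or parts[0] not in ids:
            continue
        rest = " ".join(parts[1:])
        for lo, hi in RANGE.findall(rest):
            ids[parts[0]].update(range(int(lo), int(hi) + 1))
        ids[parts[0]].update(int(tok) for tok in RANGE.sub("", rest).split())
    return ids

def check_setup(keys_text, conf_text, keys_mode):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    if keys_mode & 0o077:  # any group/other bit set: ntpd must be the only reader
        problems.append(f"ntp.keys mode {keys_mode:04o} is group/world accessible; chmod 600")
    keys, ids = parse_keys(keys_text), parse_conf_keyids(conf_text)
    for directive, wanted in ids.items():
        problems += [f"{directive} {k} not defined in ntp.keys" for k in sorted(wanted - set(keys))]
    for directive in ("requestkey", "controlkey"):
        problems += [f"{directive} {k} not listed under trustedkey"
                     for k in sorted(ids[directive] - ids["trustedkey"])]
    return problems
```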