I'm trying to set up an NTP timeserver for hosts on my internal network to synchronise against.
I need to use authorisation in order to comply with PCI standards.
I've created a set of keys using ntp-keygen -M and added the below snippet to my /etc/ntp.conf file on the server.
enable auth
keys /etc/ntp.keys
trustedkey 1 7 17
I'm unable to connect to the server from a client. When I run "ntpq -c as" on the client I can see that auth is "bad" for my server. I have copied the key file that was generated on the server to the client and added the trusted key lines to the client too, like this:
server timeserver key 17
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1 7 17
Looking at the server logs I can see that I'm getting a permission denied fault when trying to read the file, as below.
Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Starting LSB: Start NTP daemon...
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]: * Starting NTP server ntpd
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: ntpd [email protected] Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]: ...done.
Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Started LSB: Start NTP daemon.
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: proto: precision = 0.182 usec (-22)
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: authreadkeys: file /etc/ntp.keys: Permission denied
I have used ntpdate from the client machine to set the date from the server so I'm pretty confident that the networking is up and running. I've actually disabled iptables on both servers while I'm busy trying to set this up.
The key file is 600 on the server, like this:
-rw------- 1 root root 1066 Jan 30 12:29 ntpkey_MD5key_timeserver.3694768152
lrwxrwxrwx 1 root root 35 Jan 30 12:33 ntp.keys -> ntpkey_MD5key_timeserver.3694768152
I've tried changing the config to point to the actual file and not the symlink.
Can anybody help me work out what the error in the syslog means and how to resolve this?
EDIT: Looking at the source it looks like the "Permission denied" part of the error is coming from the OS.
If the key file is readable by root only, but ntpd is running as a non-root user, e.g. using -u ntp:ntp, make sure the effective user can read the key file. For example you could use chmod u=rw,g=r,o= keyfile for the key file to allow the group to read, and then do a chgrp ntp keyfile to assign group ntp to the file, effectively allowing group ntp to access the file (but you knew that already, right?).
Still it may be worth checking for additional restrictions imposed by apparmor or selinux. For the former you can try aa-status | grep ntpd to check.

I spun up an Ubuntu 14.04 instance and noticed an AppArmor message in the logs after the same "permission denied" message.
Disabling the ntp profile for apparmor resolved the issue.
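The two checks from the answer above, as an added shell example that is not part of the original question or answers: first, whether the uid/gid that ntpd drops to (the -u 112:116 in the question's log line) can read the file the ntp.keys symlink points at, judged by the target's mode and ownership the way the kernel does; second, whether an AppArmor profile for ntpd is loaded, which a plain permission check cannot see. It assumes GNU coreutils (stat -c, readlink -f, i.e. a Linux host like the Ubuntu instances in the thread); the key path, the user name ntp and the uid:gid are taken from the question and are only illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or the ntp project.
# Assumes GNU coreutils (stat -c, readlink -f). Paths/users are illustrative.

# key_readable_by FILE UID GID
# Prints "yes" or "no" (and returns 0/1) using POSIX permission semantics:
# root reads anything; the file owner is judged by the owner bits only;
# otherwise a member of the file's group by the group bits; everyone else
# by the "other" bits. Follows symlinks, because ntpd opens the target.
key_readable_by() {
    file=$1 uid=$2 gid=$3
    target=$(readlink -f "$file" 2>/dev/null) && [ -e "$target" ] \
        || { echo no; return 1; }
    info=$(stat -c '%a %u %g' "$target") || return 2
    set -- $info
    mode=$((0$1)) fuid=$2 fgid=$3   # leading 0 makes the shell parse octal
    if [ "$uid" -eq 0 ]; then
        can=1
    elif [ "$fuid" -eq "$uid" ]; then
        can=$(( (mode >> 6) & 4 ))
    elif [ "$fgid" -eq "$gid" ]; then
        can=$(( (mode >> 3) & 4 ))
    else
        can=$(( mode & 4 ))
    fi
    if [ "$can" -ne 0 ]; then echo yes; return 0; else echo no; return 1; fi
}

# apparmor_ntpd_status: the answer's "aa-status | grep ntpd" check.
# aa-status needs root; without it the grep simply finds nothing.
apparmor_ntpd_status() {
    if command -v aa-status >/dev/null 2>&1; then
        aa-status 2>/dev/null | grep -i ntpd || echo "no ntpd AppArmor profile listed"
    else
        echo "AppArmor tools not installed"
    fi
}

# Usage: sh check_ntp_keys.sh /etc/ntp.keys ntp
# (the user is the one given to ntpd -u; the log above shows 112:116)
if [ $# -eq 2 ]; then
    keyfile=$1 user=$2
    uid=$(id -u "$user") && gid=$(id -g "$user") || exit 2
    target=$(readlink -f "$keyfile")
    printf '%s -> %s readable by uid %s gid %s: ' "$keyfile" "$target" "$uid" "$gid"
    if ! key_readable_by "$keyfile" "$uid" "$gid"; then
        echo "fix: chgrp $(id -gn "$user") $target && chmod u=rw,g=r,o= $target"
    fi
    apparmor_ntpd_status
fi
```

Run it on the server as sh check_ntp_keys.sh /etc/ntp.keys ntp. A "no" followed by the suggested chgrp/chmod pair is the root-only 600 case from the answer; a "yes" while ntpd still logs authreadkeys: Permission denied means the block is outside ordinary file permissions, which is where the AppArmor (or SELinux) line comes in.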