Authenticating NTP

Problem

You want to make sure that the router gets time updates only from known and trusted NTP servers.

Solution

Set up NTP authentication:

[edit system ntp]
aviva@router1# set authentication-key 12 type md5 value $1991poppI
aviva@router1# set server 172.10.23.196 key 12
aviva@router1# set trusted-key 12
aviva@router1# show
authentication-key 12 type md5 value "$9$G4UjHqmfT365TIEhcMW4aZGHmP5Fn/A"; ## SECRET-DATA
server 172.10.23.196 key 12; ## SECRET-DATA
trusted-key 12;

Discussion

By default, your router takes its time from whichever of its NTP servers appears to be the most accurate. To ensure that routers receive time only from known and trusted sources, enable NTP authentication. The JUNOS implementation of NTP uses MD5 for authentication. You set up one or more trusted keys. Each key is identified by a number, here 12, and you establish a password for each key in the value option of the authentication-key statement. We are using a password of $1991poppI. When you configure the NTP server's address, you also set which NTP key the local router will send in all NTP updates. Finally, in the trusted-key statement you configure which NTP keys the router accepts, so that when it receives NTP updates it can authenticate and accept them. You have to configure the same trusted keys and passwords on all the NTP servers and peer routers on your network. Based on the example here, you need to configure the router 172.10.23.196 to accept trusted key 12, and you need to configure the same MD5 password ($1991poppI) on it so that it can exchange NTP updates with your local router.
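The mechanism behind these three statements, shown as an added Python example (not JUNOS code and not from the cookbook): the sender appends a key ID and an MD5 digest computed over the key followed by the NTP header (the NTPv4 keyed-MD5 MAC from RFC 5905, Appendix A), and the receiver first checks the key ID against its trusted-key table and only then recomputes the digest. The trusted-key table, the key number 12, and the password $1991poppI are taken from the recipe; the packet contents are constructed here.

```python
import hashlib
import hmac
import struct
import time

# Modelled on "trusted-key 12" plus "authentication-key 12 ... value $1991poppI".
# Only key numbers listed here are accepted; the password is the MD5 key material.
TRUSTED_KEYS = {12: b"$1991poppI"}

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_ntp_header(tx_seconds=None):
    """Return a minimal 48-byte NTPv4 client header (LI=0, VN=4, Mode=3).

    Only the transmit timestamp is filled in; everything else is zero,
    which is enough to demonstrate what the MAC covers.
    """
    if tx_seconds is None:
        tx_seconds = int(time.time()) + NTP_EPOCH_OFFSET
    first_byte = (0 << 6) | (4 << 3) | 3  # leap=0, version=4, mode=3 (client)
    # 1 flag byte + 39 bytes of stratum/poll/precision/root fields/timestamps,
    # then the 8-byte transmit timestamp (seconds, fraction) = 48 bytes.
    return bytes([first_byte]) + b"\x00" * 39 + struct.pack("!II", tx_seconds, 0)


def sign_ntp(header, key_id, key):
    """Append the NTPv4 MD5 MAC: 4-byte key ID, then MD5(key || header).

    Note this is a keyed prefix digest as NTP defines it, not HMAC-MD5.
    The key ID tells the receiver which trusted key to look up.
    """
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp(packet, trusted_keys):
    """Mirror the router's acceptance check. Returns (accepted, reason).

    An unauthenticated packet and a packet whose key ID is not in the
    trusted-key table are both rejected before any digest is computed;
    a trusted key ID with a wrong password fails the digest comparison.
    """
    if len(packet) != 48 + 4 + 16:
        return False, "no MD5 MAC present"
    header, mac = packet[:48], packet[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):  # constant-time comparison
        return False, f"digest mismatch for key {key_id}"
    return True, f"authenticated with key {key_id}"


def demo():
    """Run the four cases a peer can present and return their outcomes."""
    header = build_ntp_header(tx_seconds=3900000000)  # constructed timestamp
    cases = {
        "correct key and password": sign_ntp(header, 12, b"$1991poppI"),
        "untrusted key id": sign_ntp(header, 13, b"$1991poppI"),
        "trusted key, wrong password": sign_ntp(header, 12, b"wrong"),
        "no authentication": header,
    }
    return {name: verify_ntp(pkt, TRUSTED_KEYS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:30s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of checks matters for the same reason it does on the router: the trusted-key lookup is what lets you decommission a key by removing it from the trusted list, regardless of whether a peer still knows the password.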

After you type the plain-text MD5 password, the displayed configuration shows the encrypted version of the password. You can use the encrypted version (the string that starts with $9$G) when you configure the same password on other routers, or you can use the plain-text password. In the configuration, the JUNOS software marks all encrypted information with the string ## SECRET-DATA. You can use this additional text as a way to hide these portions of the configuration when you have to share the configuration file with an untrusted party, or when you want to locate and remove this information before archiving the configuration in a location that might not be secure.

aviva@router1> show configuration system ntp | except SECRET-DATA
server 172.10.23.196;
trusted-key 123456;

Notice that the authentication-key statement is not shown at all, while the server statement is shown but with only the server's address. The key information is removed.
