Feature #8794
open
NTP authentiction
50%
Description
NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.
Files
| Authenticated NTP.JPG (58.8 KB) Authenticated NTP.JPG | |||
| status_ntpd.php.auth.patch (3.58 KB) status_ntpd.php.auth.patch | Adds output of 'ntpq -c associations' to /usr/local/www/status_ntpd.php | ||
| system.inc.ntp-auth.23.01.patch (1.56 KB) system.inc.ntp-auth.23.01.patch | Adds support for $ntp_key in function system_ntp_configure() |
Updated by Viktor Gurov about 3 years ago
Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only
Updated by Viktor Gurov over 2 years ago
Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho over 2 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Anonymous over 2 years ago
- Assignee changed from Renato Botelho to Tod L
Updated by Viktor Gurov over 2 years ago
- Status changed from Feedback to New
- Target version changed from 2.5.0 to CE-Next
after configuring ntpd authentication on Debian peer I can see packets with MAC:
Network Time Protocol (NTP Version 4, server)
Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
Peer Clock Stratum: secondary reference (3)
Peer Polling Interval: 6 (64 sec)
Peer Clock Precision: 0.000015 sec
Root Delay: 0.0244598388671875 seconds
Root Dispersion: 0.07177734375 seconds
Reference ID: 193.182.111.13
Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC
Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC
Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC
Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC
Key ID: 00000001
Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7
linux peer 'ntpq -c as' output:
ind assid status conf reach auth condition last_event cnt =========================================================== 1 59188 8811 yes none none reject mobilize 1 2 59189 f31a yes yes ok outlier sys_peer 1
pfSense 2.5.0.a.20201127.1850
pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next
Updated by LamaZ . almost 2 years ago
Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.
Patch pasted here:
https://forum.netgate.com/post/977899, see below auth field indicating ok on the ntp client on pfSense.
[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp-g.nist.gov .NIST. 1 u 7 64 377 10.865 -0.019 0.738
ind assid status conf reach auth condition last_event cnt
===========================================================
1 64816 f61a yes yes ok sys.peer sys_peer 1
-LamaZ
Updated by Steve Wheeler almost 2 years ago
- % Done changed from 100 to 50
The ntp client auth is yet to be implemented.
Updated by Ansley Barnes over 1 year ago
Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.
Updated by Viktor Gurov over 1 year ago
Updated by Jonathan Lee 30 days ago
- File Authenticated NTP.JPG Authenticated NTP.JPG added
Is there any updates on this. I am also using Lamaz patch as it will not use authentication without both key and key value. Similar to Palo Alto
https://forum.netgate.com/topic/162746/authenicated-ntp/
He made a new patch for 23.01
Updated by LamaZ . 30 days ago
- File status_ntpd.php.auth.patch status_ntpd.php.auth.patch added
- File system.inc.ntp-auth.23.01.patch system.inc.ntp-auth.23.01.patch added
Patch files for review attached.
All that is needed is to add the ntp key variable to be set from /usr/local/www/services_ntpd.php.
See https://forum.netgate.com/topic/162746/authenicated-ntp for details.
-LamaZ
Updated by Jonathan Lee 20 days ago
I can confirm this issue still occurs in version 23