Feature #8794

open

NTP authentication

Added by Tod L over 5 years ago. Updated about 2 months ago.

Status: New
Priority: Low
Assignee: -
Category: NTPD
Target version:
Start date: 08/17/2018
Due date:
% Done: 50%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

NIST 800-53, specifically CM-6, requires that network devices sync their time source using authenticated NTP. I'd like to request that the NTP client in pfSense have an option to use authentication with NIST time servers. Cisco routers have this capability built in.


Files

  • Authenticated NTP.JPG (58.8 KB) - Jonathan Lee, 03/03/2023 08:57 AM
  • status_ntpd.php.auth.patch (3.58 KB) - Adds output of 'ntpq -c associations' to /usr/local/www/status_ntpd.php - LamaZ ., 03/03/2023 03:00 PM
  • system.inc.ntp-auth.23.01.patch (1.56 KB) - Adds support for $ntp_key in function system_ntp_configure() - LamaZ ., 03/03/2023 03:00 PM
  • Screenshot 2023-12-05 at 8.12.05 PM.png (498 KB) - GUI now has authentication key for auth-NTP - Jonathan Lee, 12/06/2023 04:32 AM
  • Screenshot 2023-12-05 at 7.35.29 PM.png (172 KB) - Jonathan Lee, 12/06/2023 04:33 AM
  • Screenshot 2023-12-05 at 8.15.50 PM.png (87.6 KB) - Jonathan Lee, 12/06/2023 04:33 AM
  • 8794.patch (7.6 KB) - workaround patch - Marcos M, 01/10/2024 07:51 PM
  • 8794.patch (10.3 KB) - Matthew Ray, 03/04/2024 01:03 AM

Actions #1

Updated by Jim Pingle over 4 years ago

  • Category set to NTPD

Actions #2

Updated by Viktor Gurov about 4 years ago

Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only

Actions #3

Updated by Viktor Gurov over 3 years ago

Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472

Actions #4

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

Actions #5

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #6

Updated by Anonymous over 3 years ago

  • Assignee changed from Renato Botelho to Tod L

Actions #7

Updated by Viktor Gurov over 3 years ago

  • Status changed from Feedback to New
  • Target version changed from 2.5.0 to CE-Next

After configuring ntpd authentication on the Debian peer, I can see packets with a MAC:

Network Time Protocol (NTP Version 4, server)
    Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
    Peer Clock Stratum: secondary reference (3)
    Peer Polling Interval: 6 (64 sec)
    Peer Clock Precision: 0.000015 sec
    Root Delay: 0.0244598388671875 seconds
    Root Dispersion: 0.07177734375 seconds
    Reference ID: 193.182.111.13
    Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC
    Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC
    Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC
    Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC
    Key ID: 00000001
    Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7

linux peer 'ntpq -c as' output:

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 59188  8811   yes  none  none    reject    mobilize  1
  2 59189  f31a   yes   yes   ok    outlier    sys_peer  1

pfSense 2.5.0.a.20201127.1850

pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next
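The Key ID and Message Authentication Code fields in the capture above are what NTP symmetric-key authentication adds to a packet: a 4-byte key ID followed by a digest computed over the key concatenated with the 48-byte header (RFC 5905 section 7.3). The following is an added example, not code from this ticket, from pfSense or from ntpd; it reproduces that construction for the MD5 and SHA1 key types, builds a header with the same flags, stratum, poll and precision as the captured packet (timestamps left at zero), and verifies a packet against a key table. The key material and the key table layout are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Digest lengths ntpd appends for its MD5 and SHA1 key types (RFC 5905 section 7.3)
DIGEST_LEN = {"md5": 16, "sha1": 20}
HEADER_LEN = 48


def build_ntp_header(li_vn_mode=0x24, stratum=3, poll=6, precision=-16,
                     root_delay=0, root_disp=0, ref_id=b"\x00" * 4,
                     ref_ts=0, orig_ts=0, recv_ts=0, xmit_ts=0):
    """Pack a 48-byte NTPv4 header (no extension fields).  Defaults mirror
    the capture above: flags 0x24 = version 4 / mode 4 (server), stratum 3,
    poll 6, precision 2^-16 s.  Timestamps are left at zero for the demo."""
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id,
                       ref_ts, orig_ts, recv_ts, xmit_ts)


def ntp_mac(key, header, key_id, algo="md5"):
    """Return the MAC ntpd appends: 4-byte key ID || H(key || header)."""
    if algo not in DIGEST_LEN:
        raise ValueError(f"unsupported key type {algo!r}")
    return struct.pack("!I", key_id) + hashlib.new(algo, key + header).digest()


def authenticate(key, header, key_id, algo="md5"):
    """Authenticated packet = header || MAC (the 'Key ID' and
    'Message Authentication Code' fields in the capture)."""
    return header + ntp_mac(key, header, key_id, algo)


def verify(keys, packet):
    """Check a received packet against a {key_id: (algo, key)} table
    (constructed layout for this demo).  Returns (ok, key_id).  An absent
    MAC, an unknown key ID, a digest of the wrong length for that key type,
    or a forged digest all fail; the digest comparison is constant-time."""
    if len(packet) < HEADER_LEN + 4:
        return False, None  # unauthenticated packet: no key ID present
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, key_id
    algo, key = keys[key_id]
    if len(mac) != 4 + DIGEST_LEN[algo]:
        return False, key_id
    expected = hashlib.new(algo, key + header).digest()
    return hmac.compare_digest(expected, mac[4:]), key_id


if __name__ == "__main__":
    # key ID 1 as in the capture; the key material itself is made up
    keys = {1: ("md5", b"constructed-demo-key")}
    packet = authenticate(keys[1][1], build_ntp_header(), 1)
    print(verify(keys, packet))                                      # (True, 1)
    tampered = packet[:1] + bytes([packet[1] ^ 0x01]) + packet[2:]  # change stratum
    print(verify(keys, tampered))                                    # (False, 1)
```

The digest covers the header only, so any change to the timestamps or stratum invalidates it, but the key ID itself is sent in clear and is not covered; a receiver therefore has to look the key up by ID and recompute the digest with that key, which is what the `auth` column of `ntpq -c associations` reports the result of.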

Actions #8

Updated by LamaZ . about 3 years ago

Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.

Patch pasted here:
https://forum.netgate.com/post/977899; see below the auth field indicating ok on the NTP client on pfSense.

[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-g.nist.gov  .NIST.           1 u    7   64  377   10.865   -0.019   0.738

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 64816  f61a   yes   yes   ok   sys.peer    sys_peer  1

-LamaZ

Actions #9

Updated by Steve Wheeler almost 3 years ago

  • % Done changed from 100 to 50

The ntp client auth is yet to be implemented.

Actions #10

Updated by Ansley Barnes almost 3 years ago

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

Actions #11

Updated by Viktor Gurov over 2 years ago

Ansley Barnes wrote in #note-10:

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

see #12213

Actions #12

Updated by Jonathan Lee about 1 year ago

Are there any updates on this? I am also using LamaZ's patch, as it will not use authentication without both key and key value, similar to Palo Alto.

https://forum.netgate.com/topic/162746/authenicated-ntp/

He made a new patch for 23.01

Actions #13

Updated by LamaZ . about 1 year ago

Patch files for review attached.

All that is needed is to add the ntp key variable to be set from /usr/local/www/services_ntpd.php.

See https://forum.netgate.com/topic/162746/authenicated-ntp for details.

-LamaZ

Actions #14

Updated by Jonathan Lee about 1 year ago

I can confirm this issue still occurs in version 23.

Actions #15

Updated by Matthew Ray 5 months ago

Added NTP Authentication key ID field to the GUI and config
https://github.com/pfsense/pfsense/pull/4658

Actions #16

Updated by Jonathan Lee 5 months ago

Thanks Matthew and LamaZ. I have confirmed this works as expected with the GUI entry in pfSense Plus; also, the patch needs to strip off /src.

Patches have been tested in 23.05.01 (Jonathan Lee's Everything Bagel version; I can't move to 23.09).

Actions #17

Updated by Marcos M 5 months ago

Some general notes:
  • The authentication key is only supported with the peer and server types according to the man page.
  • Loading Services > NTP ignores the type and sets the selected Time Server Type to Pool.
  • Setting the type to Server does not work - the server config is removed from config.xml and /var/etc/ntpd.conf ends up using pool instead.
  • I'm not sure what the distinction is between the "NTP client" and "NTP server"; the NTP servers configured under System > General Setup and Services > NTP both share the same ntpd config file (/var/etc/ntpd.conf).

The attached workaround patch may be applied using the System Patches package until (if/when) the feature is properly implemented.

Simply add a new patch using the URL https://redmine.pfsense.org/attachments/download/5805/8794.patch, save, then apply.

Actions #18

Updated by Jonathan Lee 5 months ago

Just to confirm, Marcos M: I could not use NTP authentication directly for NIST.GOV without the two-part key entry; without the patch seen here it is not usable. Palo Alto authenticated NTP also has a two-part entry in the GUI. It does work, as it shows AUTH ok when I run the following command with the patch in use...

ntpq -c associations

This shows ok for auth when the two-part key entry is used. Normally the pfSense GUI does not provide a location to input the KEY ID; two parts are required for NIST.GOV authenticated NTP server use.

It requires:
  1. KEY ID
  2. Authentication KEY
for use of the authenticated NTP service with NIST.GOV.
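The `ntpq -c associations` output quoted in #7, #8 and here is checked by eye for `auth ... ok`. The following is an added example, not from this ticket, from pfSense or from ntpd, of doing that check in a script: it parses the associations table, decodes the hexadecimal `status` word (bit layout from ntpd's ntp_control.h: config, authenable, authentic, reach and bcast flags in the high nibble and bit 3, then a 3-bit select code, a 4-bit event counter and a 4-bit last-event code), and lists every configured association that is not authenticated. The sample tables are copied from the comments above; the function names are this example's own.

```python
import re

# Select (condition) codes and peer event codes as ntpq prints them
SELECT = ["reject", "falsetick", "excess", "outlier",
          "candidate", "backup", "sys.peer", "pps.peer"]
EVENTS = ["", "mobilize", "demobilize", "unreachable", "reachable", "restart",
          "no_reply", "rate_exceeded", "access_denied", "leap_armed", "sys_peer",
          "clock_event", "bad_auth", "popcorn", "interleave_mode", "interleave_error"]

# Tables copied from comments #7 (Debian peer) and #8 (pfSense 21.02.2) above
SAMPLE_DEBIAN = """\
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 59188  8811   yes  none  none    reject    mobilize  1
  2 59189  f31a   yes   yes   ok    outlier    sys_peer  1
"""
SAMPLE_PFSENSE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-g.nist.gov  .NIST.           1 u    7   64  377   10.865   -0.019   0.738

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 64816  f61a   yes   yes   ok   sys.peer    sys_peer  1
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s+(\S+)"
                 r"\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def decode_status(word):
    """Decode a 16-bit peer status word such as 0xf61a into its fields."""
    flags = word >> 8
    auth_enabled = bool(flags & 0x40)   # a key is configured for this association
    authentic = bool(flags & 0x20)      # and the last MAC verified
    return {
        "configured": bool(flags & 0x80),
        "auth": ("ok" if authentic else "bad") if auth_enabled else "none",
        "reach": bool(flags & 0x10),
        "broadcast": bool(flags & 0x08),
        "condition": SELECT[flags & 0x07],
        "count": (word >> 4) & 0x0F,
        "last_event": EVENTS[word & 0x0F],
    }


def parse_associations(text):
    """Return one dict per association row; header, ruler and 'ntpq -p'
    peer lines do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ind, assid, status, conf, reach, auth, condition, last_event, cnt = m.groups()
        rows.append({"ind": int(ind), "assid": int(assid), "status": int(status, 16),
                     "conf": conf, "reach": reach, "auth": auth, "condition": condition,
                     "last_event": last_event, "cnt": int(cnt)})
    return rows


def unauthenticated_servers(rows):
    """Configured associations whose MAC did not verify or that have no key.
    An empty list is the result a CM-6 check wants; the auth column and the
    status word are both consulted so a mismatch between them is not missed."""
    return [r for r in rows if r["conf"] == "yes"
            and (r["auth"] != "ok" or decode_status(r["status"])["auth"] != "ok")]


if __name__ == "__main__":
    for name, sample in (("debian", SAMPLE_DEBIAN), ("pfsense", SAMPLE_PFSENSE)):
        bad = unauthenticated_servers(parse_associations(sample))
        print(name, "unauthenticated assids:", [r["assid"] for r in bad])
```

Note that `auth bad` (key configured, MAC failed) and `auth none` (no key at all) are both failures for this purpose; `bad_auth` in the `last_event` column is the event ntpd logs when a MAC check fails.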

Actions #19

Updated by Jonathan Lee 4 months ago

https://github.com/pfsense/pfsense/pull/4658

User MatthewA1 has merged Marcos's requests as well as added the missing GUI item to make this work correctly.

Actions #20

Updated by Marcos M 4 months ago

Actions #21

Updated by Marcos M 4 months ago

  • Assignee deleted (Tod L)
  • Priority changed from Normal to Low

Actions #22

Updated by Matthew Ray 3 months ago

@Marcos M
Is there something I need to do to get this merged? The PR still has the changes requested label applied even though I incorporated the changes you suggested with your patch.
I know this patch does not fully resolve all the issues, but it at least makes this feature function whereas right now it is essentially broken.
If there is some minimum level of the additional changes that need to be made, please let me know so I can focus on getting those in.

Actions #23

Updated by Matthew Ray about 2 months ago

I've added a checkbox for each time server called "Authenticated" so that NTP authentication can be enabled/disabled on a per server/peer basis. It also validates that authentication is not enabled for an NTP pool.
Attached is a new patch file.

Some additional changes need to be made to allow for further improvements (such as per-server keys) and to resolve the other issues pointed out by Marcos M, but to properly do so, I think some significant changes to config.xml are needed. I don't want to start down that road without some direction/approval from the pfSense maintainers, but here is my general idea:
  1. Remove the <timeservers> element entirely and instead store the time servers in <ntpd>. The only reason I can see to keep this around is if there are plans to implement a service such as chrony that actually is a client only.
  2. Restructure <ntpd> to have an element that contains each server as its own individual element (e.g., <ntpd>/<timeservers>/<timeserver>)
  3. Restructure <ntpd>'s authentication details to allow multiple NTP keys (e.g., <ntpd>/<serverauthkeys>/<key>)

I think it would end up looking something like this:

<ntpd>
    <enabled>enabled</enabled>
    <gps></gps>
    <orphan></orphan>
    <ntpminpoll></ntpminpoll>
    <ntpmaxpoll></ntpmaxpoll>
    <dnsresolv>auto</dnsresolv>
    <timeservers>
        <timeserver>
            <type>[server|pool|peer]</type>
            <server>[FQDN|IP]</server>
            (<prefer/>)
            (<noselect/>)
            (<authkey>[#]</authkey>)
        </timeserver>
        ...
    </timeservers>
    <serverauth>[yes|no]</serverauth>
    <serverauthkeys>
        <key>
            <id>[#]</id>
            <key>[keystring]</key>
            <algo>[md5|sha1|sha256]</algo>
        </key>
        ...
    </serverauthkeys>
</ntpd>

I think this is necessary for all the changes to be implemented, but it also expands the scope of this ticket a bit. Do I need to open a separate ticket to suggest this?
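What the schema sketched above would have to become on disk is a small renderer: ntpd reads a `keys` file of `id type secret` lines, a `trustedkey` list, and `server`/`peer`/`pool` lines that may carry `key N`, `prefer` and `noselect`. The following is an added example, not code from this ticket, from pfSense or from any commenter, of such a renderer over the proposed layout. It enforces the two constraints raised earlier in the thread: a key is accepted only on server and peer entries, never on a pool, and every `authkey` must reference a defined key. The keys-file path, the hosts in the sample and the key strings are constructed for the demo; the directive names are standard ntpd ones. The choice to trust every defined key when `serverauth` is yes, and only the referenced ones otherwise, is this example's own.

```python
import xml.etree.ElementTree as ET

KEYS_FILE = "/var/etc/ntp.keys"            # assumed path for the demo, not pfSense's
ALGOS = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}  # keys-file type names

# Constructed instance of the proposed <ntpd> layout (placeholders filled in)
SAMPLE = """<ntpd>
    <enabled>enabled</enabled>
    <dnsresolv>auto</dnsresolv>
    <timeservers>
        <timeserver><type>server</type><server>ntp-g.nist.gov</server><prefer/><authkey>1</authkey></timeserver>
        <timeserver><type>peer</type><server>192.0.2.10</server><noselect/><authkey>2</authkey></timeserver>
        <timeserver><type>pool</type><server>pool.example.net</server></timeserver>
    </timeservers>
    <serverauth>yes</serverauth>
    <serverauthkeys>
        <key><id>1</id><key>demo-key-one</key><algo>md5</algo></key>
        <key><id>2</id><key>demo-key-two</key><algo>sha1</algo></key>
    </serverauthkeys>
</ntpd>"""


def load_keys(root):
    """Collect <serverauthkeys>/<key> entries as {id: (TYPE, secret)},
    rejecting duplicate IDs and algorithms ntpd would not understand."""
    keys = {}
    for k in root.findall("./serverauthkeys/key"):
        kid = int(k.findtext("id"))
        algo = (k.findtext("algo") or "md5").lower()
        if algo not in ALGOS:
            raise ValueError(f"key {kid}: unsupported algorithm {algo!r}")
        if kid in keys:
            raise ValueError(f"duplicate key id {kid}")
        keys[kid] = (ALGOS[algo], k.findtext("key"))
    return keys


def render(xml_text):
    """Return (ntpd.conf text, keys-file text) for an <ntpd> element."""
    root = ET.fromstring(xml_text)
    keys = load_keys(root)
    lines, used = [], set()
    for ts in root.findall("./timeservers/timeserver"):
        kind, host = ts.findtext("type"), ts.findtext("server")
        if kind not in ("server", "peer", "pool"):
            raise ValueError(f"{host}: unknown type {kind!r}")
        parts = [kind, host]
        authkey = ts.findtext("authkey")
        if authkey is not None:
            kid = int(authkey)
            if kind == "pool":   # ntpd's key option applies to server and peer only
                raise ValueError(f"{host}: authentication is not supported for pool entries")
            if kid not in keys:
                raise ValueError(f"{host}: authkey {kid} is not defined in serverauthkeys")
            parts += ["key", str(kid)]
            used.add(kid)
        if ts.find("prefer") is not None:
            parts.append("prefer")
        if ts.find("noselect") is not None:
            parts.append("noselect")
        lines.append(" ".join(parts))
    # Trust all keys when this host also authenticates clients, else only those referenced
    trusted = sorted(keys) if root.findtext("serverauth") == "yes" else sorted(used)
    if trusted:
        lines = [f"keys {KEYS_FILE}", "trustedkey " + " ".join(map(str, trusted))] + lines
    keys_text = "\n".join(f"{kid} {algo} {secret}"
                          for kid, (algo, secret) in sorted(keys.items()))
    return "\n".join(lines) + "\n", keys_text + "\n"


if __name__ == "__main__":
    conf, keyfile = render(SAMPLE)
    print(conf)
    print(keyfile)
```

Whatever the final schema, the validation belongs at save time in services_ntpd.php as well as in the renderer, so a pool with a key, or a key ID with no entry in the key table, is rejected before ntpd is restarted with a config it will not honour.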
