Feature #8794
closedNTP authentication support
100%
Description
NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.
Files
Updated by Viktor Gurov over 4 years ago
Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only
Updated by Viktor Gurov about 4 years ago
Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Anonymous about 4 years ago
- Assignee changed from Renato Botelho to Tod L
Updated by Viktor Gurov almost 4 years ago
- Status changed from Feedback to New
- Target version changed from 2.5.0 to CE-Next
after configuring ntpd authentication on Debian peer I can see packets with MAC:
Network Time Protocol (NTP Version 4, server) Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server Peer Clock Stratum: secondary reference (3) Peer Polling Interval: 6 (64 sec) Peer Clock Precision: 0.000015 sec Root Delay: 0.0244598388671875 seconds Root Dispersion: 0.07177734375 seconds Reference ID: 193.182.111.13 Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC Key ID: 00000001 Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7
linux peer 'ntpq -c as' output:
ind assid status conf reach auth condition last_event cnt =========================================================== 1 59188 8811 yes none none reject mobilize 1 2 59189 f31a yes yes ok outlier sys_peer 1
pfSense 2.5.0.a.20201127.1850
pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next
Updated by LamaZ . over 3 years ago
Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.
Patch pasted here:
https://forum.netgate.com/post/977899, see below auth field indicating ok on the ntp client on pfSense.
[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp-g.nist.gov .NIST. 1 u 7 64 377 10.865 -0.019 0.738
ind assid status conf reach auth condition last_event cnt
===========================================================
1 64816 f61a yes yes ok sys.peer sys_peer 1
-LamaZ
Updated by Steve Wheeler over 3 years ago
- % Done changed from 100 to 50
The ntp client auth is yet to be implemented.
Updated by Ansley Barnes over 3 years ago
Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.
Updated by Viktor Gurov over 3 years ago
Updated by Jonathan Lee over 1 year ago
- File Authenticated NTP.JPG Authenticated NTP.JPG added
Is there any updates on this. I am also using Lamaz patch as it will not use authentication without both key and key value. Similar to Palo Alto
https://forum.netgate.com/topic/162746/authenicated-ntp/
He made a new patch for 23.01
Updated by LamaZ . over 1 year ago
- File status_ntpd.php.auth.patch status_ntpd.php.auth.patch added
- File system.inc.ntp-auth.23.01.patch system.inc.ntp-auth.23.01.patch added
Patch files for review attached.
All that is needed is to add the ntp key variable to be set from /usr/local/www/services_ntpd.php.
See https://forum.netgate.com/topic/162746/authenicated-ntp for details.
-LamaZ
Updated by Jonathan Lee over 1 year ago
I can confirm this issue still occurs in version 23
Updated by Matthew Ray 12 months ago
Added NTP Authentication key ID field to the GUI and config
https://github.com/pfsense/pfsense/pull/4658
Updated by Jonathan Lee 12 months ago
- File Screenshot 2023-12-05 at 8.12.05 PM.png Screenshot 2023-12-05 at 8.12.05 PM.png added
- File Screenshot 2023-12-05 at 7.35.29 PM.png Screenshot 2023-12-05 at 7.35.29 PM.png added
- File Screenshot 2023-12-05 at 8.15.50 PM.png Screenshot 2023-12-05 at 8.15.50 PM.png added
Thanks Matthew and Lamar I have confirmed this works as expected with GUI entry in pfSense Plus also patch needs to strip off /src
Patches have been tested in 23.05.01 (Jonathan Lee's Everything Bagel Version I can't move to 23.09)
Updated by Marcos M 12 months ago
- The authentication key is only supported with the
peer
andserver
types according to the man page. - Loading
Services > NTP
ignores the type and sets the selected Time Server Type toPool
. - Setting the type to
Server
does not work - the server config is removed fromconfig.xml
and/var/etc/ntpd.conf
ends up usingpool
instead. - I'm not sure what the distinction is between the "NTP client" and "NTP server"; the NTP servers configured under
System > General Setup
andServices > NTP
both share the same ntpd config file (/var/etc/ntpd.conf
).
The attached workaround patch may be applied using the System Patches package until (if/when) the feature is properly implemented.
Simply add a new patch using the URL https://redmine.pfsense.org/attachments/download/5805/8794.patch
, save, then apply.
Updated by Jonathan Lee 12 months ago
Just to confirm Marcos M, I could not use NTP authentication direct for NIST.GOV without the two part key entry, without the patch seen here it is not useable. Palo Alto authenticated NTP also has a two part entry in GUI. It does work as it shows AUTH ok when I run the following command with the patch in use...
ntpq -c associations
This shows ok for auth when the two part key entry is used. Normally pfSense GUI does not provide a location to input the KEY ID area, two parts of this are required for NIST.GOV authenticated NTP server use.
It requires
1. KEY ID
2. Authentication KEY
for use of authenticated NTP service with NIST.GOV
Updated by Jonathan Lee 11 months ago
https://github.com/pfsense/pfsense/pull/4658
User MatthewA1 has merged Marcos's requests as well as added the missing GUI item to make this work correctly.
Updated by Matthew Ray 10 months ago
@Marcos M
Is there something I need to do to get this merged? The PR still has the changes requested label applied even though I incorporated the changes you suggested with your patch.
I know this patch does not fully resolve all the issues, but it at least makes this feature function whereas right now it is essentially broken.
If there is some minimum level of the additional changes that need to be made, please let me know so I can focus on getting those in.
Updated by Matthew Ray 9 months ago
- File 8794.patch 8794.patch added
I've added a checkbox for each time server called "Authenticated" so that NTP authentication can be enabled/disabled on a per server/peer basis. It also validates that authentication is not enabled for an NTP pool.
Attached is a new patch file.
Marcos M, but to properly do so, I think some significant changes to the @config.xml
are needed. I don't want to start down that road without some direction/approval from the pfSense maintainers, but here is my general idea:
- Remove the
<timeservers>
element entirely and instead store the time servers in<ntpd>
. The only reason I can see to keep this around is if there are plans to implement a service such as chrony that actually is a client only. - Restructure
<ntpd>
to have a an element that contains each server as its own individual elements (e.g.,<ntpd>/<timeservers>/<timeserver>
) - Restructure
<ntpd>
's authentication details to allow multiple NTP keys (e.g.,<ntpd>/<serverauthkeys>/<key>
)
I think it would end up looking something like this:
<ntpd>
<enabled>enabled</enabled>
<gps></gps>
<orphan></orphan>
<ntpminpoll></ntpminpoll>
<ntpmaxpoll></ntpmaxpoll>
<dnsresolv>auto</dnsresolv>
<timeservers>
<timeserver>
<type>[server|pool|peer]</type>
<server>[FQDN|IP]</server>
(<prefer/>)
(<noselect/>)
(<authkey>[#]</authkey>)
</timeserver>
...
</timeservers>
<serverauth>[yes|no]</serverauth>
<serverauthkeys>
<key>
<id>[#]</id>
<key>[keystring]</key>
<algo>[md5|sha1|sha256]</algo>
</key>
...
</serverauthkeys>
</ntpd>
I think this is necessary for all the changes to be implemented, but it also expands the scope of this ticket a bit. Do I need to open a separate ticket to suggest this?
Updated by Marcos M 5 months ago
- Status changed from New to Feedback
- Assignee set to Marcos M
- Target version changed from CE-Next to 2.8.0
- Plus Target Version set to 24.08
Implemented with abdf94d9b09a6378b771a210bd57df65ce038843.
Updated by Marcos M 5 months ago
- % Done changed from 50 to 100
Applied in changeset abdf94d9b09a6378b771a210bd57df65ce038843.
Updated by Jim Pingle about 2 months ago
- Subject changed from Support NTP authentication to NTP authentication support
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.08 to 24.11