Project

General

Profile

Actions

Feature #8794

open

Support NTP authentication

Added by Tod L almost 6 years ago. Updated 3 days ago.

Status:
Feedback
Priority:
Low
Assignee:
Category:
NTPD
Target version:
Start date:
08/17/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.08
Release Notes:
Default

Description

NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.


Files

Authenticated NTP.JPG (58.8 KB) Authenticated NTP.JPG Jonathan Lee, 03/03/2023 08:57 AM
status_ntpd.php.auth.patch (3.58 KB) status_ntpd.php.auth.patch Adds output of 'ntpq -c associations' to /usr/local/www/status_ntpd.php LamaZ ., 03/03/2023 03:00 PM
system.inc.ntp-auth.23.01.patch (1.56 KB) system.inc.ntp-auth.23.01.patch Adds support for $ntp_key in function system_ntp_configure() LamaZ ., 03/03/2023 03:00 PM
Screenshot 2023-12-05 at 8.12.05 PM.png (498 KB) Screenshot 2023-12-05 at 8.12.05 PM.png GUI now has authentication key for auth-NTP Jonathan Lee, 12/06/2023 04:32 AM
Screenshot 2023-12-05 at 7.35.29 PM.png (172 KB) Screenshot 2023-12-05 at 7.35.29 PM.png Jonathan Lee, 12/06/2023 04:33 AM
Screenshot 2023-12-05 at 8.15.50 PM.png (87.6 KB) Screenshot 2023-12-05 at 8.15.50 PM.png Jonathan Lee, 12/06/2023 04:33 AM
8794.patch (7.6 KB) 8794.patch workaround patch Marcos M, 01/10/2024 07:51 PM
8794.patch (10.3 KB) 8794.patch Matthew Ray, 03/04/2024 01:03 AM
Actions #1

Updated by Jim Pingle almost 5 years ago

  • Category set to NTPD
Actions #2

Updated by Viktor Gurov over 4 years ago

Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only

Actions #3

Updated by Viktor Gurov over 3 years ago

Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472

Actions #4

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
Actions #5

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #6

Updated by Anonymous over 3 years ago

  • Assignee changed from Renato Botelho to Tod L
Actions #7

Updated by Viktor Gurov over 3 years ago

  • Status changed from Feedback to New
  • Target version changed from 2.5.0 to CE-Next

after configuring ntpd authentication on Debian peer I can see packets with MAC:

Network Time Protocol (NTP Version 4, server)
    Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
    Peer Clock Stratum: secondary reference (3)
    Peer Polling Interval: 6 (64 sec)
    Peer Clock Precision: 0.000015 sec
    Root Delay: 0.0244598388671875 seconds
    Root Dispersion: 0.07177734375 seconds
    Reference ID: 193.182.111.13
    Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC
    Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC
    Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC
    Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC
    Key ID: 00000001
    Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7

linux peer 'ntpq -c as' output:

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 59188  8811   yes  none  none    reject    mobilize  1
  2 59189  f31a   yes   yes   ok    outlier    sys_peer  1

pfSense 2.5.0.a.20201127.1850

pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next

Actions #8

Updated by LamaZ . about 3 years ago

Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.

Patch pasted here:
https://forum.netgate.com/post/977899, see below auth field indicating ok on the ntp client on pfSense.

[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-g.nist.gov  .NIST.           1 u    7   64  377   10.865   -0.019   0.738

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 64816  f61a   yes   yes   ok   sys.peer    sys_peer  1

-LamaZ

Actions #9

Updated by Steve Wheeler about 3 years ago

  • % Done changed from 100 to 50

The ntp client auth is yet to be implemented.

Actions #10

Updated by Ansley Barnes almost 3 years ago

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

Actions #11

Updated by Viktor Gurov almost 3 years ago

Ansley Barnes wrote in #note-10:

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

see #12213

Actions #12

Updated by Jonathan Lee over 1 year ago

Is there any updates on this. I am also using Lamaz patch as it will not use authentication without both key and key value. Similar to Palo Alto

https://forum.netgate.com/topic/162746/authenicated-ntp/

He made a new patch for 23.01

Actions #13

Updated by LamaZ . over 1 year ago

Patch files for review attached.

All that is needed is to add the ntp key variable to be set from /usr/local/www/services_ntpd.php.

See https://forum.netgate.com/topic/162746/authenicated-ntp for details.

-LamaZ

Actions #14

Updated by Jonathan Lee over 1 year ago

I can confirm this issue still occurs in version 23

Actions #15

Updated by Matthew Ray 7 months ago

Added NTP Authentication key ID field to the GUI and config
https://github.com/pfsense/pfsense/pull/4658

Actions #16

Updated by Jonathan Lee 7 months ago

Thanks Matthew and Lamar I have confirmed this works as expected with GUI entry in pfSense Plus also patch needs to strip off /src

Patches have been tested in 23.05.01 (Jonathan Lee's Everything Bagel Version I can't move to 23.09)

Actions #17

Updated by Marcos M 7 months ago

Some general notes:
  • The authentication key is only supported with the peer and server types according to the man page.
  • Loading Services > NTP ignores the type and sets the selected Time Server Type to Pool.
  • Setting the type to Server does not work - the server config is removed from config.xml and /var/etc/ntpd.conf ends up using pool instead.
  • I'm not sure what the distinction is between the "NTP client" and "NTP server"; the NTP servers configured under System > General Setup and Services > NTP both share the same ntpd config file (/var/etc/ntpd.conf).

The attached workaround patch may be applied using the System Patches package until (if/when) the feature is properly implemented.

Simply add a new patch using the URL https://redmine.pfsense.org/attachments/download/5805/8794.patch, save, then apply.

Actions #18

Updated by Jonathan Lee 7 months ago

Just to confirm Marcos M, I could not use NTP authentication direct for NIST.GOV without the two part key entry, without the patch seen here it is not useable. Palo Alto authenticated NTP also has a two part entry in GUI. It does work as it shows AUTH ok when I run the following command with the patch in use...

ntpq -c associations

This shows ok for auth when the two part key entry is used. Normally pfSense GUI does not provide a location to input the KEY ID area, two parts of this are required for NIST.GOV authenticated NTP server use.

It requires
1. KEY ID
2. Authentication KEY
for use of authenticated NTP service with NIST.GOV

Actions #19

Updated by Jonathan Lee 6 months ago

https://github.com/pfsense/pfsense/pull/4658

User MatthewA1 has merged Marcos's requests as well as added the missing GUI item to make this work correctly.

Actions #20

Updated by Marcos M 6 months ago

Actions #21

Updated by Marcos M 6 months ago

  • Assignee deleted (Tod L)
  • Priority changed from Normal to Low
Actions #22

Updated by Matthew Ray 5 months ago

@Marcos M
Is there something I need to do to get this merged? The PR still has the changes requested label applied even though I incorporated the changes you suggested with your patch.
I know this patch does not fully resolve all the issues, but it at least makes this feature function whereas right now it is essentially broken.
If there is some minimum level of the additional changes that need to be made, please let me know so I can focus on getting those in.

Actions #23

Updated by Matthew Ray 4 months ago

I've added a checkbox for each time server called "Authenticated" so that NTP authentication can be enabled/disabled on a per server/peer basis. It also validates that authentication is not enabled for an NTP pool.
Attached is a new patch file.

Some additional changes need to be made to allow for further improvements (such as per-server keys) and to resolve the other issues pointed out by Marcos M, but to properly do so, I think some significant changes to the @config.xml are needed. I don't want to start down that road without some direction/approval from the pfSense maintainers, but here is my general idea:
  1. Remove the <timeservers> element entirely and instead store the time servers in <ntpd>. The only reason I can see to keep this around is if there are plans to implement a service such as chrony that actually is a client only.
  2. Restructure <ntpd> to have a an element that contains each server as its own individual elements (e.g., <ntpd>/<timeservers>/<timeserver>)
  3. Restructure <ntpd>'s authentication details to allow multiple NTP keys (e.g., <ntpd>/<serverauthkeys>/<key>)

I think it would end up looking something like this:

<ntpd>
    <enabled>enabled</enabled>
    <gps></gps>
    <orphan></orphan>
    <ntpminpoll></ntpminpoll>
    <ntpmaxpoll></ntpmaxpoll>
    <dnsresolv>auto</dnsresolv>
    <timeservers>
        <timeserver>
            <type>[server|pool|peer]</type>
            <server>[FQDN|IP]</server>
            (<prefer/>)
            (<noselect/>)
            (<authkey>[#]</authkey>)
        </timeserver>
        ...
    </timeservers>
    <serverauth>[yes|no]</serverauth>
    <serverauthkeys>
        <key>
            <id>[#]</id>
            <key>[keystring]</key>
            <algo>[md5|sha1|sha256]</algo>
        </key>
        ...
    </serverauthkeys>
</ntpd>

I think this is necessary for all the changes to be implemented, but it also expands the scope of this ticket a bit. Do I need to open a separate ticket to suggest this?

Actions #24

Updated by Marcos M 3 days ago

  • Status changed from New to Feedback
  • Assignee set to Marcos M
  • Target version changed from CE-Next to 2.8.0
  • Plus Target Version set to 24.08
Actions #25

Updated by Marcos M 3 days ago

  • Subject changed from NTP authentiction to Support NTP authentication
Actions #26

Updated by Marcos M 3 days ago

  • % Done changed from 50 to 100
Actions

Also available in: Atom PDF