Feature #8794: NTP authentication support - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #8794

closed

NTP authentication support

Added by Tod L over 6 years ago. Updated 21 days ago.

Status:

Resolved

Priority:

Low

Assignee:

Marcos M

Category:

NTPD

Target version:

2.8.0

Start date:

08/17/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

24.11

Release Notes:

Default

Description

NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.

Files

Download all files

Authenticated NTP.JPG (58.8 KB) Authenticated NTP.JPG		Jonathan Lee, 03/03/2023 08:57 AM
status_ntpd.php.auth.patch (3.58 KB) status_ntpd.php.auth.patch	Adds output of 'ntpq -c associations' to /usr/local/www/status_ntpd.php	LamaZ ., 03/03/2023 03:00 PM
system.inc.ntp-auth.23.01.patch (1.56 KB) system.inc.ntp-auth.23.01.patch	Adds support for $ntp_key in function system_ntp_configure()	LamaZ ., 03/03/2023 03:00 PM
Screenshot 2023-12-05 at 8.12.05 PM.png (498 KB) Screenshot 2023-12-05 at 8.12.05 PM.png	GUI now has authentication key for auth-NTP	Jonathan Lee, 12/06/2023 04:32 AM
Screenshot 2023-12-05 at 7.35.29 PM.png (172 KB) Screenshot 2023-12-05 at 7.35.29 PM.png		Jonathan Lee, 12/06/2023 04:33 AM
Screenshot 2023-12-05 at 8.15.50 PM.png (87.6 KB) Screenshot 2023-12-05 at 8.15.50 PM.png		Jonathan Lee, 12/06/2023 04:33 AM
8794.patch (7.6 KB) 8794.patch	workaround patch	Marcos M, 01/10/2024 07:51 PM
8794.patch (10.3 KB) 8794.patch		Matthew Ray, 03/04/2024 01:03 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 5 years ago

Category set to NTPD

Actions

Copy link

Updated by Viktor Gurov over 4 years ago

Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only

Actions

Copy link

Updated by Viktor Gurov about 4 years ago

Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472

Actions

Copy link

Updated by Jim Pingle about 4 years ago

Status changed from New to Pull Request Review
Target version set to 2.5.0

Actions

Copy link

Updated by Renato Botelho about 4 years ago

Status changed from Pull Request Review to Feedback
Assignee set to Renato Botelho
% Done changed from 0 to 100

PR has been merged. Thanks!

Actions

Copy link

Updated by Anonymous about 4 years ago

Assignee changed from Renato Botelho to Tod L

Actions

Copy link

Updated by Viktor Gurov almost 4 years ago

Status changed from Feedback to New
Target version changed from 2.5.0 to CE-Next

after configuring ntpd authentication on Debian peer I can see packets with MAC:

Network Time Protocol (NTP Version 4, server)
    Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
    Peer Clock Stratum: secondary reference (3)
    Peer Polling Interval: 6 (64 sec)
    Peer Clock Precision: 0.000015 sec
    Root Delay: 0.0244598388671875 seconds
    Root Dispersion: 0.07177734375 seconds
    Reference ID: 193.182.111.13
    Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC
    Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC
    Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC
    Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC
    Key ID: 00000001
    Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7

linux peer 'ntpq -c as' output:

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 59188  8811   yes  none  none    reject    mobilize  1
  2 59189  f31a   yes   yes   ok    outlier    sys_peer  1

pfSense 2.5.0.a.20201127.1850

pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next

Actions

Copy link

Updated by LamaZ . over 3 years ago

Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.

Patch pasted here:
https://forum.netgate.com/post/977899, see below auth field indicating ok on the ntp client on pfSense.

[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-g.nist.gov  .NIST.           1 u    7   64  377   10.865   -0.019   0.738

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 64816  f61a   yes   yes   ok   sys.peer    sys_peer  1

-LamaZ

Actions

Copy link

Updated by Steve Wheeler over 3 years ago

% Done changed from 100 to 50

The ntp client auth is yet to be implemented.

Actions

Copy link

#10

Updated by Ansley Barnes over 3 years ago

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

Actions

Copy link

#11

Updated by Viktor Gurov over 3 years ago

Ansley Barnes wrote in #note-10:

Is it possible to add the option for SHA256 authentication? The underlying NTPd version appears to support it.

see #12213

Actions

Copy link

#12

Updated by Jonathan Lee over 1 year ago

File Authenticated NTP.JPG Authenticated NTP.JPG added

Is there any updates on this. I am also using Lamaz patch as it will not use authentication without both key and key value. Similar to Palo Alto

https://forum.netgate.com/topic/162746/authenicated-ntp/

He made a new patch for 23.01

Actions

Copy link

#13

Updated by LamaZ . over 1 year ago

File status_ntpd.php.auth.patch status_ntpd.php.auth.patch added
File system.inc.ntp-auth.23.01.patch system.inc.ntp-auth.23.01.patch added

Patch files for review attached.

All that is needed is to add the ntp key variable to be set from /usr/local/www/services_ntpd.php.

See https://forum.netgate.com/topic/162746/authenicated-ntp for details.

-LamaZ

Actions

Copy link

#14

Updated by Jonathan Lee over 1 year ago

I can confirm this issue still occurs in version 23

Actions

Copy link

#15

Updated by Matthew Ray 12 months ago

Added NTP Authentication key ID field to the GUI and config
https://github.com/pfsense/pfsense/pull/4658

Actions

Copy link

#16

Updated by Jonathan Lee 12 months ago

File Screenshot 2023-12-05 at 8.12.05 PM.png Screenshot 2023-12-05 at 8.12.05 PM.png added
File Screenshot 2023-12-05 at 7.35.29 PM.png Screenshot 2023-12-05 at 7.35.29 PM.png added
File Screenshot 2023-12-05 at 8.15.50 PM.png Screenshot 2023-12-05 at 8.15.50 PM.png added

Thanks Matthew and Lamar I have confirmed this works as expected with GUI entry in pfSense Plus also patch needs to strip off /src

Patches have been tested in 23.05.01 (Jonathan Lee's Everything Bagel Version I can't move to 23.09)

Actions

Copy link

#17

Updated by Marcos M 12 months ago

Some general notes:

The authentication key is only supported with the peer and server types according to the man page.
Loading Services > NTP ignores the type and sets the selected Time Server Type to Pool.
Setting the type to Server does not work - the server config is removed from config.xml and /var/etc/ntpd.conf ends up using pool instead.
I'm not sure what the distinction is between the "NTP client" and "NTP server"; the NTP servers configured under System > General Setup and Services > NTP both share the same ntpd config file (/var/etc/ntpd.conf).

The attached workaround patch may be applied using the System Patches package until (if/when) the feature is properly implemented.

Simply add a new patch using the URL https://redmine.pfsense.org/attachments/download/5805/8794.patch, save, then apply.

Actions

Copy link

#18

Updated by Jonathan Lee 12 months ago

Just to confirm Marcos M, I could not use NTP authentication direct for NIST.GOV without the two part key entry, without the patch seen here it is not useable. Palo Alto authenticated NTP also has a two part entry in GUI. It does work as it shows AUTH ok when I run the following command with the patch in use...

ntpq -c associations

This shows ok for auth when the two part key entry is used. Normally pfSense GUI does not provide a location to input the KEY ID area, two parts of this are required for NIST.GOV authenticated NTP server use.

It requires
1. KEY ID
2. Authentication KEY
for use of authenticated NTP service with NIST.GOV

Actions

Copy link

#19

Updated by Jonathan Lee 11 months ago

https://github.com/pfsense/pfsense/pull/4658

User MatthewA1 has merged Marcos's requests as well as added the missing GUI item to make this work correctly.

Actions

Copy link

#20

Updated by Marcos M 11 months ago

File 8794.patch 8794.patch added

Actions

Copy link

#21

Updated by Marcos M 11 months ago

Assignee deleted (~~Tod L~~)
Priority changed from Normal to Low

Actions

Copy link

#22

Updated by Matthew Ray 10 months ago

@Marcos M
Is there something I need to do to get this merged? The PR still has the changes requested label applied even though I incorporated the changes you suggested with your patch.
I know this patch does not fully resolve all the issues, but it at least makes this feature function whereas right now it is essentially broken.
If there is some minimum level of the additional changes that need to be made, please let me know so I can focus on getting those in.

Actions

Copy link

#23

Updated by Matthew Ray 9 months ago

File 8794.patch 8794.patch added

I've added a checkbox for each time server called "Authenticated" so that NTP authentication can be enabled/disabled on a per server/peer basis. It also validates that authentication is not enabled for an NTP pool.
Attached is a new patch file.

Some additional changes need to be made to allow for further improvements (such as per-server keys) and to resolve the other issues pointed out by Marcos M, but to properly do so, I think some significant changes to the @config.xml are needed. I don't want to start down that road without some direction/approval from the pfSense maintainers, but here is my general idea:

Remove the <timeservers> element entirely and instead store the time servers in <ntpd>. The only reason I can see to keep this around is if there are plans to implement a service such as chrony that actually is a client only.
Restructure <ntpd> to have a an element that contains each server as its own individual elements (e.g., <ntpd>/<timeservers>/<timeserver>)
Restructure <ntpd>'s authentication details to allow multiple NTP keys (e.g., <ntpd>/<serverauthkeys>/<key>)

I think it would end up looking something like this:

<ntpd>
    <enabled>enabled</enabled>
    <gps></gps>
    <orphan></orphan>
    <ntpminpoll></ntpminpoll>
    <ntpmaxpoll></ntpmaxpoll>
    <dnsresolv>auto</dnsresolv>
    <timeservers>
        <timeserver>
            <type>[server|pool|peer]</type>
            <server>[FQDN|IP]</server>
            (<prefer/>)
            (<noselect/>)
            (<authkey>[#]</authkey>)
        </timeserver>
        ...
    </timeservers>
    <serverauth>[yes|no]</serverauth>
    <serverauthkeys>
        <key>
            <id>[#]</id>
            <key>[keystring]</key>
            <algo>[md5|sha1|sha256]</algo>
        </key>
        ...
    </serverauthkeys>
</ntpd>

I think this is necessary for all the changes to be implemented, but it also expands the scope of this ticket a bit. Do I need to open a separate ticket to suggest this?

Actions

Copy link

#24