Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Question on NTP Server Configuration

     
    Posted 12-02-2022 08:19

    Here is an example of NTP server configuration from the Juniper documentation:

    [edit system ntp]
    authentication-key 1 type md5 value "$ABC123";
    server 10.1.1.1 key 1 prefer;
    trusted-key 1;

    What is the purpose of the trusted-key when we already have the authentication-key?


    Thanks,

    Deepak





  • 2.  RE: Question on NTP Server Configuration

    Posted 12-03-2022 06:50
    The trusted-key gives you the ability to use different keys for different servers. Example: 3 keys, 3 different servers.
    Also it gives the ability to schedule rolling key changes.

    authentication-key 30 type sha256 value "$w"; ## SECRET-DATA
    authentication-key 35 type sha256 value "$q"; ## SECRET-DATA
    authentication-key 40 type sha1 value "$g"; ## SECRET-DATA
    server 192.168.1.98 key 30 version 4 prefer; ## SECRET-DATA
    server 192.168.2.95 key 35 version 4; ## SECRET-DATA
    server 172.30.3.33 key 40 version 4; ## SECRET-DATA
    trusted-key [ 30 35 40 ];


  • 3.  RE: Question on NTP Server Configuration

    Posted 12-05-2022 10:19

    The documentation looks (unusually) clear on this topic.

    "To authenticate other time servers, include the trusted-key statement at the [edit system ntp] hierarchy level."
    "Include the key option in the peer, server, or broadcast statements to transmit the specified authentication key when transmitting packets."

    i.e. "trusted-key" is what to accept, and "key" is what to send.
    Although you might expect that "key" means "what to send and receive" you actually need to include the same value in "trusted-key" if you want it to work.

    Junos doesn't appear to populate the keys file with IP restrictions (or, thinking about it, even have a config syntax that would make that sensible).

    As @tgeaser said, you can use it for changing a key (add to "trusted-key" first on both sides, and when both done, each side can update the "key" whenever).

    I *think* it's also how you configure a server to support symmetric auth for unconfigured clients (not explicit server/peer configs)

    server:

    set system ntp authentication-key 3 type md5
    set system ntp authentication-key 3 value "$9$whatever"
    set system ntp trusted-key 3
    set system ntp source-address 172.16.1.10


    client:

    set system ntp authentication-key 3 type md5
    set system ntp authentication-key 3 value "$9$whatever"
    set system ntp server 172.16.1.10 key 3
    set system ntp server 172.16.1.10 version 4
    set system ntp trusted-key 3
    set system ntp source-address 172.16.1.11
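The thread above boils down to two rules: every `key` a server or peer references must be defined by an `authentication-key` line, and (per the reply above) it must also appear in `trusted-key` or authenticated replies won't be accepted. The following is an added example, not code from the thread or from Juniper: a small Python checker that reads either the display-format snippet or `set system ntp ...` lines and reports servers whose key is missing, undefined, or not trusted. The sample config is constructed here from the second reply, with the first server deliberately pointing at key 31, which that snippet never defines.

```python
import re

# Constructed sample in Junos display format, copied from the second reply above;
# the first server references key 31, which no authentication-key line defines.
SAMPLE_DISPLAY = """
authentication-key 30 type sha256 value "$w"; ## SECRET-DATA
authentication-key 35 type sha256 value "$q"; ## SECRET-DATA
authentication-key 40 type sha1 value "$g"; ## SECRET-DATA
server 192.168.1.98 key 31 version 4 prefer; ## SECRET-DATA
server 192.168.2.95 key 35 version 4 ; ## SECRET-DATA
server 172.30.3.33 key 40 version 4 ; ## SECRET-DATA
trusted-key [ 30 35 40 ];
"""

def _normalize(raw):
    """Strip '## SECRET-DATA' annotations, the 'set system ntp' prefix and ';'."""
    line = raw.split("##", 1)[0].strip()
    if line.startswith("set system ntp "):
        line = line[len("set system ntp "):]
    return line.rstrip(";").strip()

def parse_ntp_config(text):
    """Return (key id -> type, set of trusted key ids, host -> key id or None)."""
    defined, trusted, hosts = {}, set(), {}
    for raw in text.splitlines():
        line = _normalize(raw)
        if not line:
            continue
        if m := re.match(r"authentication-key (\d+)(?: type (\S+))?", line):
            kid = int(m.group(1))  # set-style splits type/value over two lines
            defined[kid] = m.group(2) or defined.get(kid)
        elif m := re.match(r"trusted-key (?:\[([\d\s]+)\]|(\d+))", line):
            trusted.update(int(i) for i in (m.group(1) or m.group(2)).split())
        elif m := re.match(r"(?:server|peer) (\S+)(?: .*?\bkey (\d+))?", line):
            host = m.group(1)  # merge repeated set-style lines for one host
            hosts[host] = int(m.group(2)) if m.group(2) else hosts.get(host)
    return defined, trusted, hosts

def check_ntp_auth(text):
    """Flag each server/peer whose key is absent, undefined or not trusted."""
    defined, trusted, hosts = parse_ntp_config(text)
    findings = []
    for host, kid in hosts.items():
        if kid is None:
            findings.append(f"{host}: no key, packets are sent unauthenticated")
        elif kid not in defined:
            findings.append(f"{host}: key {kid} is not defined")
        elif kid not in trusted:
            findings.append(f"{host}: key {kid} is not in trusted-key")
    return findings
```

Running `check_ntp_auth(SAMPLE_DISPLAY)` reports only the 192.168.1.98 entry; feeding it the client-side `set` lines from the last reply reports nothing, since key 3 is defined, referenced, and trusted.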