• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Authenicated NTP

Scheduled Pinned Locked Moved General pfSense Questions
78 Posts 11 Posters 18.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    JonathanLee @LamaZ
    last edited by Mar 2, 2023, 5:29 PM

    @lamaz I just got my official secure email from NIST and was given a key and a value, do I only use the value inside of pfsense, it seems to work correctly with that again I will need your patch to see if it authenticated correctly. COOL encrypted secure time!!

    Make sure to upvote

    1 Reply Last reply Reply Quote 0
    • J
      JonathanLee @LamaZ
      last edited by JonathanLee Mar 2, 2023, 6:21 PM Mar 2, 2023, 5:33 PM

      @lamaz

      Screenshot 2023-03-02 at 9.32.26 AM.png

      I added my key however it is not using auth

      Screenshot 2023-03-02 at 10.09.57 AM.png
      With your patch so I can add my key number to use with key value now it works !!! Thanks

      Make sure to upvote

      1 Reply Last reply Reply Quote 1
      • J
        JonathanLee @LamaZ
        last edited by Mar 2, 2023, 6:22 PM

        @lamaz I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this.

        Make sure to upvote

        L 1 Reply Last reply Mar 3, 2023, 10:37 AM Reply Quote 0
        • J
          JonathanLee @LamaZ
          last edited by Mar 2, 2023, 9:03 PM

          @lamaz

          Yeah!!!

          Screenshot 2023-03-02 at 1.03.24 PM.png

          Make sure to upvote

          D 1 Reply Last reply Mar 4, 2023, 5:02 PM Reply Quote 1
          • L
            LamaZ @JonathanLee
            last edited by Mar 3, 2023, 10:37 AM

            Awesome! Warms my heart to see someone else getting value out of these patches and that they are working for others.

            @jonathanlee said I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this

            Let me know how that goes. I tried many moons ago to get it added with no luck. Here is the last time I tried: https://redmine.pfsense.org/issues/8794

            I'd follow up myself, but I somehow can't reset my redmine password. I'm guessing too many recent reset password attempts from my IP. The password apparently can't be too complex.

            -LamaZ

            J 2 Replies Last reply Mar 3, 2023, 3:00 PM Reply Quote 1
            • J
              JonathanLee @LamaZ
              last edited by Mar 3, 2023, 3:00 PM

              @lamaz that is from 2018 ?? Wow I added some notes in your older ticket just now.

              Make sure to upvote

              L 1 Reply Last reply Mar 3, 2023, 8:55 PM Reply Quote 0
              • J
                JonathanLee @LamaZ
                last edited by JonathanLee Mar 3, 2023, 4:51 PM Mar 3, 2023, 3:02 PM

                @lamaz thank you for the patches. I appreciate you.

                If you wanted the leap second file this is the one I am using

                https://www.ietf.org/timezones/data/leap-seconds.list

                Make sure to upvote

                L 1 Reply Last reply Mar 4, 2023, 12:11 AM Reply Quote 1
                • L
                  LamaZ @JonathanLee
                  last edited by Mar 3, 2023, 8:55 PM

                  @jonathanlee Has it been that long?! Time flies.

                  J 1 Reply Last reply Mar 5, 2023, 12:19 AM Reply Quote 1
                  • L
                    LamaZ @JonathanLee
                    last edited by LamaZ Mar 4, 2023, 12:11 AM Mar 4, 2023, 12:11 AM

                    @jonathanlee Just added the leap seconds to my setup. Thanks for the tip!

                    I like that I tried adding my comments to the file and it validated the hash. Put another it gave me an "signature mismatch" because something had changed. I went back and copy/pasted as-is and now have the leap seconds properly setup.

                    cat /var/log/ntpd.log | grep leap
                    Mar  3 19:02:51 pfSense ntpd[61552]: leapsecond file ('/var/db/leap-seconds'): signature mismatch
                    Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): good hash signature
                    Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): loaded, expire=2023-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
                    

                    -LamaZ

                    1 Reply Last reply Reply Quote 1
                    • D
                      DeLiver @JonathanLee
                      last edited by Mar 4, 2023, 5:02 PM

                      @jonathanlee Off topic, but how do you get Status/NTP to sort like you have shown? 2.6 CE to 22.01 and 23.01 Plus all act weirdly when trying to sort by columns, for me. Thanks.

                      J 1 Reply Last reply Mar 5, 2023, 12:17 AM Reply Quote 0
                      • T
                        tman222 @JonathanLee
                        last edited by Mar 4, 2023, 7:31 PM

                        @jonathanlee said in Authenicated NTP:

                        @johnpoz you can fax them also I just did, I want to test this, I have seen time jumps during cyber security classes in the past. 10-15 min jumps. Maybe this will fix it again with the use of my firewall I have not seen that in a while. Still I want to check it out. "Users who wish to use this service should send a letter to NIST using the US mail or FAX machine (e-mail is not acceptable)."

                        @JonathanLee - do they still require a static IP address or can a host name be given instead (in case the IP is dynamic)? Thanks in advance.

                        J 1 Reply Last reply Mar 5, 2023, 12:16 AM Reply Quote 0
                        • J
                          JonathanLee @tman222
                          last edited by Mar 5, 2023, 12:16 AM

                          @tman222 I was required to provide the IP address provided to me by my ISP.

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • J
                            JonathanLee @DeLiver
                            last edited by JonathanLee Mar 5, 2023, 12:19 AM Mar 5, 2023, 12:17 AM

                            @deliver I installed the patch that is listed above. LamaZ provided it to us, I am very thankful for it. Use the 23.05 version

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 1
                            • J
                              JonathanLee @LamaZ
                              last edited by Mar 5, 2023, 12:19 AM

                              @lamaz time flys haha 😂 as we talk about time servers

                              Make sure to upvote

                              1 Reply Last reply Reply Quote 0
                              • D Dobby_ referenced this topic on Jun 6, 2023, 6:07 AM
                              • J JonathanLee referenced this topic on Jun 7, 2023, 3:58 PM
                              • L
                                LamaZ
                                last edited by Jun 7, 2023, 6:09 PM

                                @LamaZ said in Authenicated NTP:

                                status_ntpd.php.auth.patch

                                @LamaZ said in Authenicated NTP:

                                system.inc.ntp-auth.23.01.patch

                                Folks, just upgraded to 23.05 and these patches still work. Copy them to your /root folder (that's ~ for admin).

                                cd /etc
                                patch -u -b /usr/local/www/status_ntpd.php -i /root/status_ntpd.php.auth.patch
                                patch -u -b inc/system.inc -i /root/system.inc.ntp-auth.23.01.patch
                                

                                I periodically come back to this thread and remember what I've done over the years :).

                                -LamaZ

                                L 1 Reply Last reply May 9, 2024, 10:09 PM Reply Quote 3
                                • M
                                  MatthewA1
                                  last edited by MatthewA1 Dec 6, 2023, 2:51 AM Dec 6, 2023, 2:49 AM

                                  I have a PR open that incorporates the patches @LamaZ made (more or less) as well as adds a key ID field to the web GUI. If anyone is interested in testing it out to make sure I didn't miss anything, I can upload equivalent patch files here.
                                  pfsense/pfsense#4658

                                  J 1 Reply Last reply Dec 6, 2023, 3:06 AM Reply Quote 1
                                  • J
                                    JonathanLee @MatthewA1
                                    last edited by JonathanLee Dec 6, 2023, 3:11 AM Dec 6, 2023, 3:06 AM

                                    @MatthewA1 That's amazing can you post the patch, I would like to test it on 23.05.01 "pfSense Plus"?

                                    Make sure to upvote

                                    M 1 Reply Last reply Dec 6, 2023, 3:28 AM Reply Quote 1
                                    • M
                                      MatthewA1 @JonathanLee
                                      last edited by Dec 6, 2023, 3:28 AM

                                      @JonathanLee Thanks! I tested on a CE 2.7.1 VM as I only have one Plus device, and it's very much a production device. Here are the three patch files. I'm not 100% sure they are compatible with Plus as I have not looked at the PHP source files for 23.09, but I don't believe there is any difference with the modified sections in CE vs Plus.
                                      These are created based on master+9257345. It seemed to work fine with my NTP server, but it would probably be good if someone could test against NIST NTP servers (as I also just setup my GPS based NTP server, so it's possible it was misconfigured but worked anyways)
                                      system.inc.patch
                                      status_ntpd.php.patch
                                      services_ntpd.php.patch

                                      Also, the table on the NTP status page is wider than the title header. I'm not sure there is a way to fix that other than removing one of the columns. If anyone has suggestions, please do share.

                                      J 2 Replies Last reply Dec 6, 2023, 3:36 AM Reply Quote 1
                                      • J
                                        JonathanLee @MatthewA1
                                        last edited by Dec 6, 2023, 3:36 AM

                                        @MatthewA1 @LamaZ his was the same way with the column issue see below.

                                        Screenshot 2023-12-05 at 7.35.29 PM.png

                                        Make sure to upvote

                                        1 Reply Last reply Reply Quote 1
                                        • J
                                          JonathanLee @MatthewA1
                                          last edited by JonathanLee Dec 6, 2023, 4:28 AM Dec 6, 2023, 4:10 AM

                                          @MatthewA1

                                          All of them show ok under debug thanks for doing this.

                                          Screenshot 2023-12-05 at 8.08.48 PM.png

                                          I had to remove /src from all the patches or they would not work with plus that was the only issue strip count zero

                                          Screenshot 2023-12-05 at 8.09.43 PM.png

                                          System works as expected for input area YEAH!!!

                                          Screenshot 2023-12-05 at 8.12.05 PM.png

                                          Screenshot 2023-12-05 at 8.15.50 PM.png

                                          Time is showing AUTH under ntpq -c associations

                                          This is great !!

                                          Functions with the status patch also for nist.gov authenticated NTP project.

                                          I had to originally get approved by NIST to even be able to use authenicated NTP with them.

                                          This is an amazing addition to pfSense for time protection from the aging non autheniticated NTP protocol.

                                          Screenshot 2023-12-05 at 8.24.30 PM.png

                                          Make sure to upvote

                                          M 1 Reply Last reply Dec 6, 2023, 4:39 AM Reply Quote 1
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            [[user:consent.lead]]
                                            [[user:consent.not_received]]