Authenicated NTP

JonathanLee · Mar 2, 2023, 5:29 PM

@lamaz I just got my official secure email from NIST and was given a key and a value, do I only use the value inside of pfsense, it seems to work correctly with that again I will need your patch to see if it authenticated correctly. COOL encrypted secure time!!

JonathanLee · Mar 2, 2023, 6:21 PM

@lamaz

I added my key however it is not using auth

With your patch so I can add my key number to use with key value now it works !!! Thanks

JonathanLee · Mar 2, 2023, 6:22 PM

@lamaz I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this.

JonathanLee · Mar 2, 2023, 9:03 PM

@lamaz

Yeah!!!

LamaZ · Mar 3, 2023, 3:00 PM

Awesome! Warms my heart to see someone else getting value out of these patches and that they are working for others.

@jonathanlee said I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this

Let me know how that goes. I tried many moons ago to get it added with no luck. Here is the last time I tried: https://redmine.pfsense.org/issues/8794

I'd follow up myself, but I somehow can't reset my redmine password. I'm guessing too many recent reset password attempts from my IP. The password apparently can't be too complex.

-LamaZ

JonathanLee · Mar 3, 2023, 3:00 PM

@lamaz that is from 2018 ?? Wow I added some notes in your older ticket just now.

JonathanLee · Mar 3, 2023, 4:51 PM

@lamaz thank you for the patches. I appreciate you.

If you wanted the leap second file this is the one I am using

https://www.ietf.org/timezones/data/leap-seconds.list

LamaZ · Mar 3, 2023, 8:55 PM

@jonathanlee Has it been that long?! Time flies.

LamaZ · Mar 4, 2023, 12:11 AM

@jonathanlee Just added the leap seconds to my setup. Thanks for the tip!

I like that I tried adding my comments to the file and it validated the hash. Put another it gave me an "signature mismatch" because something had changed. I went back and copy/pasted as-is and now have the leap seconds properly setup.

cat /var/log/ntpd.log | grep leap
Mar  3 19:02:51 pfSense ntpd[61552]: leapsecond file ('/var/db/leap-seconds'): signature mismatch
Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): good hash signature
Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): loaded, expire=2023-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

-LamaZ

DeLiver · Mar 4, 2023, 5:02 PM

@jonathanlee Off topic, but how do you get Status/NTP to sort like you have shown? 2.6 CE to 22.01 and 23.01 Plus all act weirdly when trying to sort by columns, for me. Thanks.

tman222 · Mar 4, 2023, 7:31 PM

@jonathanlee said in Authenicated NTP:

@johnpoz you can fax them also I just did, I want to test this, I have seen time jumps during cyber security classes in the past. 10-15 min jumps. Maybe this will fix it again with the use of my firewall I have not seen that in a while. Still I want to check it out. "Users who wish to use this service should send a letter to NIST using the US mail or FAX machine (e-mail is not acceptable)."

@JonathanLee - do they still require a static IP address or can a host name be given instead (in case the IP is dynamic)? Thanks in advance.

JonathanLee · Mar 5, 2023, 12:16 AM

@tman222 I was required to provide the IP address provided to me by my ISP.

JonathanLee · Mar 5, 2023, 12:19 AM

@deliver I installed the patch that is listed above. LamaZ provided it to us, I am very thankful for it. Use the 23.05 version

JonathanLee · Mar 5, 2023, 12:19 AM

@lamaz time flys haha as we talk about time servers

LamaZ · Jun 7, 2023, 6:09 PM

@LamaZ said in Authenicated NTP:

status_ntpd.php.auth.patch

@LamaZ said in Authenicated NTP:

system.inc.ntp-auth.23.01.patch

Folks, just upgraded to 23.05 and these patches still work. Copy them to your /root folder (that's ~ for admin).

cd /etc
patch -u -b /usr/local/www/status_ntpd.php -i /root/status_ntpd.php.auth.patch
patch -u -b inc/system.inc -i /root/system.inc.ntp-auth.23.01.patch

I periodically come back to this thread and remember what I've done over the years :).

-LamaZ

MatthewA1 · Dec 6, 2023, 2:51 AM

I have a PR open that incorporates the patches @LamaZ made (more or less) as well as adds a key ID field to the web GUI. If anyone is interested in testing it out to make sure I didn't miss anything, I can upload equivalent patch files here.
pfsense/pfsense#4658

JonathanLee · Dec 6, 2023, 3:11 AM

@MatthewA1 That's amazing can you post the patch, I would like to test it on 23.05.01 "pfSense Plus"?

MatthewA1 · Dec 6, 2023, 3:28 AM

@JonathanLee Thanks! I tested on a CE 2.7.1 VM as I only have one Plus device, and it's very much a production device. Here are the three patch files. I'm not 100% sure they are compatible with Plus as I have not looked at the PHP source files for 23.09, but I don't believe there is any difference with the modified sections in CE vs Plus.
These are created based on master+9257345. It seemed to work fine with my NTP server, but it would probably be good if someone could test against NIST NTP servers (as I also just setup my GPS based NTP server, so it's possible it was misconfigured but worked anyways)
system.inc.patch
status_ntpd.php.patch
services_ntpd.php.patch

Also, the table on the NTP status page is wider than the title header. I'm not sure there is a way to fix that other than removing one of the columns. If anyone has suggestions, please do share.