Authenicated NTP

LamaZ

@MaximillianC Warms my heart! Make me glad knowing that my efforts helped someone out there.

I just updated and revisited this page to remind myself how to get this working again. :) I had high hopes the changes would have made it in by now.

JonathanLee

@stephenw10

I am missing my photos here too :( Can you help with a couple of these posts the photos are vanishing ..

stephenw10

Probably not those from the begining of March unfortunately. For some period attachments were being uploaded to an invalid storage location and when that was corrected those were effectively lost. But all other attachments (since the move to NodeBB) were restored.

MatthewA1

@LamaZ It looks like the way to get config properties was updated a couple weeks ago (63d6bb4) so at least in current builds off master, the patch will not cleanly apply. I believe it should still apply cleanly for the latest release version.

MatthewA1

If anyone wants to test (@JonathanLee ?), I've rebased the work onto the current state of master and updated the config accesses to use the new required functions. Below is the current patch, and the latest version is always available from the GitHub PR diff.
ntp-authentication-feature_20240620.patch
pfsense/pfsense#4658 diff
I don't have my development environment up and running at the moment (getting a new NTP key) so I haven't tested this yet. I think it will work, but the patch may not apply to the current 2.7.0 release. There's also no dev snapshots available at the moment it seems, so if it doesn't apply to 2.7.0 release, and advice on how to test in the absence of dev snapshots would be appreciated.

JonathanLee

@MatthewA1 I have to test when I get home it is merged I just saw the GitHub. I need to creat a new boot environment for it and load 24.08 on it. I am still utilizing 23.05.01 because of the crypto chip and offboarding acceleration with vpn on the 2100, the new 2100 does not ship with a acceleration chip, so they do not include software for it any longer, I need it purchased one with it so I am stuck on that version or what I call the everything bagel 🥯 version. I can get a BE up and running later this week.

stephenw10

All 2100s ship with the SafeXcel crypto hardware. It's in the SoC. It's supported in all versions, including the upcoming 24.08:

[24.08-DEVELOPMENT][admin@2100-2.stevew.lan]/root: dmesg | grep crypto
armv8crypto0: <AES-CBC,AES-XTS,AES-GCM>
safexcel0: <SafeXcel EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1

What is no longer used is the crypto ID chip. That doesn't (and never did) accelerate anything.

JonathanLee

@stephenw10 my OpenVPN can not do off boarding in the new versions. I think it’s OpenVPN related. I know it is off topic, plus I love that proxy you know that. I have way to much time and effort put in that proxy, I am convinced that that is the future solution for invasive containers, because it gives cybersecurity the ability to start caching them and after start fingerprinting the containers. You can run all of Kali on a docker container right now, that is scary. Future cybersecurity solutions I am willing to bet involve updating older accelerator technology and proxys and reworking code to detect and block before it hits the secure side of lans. That’s why I can’t give up on proxy software. I just need a 30 floor building of software developers, and it should work right, plus a database of container fingerprints, and a couple good lawyers on container, hr staff, some good managers, a good break room, 401k plan, some other stuff too, bank loans etc.

stephenw10

You cannot select an off-loading engine in OpenVPN because OpenSSL does not support it. We removed the setting there because it was no longer doing anything (and had not been for some time)

However kernel mode crypto should use SafeXcel so OpenVPN with DCO enabled should.

We should move this to a different thread though. This is nothing to do with NTP Auth.

JonathanLee

@stephenw10 I agree this is a different thread the version I am on still supported it and has the logs to show it runnning. Weird right?

MatthewA1

FYI for anyone looking here, this was merged so should be in the next release (and snapshot builds whenever they start being available again).
There's still work to be done (namely: multiple keys that can be assigned on a per server basis) but it will take a complete restructuring of the timerservers and ntpd config sections, so that will be a larger undertaking.

JonathanLee

@LamaZ yeahh!!!

JonathanLee

@MatthewA1 thanks for all you do.

LamaZ

@JonathanLee, @MatthewA1 Thanks!

I updated to 24.11 and noticed that we now have authenticated NTP key setting in the GUI (Services->NTP)!

For those using NIST servers, I tweaked the following settings. I'm not 100% sure I needed to click "Prefer".

I finally took the leap and used the Patches GUI to (re) apply the authentication status patch. Here are the settings I used.

-LamaZ