Authenicated NTP

LamaZ

@lamaz were you ever in the past having issues that's with time jumps 10-15 mins around noonish?

Thankfully I've never seen this behavior. It would have driven me mad as well when taking the OSCP exam and I was down to the wire.

I haven't been using multiple servers. ~~Maybe I should~~ I'll grow my list. There are only 4 servers that support authenticated NTP according to https://tf.nist.gov/tf-cgi/servers.cgi.

Nice touch ensuring that no local hosts are trying to skirt around your NTP. I do the same thing with both NTP and DNS. Local DNS requests get re-mapped to my pfSense DNS which then does it over TLS. I watch my WAN and ensure no traffic is going out on UDP port 53 :).

EDIT: I did it. Thanks @JonathanLee for the informative posts on NTP. I learned something new today.

[23.01-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-g.nist.gov  .NIST.           1 u   62   64    3    5.755   +0.244   1.500
+ntp-c.colorado. .NIST.           1 u   65   64    3   44.843   +0.668   1.292
+ntp-wwv.nist.go .NIST.           1 u   64   64    3   45.135   -1.426   1.312
+ntp-b.nist.gov  .NIST.           1 u   66   64    3   42.373   -1.416   1.486

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 30934  f61a   yes   yes   ok   sys.peer    sys_peer  1
  2 30935  f414   yes   yes   ok  candidate   reachable  1
  3 30936  f414   yes   yes   ok  candidate   reachable  1
  4 30937  f41a   yes   yes   ok  candidate    sys_peer  1

Full tinfoil hat.

-LamaZ

LamaZ

Folks,

In an effort to facilitate checking the status of authenticated NTP, I've added some columns to the NTP Status page to parse the output of ntpq -c associations as defined in the ntpq Command spec. Let me know what you folks think.

The last 3 columns have been added (AssocID, Status Word, Auth). I only added those 3 to the GUI, but I added the plumbing for the most of the fields in case someone wanted to display them as well.
Screen Shot 2023-02-25 at 7.37.34 AM.png

Patch file provided if you want to try it out. It worked for me :)
status_ntpd.php.auth.patch

PS - I'm trying to unlock my Redline account to add this as full fledged feature request. Somehow I'm not getting the password reset email at the moment.

-LamaZ

JonathanLee

@lamaz I just got my official secure email from NIST and was given a key and a value, do I only use the value inside of pfsense, it seems to work correctly with that again I will need your patch to see if it authenticated correctly. COOL encrypted secure time!!

JonathanLee

@lamaz

Screenshot 2023-03-02 at 9.32.26 AM.png

I added my key however it is not using auth

Screenshot 2023-03-02 at 10.09.57 AM.png
With your patch so I can add my key number to use with key value now it works !!! Thanks

JonathanLee

@lamaz I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this.

JonathanLee

@lamaz

Yeah!!!

Screenshot 2023-03-02 at 1.03.24 PM.png

LamaZ

Awesome! Warms my heart to see someone else getting value out of these patches and that they are working for others.

@jonathanlee said I am going to open a redmine ticket for you as this is missing the key value and redirect the ticket to this page so others can see this

Let me know how that goes. I tried many moons ago to get it added with no luck. Here is the last time I tried: https://redmine.pfsense.org/issues/8794

I'd follow up myself, but I somehow can't reset my redmine password. I'm guessing too many recent reset password attempts from my IP. The password apparently can't be too complex.

-LamaZ

JonathanLee

@lamaz that is from 2018 ?? Wow I added some notes in your older ticket just now.

JonathanLee

@lamaz thank you for the patches. I appreciate you.

If you wanted the leap second file this is the one I am using

https://www.ietf.org/timezones/data/leap-seconds.list

LamaZ

@jonathanlee Has it been that long?! Time flies.

LamaZ

@jonathanlee Just added the leap seconds to my setup. Thanks for the tip!

I like that I tried adding my comments to the file and it validated the hash. Put another it gave me an "signature mismatch" because something had changed. I went back and copy/pasted as-is and now have the leap seconds properly setup.

cat /var/log/ntpd.log | grep leap
Mar  3 19:02:51 pfSense ntpd[61552]: leapsecond file ('/var/db/leap-seconds'): signature mismatch
Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): good hash signature
Mar  3 19:03:36 pfSense ntpd[75239]: leapsecond file ('/var/db/leap-seconds'): loaded, expire=2023-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

-LamaZ

DeLiver

@jonathanlee Off topic, but how do you get Status/NTP to sort like you have shown? 2.6 CE to 22.01 and 23.01 Plus all act weirdly when trying to sort by columns, for me. Thanks.

tman222

@jonathanlee said in Authenicated NTP:

@johnpoz you can fax them also I just did, I want to test this, I have seen time jumps during cyber security classes in the past. 10-15 min jumps. Maybe this will fix it again with the use of my firewall I have not seen that in a while. Still I want to check it out. "Users who wish to use this service should send a letter to NIST using the US mail or FAX machine (e-mail is not acceptable)."

@JonathanLee - do they still require a static IP address or can a host name be given instead (in case the IP is dynamic)? Thanks in advance.

JonathanLee

@tman222 I was required to provide the IP address provided to me by my ISP.

JonathanLee

@deliver I installed the patch that is listed above. LamaZ provided it to us, I am very thankful for it. Use the 23.05 version

JonathanLee

@lamaz time flys haha as we talk about time servers

LamaZ

@LamaZ said in Authenicated NTP:

status_ntpd.php.auth.patch

@LamaZ said in Authenicated NTP:

system.inc.ntp-auth.23.01.patch

Folks, just upgraded to 23.05 and these patches still work. Copy them to your /root folder (that's ~ for admin).

cd /etc
patch -u -b /usr/local/www/status_ntpd.php -i /root/status_ntpd.php.auth.patch
patch -u -b inc/system.inc -i /root/system.inc.ntp-auth.23.01.patch

I periodically come back to this thread and remember what I've done over the years :).

-LamaZ

MatthewA1

I have a PR open that incorporates the patches @LamaZ made (more or less) as well as adds a key ID field to the web GUI. If anyone is interested in testing it out to make sure I didn't miss anything, I can upload equivalent patch files here.
pfsense/pfsense#4658

JonathanLee

@MatthewA1 That's amazing can you post the patch, I would like to test it on 23.05.01 "pfSense Plus"?

MatthewA1

@JonathanLee Thanks! I tested on a CE 2.7.1 VM as I only have one Plus device, and it's very much a production device. Here are the three patch files. I'm not 100% sure they are compatible with Plus as I have not looked at the PHP source files for 23.09, but I don't believe there is any difference with the modified sections in CE vs Plus.
These are created based on master+9257345. It seemed to work fine with my NTP server, but it would probably be good if someone could test against NIST NTP servers (as I also just setup my GPS based NTP server, so it's possible it was misconfigured but worked anyways)
system.inc.patch
status_ntpd.php.patch
services_ntpd.php.patch

Also, the table on the NTP status page is wider than the title header. I'm not sure there is a way to fix that other than removing one of the columns. If anyone has suggestions, please do share.