Authenicated NTP
-
@JonathanLee Hmm, I'm not sure what is causing that. However, I checked an unmodified pfSense CE 2.7.2 and pfSense Plus 23.09.1 and this shows up in the logs on both of those appliances after a reboot. Also interesting is that it does not occur on a service restart, only on a system reboot.
-
@MatthewA1 when I removed the patch it goes away, I think it has to do with the status page adjustments.
-
J JonathanLee referenced this topic on
-
Anybody else using authenticated NTP?
We got our config info from that very nice gentleman Judah at NIST over a year ago, and I just now--as in, an hour ago- finally found the time to get ours working right with pfSense. :) I try to be a security nut, and, from what I understand, NIST's authenticated NTP service feels like the most secure inexpensive option for time sync.
As far as how I got it configured, I really appreciate your work above, @LamaZ, as it helped me quickly find where I needed to make changes in pfSense to get it all working. Ultimately, I just ended up commenting out the code in that system_ntp_configure() function you mentioned that overwrites the NTPD .keys and .conf files, and just populated the files myself, by hand. That seemed like a pretty quick and easy way to get it working.
It definitely would be nice if the pfSense UI supported this, but in the meantime, I guess we can just keep hacking the system_ntp_configure() function whenever it's modified, to keep it from overwriting the config files.
I definitely encourage everyone who is using pfSense as their corporate firewall to get their firewall(s) set up as secure/authenticated NTP servers, though. It's just one more way to reduce would-be hackers' attack vectors, right? -
@LamaZ Folks, just upgraded to pfSense+ 24.03-RELEASE and this still works.
I fumbled and didn't quite get @MatthewA1's sweet patch method working yet. That would of carried over across the upgrade right?
-
@MaximillianC Warms my heart! Make me glad knowing that my efforts helped someone out there.
I just updated and revisited this page to remind myself how to get this working again. :) I had high hopes the changes would have made it in by now.
-
I am missing my photos here too :( Can you help with a couple of these posts the photos are vanishing ..
-
Probably not those from the begining of March unfortunately. For some period attachments were being uploaded to an invalid storage location and when that was corrected those were effectively lost. But all other attachments (since the move to NodeBB) were restored.
-
-
If anyone wants to test (@JonathanLee ?), I've rebased the work onto the current state of master and updated the config accesses to use the new required functions. Below is the current patch, and the latest version is always available from the GitHub PR diff.
ntp-authentication-feature_20240620.patch
pfsense/pfsense#4658 diff
I don't have my development environment up and running at the moment (getting a new NTP key) so I haven't tested this yet. I think it will work, but the patch may not apply to the current 2.7.0 release. There's also no dev snapshots available at the moment it seems, so if it doesn't apply to 2.7.0 release, and advice on how to test in the absence of dev snapshots would be appreciated. -
@MatthewA1 I have to test when I get home it is merged I just saw the GitHub. I need to creat a new boot environment for it and load 24.08 on it. I am still utilizing 23.05.01 because of the crypto chip and offboarding acceleration with vpn on the 2100, the new 2100 does not ship with a acceleration chip, so they do not include software for it any longer, I need it purchased one with it so I am stuck on that version or what I call the everything bagel 🥯 version. I can get a BE up and running later this week.
-
All 2100s ship with the SafeXcel crypto hardware. It's in the SoC. It's supported in all versions, including the upcoming 24.08:
[24.08-DEVELOPMENT][admin@2100-2.stevew.lan]/root: dmesg | grep crypto armv8crypto0: <AES-CBC,AES-XTS,AES-GCM> safexcel0: <SafeXcel EIP-97 crypto accelerator> mem 0x90000-0xaffff irq 18,19,20,21,22,23 on simplebus1What is no longer used is the crypto ID chip. That doesn't (and never did) accelerate anything.
-
@stephenw10 my OpenVPN can not do off boarding in the new versions. I think it’s OpenVPN related. I know it is off topic, plus I love that proxy you know that. I have way to much time and effort put in that proxy, I am convinced that that is the future solution for invasive containers, because it gives cybersecurity the ability to start caching them and after start fingerprinting the containers. You can run all of Kali on a docker container right now, that is scary. Future cybersecurity solutions I am willing to bet involve updating older accelerator technology and proxys and reworking code to detect and block before it hits the secure side of lans. That’s why I can’t give up on proxy software. I just need a 30 floor building of software developers, and it should work right, plus a database of container fingerprints, and a couple good lawyers on container, hr staff, some good managers, a good break room, 401k plan, some other stuff too, bank loans etc.
-
You cannot select an off-loading engine in OpenVPN because OpenSSL does not support it. We removed the setting there because it was no longer doing anything (and had not been for some time)
However kernel mode crypto should use SafeXcel so OpenVPN with DCO enabled should.
We should move this to a different thread though. This is nothing to do with NTP Auth.
-
@stephenw10 I agree this is a different thread the version I am on still supported it and has the logs to show it runnning. Weird right?
-
FYI for anyone looking here, this was merged so should be in the next release (and snapshot builds whenever they start being available again).
There's still work to be done (namely: multiple keys that can be assigned on a per server basis) but it will take a complete restructuring of thetimerserversandntpdconfig sections, so that will be a larger undertaking. -
@LamaZ yeahh!!!
-
@MatthewA1 thanks for all you do.
-
@JonathanLee, @MatthewA1 Thanks!
I updated to 24.11 and noticed that we now have authenticated NTP key setting in the GUI (Services->NTP)!
For those using NIST servers, I tweaked the following settings. I'm not 100% sure I needed to click "Prefer".
I finally took the leap and used the Patches GUI to (re) apply the authentication status patch. Here are the settings I used.
-LamaZ
