NTS client with ntpsec – test my public service

Some basic information for testing NTS (Network Time Security).

Everything you need to understand how it works is here: https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/

My NTPsec server: time.signorini.ch

How to install it: first remove any standard NTP or Chrony package, then get the source code and compile it:

wget https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_1_1_9/ntpsec-NTPsec_1_1_9.tar.gz
tar -xf ntpsec-NTPsec_1_1_9.tar.gz
cd ntpsec-NTPsec_1_1_9/
./buildprep
./waf configure --refclock=all
./waf build
./waf install

Create the ntp user, the log and state directories, and the config symlink:

adduser --system --no-create-home --disabled-login --group ntp
mkdir -m 0750 /var/log/ntpsec/
chown ntp:ntp /var/log/ntpsec/
mkdir -m 0750 /var/lib/ntpsec/
touch /var/lib/ntpsec/ntp.drift
chown -R ntp:ntp /var/lib/ntpsec/
rm -f /etc/ntp.conf
ln -s ntpsec/ntp.conf /etc/ntp.conf

Configure ntp.conf; you can mix standard NTP and NTS servers:

driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statsdir /var/log/ntpsec/
ca /etc/ssl/certs
server time.signorini.ch iburst minpoll 6 nts
server time1.ethz.ch minpoll 8 iburst
server time2.ethz.ch minpoll 8 iburst
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1

Start the service:

systemctl daemon-reload
systemctl restart ntpd.service
systemctl status ntpd.service

Check it with the usual “ntpq -p” command.

Here is the configuration of my server:

# grep -Ev '^#|^$' /etc/ntp.conf
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statsdir /var/log/ntpsec/
nts enable
nts key /etc/ntpsec/nts-cert/time.signorini.ch.key
nts cert /etc/ntpsec/nts-cert/time.signorini.ch.crt
nts cookie /var/lib/ntp/nts-keys
refclock shm unit 0 refid SHM time1 +0.130 noselect minpoll 4 maxpoll 4
refclock shm unit 1 prefer refid GNSS minpoll 4 maxpoll 4
server time0.signorini.in iburst minpoll 4 maxpoll 4 nts
server time1.signorini.in iburst minpoll 4 maxpoll 4 nts
server time3.signorini.in iburst minpoll 4 maxpoll 4 nts
server time1.ethz.ch minpoll 8 iburst
server time2.ethz.ch minpoll 8 iburst
server metasntp11.admin.ch iburst minpoll 7
server metasntp12.admin.ch iburst minpoll 7
server metasntp13.admin.ch iburst minpoll 7
restrict -6 default ignore
restrict default kod nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1

And here the stats:

# ntpq -p
      remote             refid st t when poll reach   delay  offset jitter
==========================================================================
 SHM(0)                  .SHM.  0 l    1   16   377  0.0000 -1.9782 4.0141
*SHM(1)                  .GNSS. 0 l    -   16   377  0.0000  0.0010 0.0002
+time0.signorini.in      .GPS.  1 8   13   16   377  1.1692 -0.0551 0.0464
+time1.signorini.in      .GPGA. 1 8   12   16   377  0.4393  0.0169 0.0204
-time3.signorini.in      .GPGA. 1 8   11   16   377  0.5752 -0.0913 0.0696
-time1.ethz.ch           .PPS.  1 u   79  256     7 12.1475  0.6434 0.2022
-time2.ethz.ch           .PPS.  1 u   65  256     7 12.8011  0.4251 0.2272
-metasntp11.admin.ch     .MRS.  1 u   68  128    37 11.4734  0.2598 0.3540
-metasntp12.admin.ch     .MRS.  1 u   68  128    37 11.9410  0.0634 0.3493
-metasntp13.admin.ch     .MRS.  1 u   59  128    37 11.8157 -0.0951 0.4907

# ntptime
ntp_gettime() returns code 0 (OK)
  time e2cc0d0d.d7b2cc70 2020-07-29T14:58:21.842Z, (.842572125),
  maximum error 3500 us, estimated error 0 us, TAI offset 37
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset 0.832 us, frequency -17.329 ppm, interval 1 s,
  maximum error 3500 us, estimated error 0 us,
  status 0x2001 (PLL,NANO),
  time constant 4, precision 1.000 us, tolerance 500 ppm,
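
In the ntpq -p output above, the "t" column shows 8 for the servers configured with nts and u for the plain NTP ones; in NTPsec's ntpq a digit from 1 to 8 in that column is the number of NTS cookies held for the peer. The script below is an added example, not part of the original post: it cross-checks the server lines of ntp.conf against ntpq -p and reports any server marked nts that is not shown with cookies. The function names are made up for this example, and it assumes ntpq prints the remote names untruncated, as in the output above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every server marked
# "nts" in ntp.conf really holds NTS cookies according to `ntpq -p`.

# Print the hostname of each "server <host> ... nts" line read from stdin.
nts_servers() {
    awk '$1 == "server" {
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^#/) break              # rest of the line is a comment
            if ($i == "nts") { print $2; break }
        }
    }'
}

# Print the "t" column of the `ntpq -p` row (stdin) whose remote is $1.
# Column 1 of each row is the tally code (space, *, +, -, ...), so drop it.
peer_type() {
    awk -v h="$1" '{ $0 = substr($0, 2) } $1 == h { print $4; exit }'
}

# check_nts CONF_TEXT PEERS_TEXT: one verdict line per NTS-configured server;
# returns non-zero if any of them is not shown with 1-8 stored cookies.
check_nts() {
    rc=0
    for host in $(printf '%s\n' "$1" | nts_servers); do
        t=$(printf '%s\n' "$2" | peer_type "$host")
        case $t in
            [1-8]) echo "OK $host cookies=$t" ;;
            "")    echo "MISSING $host"; rc=1 ;;
            *)     echo "FAIL $host t=$t"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Sample input: a subset of the server lines and ntpq rows shown in the post.
CONF='server time0.signorini.in iburst minpoll 4 maxpoll 4 nts
server time1.signorini.in iburst minpoll 4 maxpoll 4 nts
server time1.ethz.ch minpoll 8 iburst'
PEERS='      remote             refid st t when poll reach   delay  offset jitter
==========================================================================
*SHM(1)                  .GNSS. 0 l    -   16   377  0.0000  0.0010 0.0002
+time0.signorini.in      .GPS.  1 8   13   16   377  1.1692 -0.0551 0.0464
+time1.signorini.in      .GPGA. 1 8   12   16   377  0.4393  0.0169 0.0204
-time1.ethz.ch           .PPS.  1 u   79  256     7 12.1475  0.6434 0.2022'

check_nts "$CONF" "$PEERS"
```

On a live host, pass the real data instead: check_nts "$(cat /etc/ntp.conf)" "$(ntpq -p)". A FAIL or MISSING line means the configuration asks for NTS but the running daemon does not show it, for example because ntpd was not restarted after the edit.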

As usual, this blog has more detailed information on this topic and on everything NTP-related in general:
https://weberblog.net/setting-up-nts-secured-ntp-with-ntpsec/
