NTP server permission denied when trying to read key file


I'm trying to set up an NTP timeserver for hosts on my internal network to synchronise against.

I need to use authorisation in order to comply with PCI standards.

I've created a set of keys using ntp-keygen -M and added the below snippet to my /etc/ntp.conf file on the server.

enable auth
keys /etc/ntp.keys
trustedkey 1 7 17

I'm unable to connect to the server from a client. When I run "ntpq -c as" on the client I can see that auth is "bad" for my server. I have copied the key file that was generated on the server to the client and added the trusted key lines to the client too, like this:

server timeserver key 17
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
keys /etc/ntp.keys
trustedkey 1 7 17

Looking at the server logs I can see that I'm getting a permission denied fault when trying to read the file, as below.

Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Starting LSB: Start NTP daemon...
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:  * Starting NTP server ntpd
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: ntpd 4.2.8p4@1.3265-o Wed Oct  5 12:34:45 UTC 2016 (1): Starting
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28094]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:116
Jan 30 12:38:01 ip-10-0-1-103 ntp[28084]:    ...done.
Jan 30 12:38:01 ip-10-0-1-103 systemd[1]: Started LSB: Start NTP daemon.
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: proto: precision = 0.182 usec (-22)
Jan 30 12:38:01 ip-10-0-1-103 ntpd[28096]: authreadkeys: file /etc/ntp.keys: Permission denied

I have used ntpdate from the client machine to set the date from the server so I'm pretty confident that the networking is up and running. I've actually disabled iptables on both servers while I'm busy trying to set this up.

The key file is 600 on the server, like this:

-rw-------  1 root  root    1066 Jan 30 12:29 ntpkey_MD5key_timeserver.3694768152
lrwxrwxrwx  1 root  root      35 Jan 30 12:33 ntp.keys -> ntpkey_MD5key_timeserver.3694768152

I've tried changing the config to point to the actual file and not the symlink.

Can anybody help me work out what the error in the syslog means and how to resolve this?

EDIT: Looking at the source it looks like the "Permission denied" part of the error is coming from the OS.

Best Answer

If the key file is readable by root only, but ntpd is running as a non-root user, e.g. using -u ntp:ntp, make sure the effective user can read the key file.

For example you could use chmod u=rw,g=r,o= keyfile for the key file to allow the group to read, and then do a chgrp ntp keyfile to assign group ntp to the file, effectively allowing group ntp to access the file (but you knew that already, right?).

Still, it may be worth checking for additional restrictions imposed by AppArmor or SELinux. For the former you can try aa-status | grep ntpd to check.
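An added check, not part of the question or the answer above, that reproduces the permission test the OS applies when ntpd's dropped uid/gid (112:116 in the log above) opens the key file, following the symlink just as the daemon does. It assumes POSIX sh plus GNU stat(1); the uid/gid and file paths are taken from the question, the sample key file in the usage is constructed.

```shell
#!/bin/sh
# Added example (not the page's own code): emulate the read-permission check the
# kernel applies when ntpd, running as "-u UID:GID", opens its key file.

# keyfile_readable_by FILE UID GID [GID...]
# Returns 0 if the user could read FILE, 1 if not, 2 if FILE cannot be stat'ed.
keyfile_readable_by() {
    file=$1; uid=$2; shift 2          # remaining args: primary + supplementary gids
    # -L follows the symlink: the link itself is lrwxrwxrwx, the target is what counts
    info=$(stat -L -c '%u %g %a' "$file" 2>/dev/null) || return 2
    f_uid=${info%% *}
    rest=${info#* }
    f_gid=${rest%% *}
    mode=${rest#* }
    perm=${mode#"${mode%???}"}        # keep the last three octal digits (drop setuid/sticky)
    o=${perm%??}; gw=${perm#?}; g=${gw%?}; w=${gw#?}
    [ "$uid" -eq 0 ] && return 0      # root is not subject to the mode bits
    if [ "$uid" -eq "$f_uid" ]; then  # owner class applies, group/other bits are ignored
        [ $((o & 4)) -ne 0 ] && return 0 || return 1
    fi
    for gid in "$@"; do               # group class applies if any gid matches
        if [ "$gid" -eq "$f_gid" ]; then
            [ $((g & 4)) -ne 0 ] && return 0 || return 1
        fi
    done
    [ $((w & 4)) -ne 0 ] && return 0 || return 1
}

# diagnose_keyfile FILE UID GID: report the outcome and print the fix from the answer.
diagnose_keyfile() {
    rc=0; keyfile_readable_by "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK: uid $2 / gid $3 can read $1"; return 0 ;;
        2) echo "cannot stat $1 (missing file or dangling symlink)"; return 2 ;;
    esac
    echo "authreadkeys would fail: uid $2 / gid $3 cannot read $1"
    # chmod/chgrp dereference symlinks, so the fix works on the link or the target alike
    echo "fix: chmod u=rw,g=r,o= $1 && chgrp <group of gid $3> $1"
    return 1
}

# Usage on the server from the question: sh ntp-keycheck.sh /etc/ntp.keys 112 116
[ "$#" -ge 3 ] && diagnose_keyfile "$@"
```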