This article provides steps for configuring symmetric authentication for NTP time synchronization on ESXi hosts.
To configure symmetric authentication using a key, the ESXi NTP '/etc/ntp.conf' file should include the following settings:
keys /etc/ntp.keys
trustedkey <keyno>
server ... key <keyno>
The keys are stored in the '/etc/ntp.keys' file, one per line, in the format: <keyno> <type> <key>. Here, 'keyno' is a positive integer (between 1 and 65535) that identifies the key, 'type' is the message digest algorithm (for example MD5 or SHA1), and 'key' is the shared secret itself, either a short printable ASCII string or a hexadecimal string. Because this file holds shared secrets, it should be readable only by root.
To add or remove keys, edit the ESXi '/etc/ntp.keys' file directly using a text editor, such as vi.
On ESXi builds up to VMware vSphere ESXi 7.0 Update 2, the '/etc/ntp.conf' file needs to be edited directly using a text editor, such as vi. Starting from VMware vSphere ESXi 7.0 Update 3 onwards, do not edit the ESXi '/etc/ntp.conf' file directly. Instead, to add the required settings to the '/etc/ntp.conf' file, create a text file containing the NTP configuration commands and load it into the ESXi NTP configuration using the esxcli command.
Example:
[root@localhost:~] vi temp.txt
[root@localhost:~] cat temp.txt
... <snip>
keys /etc/ntp.keys
trustedkey <keyno>
server ... key <keyno>
[root@localhost:~] esxcli system ntp set -f temp.txt
Then enable the NTP service so that ntpd runs with the new settings:
[root@localhost:~] esxcli system ntp set -e 1
Ensure that the NTP server also has the following settings in its configuration file:
keys <path-to-server-keys-file>
trustedkey <keyno>
Note that the client and server key files must both contain an identical copy of the line for that keyno (the same key number, type and key).
To confirm that authenticated NTP is working, check that the 'auth' value for the server in the 'ntpq -c associations' output is 'ok'. A value of 'bad' means the server's packets failed authentication (typically a key mismatch between the two key files, or a keyno that is not listed in 'trustedkey' on one side), and 'none' means that association is not using authentication at all. Only an association whose authentication succeeds can be selected as 'sys.peer'.
Example:
[root@blr7-7th-dhcp-46-106:~] ntpq -c as
ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 52115  f61a   yes   yes   ok  sys.peer    sys_peer   1
  2 52116  c011   yes    no  bad    reject    mobilize   1
  3 52117  9014   yes   yes none    reject   reachable   1
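The following shell script is an added example and is not part of the original article or of VMware's tooling. It ties the steps above together: it generates a random 40-hex-digit key suitable for a SHA1 entry in '/etc/ntp.keys', validates the key number range (1 to 65535), emits the identical keys-file line that must be placed on both the ESXi host and the NTP server, writes the 'keys/trustedkey/server ... key' fragment that is loaded with 'esxcli system ntp set -f', and parses 'ntpq -c associations' output to report the 'auth' value of the selected sys.peer. The function names, the server names 'ntp1.example.com' and 'ntp2.example.com', and the ntpq output in SAMPLE_ASSOC are assumptions constructed for the demo, not captured from a real host; keyno 10 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the KB article): helpers for symmetric NTP key setup.
# Function names are hypothetical; SAMPLE_ASSOC is a constructed ntpq sample.
set -eu

# Generate a random 160-bit key as 40 hex digits for a SHA1 line in ntp.keys.
# Uses /dev/urandom + od so it also works in ESXi's busybox shell.
gen_hex_key() {
    head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# A key number is valid only if it is an integer in 1..65535.
valid_keyno() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit one ntp.keys line "<keyno> <type> <key>". This exact line must appear
# in /etc/ntp.keys on the ESXi host AND in the keys file on the NTP server.
keys_line() {
    valid_keyno "$1" || { echo "invalid keyno: $1" >&2; return 1; }
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Emit the client ntp.conf fragment to load with 'esxcli system ntp set -f'.
# $1 = keyno, remaining arguments = NTP server addresses (assumed names).
client_fragment() {
    keyno=$1; shift
    valid_keyno "$keyno" || return 1
    printf 'keys /etc/ntp.keys\n'
    printf 'trustedkey %s\n' "$keyno"
    for srv in "$@"; do
        printf 'server %s key %s\n' "$srv" "$keyno"
    done
}

# Read 'ntpq -c associations' output on stdin and print the 'auth' column
# (ok / bad / none) of the association selected as sys.peer, or 'no-sys-peer'
# when nothing has been selected (e.g. every server failed authentication).
sys_peer_auth() {
    awk '$7 == "sys.peer" { print $6; found = 1 }
         END { if (!found) print "no-sys-peer" }'
}

# Constructed sample modelled on the article's output; not a real capture.
SAMPLE_ASSOC='ind assid status conf reach auth condition last_event cnt
===========================================================
  1 52115  f61a   yes   yes   ok  sys.peer    sys_peer  1
  2 52116  c011   yes    no  bad    reject    mobilize  1
  3 52117  9014   yes   yes none    reject   reachable  1'

# Usage: sh ntp_auth_helper.sh demo
if [ "${1-}" = "demo" ]; then
    KEY=$(gen_hex_key)
    echo "# line for /etc/ntp.keys on client and server:"
    keys_line 10 SHA1 "$KEY"
    echo "# fragment for: esxcli system ntp set -f temp.txt"
    client_fragment 10 ntp1.example.com ntp2.example.com
    echo "# auth of selected peer in sample: $(printf '%s\n' "$SAMPLE_ASSOC" | sys_peer_auth)"
fi
```

On a real host, redirect the fragment to a file and load it with 'esxcli system ntp set -f <file>', append the keys line to '/etc/ntp.keys' on both sides, and pipe the live 'ntpq -c as' output into sys_peer_auth to check for 'ok'.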