Configuring Authenticated NTP Using Symmetric Keys on ESXi Host

Article ID: 313168


Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps for configuring symmetric authentication for NTP time synchronization on ESXi hosts.


Resolution

Please follow the steps mentioned below to configure symmetric authentication for NTP time synchronization on ESXi hosts:
  • To configure symmetric authentication using a key, the ESXi NTP '/etc/ntp.conf' file should include the following settings:

keys /etc/ntp.keys
trustedkey <keyno>
server ... key <keyno>

  • The keys need to be stored in the '/etc/ntp.keys' file in the format: <keyno> <type> <key>. Here, 'keyno' should be a positive integer (between 1 and 65535), 'type' should be the message digest or cipher algorithm, and 'key' should be the key itself.

  • To add or remove keys, the ESXi '/etc/ntp.keys' file needs to be edited directly using a text editor, such as vi.

  • On ESXi builds up to VMware vSphere ESXi 7.0 Update 2, the '/etc/ntp.conf' file needs to be edited directly using a text editor, such as vi. From VMware vSphere ESXi 7.0 Update 3 onwards, you should not edit the ESXi '/etc/ntp.conf' file directly. Instead, to add the required settings to '/etc/ntp.conf', create a text file containing the NTP configuration commands and load it into the ESXi NTP configuration using the esxcli command.

Example:
[root@localhost:~] vi temp.txt
[root@localhost:~] cat temp.txt
... <snip>
keys /etc/ntp.keys
trustedkey <keyno>
server ... key <keyno>
[root@localhost:~] esxcli system ntp set -f temp.txt

  • Restart NTP after applying the settings on ESXi:

[root@localhost:~] esxcli system ntp set -e 1

  • Please ensure the NTP server also has the following settings in its configuration file:

keys <path-to-server-keys-file>
trustedkey <keyno>

  • Please note that the client and server key files must both contain identical copies of the line specified by keyno.

  • To ensure that authenticated NTP is connecting successfully, please check that the 'auth' value for the server in the 'ntpq -c associations' output is 'ok'.

Example:
[root@blr7-7th-dhcp-46-106:~] ntpq -c as
ind assid status  conf reach auth condition  last_event cnt
===========================================================
1 52115  f61a   yes   yes   ok   sys.peer    sys_peer  1
2 52116  c011   yes    no   bad    reject    mobilize  1
3 52117  9014   yes   yes  none    reject   reachable  1
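The following POSIX shell script is an added example, not part of the KB article or of ESXi itself. It checks the two things the steps above depend on: that each '/etc/ntp.keys' line is well formed and that the client and server hold an identical line for the configured keyno, and then reads the 'auth' column out of 'ntpq -c associations' output. The key files and the ntpq output are constructed sample data embedded in the script.

```shell
#!/bin/sh
# Added example (not from the KB article): sanity checks for the symmetric-key
# NTP setup described above. All key material and ntpq output are constructed.

# Constructed client and server key files in "<keyno> <type> <key>" format.
# Key 1 matches on both sides; key 7 deliberately differs on the server.
CLIENT_KEYS='1 MD5 clientsideexamplekey
7 SHA1 0123456789abcdef0123456789abcdef01234567'
SERVER_KEYS='1 MD5 clientsideexamplekey
7 SHA1 ffffffff9abcdef0123456789abcdef01234567'

# Constructed "ntpq -c associations" output, mirroring the article's example.
NTPQ_OUT='ind assid status  conf reach auth condition  last_event cnt
===========================================================
1 52115  f61a   yes   yes   ok   sys.peer    sys_peer  1
2 52116  c011   yes    no   bad    reject    mobilize  1
3 52117  9014   yes   yes  none    reject   reachable  1'

# key_line_ok KEYNO TYPE KEY: keyno must be an integer in 1..65535 and both
# type and key must be present. Returns 0 for a well-formed line.
key_line_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ -n "$2" ] && [ -n "$3" ]
}

# keys_match KEYNO: succeed only if client and server hold the identical
# line (type and key included) for that keyno, as the article requires.
keys_match() {
  c=$(printf '%s\n' "$CLIENT_KEYS" | awk -v k="$1" '$1 == k')
  s=$(printf '%s\n' "$SERVER_KEYS" | awk -v k="$1" '$1 == k')
  [ -n "$c" ] && [ "$c" = "$s" ]
}

# auth_status ASSID: print the 'auth' column ntpq reports for that association.
auth_status() {
  printf '%s\n' "$NTPQ_OUT" | awk -v a="$1" '$2 == a { print $6 }'
}

# Run every client key through the format check, then compare keys 1 and 7.
printf '%s\n' "$CLIENT_KEYS" | while read -r no type key; do
  key_line_ok "$no" "$type" "$key" || echo "malformed key line: $no"
done
keys_match 1 && echo "key 1: client/server lines identical"
keys_match 7 || echo "key 7: mismatch, server will report auth bad"
echo "assid 52115 auth: $(auth_status 52115)"
```

To run the same checks against a live host, replace the constructed variables with `cat /etc/ntp.keys`, the server's key file, and the real `ntpq -c as` output.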