Re: [chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0
- To: Jan Vanhercke <jan.vanhercke@xxxxxxxx>
- Subject: Re: [chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Thu, 7 May 2026 13:08:00 +0200
- Cc: chrony-dev@xxxxxxxxxxxxxxxxxxxx
On Thu, May 07, 2026 at 11:42:02AM +0200, Jan Vanhercke wrote:
> Since we switched from ntpd to chrony 4.6.1, some of our appliances could no
> longer sync.
Can you share the name of the appliance?
> After some debugging we discovered that these clients are using v3 NTP with
> authentication, but using a key id == 0, although the RFC specifies that the
> key id must be greater than 1.
To be clear, the NTP client is sending a request that has 20 zero bytes
appended after the transmit timestamp? And ntpd was responding with a
crypto NAK (4 extra zero bytes), which the client accepted, and it
accepts also plain responses (no extra bytes) from the patched
chronyd?
ntpd doesn't distinguish v3 from v4. It handles everything as v4 and
just copies the version value from the request to the response.
> I could not find a clear stipulation of what must be done with a packet
> having key id == 0. The pseudo seems to imply it must be calculated and the
> hash verified, but since the key id should not exist, what should the output
> of the hash then be?
>
> Anyhow, the appliances we use expect no authentication to occur. Since we really
> wanted to switch to chrony, we implemented a patch that reverts to no
> authentication when the key id == 0 to cover this gray zone.
To me that sounds like a buggy implementation that should be patched to
send well-formatted NTP requests. Have you asked the vendor?
--
Miroslav Lichvar
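The packet shapes the reply above asks about (a 20-byte trailer of key id plus MD5 digest, a 4-byte crypto-NAK, a plain 48-byte header) are easy to confuse when reading a capture, so here is an added example, not code from chrony, ntpd or the appliance, that classifies the trailer of an NTP packet and builds the two kinds of server reply the thread contrasts: the crypto-NAK that ntpd sends when a MAC does not verify, and the plain reply that the patched chronyd sends when the key id is 0. The symmetric-key MAC follows RFC 5905 (digest over key || header, prefixed by the key id); the key table, the shared secret and the `zero_keyid_means_unauthenticated` switch standing in for the patch are constructed for this example.

```python
"""Added example (not chrony/ntpd code): NTP trailer classification and replies."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # LI/VN/Mode .. transmit timestamp
CRYPTO_NAK_LEN = 4       # key id 0 and no digest
MD5_MAC_LEN = 4 + 16     # key id + MD5 digest
SHA1_MAC_LEN = 4 + 20    # key id + SHA-1 digest

# Constructed key table for the example; key ids are 32-bit and id 0 is reserved.
KEYS = {1: ("md5", b"example-shared-secret")}


def build_header(version, mode, orig_ts=0, xmit_ts=0):
    """48-byte header with only version, mode and two timestamps filled in."""
    li_vn_mode = (version << 3) | mode            # leap indicator 0
    return (struct.pack("!BBbb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
            + bytes(12)                           # root delay, root dispersion, ref id
            + bytes(8)                            # reference timestamp
            + struct.pack("!Q", orig_ts)          # origin timestamp
            + bytes(8)                            # receive timestamp
            + struct.pack("!Q", xmit_ts))         # transmit timestamp


def compute_mac(header, key_id, key):
    """RFC 5905 symmetric-key MAC: key id followed by digest(key || header)."""
    algo = {"md5": hashlib.md5, "sha1": hashlib.sha1}[key[0]]
    return struct.pack("!I", key_id) + algo(key[1] + header).digest()


def classify_trailer(packet):
    """Return (kind, key_id) for the bytes after the transmit timestamp."""
    if len(packet) < NTP_HEADER_LEN:
        return ("short", None)
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return ("plain", None)
    key_id = struct.unpack("!I", trailer[:4])[0] if len(trailer) >= 4 else None
    if len(trailer) == CRYPTO_NAK_LEN:
        return ("crypto-nak", key_id) if key_id == 0 else ("malformed", key_id)
    if len(trailer) in (MD5_MAC_LEN, SHA1_MAC_LEN):
        return ("mac", key_id)
    return ("unknown", key_id)


def verify_mac(packet, keys=KEYS):
    """True only for a MAC trailer under a known, non-zero key id that verifies."""
    kind, key_id = classify_trailer(packet)
    if kind != "mac" or key_id == 0 or key_id not in keys:
        return False
    expected = compute_mac(packet[:NTP_HEADER_LEN], key_id, keys[key_id])
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN:])


def make_response(request, keys=KEYS, zero_keyid_means_unauthenticated=False):
    """Server reply: version copied from the request, mode 4, origin = client xmit.

    A verified MAC is answered with a MAC under the same key; a MAC that fails
    is answered with a crypto-NAK (4 zero bytes), which is the ntpd behaviour
    the thread describes.  With zero_keyid_means_unauthenticated=True a request
    carrying key id 0 is treated as unauthenticated and gets a plain reply,
    which is the patched-chronyd behaviour described by the original poster.
    """
    version = (request[0] >> 3) & 0x7
    client_xmit = struct.unpack("!Q", request[40:48])[0]
    header = build_header(version, 4, orig_ts=client_xmit)
    kind, key_id = classify_trailer(request)
    if kind == "plain":
        return header
    if kind == "mac" and key_id == 0 and zero_keyid_means_unauthenticated:
        return header
    if verify_mac(request, keys):
        return header + compute_mac(header, key_id, keys[key_id])
    return header + struct.pack("!I", 0)          # crypto-NAK


if __name__ == "__main__":
    # Constructed v3 client request with key id 0 and a zero digest (20 zero bytes).
    req = build_header(3, 3, xmit_ts=0xE800000000000000) + bytes(20)
    print(classify_trailer(req), len(make_response(req)),
          len(make_response(req, zero_keyid_means_unauthenticated=True)))
```

`classify_trailer` is the check to run over a capture first: a request from the appliance should classify as `("mac", 0)`, the ntpd reply as `("crypto-nak", 0)`, and the patched chronyd reply as `("plain", None)`. `verify_mac` never accepts key id 0, so the only ways to answer such a request are the NAK or the explicit opt-out.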
--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.