Configuring NTP Authentication Keys
Time synchronization can be authenticated to ensure that the local router or switch obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The system will synchronize to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services.
To authenticate other time servers, include the trusted-key statement at the [edit system ntp] hierarchy level. Only time servers transmitting network time packets that contain one of the specified key numbers and whose key matches the value configured for that key number are eligible to be synchronized to. Other systems can synchronize to the local router without being authenticated.
[edit system ntp]
trusted-key [ key-numbers ];
Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer, server, or broadcast statements to transmit the specified authentication key when transmitting packets. The key is necessary if the remote system has authentication enabled so that it can synchronize to the local system.
To define the authentication keys, include the authentication-key statement at the [edit system ntp] hierarchy level:
[edit system ntp]
authentication-key key-number type type value password;
key-number is the key number, type is the authentication type (Message Digest 5 [MD5], SHA1, and SHA2-256 are supported), and password is the password for this key. The password can be up to 20 characters in ASCII format, or 40 characters using hex digits. The key number, type, and password must match on all systems using that particular key for authentication.
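
The following is an added example, not part of the original documentation or of any Juniper tool: a small Python check that reads a candidate NTP configuration and reports time sources with no key option, keys that are referenced but not defined or not listed in trusted-key, and key numbers outside the allowed range. It assumes the configuration is given in "set" command form and that the type keywords are spelled md5, sha1, and sha256; the function name audit_ntp and all sample values are constructed for illustration.

```python
import re

SUPPORTED = {"md5", "sha1", "sha256"}  # assumed CLI keywords for MD5, SHA1, SHA2-256

# Constructed candidate configuration in "set" form; every address, key
# number and password below is made up for this example.
SAMPLE = """\
set system ntp authentication-key 1 type sha256 value "Constructed-Key-1"
set system ntp authentication-key 2 type md5 value "Constructed-Key-2"
set system ntp authentication-key 0 type sha1 value "Constructed-Key-0"
set system ntp trusted-key [ 1 0 ]
set system ntp server 192.0.2.10 key 1
set system ntp server 192.0.2.11 key 2
set system ntp peer 192.0.2.12
set system ntp broadcast 192.0.2.255 key 7
"""

def audit_ntp(config):
    """Return findings for the NTP authentication statements in config."""
    defined, trusted, sources, findings = {}, set(), [], []
    for line in config.splitlines():
        m = re.match(r"\s*set system ntp (\S+)\s*(.*)", line)
        if not m:
            continue
        stmt, args = m.group(1), m.group(2).split()
        if stmt == "authentication-key" and len(args) >= 3 and args[0].isdigit():
            defined[int(args[0])] = args[2]          # key number -> type
        elif stmt == "trusted-key":
            trusted.update(int(a) for a in args if a.isdigit())
        elif stmt in ("server", "peer", "broadcast") and args:
            key = None
            if "key" in args[:-1] and args[args.index("key") + 1].isdigit():
                key = int(args[args.index("key") + 1])
            sources.append((stmt, args[0], key))
    for num, ktype in sorted(defined.items()):
        if not 1 <= num <= 2**32 - 1:
            findings.append(f"key {num}: must be a 32-bit unsigned integer other than 0")
        if ktype not in SUPPORTED:
            findings.append(f"key {num}: unsupported type {ktype}")
    for stmt, addr, key in sources:
        if key is None:
            findings.append(f"{stmt} {addr}: no key option")
        elif key not in defined:
            findings.append(f"{stmt} {addr}: key {key} has no authentication-key")
        elif key not in trusted:
            findings.append(f"{stmt} {addr}: key {key} is not in trusted-key")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ntp(SAMPLE)))
```
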