NTP Authentication Keys

Time synchronization can be authenticated to ensure that the switch obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The switch will synchronize to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services.

To authenticate other time servers, include the trusted-key statement at the [edit system ntp] hierarchy level. The trusted keys refer to the configured key that is trusted and used by NTP for secure clock synchronization. Any configured key not referenced in the trusted-key is not qualified and is rejected by NTP. Only time servers that transmit network time packets containing one of the specified key numbers are eligible to be synchronized. Additionally, the key needs to match the value configured for that key number. Other systems can synchronize to the local switch without being authenticated.

Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer, server, or broadcast statements to transmit the specified authentication key when transmitting packets. The key is necessary if the remote system has authentication enabled so that it can synchronize to the local system.

To define the authentication keys, include the authentication-key statement at the [edit system ntp] hierarchy level:

number is the key number, type is the authentication type (only Message Digest 5 [MD5], SHA1, and SHA256 are supported), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication. There must be no space in the password for configuring the Network Time Protocol (NTP) authentication-key.

Note: Note:

EX4300, EX4600, and related non-MP devices such as QFX5100 (EX and QFX models that run BSD6) support only MD5 authentication for NTP and do not support SHA-1 and SHA-256 authentication types.