diff --git a/chrony.texi.in b/chrony.texi.in
index 8ce658b..56b2758 100644
--- a/chrony.texi.in
+++ b/chrony.texi.in
@@ -2461,6 +2461,9 @@ The syntax of this directive is identical to that for the @code{server} directive (@pxref{server directive}), except that it is used to specify an NTP peer rather than an NTP server.
+When a key is specified by the @code{key} option to enable authentication, both
+peers must be configured to use the same key and the same key number.
+
 Please note that NTP peers that are not configured with a key to enable authentication are vulnerable to a denial-of-service attack. An attacker knowing that NTP hosts A and B are peering with each other can send a packet
diff --git a/ntp_core.c b/ntp_core.c
index e654c88..9594c7e 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1140,7 +1140,8 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
 if (inst->do_auth) {
 if (auth_len > 0) {
 auth_key_id = ntohl(message->auth_keyid);
- test5 = check_packet_auth(message, auth_key_id, auth_len);
+ test5 = check_packet_auth(message, auth_key_id, auth_len) &&
+ auth_key_id == inst->auth_key_id;
 } else {
 /* If we expect authenticated info from this peer/server and the packet doesn't have it, it's got to fail */
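Review bot: The new key-id comparison on the `+` lines of the ntp_core.c hunk is evaluated after check_packet_auth(), so the key lookup and MAC computation still run for a packet whose key id is not the one configured for this association, and only then is the id compared with inst->auth_key_id. Putting the cheap comparison first gives the same result while skipping that work for packets naming any other key id: `test5 = auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id, auth_len);` — assuming check_packet_auth() has no side effect the later code relies on, which this hunk does not show. The reason for the extra test is also not obvious from the expression and deserves a why-comment, e.g. `/* A MAC valid under some other key this host knows must not authenticate this association; the key id must be the one configured for it */`. receive_packet() starts before and continues after the hunk.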