<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Authentication Commands and Options</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
<style type="text/css">
.style1 {
  color: #FF0000;
  font-weight: bold;
}
</style>
</head>
<body>
<h3>Authentication Commands and Options</h3>
<img src="pic/alice44.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>Our resident cryptographer; now you see him, now you don't.</p>
<p>Last update:
  <!-- #BeginDate format:En2m -->15-Oct-2011 01:00<!-- #EndDate -->
  UTC</p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/authopt.txt"></script>
<hr>
<h4>Commands and Options</h4>
<p>Unless noted otherwise, further information about these commands is on the <a href="authentic.html">Authentication Support</a> page.</p>
<dl>
  <dt id="automax"><tt>automax [<i>logsec</i>]</tt></dt>
  <dd>Specifies the interval between regenerations of the session key list used with the Autokey protocol, as a power of 2 in seconds. Note that the size of the key list for each association depends on this interval and the current poll interval. The default interval is 12 (about 1.1 hr). For poll intervals above the specified interval, a session key list with a single entry is regenerated for every message sent. See the <a href="autokey.html">Autokey Public-Key Authentication</a> page for further information.</dd>
  <dt id="controlkey"><tt>controlkey <i>keyid</i></tt></dt>
  <dd>Specifies the key ID for the <a href="ntpq.html"><tt>ntpq</tt></a> utility, which uses the standard protocol defined in RFC-1305. The <tt><i>keyid</i></tt> argument is the key ID for a <a href="#trustedkey">trusted key</a>, where the value can be in the range 1 to 65534, inclusive.</dd>
  <dt id="crypto"><tt>crypto [digest <i>digest</i>] [host <i>name</i>] [ident <i>name</i>] [pw <i>password</i>] [randfile <i>file</i>]</tt></dt>
  <dd>This command activates the Autokey public key cryptography and loads the required host keys and certificate. If one or more files are unspecified, the default names are used. Unless the complete path and name of the file are specified, the location of a file is relative to the keys directory specified in the <tt>keysdir</tt> configuration command, with default <tt>/usr/local/etc</tt>. See the <a href="autokey.html">Autokey Public-Key Authentication</a> page for further information. Following are the options.</dd>
  <dd>
    <dl>
      <dt><tt>digest <i>digest</i></tt></dt>
      <dd>Specify the message digest algorithm, with default MD5. If the OpenSSL library is installed, <tt><i>digest</i></tt> can be any message digest algorithm supported by the library. The current selections are: <tt>MD2</tt>, <tt>MD4</tt>, <tt>MD5</tt>, <tt>MDC2</tt>, <tt>RIPEMD160</tt>, <tt>SHA</tt> and <tt>SHA1</tt>. All participants in an Autokey subnet must use the same algorithm. The Autokey message digest algorithm is separate and distinct from the symmetric key message digest algorithm. Note: If compliance with FIPS 140-2 is required, the algorithm must be either <tt>SHA</tt> or <tt>SHA1</tt>.</dd>
      <dt><tt>host <i>name</i></tt></dt>
      <dd>Specify the cryptographic media names for the host, sign and certificate files. If this option is not specified, the default name is the string returned by the Unix <tt>gethostname()</tt> routine.</dd>
      <dd><span class="style1">Note: In the latest Autokey version, this option has no effect other than to change the cryptographic media file names.</span></dd>
      <dt><tt>ident <i>group</i></tt></dt>
      <dd>Specify the cryptographic media names for the identity scheme files. If this option is not specified, the default name is the string returned by the Unix <tt>gethostname()</tt> routine.</dd>
      <dd><span class="style1">Note: In the latest Autokey version, this option has no effect other than to change the cryptographic media file names.</span></dd>
      <dt><tt>pw <i>password</i></tt></dt>
      <dd>Specifies the password to decrypt files previously encrypted by the <tt>ntp-keygen</tt> program with the <tt>-p</tt> option. If this option is not specified, the default password is the string returned by the Unix <tt>gethostname()</tt> routine.</dd>
      <dt><tt>randfile <i>file</i></tt></dt>
      <dd>Specifies the location of the random seed file used by the OpenSSL library. The defaults are described on the <a href="keygen.html"><tt>ntp-keygen</tt> page</a>.</dd>
    </dl>
  </dd>
  <dt id="ident"><tt>ident <i>group</i></tt></dt>
  <dd>Specifies the group name for ephemeral associations mobilized by broadcast and symmetric passive modes. See the <a href="autokey.html">Autokey Public-Key Authentication</a> page for further information.</dd>
  <dt id="keys"><tt>keys <i>path</i></tt></dt>
  <dd>Specifies the complete directory path for the key file containing the key IDs, key types and keys used by <tt>ntpd</tt>, <tt>ntpq</tt> and <tt>ntpdc</tt> when operating with symmetric key cryptography. The format of the key file is described on the <a href="keygen.html"><tt>ntp-keygen</tt> page</a>. This is the same operation as the <tt>-k</tt> command line option. Note that the directory path for Autokey cryptographic media is specified by the <tt>keysdir</tt> command.</dd>
  <dt id="keysdir"><tt>keysdir <i>path</i></tt></dt>
  <dd>Specifies the complete directory path for the Autokey cryptographic keys, parameters and certificates. The default is <tt>/usr/local/etc/</tt>. Note that the path for the symmetric keys file is specified by the <tt>keys</tt> command.</dd>
  <dt id="requestkey"><tt>requestkey <i>keyid</i></tt></dt>
  <dd>Specifies the key ID for the <a href="ntpdc.html"><tt>ntpdc</tt></a> utility program, which uses a proprietary protocol specific to this implementation of <tt>ntpd</tt>. The <tt><i>keyid</i></tt> argument is a key ID for a <a href="#trustedkey">trusted key</a>, in the range 1 to 65534, inclusive.</dd>
  <dt id="revoke"><tt>revoke [<i>logsec</i>]</tt></dt>
  <dd>Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds, with default 17 (36 hr). See the <a href="autokey.html">Autokey Public-Key Authentication</a> page for further information.</dd>
  <dt id="trustedkey"><tt>trustedkey [<i>keyid</i> | (<i>lowid</i> ... <i>highid</i>)] [...]</tt></dt>
  <dd>Specifies the key ID(s) which are trusted for the purposes of authenticating peers with symmetric key cryptography. Key IDs used to authenticate <tt>ntpq</tt> and <tt>ntpdc</tt> operations must be listed here and additionally be enabled with <a href="#controlkey">controlkey</a> and/or <a href="#requestkey">requestkey</a>. The authentication procedure for time transfer requires that both the local and remote NTP servers employ the same key ID and secret for this purpose, although different key IDs may be used with different servers. Ranges of trusted key IDs may be specified: <tt>trustedkey (1 ... 19) 1000 (100 ... 199)</tt> enables the lowest 120 key IDs which start with the digit 1. The spaces surrounding the ellipsis are required when specifying a range.</dd>
</dl>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
</html>