ntp-keygen.html revision 275970
<html lang="en">
<head>
<title>Ntp-keygen User's Manual</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Ntp-keygen User's Manual">
<meta name="generator" content="makeinfo 4.7">
<link title="Top" rel="top" href="#Top">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
  pre.display { font-family:inherit }
  pre.format { font-family:inherit }
  pre.smalldisplay { font-family:inherit; font-size:smaller }
  pre.smallformat { font-family:inherit; font-size:smaller }
  pre.smallexample { font-size:smaller }
  pre.smalllisp { font-size:smaller }
  span.sc { font-variant:small-caps }
  span.roman { font-family: serif; font-weight: normal; }
--></style>
</head>
<body>
<h1 class="settitle">Ntp-keygen User's Manual</h1>
<div class="shortcontents">
<h2>Short Contents</h2>
<ul>
<a href="#Top">Top</a>
<a href="#Top">NTP Key Generation Program User Manual</a>
</ul>
</div>

<div class="node">
<p><hr>
<a name="Top"></a>Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>
<br>
</div>

<h2 class="unnumbered">Top</h2>

<ul class="menu">
<li><a accesskey="1" href="#Description">Description</a>
<li><a accesskey="2" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>: Invoking ntp-keygen
<li><a accesskey="3" href="#Running-the-Program">Running the Program</a>
<li><a accesskey="4" href="#Random-Seed-File">Random Seed File</a>
<li><a accesskey="5" href="#Cryptographic-Data-Files">Cryptographic Data Files</a>
</ul>

<div class="node">
<p><hr>
<a name="Top"></a>Next: <a rel="next" accesskey="n" href="#Description">Description</a>,
Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>,
Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>
<br>
</div>

<h2 class="unnumbered">NTP Key Generation Program User Manual</h2>

<p>This document describes the use of the NTP Project's <code>ntp-keygen</code>
program, which generates cryptographic data files used by the NTPv4
authentication and identity schemes.
It can generate message digest keys used in symmetric key cryptography and,
if the OpenSSL software
library has been installed, it can generate host keys, sign keys,
certificates, and identity keys and parameters used by the Autokey
public key cryptography.
The message digest keys file is generated in a
format compatible with NTPv3.
All other files are in PEM-encoded
printable ASCII format so they can be embedded as MIME attachments in
mail to other sites.

<p>This document applies to version 4.2.8 of <code>ntp-keygen</code>.

<div class="node">
<p><hr>
<a name="Description"></a>Next: <a rel="next" accesskey="n" href="#Running-the-Program">Running the Program</a>,
Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<br>
</div>

<!-- node-name, next, previous, up -->
<h3 class="section">Description</h3>

<p>This program generates cryptographic data files used by the NTPv4
authentication and identity schemes. It can generate message digest
keys used in symmetric key cryptography and, if the OpenSSL software
library has been installed, it can generate host keys, sign keys,
certificates, and identity keys and parameters used by the Autokey
public key cryptography. The message digest keys file is generated in a
format compatible with NTPv3. All other files are in PEM-encoded
printable ASCII format so they can be embedded as MIME attachments in
mail to other sites.

<p>When used to generate message digest keys, the program produces a file
containing ten pseudo-random printable ASCII strings suitable for the
MD5 message digest algorithm included in the distribution.
If the
OpenSSL library is installed, it produces an additional ten hex-encoded
random bit strings suitable for the SHA1 and other message digest
algorithms.
The message digest keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys
used for ordinary NTP associations, additional keys can be defined as
passwords for the ntpq and ntpdc utility programs.
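<p>As an added example (not code from the ntp-keygen distribution or this manual), the following Python script builds a symmetric keys file in the layout just described, ten printable-ASCII MD5 keys and ten hex-encoded SHA1 keys preceded by file-name and generation-time comment lines, drawing the key material from a cryptographically secure source, and parses such a file back while rejecting malformed entries. The per-line layout (key number, key type, key), the key-number ranges, the key lengths and the header file name are assumptions not stated on this page; the hostname and filestamp used at the bottom are constructed.

```python
"""Build and validate a symmetric keys file: two comment lines (file
name, generation time), ten printable-ASCII MD5 keys and ten hex-encoded
SHA1 keys.  Added example, not code from the ntp distribution.

Assumptions not stated on the manual page: each key line is
"<keyno> <type> <key>", key numbers 1-10 are MD5 and 11-20 are SHA1,
MD5 keys are 20 printable characters, SHA1 keys are 20 random bytes
written as 40 hex digits, and the header names the file
ntpkey_MD5key_<host>.<stamp>.
"""
import secrets
import string
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Printable ASCII minus whitespace (field separator) and '#' (comment).
MD5_ALPHABET = "".join(
    c for c in string.printable if c not in string.whitespace and c != "#"
)


def ntp_to_unix(ntp_seconds):
    """Convert an NTP-seconds filestamp to a Unix timestamp."""
    return ntp_seconds - NTP_EPOCH_OFFSET


def make_md5_key(length=20):
    """Random printable-ASCII key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(MD5_ALPHABET) for _ in range(length))


def make_sha1_key(nbytes=20):
    """Random bit string, hex-encoded."""
    return secrets.token_hex(nbytes)


def make_keys_file(hostname, filestamp):
    """Return the text of a keys file for `hostname` generated at
    `filestamp` (NTP seconds, the same value that names the file)."""
    generated = datetime.fromtimestamp(ntp_to_unix(filestamp), tz=timezone.utc)
    lines = [
        f"# ntpkey_MD5key_{hostname}.{filestamp}",  # assumed file name
        f"# {generated:%Y-%m-%d %H:%M:%S} UTC",
    ]
    for keyno in range(1, 11):
        lines.append(f"{keyno:2d} MD5  {make_md5_key()}")
    for keyno in range(11, 21):
        lines.append(f"{keyno:2d} SHA1 {make_sha1_key()}")
    return "\n".join(lines) + "\n"


def parse_keys_file(text):
    """Parse key lines into {keyno: (type, key)}; reject malformed,
    duplicate or wrongly encoded entries.  Comment lines are skipped."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<keyno> <type> <key>'")
        keyno, ktype, key = int(fields[0]), fields[1].upper(), fields[2]
        if keyno in keys:
            raise ValueError(f"line {lineno}: duplicate key number {keyno}")
        if ktype == "MD5":
            if not 1 <= len(key) <= 20 or any(c not in MD5_ALPHABET for c in key):
                raise ValueError(f"line {lineno}: MD5 key must be 1-20 printable chars")
        elif ktype == "SHA1":
            if len(key) != 40 or any(c not in string.hexdigits for c in key):
                raise ValueError(f"line {lineno}: SHA1 key must be 40 hex digits")
        else:
            raise ValueError(f"line {lineno}: unsupported key type {ktype}")
        keys[keyno] = (ktype, key)
    return keys


if __name__ == "__main__":
    # Constructed sample: hostname and filestamp chosen for illustration.
    text = make_keys_file("alice.example.com", 3926000000)
    print(text)
    print(f"{len(parse_keys_file(text))} keys parsed")
```

<p>Running the script prints a freshly generated file. The parser is the part worth keeping: run it over a copy of the keys file before it is distributed, so that truncated, duplicated or hand-edited entries are caught at that point rather than at daemon start.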

<p>The remaining generated files are compatible with other OpenSSL
applications and other Public Key Infrastructure (PKI) resources.
Certificates generated by this program are compatible with extant
industry practice, although some users might find the interpretation of
X509v3 extension fields somewhat liberal.
However, the identity keys
are probably not compatible with anything other than Autokey.

<p>Some files used by this program are encrypted using a private password.
The <code>-p</code> option specifies the password for local encrypted files and the
<code>-q</code> option the password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
<code>gethostname()</code> function, normally the DNS name of the host, is used.

<p>The <kbd>pw</kbd> option of the <code>crypto</code> configuration command
specifies the read password for previously encrypted local files.
This must match the local password used by this program.
If not specified, the host name is used.
Thus, if files are generated by this program without password,
they can be read back by ntpd without password, but only on the same
host.

<p>Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called <code>ntp.keys</code>, is
usually installed in <code>/etc</code>.
Other files and links are usually installed
in <code>/usr/local/etc</code>, which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
The location of the keys directory can be changed by the <code>keysdir</code>
configuration command in such cases.
Normally, this is in <code>/etc</code>.

<p>This program directs commentary and error messages to the standard
error stream <code>stderr</code> and remote files to the standard output stream
<code>stdout</code> where they can be piped to other applications or redirected to
files.
The names used for generated files and links all begin with the
string <code>ntpkey</code> and include the file type,
generating host and filestamp,
as described in the <a href="#Cryptographic-Data-Files">Cryptographic Data Files</a> section below.

<div class="node">
<p><hr>
<a name="Running-the-Program"></a>Next: <a rel="next" accesskey="n" href="#Random-Seed-File">Random Seed File</a>,
Previous: <a rel="previous" accesskey="p" href="#Description">Description</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<br>
</div>

<!-- node-name, next, previous, up -->
<h3 class="section">Running the Program</h3>

<p>To test and gain experience with Autokey concepts, log in as root and
change to the keys directory, usually <code>/usr/local/etc</code>.
When run for the
first time, or if all files with names beginning <code>ntpkey</code> have been
removed, use the <code>ntp-keygen</code> command without arguments to generate a
default RSA host key and matching RSA-MD5 certificate with expiration
date one year hence.
If run again without options, the program uses the
existing keys and parameters and generates only a new certificate with
new expiration date one year hence.

<p>Run the command on as many hosts as necessary.
Designate one of them as the trusted host (TH) using <code>ntp-keygen</code>
with the <code>-T</code> option and configure
it to synchronize from reliable Internet servers.
Then configure the other hosts to synchronize to the TH directly or indirectly.
A certificate trail is created when Autokey asks the immediately
ascendant host towards the TH to sign its certificate, which is then
provided to the immediately descendant host on request.
All group hosts should have acyclic certificate trails ending on the TH.

<p>The host key is used to encrypt the cookie when required and so must be
RSA type.
By default, the host key is also the sign key used to encrypt signatures.
A different sign key can be assigned using the <code>-S</code> option
and this can be either RSA or DSA type.
By default, the signature
message digest type is MD5, but any combination of sign key type and
message digest type supported by the OpenSSL library can be specified
using the <code>-c</code> option.

<p>The rules say cryptographic media should be generated with proventic
filestamps, which means the host should already be synchronized before
this program is run.
This of course creates a chicken-and-egg problem
when the host is started for the first time.
Accordingly, the host time
should be set by some other means, such as eyeball-and-wristwatch, at
least so that the certificate lifetime is within the current year.
After that and when the host is synchronized to a proventic source, the
certificate should be re-generated.

<p>Additional information on trusted groups and identity schemes is on the
Autokey Public-Key Authentication page.

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-Invocation"></a>
<br>
</div>

<h3 class="section">Invoking ntp-keygen</h3>

<p><a name="index-ntp_002dkeygen-1"></a><a name="index-Create-a-NTP-host-key-2"></a>

<p>This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
It generates MD5 key files used in symmetric key cryptography.
In addition, if the OpenSSL software library has been installed,
it generates keys, certificate and identity files used in public key
cryptography.
These files are used for cookie encryption,
digital signature and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.

<p>All files are in PEM-encoded printable ASCII format,
so they can be embedded as MIME attachments in mail to other sites
and certificate authorities.
By default, files are not encrypted.

<p>When used to generate message digest keys, the program produces a file
containing ten pseudo-random printable ASCII strings suitable for the
MD5 message digest algorithm included in the distribution.
If the OpenSSL library is installed, it produces an additional ten
hex-encoded random bit strings suitable for the SHA1 and other message
digest algorithms.
The message digest keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
utility programs.

<p>The remaining generated files are compatible with other OpenSSL
applications and other Public Key Infrastructure (PKI) resources.
Certificates generated by this program are compatible with extant
industry practice, although some users might find the interpretation of
X509v3 extension fields somewhat liberal.
However, the identity keys are probably not compatible with anything
other than Autokey.

<p>Some files used by this program are encrypted using a private password.
The
<code>-p</code>
option specifies the password for local encrypted files and the
<code>-q</code>
option the password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
<code>gethostname()</code>
function, normally the DNS name of the host, is used.

<p>The
<kbd>pw</kbd>
option of the
<kbd>crypto</kbd>
configuration command specifies the read
password for previously encrypted local files.
This must match the local password used by this program.
If not specified, the host name is used.
Thus, if files are generated by this program without password,
they can be read back by
<kbd>ntpd</kbd>
without password, but only on the same host.

<p>Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
<kbd>ntp.keys</kbd>,
is usually installed in
<span class="file">/etc</span>.
Other files and links are usually installed in
<span class="file">/usr/local/etc</span>,
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
The location of the keys directory can be changed by the
<kbd>keysdir</kbd>
configuration command in such cases.
Normally, this is in
<span class="file">/etc</span>.

<p>This program directs commentary and error messages to the standard
error stream
<kbd>stderr</kbd>
and remote files to the standard output stream
<kbd>stdout</kbd>
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
<kbd>ntpkey</kbd>
and include the file type, generating host and filestamp,
as described in the
Cryptographic Data Files
section below.

<h5 class="subsubsection">Running the Program</h5>

<p>To test and gain experience with Autokey concepts, log in as root and
change to the keys directory, usually
<span class="file">/usr/local/etc</span>.
When run for the first time, or if all files with names beginning with
<kbd>ntpkey</kbd>
have been removed, use the
<code>ntp-keygen</code>
command without arguments to generate a
default RSA host key and matching RSA-MD5 certificate with expiration
date one year hence.
If run again without options, the program uses the
existing keys and parameters and generates only a new certificate with
new expiration date one year hence.

<p>Run the command on as many hosts as necessary.
Designate one of them as the trusted host (TH) using
<code>ntp-keygen</code>
with the
<code>-T</code>
option and configure it to synchronize from reliable Internet servers.
Then configure the other hosts to synchronize to the TH directly or
indirectly.
A certificate trail is created when Autokey asks the immediately
ascendant host towards the TH to sign its certificate, which is then
provided to the immediately descendant host on request.
All group hosts should have acyclic certificate trails ending on the TH.

<p>The host key is used to encrypt the cookie when required and so must be
RSA type.
By default, the host key is also the sign key used to encrypt
signatures.
A different sign key can be assigned using the
<code>-S</code>
option and this can be either RSA or DSA type.
By default, the signature
message digest type is MD5, but any combination of sign key type and
message digest type supported by the OpenSSL library can be specified
using the
<code>-c</code>
option.

<p>The rules say cryptographic media should be generated with proventic
filestamps, which means the host should already be synchronized before
this program is run.
This of course creates a chicken-and-egg problem
when the host is started for the first time.
Accordingly, the host time
should be set by some other means, such as eyeball-and-wristwatch, at
least so that the certificate lifetime is within the current year.
After that and when the host is synchronized to a proventic source, the
certificate should be re-generated.

<p>Additional information on trusted groups and identity schemes is on the
Autokey Public-Key Authentication
page.

<p>The
<code>ntpd(1ntpdmdoc)</code>
configuration command
<code>crypto</code> <code>pw</code> <kbd>password</kbd>
specifies the read password for previously encrypted files.
The daemon expires on the spot if the password is missing
or incorrect.
For convenience, if a file has been previously encrypted,
the default read password is the name of the host running
the program.
If the previous write password is specified as the host name,
these files can be read by that host with no explicit password.

<p>File names begin with the prefix
<code>ntpkey_</code>
and end with the postfix
<kbd>_hostname.filestamp</kbd>,
where
<kbd>hostname</kbd>
is the owner name, usually the string returned
by the Unix <code>gethostname()</code> routine, and
<kbd>filestamp</kbd>
is the NTP seconds when the file was generated, in decimal digits.
This both guarantees uniqueness and simplifies maintenance
procedures, since all files can be quickly removed
by a
<code>rm</code> <code>ntpkey*</code>
command or all files generated
at a specific time can be removed by a
<code>rm</code>
<kbd>*filestamp</kbd>
command.
To further reduce the risk of misconfiguration,
the first two lines of a file contain the file name
and generation date and time as comments.

<p>All files are installed by default in the keys directory
<span class="file">/usr/local/etc</span>,
which is normally in a shared filesystem
in NFS-mounted networks.
The actual location of the keys directory
and each file can be overridden by configuration commands,
but this is not recommended.
Normally, the files for each host are generated by that host
and used only by that host, although exceptions exist
as noted later on this page.

<p>Normally, files containing private values,
including the host key, sign key and identification parameters,
are permitted root read/write-only;
while others containing public values are permitted world readable.
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
Since uniqueness is ensured by the hostname and
file name extensions, the files for an NFS server and
dependent clients can all be installed in the same shared directory.

<p>The recommended practice is to keep the file name extensions
when installing a file and to install a soft link
from the generic names specified elsewhere on this page
to the generated files.
This allows new file generations to be activated simply
by changing the link.
If a link is present, ntpd follows it to the file name
to extract the filestamp.
If a link is not present,
<code>ntpd(1ntpdmdoc)</code>
extracts the filestamp from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
<code>ntp-keygen</code>
program uses the same timestamp extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.

<h5 class="subsubsection">Running the program</h5>

<p>The safest way to run the
<code>ntp-keygen</code>
program is logged in directly as root.
The recommended procedure is to change to the keys directory,
usually
<span class="file">/usr/local/etc</span>,
then run the program.
When run for the first time,
or if all
<code>ntpkey</code>
files have been removed,
the program generates an RSA host key file and matching RSA-MD5 certificate file,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
If run again, the program uses the same host key file,
but generates a new certificate file and link.

<p>The host key is used to encrypt the cookie when required and so must be RSA type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
either RSA or DSA type.
By default, the message digest type is MD5, but any combination
of sign key type and message digest type supported by the OpenSSL library
can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
and RIPE160 message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
Certificates using any digest algorithm are compatible with RSA sign keys;
however, only SHA and SHA1 certificates are compatible with DSA sign keys.

<p>Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
Certificates or certificate requests derived from them should be compatible
with extant industry practice, although some users might find
the interpretation of X509v3 extension fields somewhat liberal.
However, the identification parameter files, although encoded
as the other files, are probably not compatible with anything other than Autokey.
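<p>The naming, permission and link conventions described in the paragraphs above (the <code>ntpkey_</code> prefix, the <kbd>_hostname.filestamp</kbd> suffix with the filestamp in NTP seconds, root read/write-only private files, world-readable public files, and generic-name links that should track the newest generation) can be checked mechanically. The following Python audit is an added example, not code from the ntp distribution: it parses ntpkey names, decodes filestamps, and reports private files that are not root-only, links that dangle, point at another host's file, or point at an older generation than the newest one present. Which file types count as private (everything except certificates) is an assumption, as is the comparison of link targets by bare file name, and the sample listing at the bottom is constructed rather than taken from a real directory.

```python
"""Audit a keys directory against the manual's conventions:
ntpkey_<type>_<hostname>.<filestamp> names, filestamps in NTP seconds,
private files root read/write-only, and generic-name links pointing at
the newest generation.  Added example, not code from the ntp distribution.

Assumptions not on the manual page: a type whose name ends in "cert" is
public and every other type is private; link targets are bare names in
the same directory.  SAMPLE_ENTRIES is a constructed listing.
"""
import os
import re
import stat
from collections import defaultdict
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
GENERATED = re.compile(r"^ntpkey_(?P<type>[^_]+)_(?P<host>.+)\.(?P<stamp>\d+)$")
GENERIC = re.compile(r"^ntpkey_(?P<type>[^_]+)_(?P<host>.+)$")


def filestamp_to_utc(stamp):
    """Decode a filestamp (NTP seconds) into a UTC datetime."""
    return datetime.fromtimestamp(stamp - NTP_EPOCH_OFFSET, tz=timezone.utc)


def parse_name(name):
    """(type, host, stamp) for a generated file, (type, host, None) for a
    generic link name, None for anything that is not an ntpkey name."""
    m = GENERATED.match(name)
    if m:
        return m["type"], m["host"], int(m["stamp"])
    m = GENERIC.match(name)
    if m:
        return m["type"], m["host"], None
    return None


def is_private(ftype):
    # Assumption: only certificates carry public values; the manual names
    # the host key, sign key and identification parameters as private.
    return not ftype.lower().endswith("cert")


def scan_directory(path):
    """Turn a real keys directory into audit entries (lstat, so links are
    reported as links rather than as their targets)."""
    entries = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        entries.append({
            "name": name,
            "link": os.readlink(full) if stat.S_ISLNK(st.st_mode) else None,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        })
    return entries


def audit(entries):
    """Return a list of human-readable findings for the entries."""
    files = {}  # name -> (type, host, stamp) for regular generated files
    for e in entries:
        parsed = parse_name(e["name"])
        if parsed and parsed[2] is not None and e["link"] is None:
            files[e["name"]] = parsed
    newest = defaultdict(int)  # (type, host) -> newest filestamp present
    for ftype, host, stamp in files.values():
        newest[(ftype, host)] = max(newest[(ftype, host)], stamp)

    findings = []
    for e in entries:
        parsed = parse_name(e["name"])
        if parsed is None:
            continue  # not an ntpkey name; outside this audit
        ftype, host, stamp = parsed
        if e["link"] is not None:
            target = files.get(e["link"])
            if target is None:
                findings.append(f"{e['name']}: dangling link to {e['link']}")
            elif target[1] != host:
                findings.append(f"{e['name']}: link points at another host's file")
            elif target[2] != newest[(target[0], target[1])]:
                findings.append(f"{e['name']}: link is stale, newer generation "
                                f"{newest[(target[0], target[1])]} exists")
        elif stamp is None:
            findings.append(f"{e['name']}: generic name is a plain file, not a link")
        elif is_private(ftype):
            if e["uid"] != 0:
                findings.append(f"{e['name']}: private file not owned by root")
            if e["mode"] & 0o077:
                findings.append(f"{e['name']}: private file readable by others "
                                f"(mode {e['mode']:04o}); chmod 600 or encrypt it")
    return findings


# Constructed sample listing: two certificate generations, one private
# file world readable, one not owned by root, one stale link.
SAMPLE_ENTRIES = [
    {"name": "ntpkey_RSAhost_alice.example.com.3926000000", "link": None, "mode": 0o600, "uid": 0},
    {"name": "ntpkey_RSAsign_alice.example.com.3926000000", "link": None, "mode": 0o600, "uid": 1000},
    {"name": "ntpkey_IFFpar_alice.example.com.3926000000", "link": None, "mode": 0o644, "uid": 0},
    {"name": "ntpkey_RSA-MD5cert_alice.example.com.3926000000", "link": None, "mode": 0o644, "uid": 0},
    {"name": "ntpkey_RSA-MD5cert_alice.example.com.3926086400", "link": None, "mode": 0o644, "uid": 0},
    {"name": "ntpkey_host_alice.example.com", "link": "ntpkey_RSAhost_alice.example.com.3926000000", "mode": 0o777, "uid": 0},
    {"name": "ntpkey_cert_alice.example.com", "link": "ntpkey_RSA-MD5cert_alice.example.com.3926000000", "mode": 0o777, "uid": 0},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES):
        print(line)
```

<p><code>scan_directory()</code> produces the same entry records from a live keys directory, so <code>audit(scan_directory("/usr/local/etc"))</code> is the form a cron job or configuration-management check would use; the hard-coded sample exercises each finding offline.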

<p>Running the program as other than root and using the Unix
<code>su</code>
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
<code>.rnd</code>
in the user home directory.
However, there should be only one
<code>.rnd</code>,
most conveniently
in the root directory, so it is convenient to define the
<code>$RANDFILE</code>
environment variable used by the OpenSSL library as the path to
<code>/.rnd</code>.

<p>Installing the keys as root might not work in NFS-mounted
shared file systems, as NFS clients may not be able to write
to the shared keys directory, even as root.
In this case, NFS clients can specify the files in another
directory such as
<span class="file">/etc</span>
using the
<code>keysdir</code>
command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.

<p>Ordinarily, cryptographic files are generated by the host that uses them,
but it is possible for a trusted agent (TA) to generate these files
for other hosts; however, in such cases files should always be encrypted.
The subject name and trusted name default to the hostname
of the host generating the files, but can be changed by command line options.
It is convenient to designate the owner name and trusted name
as the subject and issuer fields, respectively, of the certificate.
520275970ScyThe owner name is also used for the host and sign key files, 521275970Scywhile the trusted name is used for the identity files. 522275970Scy 523275970Scy <p>All files are installed by default in the keys directory 524275970Scy<span class="file">/usr/local/etc</span>, 525275970Scywhich is normally in a shared filesystem 526275970Scyin NFS-mounted networks. 527275970ScyThe actual location of the keys directory 528275970Scyand each file can be overridden by configuration commands, 529275970Scybut this is not recommended. 530275970ScyNormally, the files for each host are generated by that host 531275970Scyand used only by that host, although exceptions exist 532275970Scyas noted later on this page. 533275970Scy 534275970Scy <p>Normally, files containing private values, 535275970Scyincluding the host key, sign key and identification parameters, 536275970Scyare permitted root read/write-only; 537275970Scywhile others containing public values are permitted world readable. 538275970ScyAlternatively, files containing private values can be encrypted 539275970Scyand these files permitted world readable, 540275970Scywhich simplifies maintenance in shared file systems. 541275970ScySince uniqueness is insured by the hostname and 542275970Scyfile name extensions, the files for a NFS server and 543275970Scydependent clients can all be installed in the same shared directory. 544275970Scy 545275970Scy <p>The recommended practice is to keep the file name extensions 546275970Scywhen installing a file and to install a soft link 547275970Scyfrom the generic names specified elsewhere on this page 548275970Scyto the generated files. 549275970ScyThis allows new file generations to be activated simply 550275970Scyby changing the link. 551275970ScyIf a link is present, ntpd follows it to the file name 552275970Scyto extract the filestamp. 553275970ScyIf a link is not present, 554275970Scy<code>ntpd(1ntpdmdoc)</code> 555275970Scyextracts the filestamp from the file itself. 
556275970ScyThis allows clients to verify that the file and generation times 557275970Scyare always current. 558275970ScyThe 559275970Scy<code>ntp-keygen</code> 560275970Scyprogram uses the same timestamp extension for all files generated 561275970Scyat one time, so each generation is distinct and can be readily 562275970Scyrecognized in monitoring data. 563275970Scy 564275970Scy<h5 class="subsubsection">Running the program</h5> 565275970Scy 566275970Scy<p>The safest way to run the 567275970Scy<code>ntp-keygen</code> 568275970Scyprogram is logged in directly as root. 569275970ScyThe recommended procedure is change to the keys directory, 570275970Scyusually 571275970Scy<span class="file">/usr/local/etc</span>, 572275970Scythen run the program. 573275970ScyWhen run for the first time, 574275970Scyor if all 575275970Scy<code>ntpkey</code> 576275970Scyfiles have been removed, 577275970Scythe program generates a RSA host key file and matching RSA-MD5 certificate file, 578275970Scywhich is all that is necessary in many cases. 579275970ScyThe program also generates soft links from the generic names 580275970Scyto the respective files. 581275970ScyIf run again, the program uses the same host key file, 582275970Scybut generates a new certificate file and link. 583275970Scy 584275970Scy <p>The host key is used to encrypt the cookie when required and so must be RSA type. 585275970ScyBy default, the host key is also the sign key used to encrypt signatures. 586275970ScyWhen necessary, a different sign key can be specified and this can be 587275970Scyeither RSA or DSA type. 588275970ScyBy default, the message digest type is MD5, but any combination 589275970Scyof sign key type and message digest type supported by the OpenSSL library 590275970Scycan be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 591275970Scyand RIPE160 message digest algorithms. 592275970ScyHowever, the scheme specified in the certificate must be compatible 593275970Scywith the sign key. 
594275970ScyCertificates using any digest algorithm are compatible with RSA sign keys; 595275970Scyhowever, only SHA and SHA1 certificates are compatible with DSA sign keys. 596275970Scy 597275970Scy <p>Private/public key files and certificates are compatible with 598275970Scyother OpenSSL applications and very likely other libraries as well. 599275970ScyCertificates or certificate requests derived from them should be compatible 600275970Scywith extant industry practice, although some users might find 601275970Scythe interpretation of X509v3 extension fields somewhat liberal. 602275970ScyHowever, the identification parameter files, although encoded 603275970Scyas the other files, are probably not compatible with anything other than Autokey. 604275970Scy 605275970Scy <p>Running the program as other than root and using the Unix 606275970Scy<code>su</code> 607275970Scycommand 608275970Scyto assume root may not work properly, since by default the OpenSSL library 609275970Scylooks for the random seed file 610275970Scy<code>.rnd</code> 611275970Scyin the user home directory. 612275970ScyHowever, there should be only one 613275970Scy<code>.rnd</code>, 614275970Scymost conveniently 615275970Scyin the root directory, so it is convenient to define the 616275970Scy<code>$RANDFILE</code> 617275970Scyenvironment variable used by the OpenSSL library as the path to 618275970Scy<code>/.rnd</code>. 619275970Scy 620275970Scy <p>Installing the keys as root might not work in NFS-mounted 621275970Scyshared file systems, as NFS clients may not be able to write 622275970Scyto the shared keys directory, even as root. 623275970ScyIn this case, NFS clients can specify the files in another 624275970Scydirectory such as 625275970Scy<span class="file">/etc</span> 626275970Scyusing the 627275970Scy<code>keysdir</code> 628275970Scycommand. 
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.

 <p>Ordinarily, cryptographic files are generated by the host that uses them,
but it is possible for a trusted agent (TA) to generate these files
for other hosts; however, in such cases files should always be encrypted.
The subject name and trusted name default to the hostname
of the host generating the files, but can be changed by command line options.
It is convenient to designate the owner name and trusted name
as the subject and issuer fields, respectively, of the certificate.
The owner name is also used for the host and sign key files,
while the trusted name is used for the identity files.

<h5 class="subsubsection">Trusted Hosts and Groups</h5>

<p>Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
<a href="#Authentication-Options">Authentication Options</a>
section of
<code>ntp.conf(5)</code>.
The default cryptotype uses RSA encryption, MD5 message digest
and TC identification.
First, configure an NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
Trusted hosts have trusted certificates;
all other hosts have nontrusted certificates.
These hosts will automatically and dynamically build authoritative
certificate trails to one or more trusted hosts.
A trusted group is the set of all hosts that have, directly or indirectly,
a certificate trail ending at a trusted host.
The trail is defined by static configuration file entries
or dynamic means described in the
<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a>
section of
<code>ntp.conf(5)</code>.

 <p>On each trusted host as root, change to the keys directory.
To ensure a fresh fileset, remove all
<code>ntpkey</code>
files.
Then run
<code>ntp-keygen</code>
<code>-T</code>
to generate keys and a trusted certificate.
On all other hosts do the same, but leave off the
<code>-T</code>
flag to generate keys and nontrusted certificates.
When complete, start the NTP daemons beginning at the lowest stratum
and working up the tree.
It may take some time for Autokey to instantiate the certificate trails
throughout the subnet, but setting up the environment is completely automatic.

 <p>If it is necessary to use a different sign key or different digest/signature
scheme than the default, run
<code>ntp-keygen</code>
with the
<code>-S</code> <kbd>type</kbd>
option, where
<kbd>type</kbd>
is either
<code>RSA</code>
or
<code>DSA</code>.
The most common reason to do this is when a DSA-signed certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
<code>ntp-keygen</code>
with the
<code>-c</code> <kbd>scheme</kbd>
option, with the
<kbd>scheme</kbd>
selected as needed.
If
<code>ntp-keygen</code>
is run again without these options, it generates a new certificate
using the same scheme and sign key.

 <p>After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
Simply run
<code>ntp-keygen</code>
with the same flags as before to generate new certificates
using existing keys.
However, if the host or sign key is changed,
<code>ntpd(1ntpdmdoc)</code>
should be restarted.
When
<code>ntpd(1ntpdmdoc)</code>
is restarted, it loads any new files and restarts the protocol.
Other dependent hosts will continue as usual until signatures are refreshed,
at which time the protocol is restarted.

<h5 class="subsubsection">Identity Schemes</h5>

<p>As mentioned on the Autonomous Authentication page,
the default TC identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
including PC, IFF, GQ and MV described on the
"Identification Schemes"
page
(possibly available at
<code>http://www.eecis.udel.edu/%7emills/keygen.html</code>).
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
while the remaining hosts prove identity using values provided
by a trusted host and certificate trails that end on that host.
The name of a trusted host is also the name of its subgroup
and also the subject and issuer name on its trusted certificate.
The TA is not necessarily a trusted host in this sense, but often is.

 <p>In some schemes there are separate keys for servers and clients.
A server can also be a client of another server,
but a client can never be a server for another client.
In general, trusted hosts and nontrusted hosts that operate
as both server and client have parameter files that contain
both server and client keys.
Hosts that operate
only as clients have key files that contain only client keys.

 <p>The PC scheme supports only one trusted host in the group.
On trusted host alice run
<code>ntp-keygen</code>
<code>-P</code>
<code>-p</code> <kbd>password</kbd>
to generate the host key file
<span class="file">ntpkey_RSAkey_</span><kbd>alice.filestamp</kbd>
and trusted private certificate file
<span class="file">ntpkey_RSA-MD5_cert_</span><kbd>alice.filestamp</kbd>.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
On each host bob install a soft link from the generic name
<span class="file">ntpkey_host_</span><kbd>bob</kbd>
to the host key file and soft link
<span class="file">ntpkey_cert_</span><kbd>bob</kbd>
to the private certificate file.
Note the generic links are on bob, but point to files generated
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
to all other hosts in the group.

 <p>For the IFF scheme proceed as in the TC scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
generate the IFF parameter file.
On trusted host alice run
<code>ntp-keygen</code>
<code>-T</code>
<code>-I</code>
<code>-p</code> <kbd>password</kbd>
to produce her parameter file
<span class="file">ntpkey_IFFpar_</span><kbd>alice.filestamp</kbd>,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
<span class="file">ntpkey_iff_</span><kbd>alice</kbd>
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
As the IFF scheme is independent
of keys and certificates, these files can be refreshed as needed.

 <p>If a rogue client has the parameter file, it could masquerade
as a legitimate server and present a middleman threat.
To eliminate this threat, the client keys can be extracted
from the parameter file and distributed to all restricted clients.
After generating the parameter file, on alice run
<code>ntp-keygen</code>
<code>-e</code>
and pipe the output to a file or mail program.
Copy or mail this file to all restricted clients.
On these clients install a soft link from the generic
<span class="file">ntpkey_iff_</span><kbd>alice</kbd>
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
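 <p>The soft-link installation described above for a copied parameter file (the GQ and MV parameter files described next use the same generic-name convention) can be scripted on the receiving host. The following is an added example, not code from ntp-keygen or the NTP distribution; it assumes the filestamp is a decimal integer with the newest generation having the largest value, and that the file's first header line names the file, as described under Cryptographic Data Files.

```python
"""Install Autokey generic soft links for identity parameter files that
were generated on another host and copied here.

Added example, not part of ntp-keygen or NTP.  It automates the manual
step "on host bob install a soft link from ntpkey_iff_alice to
ntpkey_IFFpar_alice.<filestamp>", picking the newest generation and
refusing a file whose header does not name the file itself (a renamed
or truncated copy).
"""
import os
import re
import tempfile

# Generic link name prefix for each parameter file type (from the manual).
GENERIC_PREFIX = {
    "IFFpar": "ntpkey_iff_",
    "GQpar": "ntpkey_gq_",
    "MVpar": "ntpkey_mv_",
}

# ntpkey_<kind>_<name>.<filestamp>; name may itself contain dots (FQDN).
FILE_RE = re.compile(r"^ntpkey_(?P<kind>IFFpar|GQpar|MVpar)_(?P<name>.+)\.(?P<stamp>\d+)$")


def newest_parameter_file(keysdir, kind, name):
    """Return the file name with the largest filestamp for kind/name, or None."""
    best = None
    for entry in os.listdir(keysdir):
        m = FILE_RE.match(entry)
        if m and m.group("kind") == kind and m.group("name") == name:
            stamp = int(m.group("stamp"))          # assumption: decimal filestamp
            if best is None or stamp > best[0]:
                best = (stamp, entry)
    return best[1] if best else None


def header_names_file(path):
    """True if the first header line ('# <filename>') names the file itself."""
    with open(path) as fh:
        first = fh.readline().lstrip("#").strip()
    return first == os.path.basename(path)


def install_link(keysdir, kind, name, link_owner=None):
    """Link the generic name to the newest parameter file and return the link name.

    link_owner is the host whose generic name gets the link; for GQ the
    manual has both ntpkey_gq_alice and ntpkey_gq_bob point at alice's file.
    """
    target = newest_parameter_file(keysdir, kind, name)
    if target is None:
        raise FileNotFoundError(f"no ntpkey_{kind}_{name}.* in {keysdir}")
    if not header_names_file(os.path.join(keysdir, target)):
        raise ValueError(f"{target}: header does not match the file name")
    link = GENERIC_PREFIX[kind] + (link_owner or name)
    link_path = os.path.join(keysdir, link)
    if os.path.lexists(link_path):
        os.remove(link_path)          # replace the link of an older generation
    os.symlink(target, link_path)     # relative target, like ntp-keygen's own links
    return link


def demo():
    """Constructed fixture (no real key material): files copied to host bob."""
    keysdir = tempfile.mkdtemp()

    def write(fname, header_name=None):
        with open(os.path.join(keysdir, fname), "w") as fh:
            fh.write(f"# {header_name or fname}\n# Mon May 21 22:35:59 2018\n")

    write("ntpkey_IFFpar_alice.3735928559")          # older generation
    write("ntpkey_IFFpar_alice.3735932159")          # newer generation wins
    write("ntpkey_GQpar_alice.3735932159")
    # A renamed copy: the header still carries the original name.
    write("ntpkey_MVpar_trish.3735932159", "ntpkey_MVpar_trish.3735928559")

    result = {}
    for link in (install_link(keysdir, "IFFpar", "alice"),
                 install_link(keysdir, "GQpar", "alice"),
                 install_link(keysdir, "GQpar", "alice", link_owner="bob")):
        result[link] = os.readlink(os.path.join(keysdir, link))
    try:
        install_link(keysdir, "MVpar", "trish")
        result["renamed_mv_rejected"] = False
    except ValueError:
        result["renamed_mv_rejected"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```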

 <p>For the GQ scheme proceed as in the TC scheme to generate keys
and certificates for all group hosts, then for every trusted host
in the group, generate the GQ parameter file.
On trusted host alice run
<code>ntp-keygen</code>
<code>-T</code>
<code>-G</code>
<code>-p</code> <kbd>password</kbd>
to produce her parameter file
<span class="file">ntpkey_GQpar_</span><kbd>alice.filestamp</kbd>,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
<span class="file">ntpkey_gq_</span><kbd>alice</kbd>
to this file.
In addition, on each host bob install a soft link
from generic
<span class="file">ntpkey_gq_</span><kbd>bob</kbd>
to this file.
As the GQ scheme updates the GQ parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.

 <p>For the MV scheme, proceed as in the TC scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
On TA trish run
<code>ntp-keygen</code>
<code>-V</code> <kbd>n</kbd>
<code>-p</code> <kbd>password</kbd>,
where
<kbd>n</kbd>
is the number of revokable keys (typically 5) to produce
the parameter file
<span class="file">ntpkeys_MVpar_</span><kbd>trish.filestamp</kbd>
and client key files
<span class="file">ntpkeys_MVkeyd_</span><kbd>trish.filestamp</kbd>
where
<kbd>d</kbd>
is the key number (0 &lt;
<kbd>d</kbd>
&lt;
<kbd>n</kbd>).
Copy the parameter file to alice and install a soft link
from the generic
<span class="file">ntpkey_mv_</span><kbd>alice</kbd>
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
It doesn't matter which client key file goes to alice,
since they all work the same way.
Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
<span class="file">ntpkey_mvkey_</span><kbd>bob</kbd>
to the client key file.
As the MV scheme is independent of keys and certificates,
these files can be refreshed as needed.

<h5 class="subsubsection">Command Line Options</h5>

 <dl>
<dt><code>-c</code> <kbd>scheme</kbd><dd>Select certificate message digest/signature encryption scheme.
The
<kbd>scheme</kbd>
can be one of the following:
<code>RSA-MD2</code>, <code>RSA-MD5</code>, <code>RSA-SHA</code>, <code>RSA-SHA1</code>, <code>RSA-MDC2</code>, <code>RSA-RIPEMD160</code>, <code>DSA-SHA</code>,
or
<code>DSA-SHA1</code>.
Note that RSA schemes must be used with an RSA sign key and DSA
schemes must be used with a DSA sign key.
The default without this option is
<code>RSA-MD5</code>.
<br><dt><code>-d</code><dd>Enable debugging.
This option displays the cryptographic data produced in eye-friendly billboards.
<br><dt><code>-e</code><dd>Write the IFF client keys to the standard output.
This is intended for automatic key distribution by mail.
<br><dt><code>-G</code><dd>Generate parameters and keys for the GQ identification scheme,
obsoleting any that may exist.
<br><dt><code>-g</code><dd>Generate keys for the GQ identification scheme
using the existing GQ parameters.
If the GQ parameters do not yet exist, create them first.
<br><dt><code>-H</code><dd>Generate new host keys, obsoleting any that may exist.
<br><dt><code>-I</code><dd>Generate parameters for the IFF identification scheme,
obsoleting any that may exist.
<br><dt><code>-i</code> <kbd>name</kbd><dd>Set the subject name to
<kbd>name</kbd>.
This is used as the subject field in certificates
and in the file name for host and sign keys.
<br><dt><code>-M</code><dd>Generate MD5 keys, obsoleting any that may exist.
<br><dt><code>-P</code><dd>Generate a private certificate.
By default, the program generates public certificates.
<br><dt><code>-p</code> <kbd>password</kbd><dd>Encrypt generated files containing private data with
<kbd>password</kbd>
and the DES-CBC algorithm.
<br><dt><code>-q</code> <kbd>password</kbd><dd>Set the password for reading files to
<kbd>password</kbd>.
<br><dt><code>-S</code> <code>[RSA | DSA]</code><dd>Generate a new sign key of the designated type,
obsoleting any that may exist.
By default, the program uses the host key as the sign key.
<br><dt><code>-s</code> <kbd>name</kbd><dd>Set the issuer name to
<kbd>name</kbd>.
This is used for the issuer field in certificates
and in the file name for identity files.
<br><dt><code>-T</code><dd>Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
<br><dt><code>-V</code> <kbd>nkeys</kbd><dd>Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
</dl>

<h5 class="subsubsection">Random Seed File</h5>

<p>All cryptographically sound key generation schemes must have means
to randomize the entropy seed used to initialize
the internal pseudo-random number generator used
by the library routines.
The OpenSSL library uses a designated random seed file for this purpose.
The file must be available when starting the NTP daemon and
<code>ntp-keygen</code>
program.
If a site supports OpenSSL or its companion OpenSSH,
it is very likely that means to do this are already available.

 <p>It is important to understand that entropy must be evolved
for each generation, for otherwise the random number sequence
would be predictable.
Various means dependent on external events, such as keystroke intervals,
can be used to do this and some systems have built-in entropy sources.
Suitable means are described in the OpenSSL software documentation,
but are outside the scope of this page.

 <p>The entropy seed used by the OpenSSL library is contained in a file,
usually called
<code>.rnd</code>,
which must be available when starting the NTP daemon
or the
<code>ntp-keygen</code>
program.
The NTP daemon will first look for the file
using the path specified by the
<code>randfile</code>
subcommand of the
<code>crypto</code>
configuration command.
If not specified in this way, or when starting the
<code>ntp-keygen</code>
program,
the OpenSSL library will look for the file using the path specified
by the
<code>RANDFILE</code>
environment variable in the user home directory,
whether root or some other user.
If the
<code>RANDFILE</code>
environment variable is not present,
the library will look for the
<code>.rnd</code>
file in the user home directory.
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.

<h5 class="subsubsection">Cryptographic Data Files</h5>

<p>All other file formats begin with two lines.
The first contains the file name, including the generated host name
and filestamp.
The second contains the datestamp in conventional Unix date format.
Lines beginning with # are considered comments and ignored by the
<code>ntp-keygen</code>
program and
<code>ntpd(1ntpdmdoc)</code>
daemon.
Cryptographic values are encoded first using ASN.1 rules,
then encrypted if necessary, and finally written in PEM-encoded
printable ASCII format preceded and followed by MIME content identifier lines.

 <p>The format of the symmetric keys file is somewhat different
than the other files in the interest of backward compatibility.
Since DES-CBC is deprecated in NTPv4, the only key format of interest
is MD5 alphanumeric strings.
Following the header the keys are
entered one per line in the format
<pre class="example"> <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd>
</pre>
 <p>where
<kbd>keyno</kbd>
is a positive integer in the range 1-65,535,
<kbd>type</kbd>
is the string MD5 defining the key format and
<kbd>key</kbd>
is the key itself,
which is a printable ASCII string 16 characters or less in length.
Each character is chosen from the 93 printable characters
in the range 0x21 through 0x7f excluding space and the
#
character.

 <p>Note that the keys used by the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
programs
are checked against passwords requested by the programs
and entered by hand, so it is generally appropriate to specify these keys
in human readable ASCII format.

 <p>The
<code>ntp-keygen</code>
program generates an MD5 symmetric keys file
<span class="file">ntpkey_MD5key_</span><kbd>hostname.filestamp</kbd>.
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
The NTP daemon loads the file
<span class="file">ntp.keys</span>,
so
<code>ntp-keygen</code>
installs a soft link from this name to the generated file.
Subsequently, similar soft links must be installed by manual
or automated means on the other subnet hosts.
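 <p>Before such a copy is installed on another subnet host it can be checked against the format rules above. The following is an added example, not code from ntp-keygen or ntpd; the sample files it checks are constructed and contain no real keys, and it reads the 93 allowed characters as 0x21 through 0x7e minus the # character.

```python
"""Validate an NTP symmetric keys file (ntp.keys / ntpkey_MD5key_<host>.<filestamp>).

Added example, not part of ntp-keygen or ntpd.  It applies the rules the
manual gives: '#' lines are comments, each key line is 'keyno type key',
keyno is 1..65535, type is MD5, and the key is at most 16 printable ASCII
characters with no space and no '#'.  A hand-edited or damaged copy is
rejected here rather than when ntpd loads it.
"""

# The 93 allowed characters: printable ASCII '!'..'~' (0x21..0x7e) minus '#'.
ALLOWED = frozenset(chr(c) for c in range(0x21, 0x7F)) - {"#"}
MAX_KEY_LEN = 16


def parse_key_line(line):
    """Return (keyno, key) for one key line or raise ValueError."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 'keyno type key', got {line!r}")
    keyno_s, ktype, key = fields
    if not keyno_s.isdigit() or not 1 <= int(keyno_s) <= 65535:
        raise ValueError(f"keyno {keyno_s!r} not in 1..65535")
    if ktype != "MD5":
        raise ValueError(f"unsupported key type {ktype!r}; only MD5 is used in NTPv4")
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError(f"key for keyno {keyno_s} must be 1..{MAX_KEY_LEN} characters")
    bad = set(key) - ALLOWED
    if bad:
        raise ValueError(f"key for keyno {keyno_s} contains disallowed {sorted(bad)!r}")
    return int(keyno_s), key


def parse_keys_file(text):
    """Parse a whole keys file into {keyno: key}; a duplicate keyno is an error."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # header and comment lines
            continue
        try:
            keyno, key = parse_key_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if keyno in keys:
            raise ValueError(f"line {lineno}: duplicate keyno {keyno}")
        keys[keyno] = key
    return keys


def check_keys_file(text):
    """Return (ok, message), the verdict a pre-install check would report."""
    try:
        keys = parse_keys_file(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(keys)} MD5 key(s)"


# Constructed sample files (not real keys): a good copy and a damaged one.
GOOD_FILE = """\
# ntpkey_MD5key_alice.3735928559
# Mon May 21 22:35:59 2018
1 MD5 Tz9k$qP2m!aR7wXe
2 MD5 shortkey
# 3 MD5 commented-out
"""

BAD_FILE = """\
# ntpkey_MD5key_alice.3735928559
# Mon May 21 22:35:59 2018
1 MD5 Tz9k$qP2m!aR7wXe
70000 MD5 outofrange
"""

if __name__ == "__main__":
    print(check_keys_file(GOOD_FILE))
    print(check_keys_file(BAD_FILE))
```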
While this file is not used with the Autokey Version 2 protocol,
it is needed to authenticate some remote configuration commands
used by the
<code>ntpq(1ntpqmdoc)</code>
and
<code>ntpdc(1ntpdcmdoc)</code>
utilities.

 <p>This section was generated by <strong>AutoGen</strong>,
using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp-keygen</code> program.
This software is released under the NTP license, &lt;http://ntp.org/license&gt;.

<ul class="menu">
<li><a accesskey="1" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>: ntp-keygen help/usage (<span class="option">--help</span>)
<li><a accesskey="2" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>: imbits option (-b)
<li><a accesskey="3" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>: certificate option (-c)
<li><a accesskey="4" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>: cipher option (-C)
<li><a accesskey="5" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>: id-key option (-e)
<li><a accesskey="6" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>: gq-params option (-G)
<li><a accesskey="7" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>: host-key option (-H)
<li><a accesskey="8" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>: iffkey option (-I)
<li><a accesskey="9" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>: ident option (-i)
<li><a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>: lifetime option (-l)
<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M)
<li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m)
<li><a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>: pvt-cert option (-P)
<li><a href="#ntp_002dkeygen-password">ntp-keygen password</a>: password option (-p)
<li><a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>: export-passwd option (-q)
<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S)
<li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s)
<li><a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>: trusted-cert option (-T)
<li><a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>: mv-params option (-V)
<li><a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>: mv-keys option (-v)
<li><a href="#ntp_002dkeygen-config">ntp-keygen config</a>: presetting/configuring ntp-keygen
<li><a href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>: exit status
<li><a href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>: Usage
<li><a href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>: Notes
<li><a href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>: Bugs
</ul>

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ntp-keygen help/usage (<span class="option">--help</span>)</h4>

<p><a name="index-ntp_002dkeygen-help-3"></a>
This is the automatically generated usage text for ntp-keygen.

 <p>The text printed is the same whether selected with the <code>help</code> option
(<span class="option">--help</span>) or the <code>more-help</code> option (<span class="option">--more-help</span>). <code>more-help</code> will print
the usage text by passing it through a pager program.
<code>more-help</code> is disabled on platforms without a working
<code>fork(2)</code> function. The <code>PAGER</code> environment variable is
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.

<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p486-RC
Usage:  ntp-keygen [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
  Flg Arg Option-Name     Description
   -b Num imbits          identity modulus bits
                                - it must be in the range:
                                  256 to 2048
   -c Str certificate     certificate scheme
   -C Str cipher          privatekey cipher
   -d no  debug-level     Increase debug verbosity level
                                - may appear multiple times
   -D Num set-debug-level Set the debug verbosity level
                                - may appear multiple times
   -e no  id-key          Write IFF or GQ identity keys
   -G no  gq-params       Generate GQ parameters and keys
   -H no  host-key        generate RSA host key
   -I no  iffkey          generate IFF parameters
   -i Str ident           set Autokey group name
   -l Num lifetime        set certificate lifetime
   -M no  md5key          generate MD5 keys
   -m Num modulus         modulus
                                - it must be in the range:
                                  256 to 2048
   -P no  pvt-cert        generate PC private certificate
   -p Str password        local private password
   -q Str export-passwd   export IFF or GQ group keys with password
   -S Str sign-key        generate sign key (RSA or DSA)
   -s Str subject-name    set host and optionally group name
   -T no  trusted-cert    trusted certificate (TC scheme)
   -V Num mv-params       generate &lt;num&gt; MV parameters
   -v Num mv-keys         update &lt;num&gt; MV keys
      opt version         output version information and exit
   -? no  help            display extended usage information and exit
   -! no  more-help       extended usage information passed thru pager
   -&gt; opt save-opts       save the option state to a config file
   -&lt; Str load-opts       load options from a config file
                                - disabled as '--no-load-opts'
                                - may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.


The following option preset mechanisms are supported:
 - reading file $HOME/.ntprc
 - reading file ./.ntprc
 - examining environment variables named NTP_KEYGEN_*

Please send bug reports to:  &lt;http://bugs.ntp.org, bugs@ntp.org&gt;
</pre>
 <div class="node">
<p><hr>
<a name="ntp_002dkeygen-imbits"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">imbits option (-b)</h4>

<p><a name="index-ntp_002dkeygen_002dimbits-4"></a>
This is the “identity modulus bits” option.
This option takes a number argument <span class="file">imbits</span>.

<p class="noindent">This option has some usage constraints. It:
 <ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

 <p>The number of bits in the identity modulus. The default is 256.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-certificate"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">certificate option (-c)</h4>

<p><a name="index-ntp_002dkeygen_002dcertificate-5"></a>
This is the “certificate scheme” option.
This option takes a string argument <span class="file">scheme</span>.

<p class="noindent">This option has some usage constraints. It:
 <ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

 <p>scheme is one of
RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.

 <p>Select the certificate message digest/signature encryption scheme.
Note that RSA schemes must be used with an RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-cipher"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">cipher option (-C)</h4>

<p><a name="index-ntp_002dkeygen_002dcipher-6"></a>
This is the “privatekey cipher” option.
This option takes a string argument <span class="file">cipher</span>.

<p class="noindent">This option has some usage constraints. It:
 <ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

 <p>Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
equivalent to "<code>-C des-ede3-cbc</code>". The openssl tool lists ciphers
available in "<code>openssl -h</code>" output.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-id_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">id-key option (-e)</h4>

<p><a name="index-ntp_002dkeygen_002did_002dkey-7"></a>
This is the “write iff or gq identity keys” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Write the IFF or GQ client keys to the standard output. This is
intended for automatic key distribution by mail.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-gq_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">gq-params option (-G)</h4>

<p><a name="index-ntp_002dkeygen_002dgq_002dparams-8"></a>
This is the “generate gq parameters and keys” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate parameters and keys for the GQ identification scheme,
obsoleting any that may exist.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-host_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">host-key option (-H)</h4>

<p><a name="index-ntp_002dkeygen_002dhost_002dkey-9"></a>
This is the “generate rsa host key” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate new host keys, obsoleting any that may exist.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-iffkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">iffkey option (-I)</h4>

<p><a name="index-ntp_002dkeygen_002diffkey-10"></a>
This is the “generate iff parameters” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate parameters for the IFF identification scheme, obsoleting
any that may exist.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-ident"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ident option (-i)</h4>

<p><a name="index-ntp_002dkeygen_002dident-11"></a>
This is the “set autokey group name” option.
This option takes a string argument <span class="file">group</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Set the optional Autokey group name to <span class="file">group</span>. This is used in
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using <code>-i/--ident</code> or
using <code>-s/--subject-name</code> following an '<code>@</code>' character,
is also a part of the self-signed host certificate's subject and
issuer names in the form host
<p>'crypto ident' or 'server ident' configuration in
ntpd's configuration file.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-lifetime"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">lifetime option (-l)</h4>

<p><a name="index-ntp_002dkeygen_002dlifetime-12"></a>
This is the “set certificate lifetime” option.
This option takes a number argument <span class="file">lifetime</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Set the certificate expiration to <span class="file">lifetime</span> days from now.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-md5key"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">md5key option (-M)</h4>

<p><a name="index-ntp_002dkeygen_002dmd5key-13"></a>
This is the “generate md5 keys” option.
Generate MD5 keys, obsoleting any that may exist.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-modulus"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">modulus option (-m)</h4>

<p><a name="index-ntp_002dkeygen_002dmodulus-14"></a>
This is the “modulus” option.
This option takes a number argument <span class="file">modulus</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>The number of bits in the prime modulus. The default is 512.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-pvt_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">pvt-cert option (-P)</h4>

<p><a name="index-ntp_002dkeygen_002dpvt_002dcert-15"></a>
This is the “generate pc private certificate” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate a private certificate. By default, the program generates
public certificates.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-password"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">password option (-p)</h4>

<p><a name="index-ntp_002dkeygen_002dpassword-16"></a>
This is the “local private password” option.
This option takes a string argument <span class="file">passwd</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Local files containing private data are encrypted with the
DES-CBC algorithm and the specified password. The same password
must be specified to the local ntpd via the "<code>crypto pw password</code>"
configuration command. The default password is the local
hostname.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-export_002dpasswd"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-password">ntp-keygen password</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">export-passwd option (-q)</h4>

<p><a name="index-ntp_002dkeygen_002dexport_002dpasswd-17"></a>
This is the “export iff or gq group keys with password” option.
This option takes a string argument <span class="file">passwd</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Export IFF or GQ identity group keys to the standard output,
encrypted with the DES-CBC algorithm and the specified password.
The same password must be specified to the remote ntpd via the
"<code>crypto pw password</code>" configuration command. See also the option
<code>--id-key</code> (<code>-e</code>) for unencrypted exports.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-sign_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">sign-key option (-S)</h4>

<p><a name="index-ntp_002dkeygen_002dsign_002dkey-18"></a>
This is the “generate sign key (rsa or dsa)” option.
This option takes a string argument <span class="file">sign</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate a new sign key of the designated type, obsoleting any
that may exist. By default, the program uses the host key as the
sign key.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-subject_002dname"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">subject-name option (-s)</h4>

<p><a name="index-ntp_002dkeygen_002dsubject_002dname-19"></a>
This is the “set host and optionally group name” option.
This option takes a string argument <span class="file">host@group</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Set the Autokey host name, and optionally, group name specified
following an '<code>@</code>' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
in host
<p>fields. Specifying '-s
<p>leaving the host name unchanged while appending
<p>subject and issuer fields, as with <code>-i group</code>. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-trusted_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">trusted-cert option (-T)</h4>

<p><a name="index-ntp_002dkeygen_002dtrusted_002dcert-20"></a>
This is the “trusted certificate (tc scheme)” option.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate a trusted certificate.
By default, the program generates
a non-trusted certificate.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-mv_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">mv-params option (-V)</h4>

<p><a name="index-ntp_002dkeygen_002dmv_002dparams-21"></a>
This is the “generate &lt;num&gt; mv parameters” option.
This option takes a number argument <span class="file">num</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>Generate parameters and keys for the Mu-Varadharajan (MV)
identification scheme.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-mv_002dkeys"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-config">ntp-keygen config</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">mv-keys option (-v)</h4>

<p><a name="index-ntp_002dkeygen_002dmv_002dkeys-22"></a>
This is the “update &lt;num&gt; mv keys” option.
This option takes a number argument <span class="file">num</span>.

<p class="noindent">This option has some usage constraints. It:
<ul>
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>

<p>This option has no <span class="samp">doc</span> documentation.

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-config"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">presetting/configuring ntp-keygen</h4>

<p>Any option that is not marked as <i>not presettable</i> may be preset by
loading values from configuration ("rc" or "ini") files, and values from environment variables named <code>NTP-KEYGEN</code> and <code>NTP-KEYGEN_&lt;OPTION_NAME&gt;</code>. <code>&lt;OPTION_NAME&gt;</code> must be one of
the options listed above in upper case and segmented with underscores.
The <code>NTP-KEYGEN</code> variable will be tokenized and parsed like
the command line. The remaining variables are tested for existence and their
values are treated like option arguments.

<p class="noindent"><code>libopts</code> will search in 2 places for configuration files:
<ul>
<li>$HOME
<li>$PWD
</ul>
The environment variables <code>HOME</code>, and <code>PWD</code>
are expanded and replaced when <span class="file">ntp-keygen</span> runs.
For any of these that are plain files, they are simply processed.
For any that are directories, a file named <span class="file">.ntprc</span> is searched for
within that directory and processed.

<p>Configuration files may be in a wide variety of formats.
The basic format is an option name followed by a value (argument) on the
same line. Values may be separated from the option name with a colon,
equal sign or simply white space. Values may be continued across multiple
lines by escaping the newline with a backslash.

<p>Multiple programs may also share the same initialization file.
Common options are collected at the top, followed by program specific
segments. The segments are separated by lines like:
<pre class="example"> [NTP-KEYGEN]
</pre>
<p class="noindent">or by
<pre class="example"> &lt;?program ntp-keygen&gt;
</pre>
<p class="noindent">Do not mix these styles within one configuration file.

<p>Compound values and carefully constructed string values may also be
specified using XML syntax:
<pre class="example"> &lt;option-name&gt;
 &lt;sub-opt&gt;...&lt;...&gt;...&lt;/sub-opt&gt;
 &lt;/option-name&gt;
</pre>
<p class="noindent">yielding an <code>option-name.sub-opt</code> string value of
<pre class="example"> "...&lt;...&gt;..."
</pre>
<p><code>AutoOpts</code> does not track suboptions. You simply note that it is a
hierarchically valued option. <code>AutoOpts</code> does provide a means for searching
the associated name/value pair list (see: optionFindValue).
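<p>The search order and file format described above can be checked with the following Python script. It is an added example, not code from the manual or from the NTP project: it lists the files libopts would consult for the current user, parses the plain option/value format with <code>[NTP-KEYGEN]</code> or <code>&lt;?program ntp-keygen&gt;</code> segments and backslash continuation, and records which file each value came from, so a preset picked up from a <code>.ntprc</code> in the working directory is visible rather than silent. The XML-style compound values are not handled, and the rule that a later file overrides an earlier one for the same option is my assumption, as is the constructed sample file.

```python
"""Added example, not part of the ntp-keygen manual or the NTP sources:
locate the rc files libopts would consult and parse the option presets
they would apply to ntp-keygen, recording which file each value came from.

Assumptions (mine): only the plain "name value" format with the
[NTP-KEYGEN] / <?program ntp-keygen> segment markers is handled, not
the XML-style compound values; a later file overrides an earlier one
for the same option.
"""
import os
import re

PROGRAM = "NTP-KEYGEN"

# "[NAME]" or "<?program name>" opens a program-specific segment.
SEGMENT_RE = re.compile(r"^\s*(?:\[([^\]]+)\]|<\?program\s+([^\s>]+)\s*>)\s*$")
# option name, then ':' '=' or white space, then the (possibly empty) value
OPTION_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*(?:[:=]\s*)?(.*?)\s*$")


def config_candidates(home, pwd):
    """The places the manual lists: $HOME and $PWD themselves when they are
    plain files, otherwise a .ntprc inside each directory."""
    paths = []
    for base in (home, pwd):
        if os.path.isfile(base):
            paths.append(base)
        elif os.path.isdir(base):
            paths.append(os.path.join(base, ".ntprc"))
    return paths


def parse_presets(text, source, program=PROGRAM):
    """Parse one rc file. Returns {option: (value, source)} built from the
    common options at the top and the segments addressed to `program`."""
    presets = {}
    current = None      # None: common options before the first segment
    pending = ""        # text of backslash-continued lines collected so far
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]          # newline escaped: keep collecting
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        seg = SEGMENT_RE.match(line)
        if seg:
            current = (seg.group(1) or seg.group(2)).upper()
            continue
        if current is not None and current != program:
            continue                     # belongs to another program
        m = OPTION_RE.match(line)
        if m:
            presets[m.group(1).lower()] = (m.group(2), source)
    return presets


def collect_presets(paths, read=lambda p: open(p).read()):
    """Merge the presets of every readable candidate file, later files winning.
    The source kept with each value shows whether it came from $HOME or from
    a .ntprc in the working directory."""
    merged = {}
    for path in paths:
        try:
            text = read(path)
        except OSError:
            continue
        merged.update(parse_presets(text, path))
    return merged


# Constructed sample rc file (mine), in the "[NAME]" segment style.
SAMPLE_RC = """\
# options before the first segment apply to every program sharing the file
modulus = 512
[NTP-KEYGEN]
lifetime: 365
subject-name ntp1.example.com@example
ident \\
  example
pvt-cert
[SOME-OTHER-PROGRAM]
lifetime 7
"""

if __name__ == "__main__":
    for opt, (val, src) in sorted(parse_presets(SAMPLE_RC, "sample").items()):
        print(f"{opt:<14} {val!r:<30} from {src}")
    print(collect_presets(config_candidates(os.path.expanduser("~"), os.getcwd())))
```

<p class="noindent">Run as is, the script first prints the presets parsed from the embedded sample (the <code>lifetime 7</code> line is ignored because it sits in another program's segment) and then whatever real <code>.ntprc</code> files exist in the home and working directories.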

<p>The command line options relating to configuration and/or usage help are:

<h5 class="subsubheading">version (-)</h5>

<p>Print the program version to standard out, optionally with licensing
information, then exit 0. The optional argument specifies how much licensing
detail to provide. The default is to print just the version. The licensing information may be selected with an option argument.
Only the first letter of the argument is examined:

<dl>
<dt><span class="samp">version</span><dd>Only print the version. This is the default.
<br><dt><span class="samp">copyright</span><dd>Name the copyright usage licensing terms.
<br><dt><span class="samp">verbose</span><dd>Print the full copyright usage licensing terms.
</dl>

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-exit-status"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-config">ntp-keygen config</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ntp-keygen exit status</h4>

<p>One of the following exit values will be returned:
<dl>
<dt><span class="samp">0 (EXIT_SUCCESS)</span><dd>Successful program execution.
<br><dt><span class="samp">1 (EXIT_FAILURE)</span><dd>The operation failed or the command syntax was not valid.
<br><dt><span class="samp">66 (EX_NOINPUT)</span><dd>A specified configuration file could not be loaded.
<br><dt><span class="samp">70 (EX_SOFTWARE)</span><dd>libopts had an internal operational error. Please report
it to autogen-users@lists.sourceforge.net. Thank you.
</dl>
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-Usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ntp-keygen Usage</h4>

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-Notes"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>,
Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ntp-keygen Notes</h4>

<div class="node">
<p><hr>
<a name="ntp_002dkeygen-Bugs"></a>Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>,
Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>

<h4 class="subsection">ntp-keygen Bugs</h4>

<div class="node">
<p><hr>
<a name="Random-Seed-File"></a>Next: <a rel="next" accesskey="n" href="#Cryptographic-Data-Files">Cryptographic Data Files</a>,
Previous: <a rel="previous" accesskey="p" href="#Running-the-Program">Running the Program</a>,
Up: <a
rel="up" accesskey="u" href="#Top">Top</a>
<br>
</div>

<!-- node-name, next, previous, up -->
<h3 class="section">Random Seed File</h3>

<p>All cryptographically sound key generation schemes must have means to
randomize the entropy seed used to initialize the internal
pseudo-random number generator used by the OpenSSL library routines.
If a site supports ssh, it is very likely that means to do this are
already available.
The entropy seed used by the OpenSSL library is contained in a file,
usually called <code>.rnd</code>, which must be available when
starting the <code>ntp-keygen</code> program or <code>ntpd</code> daemon.

<p>The OpenSSL library looks for the file using the path specified by the
<code>RANDFILE</code> environment variable in the user home directory, whether root
or some other user.
If the <code>RANDFILE</code> environment variable is not
present, the library looks for the <code>.rnd</code> file in the user home
directory.
Since both the <code>ntp-keygen</code> program and <code>ntpd</code> daemon must run
as root, the logical place to put this file is in <code>/.rnd</code> or
<code>/root/.rnd</code>.
If the file is not available or cannot be written, the program exits
with a message to the system log.
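<p>A pre-flight check for the seed file, written as an added example rather than taken from the manual or from the NTP project, resolves the path the same way the paragraph above describes (<code>RANDFILE</code> if set, otherwise <code>.rnd</code> in the home directory) and reports the conditions under which <code>ntp-keygen</code> or <code>ntpd</code> would refuse to start. The expectations that the file be non-empty and not readable or writable by group or others are my own checks, not rules stated in the manual; the <code>demo()</code> function builds a good and a bad seed file in a scratch directory so the script runs without touching a real home directory.

```python
"""Added example, not from the ntp-keygen manual or the NTP sources:
pre-flight check for the OpenSSL random seed file that ntp-keygen and
ntpd need at start-up.

Assumptions (mine): the seed file is located the way the manual
describes ($RANDFILE, else .rnd in the home directory); the permission
and size expectations are my checks, not rules the manual states.
"""
import os
import stat
import tempfile


def randfile_path(environ, home):
    """Where OpenSSL will look: $RANDFILE if set, otherwise $HOME/.rnd."""
    return environ.get("RANDFILE") or os.path.join(home, ".rnd")


def seed_file_findings(path):
    """Return a list of problems with the seed file; empty means it looks usable."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (ntp-keygen/ntpd would exit with a log message)"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_size == 0:
        findings.append(f"{path}: empty, carries no entropy")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is "
                        "readable or writable by group or others")
    if not os.access(path, os.R_OK | os.W_OK):
        findings.append(f"{path}: not readable and writable by the current user")
    return findings


def demo():
    """Build a good and a bad seed file in a scratch directory and check both.
    Returns (findings_for_good, findings_for_bad)."""
    with tempfile.TemporaryDirectory() as home:
        good = os.path.join(home, ".rnd")
        with open(good, "wb") as f:
            f.write(os.urandom(1024))    # constructed seed content
        os.chmod(good, 0o600)
        bad = os.path.join(home, "shared.rnd")
        open(bad, "wb").close()          # empty ...
        os.chmod(bad, 0o644)             # ... and world-readable
        good_findings = seed_file_findings(randfile_path({}, home))
        bad_findings = seed_file_findings(randfile_path({"RANDFILE": bad}, home))
    return good_findings, bad_findings


if __name__ == "__main__":
    # Check the real seed file for the current user, then the constructed demo.
    real = randfile_path(os.environ, os.path.expanduser("~"))
    print(real, seed_file_findings(real) or "looks usable")
    print(demo())
```

<p class="noindent">On a host where <code>ntpd</code> runs as root the path to check is normally <code>/root/.rnd</code>, as the manual says; running the script as that user (so that <code>os.access</code> reflects the daemon's own permissions) gives the most faithful answer.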

<div class="node">
<p><hr>
<a name="Cryptographic-Data-Files"></a>Previous: <a rel="previous" accesskey="p" href="#Random-Seed-File">Random Seed File</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<br>
</div>

<!-- node-name, next, previous, up -->
<h3 class="section">Cryptographic Data Files</h3>

<p>File and link names are in the form <code>ntpkey_key_name.fstamp</code>,
where <code>key</code> is the key or parameter type,
<code>name</code> is the host or group name and
<code>fstamp</code> is the filestamp (NTP seconds) when the file was created.
By convention, key names in generated file names include both upper and
lower case characters, while key names in generated link names include
only lower case characters. The filestamp is not used in generated link
names.

<p>The key name is a string defining the cryptographic key type.
Key types include public/private keys host and sign, certificate cert
and several challenge/response key types.
By convention, client files used for
challenges have a par subtype, as in the IFF challenge IFFpar, while
server files for responses have a key subtype, as in the GQ response
GQkey.

<p>All files begin with two nonencrypted lines. The first line contains
the file name in the format <code>ntpkey_key_host.fstamp</code>.
The second line contains the datestamp in conventional Unix date format.
Lines beginning with <code>#</code> are ignored.
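<p>The naming convention and two-line header just described, together with the symmetric keys file layout shown in Figure 1 below and the field rules that follow it, can be checked with the following Python script. It is an added example, not code from the manual or from the NTP project. It decodes a generated file name into key type, host or group name and creation time (the filestamp is NTP seconds, counted from 1900, so the Unix epoch offset of 2208988800 seconds is subtracted), validates each key line (identifier in 1..65534, key type, MD5 key as printable ASCII, other types as 40 hex digits, optional FIPS 140-2 restriction to SHA/SHA1) and flags a keys file whose mode grants access to group or others. Two points are my assumptions: the MD5 key length bound is a parameter defaulting to 20, because the keys in Figure 1 are 20 characters long while the text gives 16, and the duplicate-identifier check is mine. The sample is the figure's header plus a few of its key lines, followed by three malformed lines I constructed.

```python
"""Added example, not from the ntp-keygen manual or the NTP sources: decode
generated cryptographic data file names and validate a symmetric keys file
(ntp.keys) before it is distributed to other hosts.

Assumptions (mine): the MD5 key length bound is a parameter, default 20,
since the keys in Figure 1 are 20 characters long while the text says 16;
non-MD5 key types are checked as 40 hex digits as the text describes for
OpenSSL keys; the duplicate-id check is my addition.
"""
import datetime
import re
import stat

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_KEY_ID = 65534

# ntpkey_<key>_<name>.<fstamp>; <name> may itself contain dots (hms.local),
# so the filestamp is whatever follows the last dot.
FILENAME_RE = re.compile(r"^ntpkey_([A-Za-z0-9]+)_(.+)\.(\d+)$")
HEX40_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_keyfile_name(name):
    """Return (key_type, host_or_group, creation_time_utc) for a generated name."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not an ntpkey file name: {name!r}")
    fstamp = int(m.group(3))
    when = datetime.datetime.fromtimestamp(fstamp - NTP_UNIX_OFFSET,
                                           tz=datetime.timezone.utc)
    return m.group(1), m.group(2), when


def parse_key_line(line, max_md5_len=20, fips=False):
    """Validate '<id> <type> <key> [# comment]'; return (id, type, key) or raise."""
    fields = line.split(None, 2)
    if len(fields) < 3:
        raise ValueError("expected '<id> <type> <key>'")
    keyid_s, keytype, rest = fields
    if not keyid_s.isdigit() or not 1 <= int(keyid_s) <= MAX_KEY_ID:
        raise ValueError(f"key id {keyid_s!r} not in 1..{MAX_KEY_ID}")
    if fips and keytype not in ("SHA", "SHA1"):
        raise ValueError(f"key type {keytype} not allowed under FIPS 140-2")
    # the key runs up to white space or '#'; anything after is a comment
    key = re.split(r"[\s#]", rest, maxsplit=1)[0]
    if keytype == "MD5":
        if not key or len(key) > max_md5_len or not all(33 <= ord(c) <= 126 for c in key):
            raise ValueError(f"MD5 key must be 1..{max_md5_len} printable ASCII characters")
    elif not HEX40_RE.match(key):
        raise ValueError(f"{keytype} key must be 40 hex digits")
    return int(keyid_s), keytype, key


def validate_keys_file(text, **opts):
    """Check a whole keys file. Returns the decoded header (from a leading
    '# ntpkey_...' line, if present), the accepted keys and the problems."""
    keys, problems, header = {}, [], None
    lines = text.splitlines()
    if lines and lines[0].startswith("# ntpkey_"):
        header = parse_keyfile_name(lines[0][2:].strip())
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # comments and blank lines are ignored
        try:
            keyid, keytype, key = parse_key_line(line, **opts)
        except ValueError as e:
            problems.append((lineno, str(e)))
            continue
        if keyid in keys:                  # my check: one key per identifier
            problems.append((lineno, f"duplicate key id {keyid}"))
            continue
        keys[keyid] = (keytype, key)
    return {"header": header, "keys": keys, "problems": problems}


def mode_problems(st_mode):
    """The manual wants the file visible only to root: flag group/other bits."""
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"mode {stat.S_IMODE(st_mode):04o} grants access to group or others"]
    return []


# Constructed sample: the header and five key lines copied from Figure 1,
# followed by three deliberately malformed lines of my own.
SAMPLE_KEYS_FILE = r'''# ntpkey_MD5key_hms.local.3564038757
# Sun Dec 9 02:45:57 2012
1 MD5 "]!ghT%O;3)WJ,/Nc:>I # MD5 key
4 MD5 |fdZrf0sF~^V # MD5 key
9 MD5 T!c4UT&`(m$+m+B6,`Q0 # MD5 key
11 SHA1 6dea311109529e436c2b4fccae9bc753c16d1b48 # SHA1 key
12 SHA1 7076f373d86c4848c59ff8046e49cb7d614ec394 # SHA1 key
0 MD5 badid # key id out of range (constructed)
13 SHA1 5f48b1b60591eb01b7cf1d33b7774f08d20262d # 39 hex digits (constructed)
1 MD5 duplicate # reuses key id 1 (constructed)
'''

if __name__ == "__main__":
    result = validate_keys_file(SAMPLE_KEYS_FILE)
    print("header:", result["header"])
    print("accepted key ids:", sorted(result["keys"]))
    for lineno, msg in result["problems"]:
        print(f"line {lineno}: {msg}")
```

<p class="noindent">Decoding the figure's header name gives a creation time of 2012-12-09 10:45:57 UTC, which agrees with the figure's local datestamp of 02:45:57 in a UTC-8 zone. To check a real file, read it into <code>validate_keys_file</code> and pass <code>os.stat(path).st_mode</code> to <code>mode_problems</code>.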

<p>The remainder of the file contains cryptographic data encoded first
using ASN.1 rules, then encrypted using the DES-CBC algorithm with
given password and finally written in PEM-encoded printable ASCII text
preceded and followed by MIME content identifier lines.

<p>The format of the symmetric keys file, ordinarily named <code>ntp.keys</code>,
is somewhat different from the other files in the interest of backward
compatibility.
Ordinarily, the file is generated by this program, but
it can be constructed and edited using an ordinary text editor.

<pre class="example"> # ntpkey_MD5key_hms.local.3564038757
 # Sun Dec 9 02:45:57 2012

 1 MD5 "]!ghT%O;3)WJ,/Nc:&gt;I # MD5 key
 2 MD5 lu+H^tF46BKR-6~pV_5 # MD5 key
 3 MD5 :lnoVsE%Yz*avh%EtNC # MD5 key
 4 MD5 |fdZrf0sF~^V # MD5 key
 5 MD5 IyAG&gt;O"y"LmCRS!*bHC # MD5 key
 6 MD5 "&gt;e\A # MD5 key
 7 MD5 c9x=M'CfLxax9v)PV-si # MD5 key
 8 MD5 E|=jvFVov?Bn|Ev=&amp;aK\ # MD5 key
 9 MD5 T!c4UT&amp;`(m$+m+B6,`Q0 # MD5 key
 10 MD5 JVF/1=)=IFbHbJQz..Cd # MD5 key
 11 SHA1 6dea311109529e436c2b4fccae9bc753c16d1b48 # SHA1 key
 12 SHA1 7076f373d86c4848c59ff8046e49cb7d614ec394 # SHA1 key
 13 SHA1 5f48b1b60591eb01b7cf1d33b7774f08d20262d3 # SHA1 key
 14 SHA1 eed5ab9d9497319ec60cf3781d52607e76720178 # SHA1 key
 15 SHA1 f283562611a04c964da8126296f5f8e58c3f85de # SHA1 key
 16 SHA1 1930da171297dd63549af50b29449de17dcf341f # SHA1 key
 17 SHA1 fee892110358cd4382322b889869e750db8e8a8f # SHA1 key
 18 SHA1 b5520c9fadd7ad3fd8bfa061c8821b65d029bb37 # SHA1 key
 19 SHA1 8c74fb440ec80f453ec6aaa62b9baed0ab723b92 # SHA1 key
 20 SHA1 6bc05f734306a189326000970c19b3910f403795 # SHA1 key
</pre>
<p>Figure 1. Typical Symmetric Key File

<p>Figure 1 shows a typical symmetric keys file used by the reference
implementation.
Each line of the file contains three fields, first an
integer between 1 and 65534, inclusive, representing the key identifier
used in the server and peer configuration commands.
Next is the key type for the message digest algorithm,
which in the absence of the
OpenSSL library must be MD5 to designate the MD5 message digest
algorithm.
If the OpenSSL library is installed, the key type can be any
message digest algorithm supported by that library.
However, if
compatibility with FIPS 140-2 is required, the key type must be either
SHA or SHA1.
The key type can be changed using an ASCII text editor.

<p>An MD5 key consists of a printable ASCII string less than or equal to
16 characters and terminated by whitespace or a # character.
An OpenSSL
key consists of a hex-encoded ASCII string of 40 characters, which is
truncated as necessary.

<p>Note that the keys used by the <code>ntpq</code> and <code>ntpdc</code> programs are
checked against passwords requested by the programs and entered by hand,
so it
is generally appropriate to specify these keys in human readable ASCII
format.

<p>The <code>ntp-keygen</code> program generates an MD5 symmetric keys file
<code>ntpkey_MD5key_hostname.filestamp</code>.
Since the file contains private
shared keys, it should be visible only to root and distributed by
secure means to other subnet hosts.
The NTP daemon loads the file <code>ntp.keys</code>, so <code>ntp-keygen</code>
installs a soft link from this name to the generated file.
Subsequently, similar soft links must be installed by
manual or automated means on the other subnet hosts.
While this file is
not used with the Autokey Version 2 protocol, it is needed to
authenticate some remote configuration commands used by the <code>ntpq</code> and
<code>ntpdc</code> utilities.

</body></html>