.\" $FreeBSD: src/usr.sbin/ntp/doc/ntp-genkeys.8,v 1.4 2003/01/01 18:49:02 schweikh Exp $
.Dd August 2, 2001
.Dt NTP_GENKEYS 8
.Os
.Sh NAME
.Nm ntp-genkeys
.Nd generate public and private keys
.Sh SYNOPSIS
.Nm
.Op Fl dfhlnt
.Op Fl c Ar conffile
.Op Fl g Ar target
.Op Fl k Ar keyfile
.Sh DESCRIPTION
The
.Nm
utility generates random keys used by either or both the NTPv3/NTPv4
symmetric key or the NTPv4 public key (Autokey) cryptographic
authentication schemes.
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl c Ar conffile
Location of
.Xr ntp.conf 8
file.
.It Fl d
Enable debug messages (can be used multiple times).
.It Fl f
Force installation of generated keys.
.It Fl g Ar target
Generate file or files indicated by the characters in the
.Ar target
string:
.Bl -tag -width X
.It Li d
Generate D-H parameter file.
.It Li m
Generate MD5 key file.
.It Li r
Generate RSA keys.
.El
.It Fl h
Build keys here (current directory).
Implies
.Fl l .
.It Fl k Ar keyfile
Location of key file.
.It Fl l
Do not make the symlinks.
.It Fl n
Do not actually do anything, just say what would be done.
.It Fl t
Trash the (old) files at the end of symlink.
.El

.Pp
By default the program generates the
.Xr ntp.keys 5
file containing 16 random symmetric keys.
In addition, if the rsaref20 package is configured for the software build,
the program generates cryptographic values used by the Autokey scheme.
These values are incorporated as a set of three files,
.Pa ntpkey
containing the RSA private key,
.Pa ntpkey_ Ns Ar host
containing the RSA public key, where
.Ar host
is the DNS name of the generating machine, and
.Pa ntpkey_dh
containing the parameters for the Diffie-Hellman key-agreement algorithm.
All files are in printable ASCII format.
A timestamp in NTP seconds is appended to each.
Since the algorithms are seeded by the system clock, each run of this
program produces a different file and file name.

.Pp
The
.Xr ntp.keys 5
file contains 16 MD5 keys.
Each key consists of 16 characters randomized over the ASCII 95-character
printing subset.
The file is read by the daemon at the location specified by the
.Ic keys
configuration file command and made visible only to root.
An additional key consisting of an easily remembered password should be
added by hand for use with the
.Xr ntpq 8
and
.Xr ntpdc 8
programs.
The file must be distributed by secure means to other servers and clients
sharing the same security compartment.
While the key identifiers for MD5 and DES keys must be in the range
1-65534, inclusive, the
.Nm
utility uses only the identifiers from 1 to 16.
The key identifier for each association is specified as the
.Ar key
argument in the
.Ic server
or
.Ic peer
configuration file command.
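As an added example (not ntp-genkeys' own code), the following Python builds an ntp.keys-style file the way this section describes it, using a CSPRNG for the 16 keys, and checks such a file before it is installed: key identifiers inside 1-65534, no duplicate identifiers, printable keys, and a mode that makes the file visible only to its owner. Assumptions not taken from this page: the "keyno type key" line layout with type M for MD5 comes from ntp.keys(5); the host and datestamp header lines are written as comments; the key alphabet leaves out space and '#' so the line stays parseable.

```python
# Added example (not ntp-genkeys' own code): build an ntp.keys(5)-style file
# as this page describes it, then check one before installing it.
import os
import secrets
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
# Printable ASCII without space and '#': space would break the whitespace-
# separated line and '#' would start a comment (assumption, narrower than the
# 95-character set named on the page).
KEY_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F) if chr(c) != "#")
KEY_ID_MIN, KEY_ID_MAX = 1, 65534  # identifier range the page gives for MD5/DES keys


def ntp_seconds(unix_time=None):
    """Time as NTP seconds (seconds since 1900), the page's datestamp unit."""
    t = time.time() if unix_time is None else unix_time
    return int(t) + NTP_EPOCH_OFFSET


def make_key(length=16):
    """One symmetric key of `length` printable characters drawn from a CSPRNG."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def write_keys_file(path, host, nkeys=16, now=None):
    """Write keys 1..nkeys in the 'keyno type key' layout of ntp.keys(5)
    (type M = MD5, assumption) after a two-line header (generating host,
    datestamp), both written as comments (assumption). The file is created
    mode 0600 because the daemon expects it visible only to root."""
    stamp = ntp_seconds(now)
    lines = [f"# {host}", f"# {stamp}"]
    lines += [f"{keyno} M {make_key()}" for keyno in range(1, nkeys + 1)]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # the umask may have cleared bits; be explicit
    return stamp


def check_keys_file(path):
    """Return a list of problems found in an ntp.keys-style file (empty = OK)."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"mode {mode:o}: file readable by group/other")
    seen = set()
    with open(path) as f:
        for n, raw in enumerate(f, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # header and comment lines are ignored by the daemon
            parts = line.split(None, 2)
            if len(parts) != 3:
                problems.append(f"line {n}: expected 'keyno type key'")
                continue
            keyno_s, ktype, key = parts
            if not keyno_s.isdigit() or not KEY_ID_MIN <= int(keyno_s) <= KEY_ID_MAX:
                problems.append(f"line {n}: key id {keyno_s!r} outside {KEY_ID_MIN}-{KEY_ID_MAX}")
            elif int(keyno_s) in seen:
                problems.append(f"line {n}: duplicate key id {keyno_s}")
            else:
                seen.add(int(keyno_s))
            if ktype != "M":
                problems.append(f"line {n}: unexpected key type {ktype!r}")
            if any(ord(ch) < 0x21 or ord(ch) > 0x7E for ch in key):
                problems.append(f"line {n}: key contains a non-printable character")
    return problems
```

The check is meant to run on the file before it is copied to the location named by the keys command, so that a world-readable file or an out-of-range identifier is caught on the generating host rather than by the daemon.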

.Pp
The
.Pa ntpkey
file contains the RSA private key.
It is read by the daemon at the location specified by the
.Ar privatekey
argument of the
.Ic crypto
configuration file command and made visible only to root.
This file is useful only to the machine that generated it and is never
shared with any other daemon or application program.
.Pp
The
.Pa ntpkey_ Ns Ar host
file contains the RSA public key, where
.Ar host
is the DNS name of the host that generated it.
The file is read by the daemon at the location specified by the
.Ar publickey
argument to the
.Ic server
or
.Ic peer
configuration file command.
This file can be widely distributed and stored without using secure means,
since the data are public values.
.Pp
The
.Pa ntpkey_dh
file contains two Diffie-Hellman parameters: the prime modulus and the
generator.
The file is read by the daemon at the location specified by the
.Ar dhparams
argument of the
.Ic crypto
configuration file command.
The file can be distributed by insecure means to other servers and clients
sharing the same key agreement compartment, since the data are public values.

.Pp
The file formats begin with two lines, the first containing the generating
system DNS name and the second the datestamp.
Lines beginning with
.Ql #
are considered comments and ignored by the daemon.
In the
.Xr ntp.keys 5
file, the next 16 lines contain the MD5 keys in order.
If necessary, this file can be further customized by an ordinary text editor.
The format is described in the following section.
In the
.Pa ntpkey
and
.Pa ntpkey_ Ns Ar host
files, the next line contains the modulus length in bits followed by the
key as a PEM encoded string.
In the
.Pa ntpkey_dh
file, the next line contains the prime length in bytes followed by the
prime as a PEM encoded string, and the next and final line contains the
generator length in bytes followed by the generator as a PEM encoded string.
```
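As an added example (not ntp-genkeys' or ntpd's own code), the following Python parses a file in the ntpkey_dh layout described above and sanity-checks it before the daemon's dhparams argument is pointed at it. Because the page says this file may travel by insecure means, the consumer-side check is the useful part: the stated byte lengths must match the decoded values, the modulus must actually be prime, and the generator must lie in 2..p-2. Assumptions not taken from this page: the length and the PEM text sit on one whitespace-separated line and the PEM body is plain base64; the sample file and its small modulus 2^127 - 1 are constructed here; the Miller-Rabin test with fixed bases is deterministic only below about 3.3e24 and a heuristic above that.

```python
# Added example (not ntp-genkeys' or ntpd's own code): parse an ntpkey_dh-style
# parameter file as this page describes it and sanity-check the values.
import base64

# Constructed sample in the page's layout: host line, datestamp line, a comment,
# then "<prime length in bytes> <prime>" and "<generator length> <generator>".
# 2^127 - 1 is used only because it is small and known to be prime; a real
# file carries a far larger modulus. (Assumption: length and base64 text are
# separated by whitespace on one line.)
SAMPLE_PRIME = (1 << 127) - 1
PRIME_B64 = base64.b64encode(SAMPLE_PRIME.to_bytes(16, "big")).decode()
GEN_B64 = base64.b64encode(bytes([2])).decode()
SAMPLE_DH_FILE = "\n".join([
    "# ntp1.example.test",
    "# 3294672000",
    "# constructed sample, not a real parameter file",
    f"16 {PRIME_B64}",
    f"1 {GEN_B64}",
])


def parse_value_lines(text):
    """Return (host, datestamp, [(stated_length, raw_bytes), ...]).
    The first two lines are the host name and datestamp header the page
    describes (accepted with or without a leading '#'); other '#' lines are
    comments; each remaining line is '<length> <base64 value>'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2:
        raise ValueError("missing host/datestamp header")
    host, stamp = lines[0].lstrip("# ").strip(), lines[1].lstrip("# ").strip()
    values = []
    for line in lines[2:]:
        if line.startswith("#"):
            continue
        length_s, _, b64 = line.partition(" ")
        if not length_s.isdigit() or not b64:
            raise ValueError(f"malformed value line: {line!r}")
        values.append((int(length_s), base64.b64decode(b64, validate=True)))
    return host, stamp, values


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: deterministic for n < 3.3e24 and a
    strong heuristic above that (assumption: adequate for a file sanity check)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: a witnesses compositeness
    return True


def check_dh_file(text, min_bits=0):
    """Parse an ntpkey_dh-style file and return a list of problems (empty = OK)."""
    problems = []
    host, stamp, values = parse_value_lines(text)
    if not stamp.isdigit():
        problems.append(f"datestamp {stamp!r} is not NTP seconds")
    if len(values) != 2:
        return problems + [f"expected prime and generator lines, got {len(values)}"]
    (p_len, p_raw), (g_len, g_raw) = values
    for name, stated, raw in (("prime", p_len, p_raw), ("generator", g_len, g_raw)):
        if stated != len(raw):
            problems.append(f"{name}: stated {stated} bytes, decoded {len(raw)}")
    p = int.from_bytes(p_raw, "big")
    g = int.from_bytes(g_raw, "big")
    if p.bit_length() < min_bits:
        problems.append(f"prime has only {p.bit_length()} bits (< {min_bits})")
    if not is_probable_prime(p):
        problems.append("prime modulus is not prime")
    if not 2 <= g <= p - 2:
        problems.append(f"generator {g} outside 2..p-2")
    return problems
```

Calling check_dh_file with a min_bits value appropriate for the deployment turns a too-short modulus into a reported problem rather than a silently accepted parameter file.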

.Pp
Note: See the file
.Pa ./source/rsaref.h
in the rsaref20 package for explanation of return values, if necessary.
.Sh SEE ALSO
.Xr ntp.keys 5 ,
.Xr ntpdc 8 ,
.Xr ntpq 8
.Sh BUGS
It can take quite a while to generate the RSA public/private key pair and
Diffie-Hellman parameters, from a few seconds on a modern workstation to
several minutes on older machines.