ntp-keygen.html revision 293650
1144411Sscottl<html lang="en"> 2247443Sdelphij<head> 3247443Sdelphij<title>Ntp-keygen User's Manual</title> 4144411Sscottl<meta http-equiv="Content-Type" content="text/html"> 5210358Sdelphij<meta name="description" content="Ntp-keygen User's Manual"> 6144411Sscottl<meta name="generator" content="makeinfo 4.7"> 7247443Sdelphij<link title="Top" rel="top" href="#Top"> 8247443Sdelphij<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage"> 9247443Sdelphij<meta http-equiv="Content-Style-Type" content="text/css"> 10247443Sdelphij<style type="text/css"><!-- 11247443Sdelphij pre.display { font-family:inherit } 12165155Sscottl pre.format { font-family:inherit } 13144411Sscottl pre.smalldisplay { font-family:inherit; font-size:smaller } 14144411Sscottl pre.smallformat { font-family:inherit; font-size:smaller } 15144411Sscottl pre.smallexample { font-size:smaller } 16144411Sscottl pre.smalllisp { font-size:smaller } 17144411Sscottl span.sc { font-variant:small-caps } 18144411Sscottl span.roman { font-family: serif; font-weight: normal; } 19144411Sscottl--></style> 20144411Sscottl</head> 21144411Sscottl<body> 22144411Sscottl<h1 class="settitle">Ntp-keygen User's Manual</h1> 23144411Sscottl <div class="shortcontents"> 24144411Sscottl<h2>Short Contents</h2> 25144411Sscottl<ul> 26144411Sscottl<a href="#Top">Top</a> 27144411Sscottl<a href="#Top">NTP Key Generation Program User Manual</a> 28144411Sscottl</ul> 29144411Sscottl</div> 30144411Sscottl 31144411Sscottl 32144411Sscottl 33144411Sscottl<div class="node"> 34144411Sscottl<p><hr> 35165155Sscottl<a name="Top"></a>Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> 36144411Sscottl<br> 37215234Sdelphij</div> 38215234Sdelphij 39215234Sdelphij<h2 class="unnumbered">Top</h2> 40215234Sdelphij 41215234Sdelphij<ul class="menu"> 42215234Sdelphij<li><a accesskey="1" href="#Description">Description</a> 43215234Sdelphij<li><a accesskey="2" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>: Invoking ntp-keygen 44244406Sdelphij<li><a accesskey="3" href="#Running-the-Program">Running the Program</a> 45215234Sdelphij<li><a accesskey="4" href="#Random-Seed-File">Random Seed File</a> 46220403Sdelphij<li><a accesskey="5" href="#Cryptographic-Data-Files">Cryptographic Data Files</a> 47215234Sdelphij</ul> 48215234Sdelphij 49215234Sdelphij<div class="node"> 50215234Sdelphij<p><hr> 51215234Sdelphij<a name="Top"></a>Next: <a rel="next" accesskey="n" href="#Description">Description</a>, 52244406SdelphijPrevious: <a rel="previous" accesskey="p" href="#dir">(dir)</a>, 53240079SdelphijUp: <a rel="up" accesskey="u" href="#dir">(dir)</a> 54144411Sscottl<br> 55144411Sscottl</div> 56144411Sscottl 57144411Sscottl<h2 class="unnumbered">NTP Key Generation Program User Manual</h2> 58174451Sscottl 59144411Sscottl<p>This document describes the use of the NTP Project's <code>ntp-keygen</code> 60144411Sscottlprogram, that generates cryptographic data files used by the NTPv4 61174451Sscottlauthentication and identity schemes. 62144411SscottlIt can generate message digest keys used in symmetric key cryptography and, 63165155Sscottlif the OpenSSL software 64174451Sscottllibrary has been installed, it can generate host keys, sign keys, 65165155Sscottlcertificates, and identity keys and parameters used by the Autokey 66165155Sscottlpublic key cryptography. 67165155SscottlThe message digest keys file is generated in a 68165155Sscottlformat compatible with NTPv3. 69165155SscottlAll other files are in PEM-encoded 70244406Sdelphijprintable ASCII format so they can be embedded as MIME attachments in 71244406Sdelphijmail to other sites. 72244406Sdelphij 73244406Sdelphij <p>This document applies to version 4.2.8p5 of <code>ntp-keygen</code>. 74244406Sdelphij 75244406Sdelphij<div class="node"> 76244406Sdelphij<p><hr> 77244406Sdelphij<a name="Description"></a>Next: <a rel="next" accesskey="n" href="#Running-the-Program">Running the Program</a>, 78244406SdelphijPrevious: <a rel="previous" accesskey="p" href="#Top">Top</a>, 79244406SdelphijUp: <a rel="up" accesskey="u" href="#Top">Top</a> 80244406Sdelphij<br> 81244406Sdelphij</div> 82244406Sdelphij 83244406Sdelphij<!-- node-name, next, previous, up --> 84244406Sdelphij<h3 class="section">Description</h3> 85244406Sdelphij 86244406Sdelphij<p>This program generates cryptographic data files used by the NTPv4 87244406Sdelphijauthentication and identity schemes. It can generate message digest 88244406Sdelphijkeys used in symmetric key cryptography and, if the OpenSSL software 89144411Sscottllibrary has been installed, it can generate host keys, sign keys, 90144411Sscottlcertificates, and identity keys and parameters used by the Autokey 91144411Sscottlpublic key cryptography. The message digest keys file is generated in a 92144411Sscottlformat compatible with NTPv3. All other files are in PEM-encoded 93144411Sscottlprintable ASCII format so they can be embedded as MIME attachments in 94215234Sdelphijmail to other sites. 95215234Sdelphij 96215234Sdelphij <p>When used to generate message digest keys, the program produces a file 97215234Sdelphijcontaining ten pseudo-random printable ASCII strings suitable for the 98215234SdelphijMD5 message digest algorithm included in the distribution. 99215234SdelphijIf the 100215234SdelphijOpenSSL library is installed, it produces an additional ten hex-encoded 101215234Sdelphijrandom bit strings suitable for the SHA1 and other message digest 102215234Sdelphijalgorithms. 103210358SdelphijThe message digest keys file must be distributed and stored 104244406Sdelphijusing secure means beyond the scope of NTP itself. 105215234SdelphijBesides the keys 106210358Sdelphijused for ordinary NTP associations, additional keys can be defined as 107215234Sdelphijpasswords for the ntpq and ntpdc utility programs. 108215234Sdelphij 109215234Sdelphij <p>The remaining generated files are compatible with other OpenSSL 110215234Sdelphijapplications and other Public Key Infrastructure (PKI) resources. 111215234SdelphijCertificates generated by this program are compatible with extant 112215234Sdelphijindustry practice, although some users might find the interpretation of 113215234SdelphijX509v3 extension fields somewhat liberal. 114215234SdelphijHowever, the identity keys 115215234Sdelphijare probably not compatible with anything other than Autokey. 116215234Sdelphij 117210358Sdelphij <p>Some files used by this program are encrypted using a private password. 118144411SscottlThe <code>-p</code> option specifies the password for local encrypted files and the 119240079Sdelphij<code>-q</code> option the password for encrypted files sent to remote sites. 120240079SdelphijIf no password is specified, the host name returned by the Unix 121240079Sdelphij<code>gethostname()</code> function, normally the DNS name of the host, is used. 122240079Sdelphij 123240079Sdelphij <p>The <kbd>pw</kbd> option of the <code>crypto</code> configuration command 124240079Sdelphijspecifies the read password for previously encrypted local files. 125240079SdelphijThis must match the local password used by this program. 126215234SdelphijIf not specified, the host name is used. 127215234SdelphijThus, if files are generated by this program without password, 128215234Sdelphijthey can be read back by ntpd without password, but only on the same 129215234Sdelphijhost. 130215234Sdelphij 131215234Sdelphij <p>Normally, encrypted files for each host are generated by that host and 132215234Sdelphijused only by that host, although exceptions exist as noted later on 133215234Sdelphijthis page. 134210358SdelphijThe symmetric keys file, normally called <code>ntp.keys</code>, is 135240079Sdelphijusually installed in <code>/etc</code>. 136244406SdelphijOther files and links are usually installed 137215234Sdelphijin <code>/usr/local/etc</code>, which is normally in a shared filesystem in 138210358SdelphijNFS-mounted networks and cannot be changed by shared clients. 139240079SdelphijThe location of the keys directory can be changed by the keysdir 140215234Sdelphijconfiguration command in such cases. 141215234SdelphijNormally, this is in <code>/etc</code>. 142215234Sdelphij 143215234Sdelphij <p>This program directs commentary and error messages to the standard 144215234Sdelphijerror stream <code>stderr</code> and remote files to the standard output stream 145215234Sdelphij<code>stdout</code> where they can be piped to other applications or redirected to 146215234Sdelphijfiles. 147215234SdelphijThe names used for generated files and links all begin with the 148215234Sdelphijstring <code>ntpkey</code> and include the file type, 149215234Sdelphijgenerating host and filestamp, 150210358Sdelphijas described in the <a href="#Cryptographic-Data-Files">Cryptographic Data Files</a> section below. 151240079Sdelphij 152144411Sscottl<div class="node"> 153165155Sscottl<p><hr> 154165155Sscottl<a name="Running-the-Program"></a>Next: <a rel="next" accesskey="n" href="#Random-Seed-File">Random Seed File</a>, 155165155SscottlPrevious: <a rel="previous" accesskey="p" href="#Description">Description</a>, 156165155SscottlUp: <a rel="up" accesskey="u" href="#Top">Top</a> 157165155Sscottl<br> 158215234Sdelphij</div> 159215234Sdelphij 160215234Sdelphij<!-- node-name, next, previous, up --> 161215234Sdelphij<h3 class="section">Running the Program</h3> 162215234Sdelphij 163215234Sdelphij<p>To test and gain experience with Autokey concepts, log in as root and 164144411Sscottlchange to the keys directory, usually <code>/usr/local/etc</code>. 165144411SscottlWhen run for the 166144411Sscottlfirst time, or if all files with names beginning <code>ntpkey</code>] have been 167144411Sscottlremoved, use the <code>ntp-keygen</code> command without arguments to generate a 168144411Sscottldefault RSA host key and matching RSA-MD5 certificate with expiration 169215234Sdelphijdate one year hence. 170215234SdelphijIf run again without options, the program uses the 171215234Sdelphijexisting keys and parameters and generates only a new certificate with 172215234Sdelphijnew expiration date one year hence. 173144411Sscottl 174144411Sscottl <p>Run the command on as many hosts as necessary. 175144411SscottlDesignate one of them as the trusted host (TH) using <code>ntp-keygen</code> 176144411Sscottlwith the <code>-T</code> option and configure 177144411Sscottlit to synchronize from reliable Internet servers. 178215234SdelphijThen configure the other hosts to synchronize to the TH directly or indirectly. 179215234SdelphijA certificate trail is created when Autokey asks the immediately 180215234Sdelphijascendant host towards the TH to sign its certificate, which is then 181215234Sdelphijprovided to the immediately descendant host on request. 182165155SscottlAll group hosts should have acyclic certificate trails ending on the TH. 183165155Sscottl 184144411Sscottl <p>The host key is used to encrypt the cookie when required and so must be 185244406SdelphijRSA type. 186244406SdelphijBy default, the host key is also the sign key used to encrypt signatures. 187244406SdelphijA different sign key can be assigned using the <code>-S</code> option 188244406Sdelphijand this can be either RSA or DSA type. 189244406SdelphijBy default, the signature 190244406Sdelphijmessage digest type is MD5, but any combination of sign key type and 191165155Sscottlmessage digest type supported by the OpenSSL library can be specified 192244406Sdelphijusing the <code>-c</code> option. 193165155Sscottl 194144411Sscottl <p>The rules say cryptographic media should be generated with proventic 195210358Sdelphijfilestamps, which means the host should already be synchronized before 196210358Sdelphijthis program is run. 197210358SdelphijThis of course creates a chicken-and-egg problem 198210358Sdelphijwhen the host is started for the first time. 199210358SdelphijAccordingly, the host time 200210358Sdelphijshould be set by some other means, such as eyeball-and-wristwatch, at 201210358Sdelphijleast so that the certificate lifetime is within the current year. 202210358SdelphijAfter that and when the host is synchronized to a proventic source, the 203210358Sdelphijcertificate should be re-generated. 204210358Sdelphij 205210358Sdelphij <p>Additional information on trusted groups and identity schemes is on the 206210358SdelphijAutokey Public-Key Authentication page. 207210358Sdelphij 208210358Sdelphij<div class="node"> 209210358Sdelphij<p><hr> 210210358Sdelphij<a name="ntp_002dkeygen-Invocation"></a> 211210358Sdelphij<br> 212144411Sscottl</div> 213144411Sscottl 214144411Sscottl<h3 class="section">Invoking ntp-keygen</h3> 215144411Sscottl 216144411Sscottl<p><a name="index-ntp_002dkeygen-1"></a><a name="index-Create-a-NTP-host-key-2"></a> 217144411Sscottl 218144411Sscottl <p>This program generates cryptographic data files used by the NTPv4 219144411Sscottlauthentication and identification schemes. 220144411SscottlIt generates MD5 key files used in symmetric key cryptography. 221144411SscottlIn addition, if the OpenSSL software library has been installed, 222144411Sscottlit generates keys, certificate and identity files used in public key 223210358Sdelphijcryptography. 224144411SscottlThese files are used for cookie encryption, 225144411Sscottldigital signature and challenge/response identification algorithms 226210358Sdelphijcompatible with the Internet standard security infrastructure. 227144411Sscottl 228144411Sscottl <p>All files are in PEM-encoded printable ASCII format, 229144411Sscottlso they can be embedded as MIME attachments in mail to other sites 230144411Sscottland certificate authorities. 231144411SscottlBy default, files are not encrypted. 232144411Sscottl 233165155Sscottl <p>When used to generate message digest keys, the program produces a file 234144411Sscottlcontaining ten pseudo-random printable ASCII strings suitable for the 235165155SscottlMD5 message digest algorithm included in the distribution. 236165155SscottlIf the OpenSSL library is installed, it produces an additional ten 237165155Sscottlhex-encoded random bit strings suitable for the SHA1 and other message 238165155Sscottldigest algorithms. 239244406SdelphijThe message digest keys file must be distributed and stored 240165155Sscottlusing secure means beyond the scope of NTP itself. 241165155SscottlBesides the keys used for ordinary NTP associations, additional keys 242144411Sscottlcan be defined as passwords for the 243165155Sscottl<code>ntpq(1ntpqmdoc)</code> 244165155Sscottland 245165155Sscottl<code>ntpdc(1ntpdcmdoc)</code> 246165155Sscottlutility programs. 247165155Sscottl 248165155Sscottl <p>The remaining generated files are compatible with other OpenSSL 249165155Sscottlapplications and other Public Key Infrastructure (PKI) resources. 250165155SscottlCertificates generated by this program are compatible with extant 251165155Sscottlindustry practice, although some users might find the interpretation of 252210358SdelphijX509v3 extension fields somewhat liberal. 253144411SscottlHowever, the identity keys are probably not compatible with anything 254215234Sdelphijother than Autokey. 255215234Sdelphij 256215234Sdelphij <p>Some files used by this program are encrypted using a private password. 257210358SdelphijThe 258144411Sscottl<code>-p</code> 259174451Sscottloption specifies the password for local encrypted files and the 260244406Sdelphij<code>-q</code> 261244406Sdelphijoption the password for encrypted files sent to remote sites. 262244406SdelphijIf no password is specified, the host name returned by the Unix 263244406Sdelphij<code>gethostname()</code> 264244406Sdelphijfunction, normally the DNS name of the host is used. 265244406Sdelphij 266244406Sdelphij <p>The 267244406Sdelphij<kbd>pw</kbd> 268244406Sdelphijoption of the 269244406Sdelphij<kbd>crypto</kbd> 270244406Sdelphijconfiguration command specifies the read 271244406Sdelphijpassword for previously encrypted local files. 272244406SdelphijThis must match the local password used by this program. 273244406SdelphijIf not specified, the host name is used. 274244406SdelphijThus, if files are generated by this program without password, 275244406Sdelphijthey can be read back by 276244406Sdelphij<kbd>ntpd</kbd> 277244406Sdelphijwithout password but only on the same host. 278244406Sdelphij 279244406Sdelphij <p>Normally, encrypted files for each host are generated by that host and 280244406Sdelphijused only by that host, although exceptions exist as noted later on 281244406Sdelphijthis page. 282244406SdelphijThe symmetric keys file, normally called 283244406Sdelphij<kbd>ntp.keys</kbd>, 284244406Sdelphijis usually installed in 285244406Sdelphij<span class="file">/etc</span>. 286244406SdelphijOther files and links are usually installed in 287244406Sdelphij<span class="file">/usr/local/etc</span>, 288244406Sdelphijwhich is normally in a shared filesystem in 289244406SdelphijNFS-mounted networks and cannot be changed by shared clients. 290244406SdelphijThe location of the keys directory can be changed by the 291244406Sdelphij<kbd>keysdir</kbd> 292244406Sdelphijconfiguration command in such cases. 293244406SdelphijNormally, this is in 294174451Sscottl<span class="file">/etc</span>. 295174451Sscottl 296174451Sscottl <p>This program directs commentary and error messages to the standard 297174451Sscottlerror stream 298174451Sscottl<kbd>stderr</kbd> 299174451Sscottland remote files to the standard output stream 300174451Sscottl<kbd>stdout</kbd> 301174451Sscottlwhere they can be piped to other applications or redirected to files. 302210358SdelphijThe names used for generated files and links all begin with the 303174451Sscottlstring 304174451Sscottl<kbd>ntpkey</kbd> 305174451Sscottland include the file type, generating host and filestamp, 306174451Sscottlas described in the 307174451SscottlCryptographic Data Files 308174451Sscottlsection below. 309174451Sscottl 310174451Sscottl<h5 class="subsubsection">Running the Program</h5> 311174451Sscottl 312174451Sscottl<p>To test and gain experience with Autokey concepts, log in as root and 313174451Sscottlchange to the keys directory, usually 314174451Sscottl<span class="file">/usr/local/etc</span> 315174451SscottlWhen run for the first time, or if all files with names beginning with 316174451Sscottl<kbd>ntpkey</kbd> 317174451Sscottlhave been removed, use the 318174451Sscottl<code>ntp-keygen</code> 319174451Sscottlcommand without arguments to generate a 320174451Sscottldefault RSA host key and matching RSA-MD5 certificate with expiration 321174451Sscottldate one year hence. 322174451SscottlIf run again without options, the program uses the 323174451Sscottlexisting keys and parameters and generates only a new certificate with 324174451Sscottlnew expiration date one year hence. 325174451Sscottl 326174451Sscottl <p>Run the command on as many hosts as necessary. 327174451SscottlDesignate one of them as the trusted host (TH) using 328174451Sscottl<code>ntp-keygen</code> 329174451Sscottlwith the 330174451Sscottl<code>-T</code> 331174451Sscottloption and configure it to synchronize from reliable Internet servers. 332174451SscottlThen configure the other hosts to synchronize to the TH directly or 333174451Sscottlindirectly. 334174451SscottlA certificate trail is created when Autokey asks the immediately 335174451Sscottlascendant host towards the TH to sign its certificate, which is then 336174451Sscottlprovided to the immediately descendant host on request. 337174451SscottlAll group hosts should have acyclic certificate trails ending on the TH. 338174451Sscottl 339210358Sdelphij <p>The host key is used to encrypt the cookie when required and so must be 340210358SdelphijRSA type. 341210358SdelphijBy default, the host key is also the sign key used to encrypt 342210358Sdelphijsignatures. 343210358SdelphijA different sign key can be assigned using the 344210358Sdelphij<code>-S</code> 345210358Sdelphijoption and this can be either RSA or DSA type. 346210358SdelphijBy default, the signature 347210358Sdelphijmessage digest type is MD5, but any combination of sign key type and 348210358Sdelphijmessage digest type supported by the OpenSSL library can be specified 349210358Sdelphijusing the 350210358Sdelphij<code>-c</code> 351210358Sdelphijoption. 352210358SdelphijThe rules say cryptographic media should be generated with proventic 353210358Sdelphijfilestamps, which means the host should already be synchronized before 354210358Sdelphijthis program is run. 355210358SdelphijThis of course creates a chicken-and-egg problem 356210358Sdelphijwhen the host is started for the first time. 357210358SdelphijAccordingly, the host time 358210358Sdelphijshould be set by some other means, such as eyeball-and-wristwatch, at 359210358Sdelphijleast so that the certificate lifetime is within the current year. 360210358SdelphijAfter that and when the host is synchronized to a proventic source, the 361210358Sdelphijcertificate should be re-generated. 362210358Sdelphij 363210358Sdelphij <p>Additional information on trusted groups and identity schemes is on the 364210358SdelphijAutokey Public-Key Authentication 365210358Sdelphijpage. 366210358Sdelphij 367210358Sdelphij <p>The 368210358Sdelphij<code>ntpd(1ntpdmdoc)</code> 369210358Sdelphijconfiguration command 370210358Sdelphij<code>crypto</code> <code>pw</code> <kbd>password</kbd> 371210358Sdelphijspecifies the read password for previously encrypted files. 372210358SdelphijThe daemon expires on the spot if the password is missing 373210358Sdelphijor incorrect. 374210358SdelphijFor convenience, if a file has been previously encrypted, 375210358Sdelphijthe default read password is the name of the host running 376210358Sdelphijthe program. 377210358SdelphijIf the previous write password is specified as the host name, 378210358Sdelphijthese files can be read by that host with no explicit password. 379210358Sdelphij 380210358Sdelphij <p>File names begin with the prefix 381210358Sdelphij<code>ntpkey_</code> 382210358Sdelphijand end with the postfix 383210358Sdelphij<kbd>_hostname.filestamp</kbd>, 384210358Sdelphijwhere 385210358Sdelphij<kbd>hostname</kbd> 386244406Sdelphijis the owner name, usually the string returned 387244406Sdelphijby the Unix gethostname() routine, and 388210358Sdelphij<kbd>filestamp</kbd> 389210358Sdelphijis the NTP seconds when the file was generated, in decimal digits. 390244406SdelphijThis both guarantees uniqueness and simplifies maintenance 391244406Sdelphijprocedures, since all files can be quickly removed 392244406Sdelphijby a 393244406Sdelphij<code>rm</code> <code>ntpkey*</code> 394244406Sdelphijcommand or all files generated 395244406Sdelphijat a specific time can be removed by a 396244406Sdelphij<code>rm</code> 397244406Sdelphij<kbd>*filestamp</kbd> 398244406Sdelphijcommand. 399244406SdelphijTo further reduce the risk of misconfiguration, 400244406Sdelphijthe first two lines of a file contain the file name 401244406Sdelphijand generation date and time as comments. 402244406Sdelphij 403244406Sdelphij <p>All files are installed by default in the keys directory 404244406Sdelphij<span class="file">/usr/local/etc</span>, 405244406Sdelphijwhich is normally in a shared filesystem 406244406Sdelphijin NFS-mounted networks. 407244406SdelphijThe actual location of the keys directory 408244406Sdelphijand each file can be overridden by configuration commands, 409244406Sdelphijbut this is not recommended. 410244406SdelphijNormally, the files for each host are generated by that host 411244406Sdelphijand used only by that host, although exceptions exist 412244406Sdelphijas noted later on this page. 413244406Sdelphij 414244406Sdelphij <p>Normally, files containing private values, 415244406Sdelphijincluding the host key, sign key and identification parameters, 416244406Sdelphijare permitted root read/write-only; 417244406Sdelphijwhile others containing public values are permitted world readable. 418244406SdelphijAlternatively, files containing private values can be encrypted 419244406Sdelphijand these files permitted world readable, 420244406Sdelphijwhich simplifies maintenance in shared file systems. 421244406SdelphijSince uniqueness is insured by the hostname and 422244406Sdelphijfile name extensions, the files for a NFS server and 423244406Sdelphijdependent clients can all be installed in the same shared directory. 424244406Sdelphij 425244406Sdelphij <p>The recommended practice is to keep the file name extensions 426244406Sdelphijwhen installing a file and to install a soft link 427244406Sdelphijfrom the generic names specified elsewhere on this page 428244406Sdelphijto the generated files. 429244406SdelphijThis allows new file generations to be activated simply 430244406Sdelphijby changing the link. 431244406SdelphijIf a link is present, ntpd follows it to the file name 432244406Sdelphijto extract the filestamp. 433244406SdelphijIf a link is not present, 434244406Sdelphij<code>ntpd(1ntpdmdoc)</code> 435244406Sdelphijextracts the filestamp from the file itself. 436244406SdelphijThis allows clients to verify that the file and generation times 437244406Sdelphijare always current. 438244406SdelphijThe 439244406Sdelphij<code>ntp-keygen</code> 440244406Sdelphijprogram uses the same timestamp extension for all files generated 441244406Sdelphijat one time, so each generation is distinct and can be readily 442244406Sdelphijrecognized in monitoring data. 443244406Sdelphij 444244406Sdelphij<h5 class="subsubsection">Running the program</h5> 445244406Sdelphij 446244406Sdelphij<p>The safest way to run the 447244406Sdelphij<code>ntp-keygen</code> 448244406Sdelphijprogram is logged in directly as root. 449244406SdelphijThe recommended procedure is change to the keys directory, 450244406Sdelphijusually 451244406Sdelphij<span class="file">/usr/local/etc</span>, 452244406Sdelphijthen run the program. 453244406SdelphijWhen run for the first time, 454244406Sdelphijor if all 455244406Sdelphij<code>ntpkey</code> 456244406Sdelphijfiles have been removed, 457244406Sdelphijthe program generates a RSA host key file and matching RSA-MD5 certificate file, 458244406Sdelphijwhich is all that is necessary in many cases. 459244406SdelphijThe program also generates soft links from the generic names 460244406Sdelphijto the respective files. 461244406SdelphijIf run again, the program uses the same host key file, 462244406Sdelphijbut generates a new certificate file and link. 463244406Sdelphij 464244406Sdelphij <p>The host key is used to encrypt the cookie when required and so must be RSA type. 465244406SdelphijBy default, the host key is also the sign key used to encrypt signatures. 466244406SdelphijWhen necessary, a different sign key can be specified and this can be 467244406Sdelphijeither RSA or DSA type. 468244406SdelphijBy default, the message digest type is MD5, but any combination 469244406Sdelphijof sign key type and message digest type supported by the OpenSSL library 470244406Sdelphijcan be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 471244406Sdelphijand RIPE160 message digest algorithms. 472244406SdelphijHowever, the scheme specified in the certificate must be compatible 473244406Sdelphijwith the sign key. 474244406SdelphijCertificates using any digest algorithm are compatible with RSA sign keys; 475244406Sdelphijhowever, only SHA and SHA1 certificates are compatible with DSA sign keys. 476244406Sdelphij 477244406Sdelphij <p>Private/public key files and certificates are compatible with 478244406Sdelphijother OpenSSL applications and very likely other libraries as well. 479244406SdelphijCertificates or certificate requests derived from them should be compatible 480244406Sdelphijwith extant industry practice, although some users might find 481244406Sdelphijthe interpretation of X509v3 extension fields somewhat liberal. 482244406SdelphijHowever, the identification parameter files, although encoded 483244406Sdelphijas the other files, are probably not compatible with anything other than Autokey. 484244406Sdelphij 485244406Sdelphij <p>Running the program as other than root and using the Unix 486244406Sdelphij<code>su</code> 487244406Sdelphijcommand 488244406Sdelphijto assume root may not work properly, since by default the OpenSSL library 489244406Sdelphijlooks for the random seed file 490244406Sdelphij<code>.rnd</code> 491244406Sdelphijin the user home directory. 492244406SdelphijHowever, there should be only one 493244406Sdelphij<code>.rnd</code>, 494244406Sdelphijmost conveniently 495244406Sdelphijin the root directory, so it is convenient to define the 496244406Sdelphij<code>$RANDFILE</code> 497244406Sdelphijenvironment variable used by the OpenSSL library as the path to 498244406Sdelphij<code>/.rnd</code>. 499244406Sdelphij 500244406Sdelphij <p>Installing the keys as root might not work in NFS-mounted 501244406Sdelphijshared file systems, as NFS clients may not be able to write 502244406Sdelphijto the shared keys directory, even as root. 503244406SdelphijIn this case, NFS clients can specify the files in another 504244406Sdelphijdirectory such as 505244406Sdelphij<span class="file">/etc</span> 506244406Sdelphijusing the 507244406Sdelphij<code>keysdir</code> 508244406Sdelphijcommand. 509244406SdelphijThere is no need for one client to read the keys and certificates 510244406Sdelphijof other clients or servers, as these data are obtained automatically 511244406Sdelphijby the Autokey protocol. 512244406Sdelphij 513244406Sdelphij <p>Ordinarily, cryptographic files are generated by the host that uses them, 514244406Sdelphijbut it is possible for a trusted agent (TA) to generate these files 515244406Sdelphijfor other hosts; however, in such cases files should always be encrypted. 516244406SdelphijThe subject name and trusted name default to the hostname 517244406Sdelphijof the host generating the files, but can be changed by command line options. 518244406SdelphijIt is convenient to designate the owner name and trusted name 519244406Sdelphijas the subject and issuer fields, respectively, of the certificate. 520244406SdelphijThe owner name is also used for the host and sign key files, 521244406Sdelphijwhile the trusted name is used for the identity files. 522244406Sdelphij 523244406Sdelphij <p>All files are installed by default in the keys directory 524244406Sdelphij<span class="file">/usr/local/etc</span>, 525244406Sdelphijwhich is normally in a shared filesystem 526244406Sdelphijin NFS-mounted networks. 527244406SdelphijThe actual location of the keys directory 528244406Sdelphijand each file can be overridden by configuration commands, 529244406Sdelphijbut this is not recommended. 530244406SdelphijNormally, the files for each host are generated by that host 531244406Sdelphijand used only by that host, although exceptions exist 532244406Sdelphijas noted later on this page. 533244406Sdelphij 534244406Sdelphij <p>Normally, files containing private values, 535244406Sdelphijincluding the host key, sign key and identification parameters, 536244406Sdelphijare permitted root read/write-only; 537244406Sdelphijwhile others containing public values are permitted world readable. 538244406SdelphijAlternatively, files containing private values can be encrypted 539244406Sdelphijand these files permitted world readable, 540244406Sdelphijwhich simplifies maintenance in shared file systems. 541244406SdelphijSince uniqueness is insured by the hostname and 542244406Sdelphijfile name extensions, the files for a NFS server and 543244406Sdelphijdependent clients can all be installed in the same shared directory. 544244406Sdelphij 545244406Sdelphij <p>The recommended practice is to keep the file name extensions 546244406Sdelphijwhen installing a file and to install a soft link 547244406Sdelphijfrom the generic names specified elsewhere on this page 548244406Sdelphijto the generated files. 549244406SdelphijThis allows new file generations to be activated simply 550244406Sdelphijby changing the link. 551244406SdelphijIf a link is present, ntpd follows it to the file name 552244406Sdelphijto extract the filestamp. 553244406SdelphijIf a link is not present, 554244406Sdelphij<code>ntpd(1ntpdmdoc)</code> 555244406Sdelphijextracts the filestamp from the file itself. 556244406SdelphijThis allows clients to verify that the file and generation times 557244406Sdelphijare always current. 558244406SdelphijThe 559244406Sdelphij<code>ntp-keygen</code> 560244406Sdelphijprogram uses the same timestamp extension for all files generated 561244406Sdelphijat one time, so each generation is distinct and can be readily 562244406Sdelphijrecognized in monitoring data. 563244406Sdelphij 564244406Sdelphij<h5 class="subsubsection">Running the program</h5> 565244406Sdelphij 566244406Sdelphij<p>The safest way to run the 567244406Sdelphij<code>ntp-keygen</code> 568244406Sdelphijprogram is logged in directly as root. 569244406SdelphijThe recommended procedure is change to the keys directory, 570244406Sdelphijusually 571244406Sdelphij<span class="file">/usr/local/etc</span>, 572244406Sdelphijthen run the program. 573244406SdelphijWhen run for the first time, 574244406Sdelphijor if all 575244406Sdelphij<code>ntpkey</code> 576244406Sdelphijfiles have been removed, 577244406Sdelphijthe program generates a RSA host key file and matching RSA-MD5 certificate file, 578244406Sdelphijwhich is all that is necessary in many cases. 579244406SdelphijThe program also generates soft links from the generic names 580244406Sdelphijto the respective files. 581244406SdelphijIf run again, the program uses the same host key file, 582244406Sdelphijbut generates a new certificate file and link. 583244406Sdelphij 584244406Sdelphij <p>The host key is used to encrypt the cookie when required and so must be RSA type. 585244406SdelphijBy default, the host key is also the sign key used to encrypt signatures. 586244406SdelphijWhen necessary, a different sign key can be specified and this can be 587244406Sdelphijeither RSA or DSA type. 588244406SdelphijBy default, the message digest type is MD5, but any combination 589244406Sdelphijof sign key type and message digest type supported by the OpenSSL library 590244406Sdelphijcan be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 591244406Sdelphijand RIPE160 message digest algorithms. 592244406SdelphijHowever, the scheme specified in the certificate must be compatible 593244406Sdelphijwith the sign key. 594244406SdelphijCertificates using any digest algorithm are compatible with RSA sign keys; 595244406Sdelphijhowever, only SHA and SHA1 certificates are compatible with DSA sign keys. 596244406Sdelphij 597244406Sdelphij <p>Private/public key files and certificates are compatible with 598244406Sdelphijother OpenSSL applications and very likely other libraries as well. 599244406SdelphijCertificates or certificate requests derived from them should be compatible 600244406Sdelphijwith extant industry practice, although some users might find 601244406Sdelphijthe interpretation of X509v3 extension fields somewhat liberal. 602244406SdelphijHowever, the identification parameter files, although encoded 603244406Sdelphijas the other files, are probably not compatible with anything other than Autokey. 604244406Sdelphij 605244406Sdelphij <p>Running the program as other than root and using the Unix 606244406Sdelphij<code>su</code> 607244406Sdelphijcommand 608244406Sdelphijto assume root may not work properly, since by default the OpenSSL library 609244406Sdelphijlooks for the random seed file 610244406Sdelphij<code>.rnd</code> 611244406Sdelphijin the user home directory. 612244406SdelphijHowever, there should be only one 613244406Sdelphij<code>.rnd</code>, 614244406Sdelphijmost conveniently 615244406Sdelphijin the root directory, so it is convenient to define the 616244406Sdelphij<code>$RANDFILE</code> 617244406Sdelphijenvironment variable used by the OpenSSL library as the path to 618244406Sdelphij<code>/.rnd</code>. 619244406Sdelphij 620244406Sdelphij <p>Installing the keys as root might not work in NFS-mounted 621244406Sdelphijshared file systems, as NFS clients may not be able to write 622244406Sdelphijto the shared keys directory, even as root. 623244406SdelphijIn this case, NFS clients can specify the files in another 624244406Sdelphijdirectory such as 625244406Sdelphij<span class="file">/etc</span> 626244406Sdelphijusing the 627244406Sdelphij<code>keysdir</code> 628244406Sdelphijcommand. 629244406SdelphijThere is no need for one client to read the keys and certificates 630244406Sdelphijof other clients or servers, as these data are obtained automatically 631244406Sdelphijby the Autokey protocol. 632244406Sdelphij 633244406Sdelphij <p>Ordinarily, cryptographic files are generated by the host that uses them, 634244406Sdelphijbut it is possible for a trusted agent (TA) to generate these files 635244406Sdelphijfor other hosts; however, in such cases files should always be encrypted. 636244406SdelphijThe subject name and trusted name default to the hostname 637244406Sdelphijof the host generating the files, but can be changed by command line options. 638244406SdelphijIt is convenient to designate the owner name and trusted name 639244406Sdelphijas the subject and issuer fields, respectively, of the certificate. 640244406SdelphijThe owner name is also used for the host and sign key files, 641244406Sdelphijwhile the trusted name is used for the identity files. 642244406Sdelphijseconds. 643244406Sdelphijseconds. 644244406Sdelphij 645244406Sdelphij <p>s Trusted Hosts and Groups 646244406SdelphijEach cryptographic configuration involves selection of a signature scheme 647244406Sdelphijand identification scheme, called a cryptotype, 648244406Sdelphijas explained in the 649244406Sdelphij<a href="#Authentication-Options">Authentication Options</a> 650244406Sdelphijsection of 651244406Sdelphij<code>ntp.conf(5)</code>. 652244406SdelphijThe default cryptotype uses RSA encryption, MD5 message digest 653244406Sdelphijand TC identification. 654244406SdelphijFirst, configure a NTP subnet including one or more low-stratum 655244406Sdelphijtrusted hosts from which all other hosts derive synchronization 656244406Sdelphijdirectly or indirectly. 657244406SdelphijTrusted hosts have trusted certificates; 658244406Sdelphijall other hosts have nontrusted certificates. 659244406SdelphijThese hosts will automatically and dynamically build authoritative 660244406Sdelphijcertificate trails to one or more trusted hosts. 661244406SdelphijA trusted group is the set of all hosts that have, directly or indirectly, 662244406Sdelphija certificate trail ending at a trusted host. 663244406SdelphijThe trail is defined by static configuration file entries 664244406Sdelphijor dynamic means described on the 665244406Sdelphij<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a> 666244406Sdelphijsection of 667244406Sdelphij<code>ntp.conf(5)</code>. 668244406Sdelphij 669244406Sdelphij <p>On each trusted host as root, change to the keys directory. 670244406SdelphijTo insure a fresh fileset, remove all 671244406Sdelphij<code>ntpkey</code> 672244406Sdelphijfiles. 673244406SdelphijThen run 674244406Sdelphij<code>ntp-keygen</code> 675244406Sdelphij<code>-T</code> 676244406Sdelphijto generate keys and a trusted certificate. 677244406SdelphijOn all other hosts do the same, but leave off the 678244406Sdelphij<code>-T</code> 679244406Sdelphijflag to generate keys and nontrusted certificates. 680244406SdelphijWhen complete, start the NTP daemons beginning at the lowest stratum 681244406Sdelphijand working up the tree. 682244406SdelphijIt may take some time for Autokey to instantiate the certificate trails 683244406Sdelphijthroughout the subnet, but setting up the environment is completely automatic. 684144411Sscottl 685144411Sscottl <p>If it is necessary to use a different sign key or different digest/signature 686144411Sscottlscheme than the default, run 687144411Sscottl<code>ntp-keygen</code> 688144411Sscottlwith the 689144411Sscottl<code>-S</code> <kbd>type</kbd> 690144411Sscottloption, where 691144411Sscottl<kbd>type</kbd> 692144411Sscottlis either 693144411Sscottl<code>RSA</code> 694144411Sscottlor 695144411Sscottl<code>DSA</code>. 696144411SscottlThe most often need to do this is when a DSA-signed certificate is used. 697144411SscottlIf it is necessary to use a different certificate scheme than the default, 698144411Sscottlrun 699144411Sscottl<code>ntp-keygen</code> 700144411Sscottlwith the 701144411Sscottl<code>-c</code> <kbd>scheme</kbd> 702144411Sscottloption and selected 703144411Sscottl<kbd>scheme</kbd> 704174451Sscottlas needed. 705174451Sscottlf 706144411Sscottl<code>ntp-keygen</code> 707144411Sscottlis run again without these options, it generates a new certificate 708165155Sscottlusing the same scheme and sign key. 709144411Sscottl 710144411Sscottl <p>After setting up the environment it is advisable to update certificates 711144411Sscottlfrom time to time, if only to extend the validity interval. 712144411SscottlSimply run 713165155Sscottl<code>ntp-keygen</code> 714144411Sscottlwith the same flags as before to generate new certificates 715144411Sscottlusing existing keys. 716144411SscottlHowever, if the host or sign key is changed, 717144411Sscottl<code>ntpd(1ntpdmdoc)</code> 718144411Sscottlshould be restarted. 719144411SscottlWhen 720144411Sscottl<code>ntpd(1ntpdmdoc)</code> 721144411Sscottlis restarted, it loads any new files and restarts the protocol. 722144411SscottlOther dependent hosts will continue as usual until signatures are refreshed, 723144411Sscottlat which time the protocol is restarted. 724144411Sscottl 725144411Sscottl<h5 class="subsubsection">Identity Schemes</h5> 726144411Sscottl 727144411Sscottl<p>As mentioned on the Autonomous Authentication page, 728144411Sscottlthe default TC identity scheme is vulnerable to a middleman attack. 729144411SscottlHowever, there are more secure identity schemes available, 730144411Sscottlincluding PC, IFF, GQ and MV described on the 731144411Sscottl"Identification Schemes" 732144411Sscottlpage 733144411Sscottl(maybe available at 734144411Sscottl<code>http://www.eecis.udel.edu/%7emills/keygen.html</code>). 735144411SscottlThese schemes are based on a TA, one or more trusted hosts 736144411Sscottland some number of nontrusted hosts. 737144411SscottlTrusted hosts prove identity using values provided by the TA, 738144411Sscottlwhile the remaining hosts prove identity using values provided 739144411Sscottlby a trusted host and certificate trails that end on that host. 740144411SscottlThe name of a trusted host is also the name of its sugroup 741144411Sscottland also the subject and issuer name on its trusted certificate. 742144411SscottlThe TA is not necessarily a trusted host in this sense, but often is. 743144411Sscottl 744174451Sscottl <p>In some schemes there are separate keys for servers and clients. 745165155SscottlA server can also be a client of another server, 746165155Sscottlbut a client can never be a server for another client. 747165155SscottlIn general, trusted hosts and nontrusted hosts that operate 748165155Sscottlas both server and client have parameter files that contain 749165155Sscottlboth server and client keys. 750165155SscottlHosts that operate 751165155Sscottlonly as clients have key files that contain only client keys. 752165155Sscottl 753174451Sscottl <p>The PC scheme supports only one trusted host in the group. 754174451SscottlOn trusted host alice run 755174451Sscottl<code>ntp-keygen</code> 756174451Sscottl<code>-P</code> 757165155Sscottl<code>-p</code> <kbd>password</kbd> 758144411Sscottlto generate the host key file 759144411Sscottl<span class="file">ntpkey_RSAkey_</span><kbd>alice.filestamp</kbd> 760144411Sscottland trusted private certificate file 761144411Sscottl<span class="file">ntpkey_RSA-MD5_cert_</span><kbd>alice.filestamp</kbd>. 762144411SscottlCopy both files to all group hosts; 763144411Sscottlthey replace the files which would be generated in other schemes. 764174451SscottlOn each host bob install a soft link from the generic name 765174451Sscottl<span class="file">ntpkey_host_</span><kbd>bob</kbd> 766174451Sscottlto the host key file and soft link 767174451Sscottl<span class="file">ntpkey_cert_</span><kbd>bob</kbd> 768174451Sscottlto the private certificate file. 769174451SscottlNote the generic links are on bob, but point to files generated 770174451Sscottlby trusted host alice. 771174451SscottlIn this scheme it is not possible to refresh 772174451Sscottleither the keys or certificates without copying them 773210358Sdelphijto all other hosts in the group. 774210358Sdelphij 775210358Sdelphij <p>For the IFF scheme proceed as in the TC scheme to generate keys 776210358Sdelphijand certificates for all group hosts, then for every trusted host in the group, 777210358Sdelphijgenerate the IFF parameter file. 778210358SdelphijOn trusted host alice run 779210358Sdelphij<code>ntp-keygen</code> 780210358Sdelphij<code>-T</code> 781210358Sdelphij<code>-I</code> 782210358Sdelphij<code>-p</code> <kbd>password</kbd> 783210358Sdelphijto produce her parameter file 784210358Sdelphij<span class="file">ntpkey_IFFpar_</span><kbd>alice.filestamp</kbd>, 785210358Sdelphijwhich includes both server and client keys. 786210358SdelphijCopy this file to all group hosts that operate as both servers 787210358Sdelphijand clients and install a soft link from the generic 788210358Sdelphij<span class="file">ntpkey_iff_</span><kbd>alice</kbd> 789210358Sdelphijto this file. 790210358SdelphijIf there are no hosts restricted to operate only as clients, 791210358Sdelphijthere is nothing further to do. 792210358SdelphijAs the IFF scheme is independent 793210358Sdelphijof keys and certificates, these files can be refreshed as needed. 794210358Sdelphij 795210358Sdelphij <p>If a rogue client has the parameter file, it could masquerade 796210358Sdelphijas a legitimate server and present a middleman threat. 797210358SdelphijTo eliminate this threat, the client keys can be extracted 798210358Sdelphijfrom the parameter file and distributed to all restricted clients. 799210358SdelphijAfter generating the parameter file, on alice run 800210358Sdelphij<code>ntp-keygen</code> 801210358Sdelphij<code>-e</code> 802210358Sdelphijand pipe the output to a file or mail program. 803210358SdelphijCopy or mail this file to all restricted clients. 804210358SdelphijOn these clients install a soft link from the generic 805210358Sdelphij<span class="file">ntpkey_iff_</span><kbd>alice</kbd> 806210358Sdelphijto this file. 807210358SdelphijTo further protect the integrity of the keys, 808210358Sdelphijeach file can be encrypted with a secret password. 809210358Sdelphij 810210358Sdelphij <p>For the GQ scheme proceed as in the TC scheme to generate keys 811210358Sdelphijand certificates for all group hosts, then for every trusted host 812210358Sdelphijin the group, generate the IFF parameter file. 813210358SdelphijOn trusted host alice run 814210358Sdelphij<code>ntp-keygen</code> 815210358Sdelphij<code>-T</code> 816210358Sdelphij<code>-G</code> 817210358Sdelphij<code>-p</code> <kbd>password</kbd> 818210358Sdelphijto produce her parameter file 819210358Sdelphij<span class="file">ntpkey_GQpar_</span><kbd>alice.filestamp</kbd>, 820210358Sdelphijwhich includes both server and client keys. 821210358SdelphijCopy this file to all group hosts and install a soft link 822210358Sdelphijfrom the generic 823210358Sdelphij<span class="file">ntpkey_gq_</span><kbd>alice</kbd> 824210358Sdelphijto this file. 825210358SdelphijIn addition, on each host bob install a soft link 826210358Sdelphijfrom generic 827210358Sdelphij<span class="file">ntpkey_gq_</span><kbd>bob</kbd> 828210358Sdelphijto this file. 829210358SdelphijAs the GQ scheme updates the GQ parameters file and certificate 830210358Sdelphijat the same time, keys and certificates can be regenerated as needed. 831210358Sdelphij 832210358Sdelphij <p>For the MV scheme, proceed as in the TC scheme to generate keys 833210358Sdelphijand certificates for all group hosts. 834210358SdelphijFor illustration assume trish is the TA, alice one of several trusted hosts 835210358Sdelphijand bob one of her clients. 836210358SdelphijOn TA trish run 837210358Sdelphij<code>ntp-keygen</code> 838210358Sdelphij<code>-V</code> <kbd>n</kbd> 839210358Sdelphij<code>-p</code> <kbd>password</kbd>, 840210358Sdelphijwhere 841210358Sdelphij<kbd>n</kbd> 842210358Sdelphijis the number of revokable keys (typically 5) to produce 843210358Sdelphijthe parameter file 844210358Sdelphij<span class="file">ntpkeys_MVpar_</span><kbd>trish.filestamp</kbd> 845210358Sdelphijand client key files 846210358Sdelphij<span class="file">ntpkeys_MVkeyd_</span><kbd>trish.filestamp</kbd> 847210358Sdelphijwhere 848210358Sdelphij<kbd>d</kbd> 849210358Sdelphijis the key number (0 < 850210358Sdelphij<kbd>d</kbd> 851210358Sdelphij< 852210358Sdelphij<kbd>n</kbd>). 853210358SdelphijCopy the parameter file to alice and install a soft link 854210358Sdelphijfrom the generic 855210358Sdelphij<span class="file">ntpkey_mv_</span><kbd>alice</kbd> 856210358Sdelphijto this file. 857210358SdelphijCopy one of the client key files to alice for later distribution 858210358Sdelphijto her clients. 859210358SdelphijIt doesn't matter which client key file goes to alice, 860210358Sdelphijsince they all work the same way. 861210358SdelphijAlice copies the client key file to all of her cliens. 862210358SdelphijOn client bob install a soft link from generic 863210358Sdelphij<span class="file">ntpkey_mvkey_</span><kbd>bob</kbd> 864210358Sdelphijto the client key file. 865210358SdelphijAs the MV scheme is independent of keys and certificates, 866210358Sdelphijthese files can be refreshed as needed. 867210358Sdelphij 868210358Sdelphij<h5 class="subsubsection">Command Line Options</h5> 869210358Sdelphij 870210358Sdelphij <dl> 871210358Sdelphij<dt><code>-c</code> <kbd>scheme</kbd><dd>Select certificate message digest/signature encryption scheme. 872210358SdelphijThe 873210358Sdelphij<kbd>scheme</kbd> 874210358Sdelphijcan be one of the following: 875210358Sdelphij. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , 876210358Sdelphijor 877210358Sdelphij<code>DSA-SHA1</code>. 878210358SdelphijNote that RSA schemes must be used with a RSA sign key and DSA 879210358Sdelphijschemes must be used with a DSA sign key. 880210358SdelphijThe default without this option is 881210358Sdelphij<code>RSA-MD5</code>. 882210358Sdelphij<br><dt><code>-d</code><dd>Enable debugging. 883210358SdelphijThis option displays the cryptographic data produced in eye-friendly billboards. 884210358Sdelphij<br><dt><code>-e</code><dd>Write the IFF client keys to the standard output. 885210358SdelphijThis is intended for automatic key distribution by mail. 886210358Sdelphij<br><dt><code>-G</code><dd>Generate parameters and keys for the GQ identification scheme, 887210358Sdelphijobsoleting any that may exist. 888210358Sdelphij<br><dt><code>-g</code><dd>Generate keys for the GQ identification scheme 889210358Sdelphijusing the existing GQ parameters. 890210358SdelphijIf the GQ parameters do not yet exist, create them first. 891210358Sdelphij<br><dt><code>-H</code><dd>Generate new host keys, obsoleting any that may exist. 892210358Sdelphij<br><dt><code>-I</code><dd>Generate parameters for the IFF identification scheme, 893210358Sdelphijobsoleting any that may exist. 894210358Sdelphij<br><dt><code>-i</code> <kbd>name</kbd><dd>Set the suject name to 895210358Sdelphij<kbd>name</kbd>. 896210358SdelphijThis is used as the subject field in certificates 897210358Sdelphijand in the file name for host and sign keys. 898210358Sdelphij<br><dt><code>-M</code><dd>Generate MD5 keys, obsoleting any that may exist. 899210358Sdelphij<br><dt><code>-P</code><dd>Generate a private certificate. 900210358SdelphijBy default, the program generates public certificates. 901144411Sscottl<br><dt><code>-p</code> <kbd>password</kbd><dd>Encrypt generated files containing private data with 902144411Sscottl<kbd>password</kbd> 903144411Sscottland the DES-CBC algorithm. 904165155Sscottl<br><dt><code>-q</code><dd>Set the password for reading files to password. 905165155Sscottl<br><dt><code>-S</code> <code>[RSA | DSA]</code><dd>Generate a new sign key of the designated type, 906165155Sscottlobsoleting any that may exist. 907165155SscottlBy default, the program uses the host key as the sign key. 908165155Sscottl<br><dt><code>-s</code> <kbd>name</kbd><dd>Set the issuer name to 909210358Sdelphij<kbd>name</kbd>. 910165155SscottlThis is used for the issuer field in certificates 911165155Sscottland in the file name for identity files. 912165155Sscottl<br><dt><code>-T</code><dd>Generate a trusted certificate. 913165155SscottlBy default, the program generates a non-trusted certificate. 914165155Sscottl<br><dt><code>-V</code> <kbd>nkeys</kbd><dd>Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. 915210358Sdelphij</dl> 916165155Sscottl 917165155Sscottl<h5 class="subsubsection">Random Seed File</h5> 918165155Sscottl 919165155Sscottl<p>All cryptographically sound key generation schemes must have means 920165155Sscottlto randomize the entropy seed used to initialize 921165155Sscottlthe internal pseudo-random number generator used 922165155Sscottlby the library routines. 923165155SscottlThe OpenSSL library uses a designated random seed file for this purpose. 924165155SscottlThe file must be available when starting the NTP daemon and 925165155Sscottl<code>ntp-keygen</code> 926165155Sscottlprogram. 927165155SscottlIf a site supports OpenSSL or its companion OpenSSH, 928165155Sscottlit is very likely that means to do this are already available. 929165155Sscottl 930165155Sscottl <p>It is important to understand that entropy must be evolved 931165155Sscottlfor each generation, for otherwise the random number sequence 932165155Sscottlwould be predictable. 933165155SscottlVarious means dependent on external events, such as keystroke intervals, 934165155Sscottlcan be used to do this and some systems have built-in entropy sources. 935165155SscottlSuitable means are described in the OpenSSL software documentation, 936165155Sscottlbut are outside the scope of this page. 937244406Sdelphij 938244406Sdelphij <p>The entropy seed used by the OpenSSL library is contained in a file, 939244406Sdelphijusually called 940244406Sdelphij<code>.rnd</code>, 941244406Sdelphijwhich must be available when starting the NTP daemon 942244406Sdelphijor the 943244406Sdelphij<code>ntp-keygen</code> 944144411Sscottlprogram. 945165155SscottlThe NTP daemon will first look for the file 946165155Sscottlusing the path specified by the 947165155Sscottl<code>randfile</code> 948210358Sdelphijsubcommand of the 949210358Sdelphij<code>crypto</code> 950210358Sdelphijconfiguration command. 951210358SdelphijIf not specified in this way, or when starting the 952210358Sdelphij<code>ntp-keygen</code> 953165155Sscottlprogram, 954215234Sdelphijthe OpenSSL library will look for the file using the path specified 955215234Sdelphijby the 956215234Sdelphij.Ev RANDFILE 957215234Sdelphijenvironment variable in the user home directory, 958215234Sdelphijwhether root or some other user. 959215234SdelphijIf the 960215234Sdelphij.Ev RANDFILE 961215234Sdelphijenvironment variable is not present, 962215234Sdelphijthe library will look for the 963210358Sdelphij<code>.rnd</code> 964210358Sdelphijfile in the user home directory. 965210358SdelphijIf the file is not available or cannot be written, 966165155Sscottlthe daemon exits with a message to the system log and the program 967210358Sdelphijexits with a suitable error message. 968210358Sdelphij 969210358Sdelphij<h5 class="subsubsection">Cryptographic Data Files</h5> 970210358Sdelphij 971210358Sdelphij<p>All other file formats begin with two lines. 972210358SdelphijThe first contains the file name, including the generated host name 973210358Sdelphijand filestamp. 974210358SdelphijThe second contains the datestamp in conventional Unix date format. 975210358SdelphijLines beginning with # are considered comments and ignored by the 976210358Sdelphij<code>ntp-keygen</code> 977210358Sdelphijprogram and 978210358Sdelphij<code>ntpd(1ntpdmdoc)</code> 979210358Sdelphijdaemon. 980210358SdelphijCryptographic values are encoded first using ASN.1 rules, 981210358Sdelphijthen encrypted if necessary, and finally written PEM-encoded 982210358Sdelphijprintable ASCII format preceded and followed by MIME content identifier lines. 983210358Sdelphij 984210358Sdelphij <p>The format of the symmetric keys file is somewhat different 985210358Sdelphijthan the other files in the interest of backward compatibility. 986210358SdelphijSince DES-CBC is deprecated in NTPv4, the only key format of interest 987210358Sdelphijis MD5 alphanumeric strings. 988210358SdelphijFollowing hte heard the keys are 989210358Sdelphijentered one per line in the format 990210358Sdelphij<pre class="example"> <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd> 991210358Sdelphij</pre> 992210358Sdelphij <p>where 993210358Sdelphij<kbd>keyno</kbd> 994165155Sscottlis a positive integer in the range 1-65,535, 995165155Sscottl<kbd>type</kbd> 996144411Sscottlis the string MD5 defining the key format and 997144411Sscottl<kbd>key</kbd> 998144411Sscottlis the key itself, 999165155Sscottlwhich is a printable ASCII string 16 characters or less in length. 1000215234SdelphijEach character is chosen from the 93 printable characters 1001215234Sdelphijin the range 0x21 through 0x7f excluding space and the 1002215234Sdelphij# 1003215234Sdelphijcharacter. 1004174451Sscottl 1005215234Sdelphij <p>Note that the keys used by the 1006215234Sdelphij<code>ntpq(1ntpqmdoc)</code> 1007215234Sdelphijand 1008210358Sdelphij<code>ntpdc(1ntpdcmdoc)</code> 1009174451Sscottlprograms 1010215234Sdelphijare checked against passwords requested by the programs 1011215234Sdelphijand entered by hand, so it is generally appropriate to specify these keys 1012174451Sscottlin human readable ASCII format. 1013215234Sdelphij 1014144411Sscottl <p>The 1015144411Sscottl<code>ntp-keygen</code> 1016244406Sdelphijprogram generates a MD5 symmetric keys file 1017144411Sscottl<span class="file">ntpkey_MD5key_</span><kbd>hostname.filestamp</kbd>. 1018144411SscottlSince the file contains private shared keys, 1019144411Sscottlit should be visible only to root and distributed by secure means 1020215234Sdelphijto other subnet hosts. 1021244406SdelphijThe NTP daemon loads the file 1022244406Sdelphij<span class="file">ntp.keys</span>, 1023244406Sdelphijso 1024244406Sdelphij<code>ntp-keygen</code> 1025244406Sdelphijinstalls a soft link from this name to the generated file. 1026244406SdelphijSubsequently, similar soft links must be installed by manual 1027244406Sdelphijor automated means on the other subnet hosts. 1028244406SdelphijWhile this file is not used with the Autokey Version 2 protocol, 1029244406Sdelphijit is needed to authenticate some remote configuration commands 1030244406Sdelphijused by the 1031244406Sdelphij<code>ntpq(1ntpqmdoc)</code> 1032244406Sdelphijand 1033244406Sdelphij<code>ntpdc(1ntpdcmdoc)</code> 1034244406Sdelphijutilities. 1035244406Sdelphij 1036244406Sdelphij <p>This section was generated by <strong>AutoGen</strong>, 1037144411Sscottlusing the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp-keygen</code> program. 1038144411SscottlThis software is released under the NTP license, <http://ntp.org/license>. 1039144411Sscottl 1040144411Sscottl<ul class="menu"> 1041144411Sscottl<li><a accesskey="1" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>: ntp-keygen help/usage (<span class="option">--help</span>) 1042144411Sscottl<li><a accesskey="2" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>: imbits option (-b) 1043144411Sscottl<li><a accesskey="3" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>: certificate option (-c) 1044144411Sscottl<li><a accesskey="4" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>: cipher option (-C) 1045144411Sscottl<li><a accesskey="5" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>: id-key option (-e) 1046244406Sdelphij<li><a accesskey="6" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>: gq-params option (-G) 1047215234Sdelphij<li><a accesskey="7" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>: host-key option (-H) 1048215234Sdelphij<li><a accesskey="8" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>: iffkey option (-I) 1049215234Sdelphij<li><a accesskey="9" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>: ident option (-i) 1050144411Sscottl<li><a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>: lifetime option (-l) 1051144411Sscottl<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M) 1052144411Sscottl<li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m) 1053144411Sscottl<li><a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>: pvt-cert option (-P) 1054144411Sscottl<li><a href="#ntp_002dkeygen-password">ntp-keygen password</a>: password option (-p) 1055144411Sscottl<li><a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>: export-passwd option (-q) 1056144411Sscottl<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S) 1057144411Sscottl<li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s) 1058165155Sscottl<li><a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>: trusted-cert option (-T) 1059210358Sdelphij<li><a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>: mv-params option (-V) 1060244406Sdelphij<li><a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>: mv-keys option (-v) 1061210358Sdelphij<li><a href="#ntp_002dkeygen-config">ntp-keygen config</a>: presetting/configuring ntp-keygen 1062165155Sscottl<li><a href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>: exit status 1063210358Sdelphij<li><a href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>: Usage 1064210358Sdelphij<li><a href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>: Notes 1065215234Sdelphij<li><a href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>: Bugs 1066215234Sdelphij</ul> 1067244406Sdelphij 1068244406Sdelphij<div class="node"> 1069220403Sdelphij<p><hr> 1070144411Sscottl<a name="ntp_002dkeygen-usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>, 1071144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1072210358Sdelphij<br> 1073210358Sdelphij</div> 1074210358Sdelphij 1075210358Sdelphij<h4 class="subsection">ntp-keygen help/usage (<span class="option">--help</span>)</h4> 1076210358Sdelphij 1077210358Sdelphij<p><a name="index-ntp_002dkeygen-help-3"></a> 1078210358SdelphijThis is the automatically generated usage text for ntp-keygen. 1079210358Sdelphij 1080210358Sdelphij <p>The text printed is the same whether selected with the <code>help</code> option 1081210358Sdelphij(<span class="option">--help</span>) or the <code>more-help</code> option (<span class="option">--more-help</span>). <code>more-help</code> will print 1082220403Sdelphijthe usage text by passing it through a pager program. 1083220403Sdelphij<code>more-help</code> is disabled on platforms without a working 1084210358Sdelphij<code>fork(2)</code> function. The <code>PAGER</code> environment variable is 1085210358Sdelphijused to select the program, defaulting to <span class="file">more</span>. Both will exit 1086210358Sdelphijwith a status code of 0. 1087210358Sdelphij 1088210358Sdelphij<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p4 1089210358SdelphijUsage: ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 1090210358Sdelphij Flg Arg Option-Name Description 1091210358Sdelphij -b Num imbits identity modulus bits 1092210358Sdelphij - it must be in the range: 1093244406Sdelphij 256 to 2048 1094244406Sdelphij -c Str certificate certificate scheme 1095244406Sdelphij -C Str cipher privatekey cipher 1096244406Sdelphij -d no debug-level Increase debug verbosity level 1097144411Sscottl - may appear multiple times 1098144411Sscottl -D Num set-debug-level Set the debug verbosity level 1099144411Sscottl - may appear multiple times 1100144411Sscottl -e no id-key Write IFF or GQ identity keys 1101144411Sscottl -G no gq-params Generate GQ parameters and keys 1102215234Sdelphij -H no host-key generate RSA host key 1103215234Sdelphij -I no iffkey generate IFF parameters 1104210358Sdelphij -i Str ident set Autokey group name 1105244406Sdelphij -l Num lifetime set certificate lifetime 1106215234Sdelphij -M no md5key generate MD5 keys 1107210358Sdelphij -m Num modulus modulus 1108210358Sdelphij - it must be in the range: 1109210358Sdelphij 256 to 2048 1110215234Sdelphij -P no pvt-cert generate PC private certificate 1111215234Sdelphij -p Str password local private password 1112215234Sdelphij -q Str export-passwd export IFF or GQ group keys with password 1113215234Sdelphij -S Str sign-key generate sign key (RSA or DSA) 1114215234Sdelphij -s Str subject-name set host and optionally group name 1115215234Sdelphij -T no trusted-cert trusted certificate (TC scheme) 1116165155Sscottl -V Num mv-params generate <num> MV parameters 1117144411Sscottl -v Num mv-keys update <num> MV keys 1118165155Sscottl opt version output version information and exit 1119144411Sscottl -? no help display extended usage information and exit 1120220403Sdelphij -! no more-help extended usage information passed thru pager 1121144411Sscottl -> opt save-opts save the option state to a config file 1122215234Sdelphij -< Str load-opts load options from a config file 1123174451Sscottl - disabled as '--no-load-opts' 1124220403Sdelphij - may appear multiple times 1125220403Sdelphij 1126220403SdelphijOptions are specified by doubled hyphens and their name or by a single 1127174451Sscottlhyphen and the flag character. 1128144411Sscottl 1129165155Sscottl 1130165155SscottlThe following option preset mechanisms are supported: 1131220403Sdelphij - reading file $HOME/.ntprc 1132215234Sdelphij - reading file ./.ntprc 1133210358Sdelphij - examining environment variables named NTP_KEYGEN_* 1134210358Sdelphij 1135210358SdelphijPlease send bug reports to: <http://bugs.ntp.org, bugs@ntp.org> 1136210358Sdelphij</pre> 1137210358Sdelphij <div class="node"> 1138210358Sdelphij<p><hr> 1139210358Sdelphij<a name="ntp_002dkeygen-imbits"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>, 1140210358SdelphijPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>, 1141165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1142165155Sscottl<br> 1143174451Sscottl</div> 1144220403Sdelphij 1145174451Sscottl<h4 class="subsection">imbits option (-b)</h4> 1146215234Sdelphij 1147165155Sscottl<p><a name="index-ntp_002dkeygen_002dimbits-4"></a> 1148215234SdelphijThis is the “identity modulus bits” option. 1149174451SscottlThis option takes a number argument <span class="file">imbits</span>. 1150220403Sdelphij 1151220403Sdelphij<p class="noindent">This option has some usage constraints. It: 1152165155Sscottl <ul> 1153165155Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1154165155Sscottl</ul> 1155174451Sscottl 1156165155Sscottl <p>The number of bits in the identity modulus. The default is 256. 1157165155Sscottl<div class="node"> 1158165155Sscottl<p><hr> 1159174451Sscottl<a name="ntp_002dkeygen-certificate"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>, 1160165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>, 1161165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1162165155Sscottl<br> 1163174451Sscottl</div> 1164244406Sdelphij 1165244406Sdelphij<h4 class="subsection">certificate option (-c)</h4> 1166244406Sdelphij 1167215234Sdelphij<p><a name="index-ntp_002dkeygen_002dcertificate-5"></a> 1168174451SscottlThis is the “certificate scheme” option. 1169165155SscottlThis option takes a string argument <span class="file">scheme</span>. 1170165155Sscottl 1171165155Sscottl<p class="noindent">This option has some usage constraints. It: 1172215234Sdelphij <ul> 1173215234Sdelphij<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1174215234Sdelphij</ul> 1175215234Sdelphij 1176210358Sdelphij <p>scheme is one of 1177215234SdelphijRSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, 1178215234SdelphijDSA-SHA, or DSA-SHA1. 1179210358Sdelphij 1180210358Sdelphij <p>Select the certificate message digest/signature encryption scheme. 1181220403SdelphijNote that RSA schemes must be used with a RSA sign key and DSA 1182220403Sdelphijschemes must be used with a DSA sign key. The default without 1183240079Sdelphijthis option is RSA-MD5. 1184240079Sdelphij<div class="node"> 1185252857Sdelphij<p><hr> 1186144411Sscottl<a name="ntp_002dkeygen-cipher"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>, 1187210358SdelphijPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>, 1188210358SdelphijUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1189210358Sdelphij<br> 1190210358Sdelphij</div> 1191210358Sdelphij 1192210358Sdelphij<h4 class="subsection">cipher option (-C)</h4> 1193210358Sdelphij 1194210358Sdelphij<p><a name="index-ntp_002dkeygen_002dcipher-6"></a> 1195210358SdelphijThis is the “privatekey cipher” option. 1196210358SdelphijThis option takes a string argument <span class="file">cipher</span>. 1197210358Sdelphij 1198210358Sdelphij<p class="noindent">This option has some usage constraints. It: 1199210358Sdelphij <ul> 1200210358Sdelphij<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1201210358Sdelphij</ul> 1202210358Sdelphij 1203210358Sdelphij <p>Select the cipher which is used to encrypt the files containing 1204240079Sdelphijprivate keys. The default is three-key triple DES in CBC mode, 1205240079Sdelphijequivalent to "<code>-C des-ede3-cbc". The openssl tool lists ciphers 1206240079Sdelphijavailable in "openssl -h" output. 1207240079Sdelphij</code><div class="node"> 1208144411Sscottl<p><hr> 1209144411Sscottl<a name="ntp_002dkeygen-id_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>, 1210144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>, 1211144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1212165155Sscottl<br> 1213215234Sdelphij</div> 1214215234Sdelphij 1215215234Sdelphij<h4 class="subsection">id-key option (-e)</h4> 1216215234Sdelphij 1217215234Sdelphij<p><a name="index-ntp_002dkeygen_002did_002dkey-7"></a> 1218215234SdelphijThis is the “write iff or gq identity keys” option. 1219215234Sdelphij 1220215234Sdelphij<p class="noindent">This option has some usage constraints. It: 1221215234Sdelphij <ul> 1222215234Sdelphij<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1223215234Sdelphij</ul> 1224215234Sdelphij 1225215234Sdelphij <p>Write the IFF or GQ client keys to the standard output. This is 1226215234Sdelphijintended for automatic key distribution by mail. 1227215234Sdelphij<div class="node"> 1228144411Sscottl<p><hr> 1229144411Sscottl<a name="ntp_002dkeygen-gq_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>, 1230144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>, 1231144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1232144411Sscottl<br> 1233144411Sscottl</div> 1234215234Sdelphij 1235215234Sdelphij<h4 class="subsection">gq-params option (-G)</h4> 1236215234Sdelphij 1237215234Sdelphij<p><a name="index-ntp_002dkeygen_002dgq_002dparams-8"></a> 1238215234SdelphijThis is the “generate gq parameters and keys” option. 1239215234Sdelphij 1240215234Sdelphij<p class="noindent">This option has some usage constraints. It: 1241215234Sdelphij <ul> 1242215234Sdelphij<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1243215234Sdelphij</ul> 1244215234Sdelphij 1245144411Sscottl <p>Generate parameters and keys for the GQ identification scheme, 1246144411Sscottlobsoleting any that may exist. 1247144411Sscottl<div class="node"> 1248144411Sscottl<p><hr> 1249144411Sscottl<a name="ntp_002dkeygen-host_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>, 1250144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>, 1251144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1252144411Sscottl<br> 1253144411Sscottl</div> 1254144411Sscottl 1255144411Sscottl<h4 class="subsection">host-key option (-H)</h4> 1256144411Sscottl 1257144411Sscottl<p><a name="index-ntp_002dkeygen_002dhost_002dkey-9"></a> 1258144411SscottlThis is the “generate rsa host key” option. 1259144411Sscottl 1260144411Sscottl<p class="noindent">This option has some usage constraints. It: 1261144411Sscottl <ul> 1262144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1263144411Sscottl</ul> 1264144411Sscottl 1265144411Sscottl <p>Generate new host keys, obsoleting any that may exist. 1266144411Sscottl<div class="node"> 1267144411Sscottl<p><hr> 1268144411Sscottl<a name="ntp_002dkeygen-iffkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>, 1269144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>, 1270144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1271144411Sscottl<br> 1272144411Sscottl</div> 1273144411Sscottl 1274144411Sscottl<h4 class="subsection">iffkey option (-I)</h4> 1275144411Sscottl 1276144411Sscottl<p><a name="index-ntp_002dkeygen_002diffkey-10"></a> 1277144411SscottlThis is the “generate iff parameters” option. 1278144411Sscottl 1279144411Sscottl<p class="noindent">This option has some usage constraints. It: 1280144411Sscottl <ul> 1281144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1282144411Sscottl</ul> 1283144411Sscottl 1284144411Sscottl <p>Generate parameters for the IFF identification scheme, obsoleting 1285144411Sscottlany that may exist. 1286144411Sscottl<div class="node"> 1287144411Sscottl<p><hr> 1288144411Sscottl<a name="ntp_002dkeygen-ident"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>, 1289144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>, 1290144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1291144411Sscottl<br> 1292144411Sscottl</div> 1293144411Sscottl 1294144411Sscottl<h4 class="subsection">ident option (-i)</h4> 1295144411Sscottl 1296144411Sscottl<p><a name="index-ntp_002dkeygen_002dident-11"></a> 1297144411SscottlThis is the “set autokey group name” option. 1298144411SscottlThis option takes a string argument <span class="file">group</span>. 1299144411Sscottl 1300144411Sscottl<p class="noindent">This option has some usage constraints. It: 1301144411Sscottl <ul> 1302144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1303144411Sscottl</ul> 1304144411Sscottl 1305144411Sscottl <p>Set the optional Autokey group name to name. This is used in 1306144411Sscottlthe file name of IFF, GQ, and MV client parameters files. In 1307144411Sscottlthat role, the default is the host name if this option is not 1308144411Sscottlprovided. The group name, if specified using <code>-i/--ident</code> or 1309144411Sscottlusing <code>-s/--subject-name</code> following an '<code>}' character, 1310144411Sscottlis also a part of the self-signed host certificate's subject and 1311144411Sscottlissuer names in the form host 1312144411Sscottl <p>'crypto ident' or 'server ident' configuration in 1313144411Sscottlntpd's configuration file. 1314144411Sscottl</code><div class="node"> 1315144411Sscottl<p><hr> 1316144411Sscottl<a name="ntp_002dkeygen-lifetime"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, 1317144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>, 1318144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1319144411Sscottl<br> 1320144411Sscottl</div> 1321165155Sscottl 1322165155Sscottl<h4 class="subsection">lifetime option (-l)</h4> 1323165155Sscottl 1324165155Sscottl<p><a name="index-ntp_002dkeygen_002dlifetime-12"></a> 1325144411SscottlThis is the ``set certificate lifetime'' option. 1326144411SscottlThis option takes a number argument <span class="file">lifetime</span>. 1327144411Sscottl 1328165155Sscottl<p class="noindent">This option has some usage constraints. It: 1329165155Sscottl <ul> 1330144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1331144411Sscottl</ul> 1332165155Sscottl 1333165155Sscottl <p>Set the certificate expiration to lifetime days from now. 1334144411Sscottl<div class="node"> 1335165155Sscottl<p><hr> 1336165155Sscottl<a name="ntp_002dkeygen-md5key"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, 1337165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>, 1338144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1339165155Sscottl<br> 1340165155Sscottl</div> 1341165155Sscottl 1342165155Sscottl<h4 class="subsection">md5key option (-M)</h4> 1343165155Sscottl 1344165155Sscottl<p><a name="index-ntp_002dkeygen_002dmd5key-13"></a> 1345144411SscottlThis is the ``generate md5 keys'' option. 1346165155SscottlGenerate MD5 keys, obsoleting any that may exist. 1347165155Sscottl<div class="node"> 1348165155Sscottl<p><hr> 1349165155Sscottl<a name="ntp_002dkeygen-modulus"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, 1350144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, 1351165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1352165155Sscottl<br> 1353144411Sscottl</div> 1354144411Sscottl 1355144411Sscottl<h4 class="subsection">modulus option (-m)</h4> 1356144411Sscottl 1357144411Sscottl<p><a name="index-ntp_002dkeygen_002dmodulus-14"></a> 1358144411SscottlThis is the ``modulus'' option. 1359144411SscottlThis option takes a number argument <span class="file">modulus</span>. 1360144411Sscottl 1361144411Sscottl<p class="noindent">This option has some usage constraints. It: 1362144411Sscottl <ul> 1363144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1364144411Sscottl</ul> 1365144411Sscottl 1366144411Sscottl <p>The number of bits in the prime modulus. The default is 512. 1367215234Sdelphij<div class="node"> 1368215234Sdelphij<p><hr> 1369144411Sscottl<a name="ntp_002dkeygen-pvt_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>, 1370144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, 1371144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1372144411Sscottl<br> 1373165155Sscottl</div> 1374165155Sscottl 1375144411Sscottl<h4 class="subsection">pvt-cert option (-P)</h4> 1376144411Sscottl 1377165155Sscottl<p><a name="index-ntp_002dkeygen_002dpvt_002dcert-15"></a> 1378165155SscottlThis is the ``generate pc private certificate'' option. 1379165155Sscottl 1380165155Sscottl<p class="noindent">This option has some usage constraints. It: 1381165155Sscottl <ul> 1382165155Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1383165155Sscottl</ul> 1384165155Sscottl 1385165155Sscottl <p>Generate a private certificate. By default, the program generates 1386144411Sscottlpublic certificates. 1387144411Sscottl<div class="node"> 1388144411Sscottl<p><hr> 1389165155Sscottl<a name="ntp_002dkeygen-password"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>, 1390165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, 1391144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1392144411Sscottl<br> 1393165155Sscottl</div> 1394165155Sscottl 1395144411Sscottl<h4 class="subsection">password option (-p)</h4> 1396144411Sscottl 1397144411Sscottl<p><a name="index-ntp_002dkeygen_002dpassword-16"></a> 1398144411SscottlThis is the ``local private password'' option. 1399165155SscottlThis option takes a string argument <span class="file">passwd</span>. 1400165155Sscottl 1401165155Sscottl<p class="noindent">This option has some usage constraints. It: 1402144411Sscottl <ul> 1403144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1404144411Sscottl</ul> 1405144411Sscottl 1406144411Sscottl <p>Local files containing private data are encrypted with the 1407144411SscottlDES-CBC algorithm and the specified password. The same password 1408165155Sscottlmust be specified to the local ntpd via the "crypto pw password" 1409144411Sscottlconfiguration command. The default password is the local 1410144411Sscottlhostname. 1411144411Sscottl<div class="node"> 1412144411Sscottl<p><hr> 1413144411Sscottl<a name="ntp_002dkeygen-export_002dpasswd"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, 1414144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-password">ntp-keygen password</a>, 1415144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1416144411Sscottl<br> 1417144411Sscottl</div> 1418144411Sscottl 1419144411Sscottl<h4 class="subsection">export-passwd option (-q)</h4> 1420144411Sscottl 1421144411Sscottl<p><a name="index-ntp_002dkeygen_002dexport_002dpasswd-17"></a> 1422144411SscottlThis is the ``export iff or gq group keys with password'' option. 1423144411SscottlThis option takes a string argument <span class="file">passwd</span>. 1424144411Sscottl 1425144411Sscottl<p class="noindent">This option has some usage constraints. It: 1426144411Sscottl <ul> 1427144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1428144411Sscottl</ul> 1429144411Sscottl 1430144411Sscottl <p>Export IFF or GQ identity group keys to the standard output, 1431144411Sscottlencrypted with the DES-CBC algorithm and the specified password. 1432165155SscottlThe same password must be specified to the remote ntpd via the 1433165155Sscottl"crypto pw password" configuration command. See also the option 1434165155Sscottl--id-key (-e) for unencrypted exports. 1435144411Sscottl<div class="node"> 1436165155Sscottl<p><hr> 1437165155Sscottl<a name="ntp_002dkeygen-sign_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, 1438144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>, 1439144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1440144411Sscottl<br> 1441144411Sscottl</div> 1442144411Sscottl 1443144411Sscottl<h4 class="subsection">sign-key option (-S)</h4> 1444144411Sscottl 1445144411Sscottl<p><a name="index-ntp_002dkeygen_002dsign_002dkey-18"></a> 1446144411SscottlThis is the ``generate sign key (rsa or dsa)'' option. 1447144411SscottlThis option takes a string argument <span class="file">sign</span>. 1448144411Sscottl 1449144411Sscottl<p class="noindent">This option has some usage constraints. It: 1450165155Sscottl <ul> 1451165155Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1452165155Sscottl</ul> 1453144411Sscottl 1454144411Sscottl <p>Generate a new sign key of the designated type, obsoleting any 1455144411Sscottlthat may exist. By default, the program uses the host key as the 1456144411Sscottlsign key. 1457144411Sscottl<div class="node"> 1458144411Sscottl<p><hr> 1459165155Sscottl<a name="ntp_002dkeygen-subject_002dname"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, 1460165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, 1461165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1462144411Sscottl<br> 1463144411Sscottl</div> 1464144411Sscottl 1465144411Sscottl<h4 class="subsection">subject-name option (-s)</h4> 1466144411Sscottl 1467144411Sscottl<p><a name="index-ntp_002dkeygen_002dsubject_002dname-19"></a> 1468144411SscottlThis is the ``set host and optionally group name'' option. 1469144411SscottlThis option takes a string argument <span class="file">host@group</span>. 1470144411Sscottl 1471165155Sscottl<p class="noindent">This option has some usage constraints. It: 1472165155Sscottl <ul> 1473144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1474144411Sscottl</ul> 1475144411Sscottl 1476144411Sscottl <p>Set the Autokey host name, and optionally, group name specified 1477144411Sscottlfollowing an '<code>}' character. The host name is used in the file 1478144411Sscottlname of generated host and signing certificates, without the 1479144411Sscottlgroup name. The host name, and if provided, group name are used 1480144411Sscottlin host 1481144411Sscottl <p>fields. Specifying '-s 1482144411Sscottl <p>leaving the host name unchanged while appending 1483144411Sscottl <p>subject and issuer fields, as with -i group. The group name, or 1484144411Sscottlif not provided, the host name are also used in the file names 1485144411Sscottlof IFF, GQ, and MV client parameter files. 1486144411Sscottl</code><div class="node"> 1487144411Sscottl<p><hr> 1488144411Sscottl<a name="ntp_002dkeygen-trusted_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>, 1489144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, 1490144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1491144411Sscottl<br> 1492144411Sscottl</div> 1493144411Sscottl 1494144411Sscottl<h4 class="subsection">trusted-cert option (-T)</h4> 1495144411Sscottl 1496144411Sscottl<p><a name="index-ntp_002dkeygen_002dtrusted_002dcert-20"></a> 1497144411SscottlThis is the ``trusted certificate (tc scheme)'' option. 1498144411Sscottl 1499144411Sscottl<p class="noindent">This option has some usage constraints. It: 1500165155Sscottl <ul> 1501165155Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1502165155Sscottl</ul> 1503165155Sscottl 1504144411Sscottl <p>Generate a trusted certificate. By default, the program generates 1505165155Sscottla non-trusted certificate. 1506165155Sscottl<div class="node"> 1507165155Sscottl<p><hr> 1508144411Sscottl<a name="ntp_002dkeygen-mv_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>, 1509165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, 1510165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1511165155Sscottl<br> 1512144411Sscottl</div> 1513144411Sscottl 1514144411Sscottl<h4 class="subsection">mv-params option (-V)</h4> 1515144411Sscottl 1516165155Sscottl<p><a name="index-ntp_002dkeygen_002dmv_002dparams-21"></a> 1517165155SscottlThis is the ``generate <num> mv parameters'' option. 1518144411SscottlThis option takes a number argument <span class="file">num</span>. 1519144411Sscottl 1520165155Sscottl<p class="noindent">This option has some usage constraints. It: 1521165155Sscottl <ul> 1522165155Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1523144411Sscottl</ul> 1524165155Sscottl 1525165155Sscottl <p>Generate parameters and keys for the Mu-Varadharajan (MV) 1526144411Sscottlidentification scheme. 1527144411Sscottl<div class="node"> 1528144411Sscottl<p><hr> 1529165155Sscottl<a name="ntp_002dkeygen-mv_002dkeys"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-config">ntp-keygen config</a>, 1530165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>, 1531165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1532144411Sscottl<br> 1533144411Sscottl</div> 1534144411Sscottl 1535144411Sscottl<h4 class="subsection">mv-keys option (-v)</h4> 1536165155Sscottl 1537165155Sscottl<p><a name="index-ntp_002dkeygen_002dmv_002dkeys-22"></a> 1538144411SscottlThis is the ``update <num> mv keys'' option. 1539144411SscottlThis option takes a number argument <span class="file">num</span>. 1540144411Sscottl 1541144411Sscottl<p class="noindent">This option has some usage constraints. It: 1542144411Sscottl <ul> 1543144411Sscottl<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 1544165155Sscottl</ul> 1545165155Sscottl 1546144411Sscottl <p>This option has no <span class="samp">doc</span> documentation. 1547144411Sscottl 1548144411Sscottl<div class="node"> 1549165155Sscottl<p><hr> 1550165155Sscottl<a name="ntp_002dkeygen-config"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>, 1551165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>, 1552165155SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1553165155Sscottl<br> 1554144411Sscottl</div> 1555144411Sscottl 1556144411Sscottl<h4 class="subsection">presetting/configuring ntp-keygen</h4> 1557165155Sscottl 1558165155Sscottl<p>Any option that is not marked as <i>not presettable</i> may be preset by 1559144411Sscottlloading values from configuration ("rc" or "ini") files, and values from environment variables named <code>NTP-KEYGEN</code> and <code>NTP-KEYGEN_<OPTION_NAME></code>. <code><OPTION_NAME></code> must be one of 1560165155Sscottlthe options listed above in upper case and segmented with underscores. 1561165155SscottlThe <code>NTP-KEYGEN</code> variable will be tokenized and parsed like 1562165155Sscottlthe command line. The remaining variables are tested for existence and their 1563165155Sscottlvalues are treated like option arguments. 1564165155Sscottl 1565165155Sscottl<p class="noindent"><code>libopts</code> will search in 2 places for configuration files: 1566165155Sscottl <ul> 1567165155Sscottl<li>$HOME 1568165155Sscottl<li>$PWD 1569144411Sscottl</ul> 1570144411Sscottl The environment variables <code>HOME</code>, and <code>PWD</code> 1571144411Sscottlare expanded and replaced when <span class="file">ntp-keygen</span> runs. 1572144411SscottlFor any of these that are plain files, they are simply processed. 1573144411SscottlFor any that are directories, then a file named <span class="file">.ntprc</span> is searched for 1574144411Sscottlwithin that directory and processed. 1575144411Sscottl 1576144411Sscottl <p>Configuration files may be in a wide variety of formats. 1577144411SscottlThe basic format is an option name followed by a value (argument) on the 1578144411Sscottlsame line. Values may be separated from the option name with a colon, 1579144411Sscottlequal sign or simply white space. Values may be continued across multiple 1580144411Sscottllines by escaping the newline with a backslash. 1581144411Sscottl 1582144411Sscottl <p>Multiple programs may also share the same initialization file. 1583144411SscottlCommon options are collected at the top, followed by program specific 1584144411Sscottlsegments. The segments are separated by lines like: 1585144411Sscottl<pre class="example"> [NTP-KEYGEN] 1586144411Sscottl</pre> 1587144411Sscottl <p class="noindent">or by 1588144411Sscottl<pre class="example"> <?program ntp-keygen> 1589144411Sscottl</pre> 1590144411Sscottl <p class="noindent">Do not mix these styles within one configuration file. 1591144411Sscottl 1592144411Sscottl <p>Compound values and carefully constructed string values may also be 1593144411Sscottlspecified using XML syntax: 1594144411Sscottl<pre class="example"> <option-name> 1595165155Sscottl <sub-opt>...&lt;...&gt;...</sub-opt> 1596165155Sscottl </option-name> 1597144411Sscottl</pre> 1598165155Sscottl <p class="noindent">yielding an <code>option-name.sub-opt</code> string value of 1599165155Sscottl<pre class="example"> "...<...>..." 1600165155Sscottl</pre> 1601144411Sscottl <p><code>AutoOpts</code> does not track suboptions. You simply note that it is a 1602165155Sscottlhierarchicly valued option. <code>AutoOpts</code> does provide a means for searching 1603165155Sscottlthe associated name/value pair list (see: optionFindValue). 1604144411Sscottl 1605144411Sscottl <p>The command line options relating to configuration and/or usage help are: 1606144411Sscottl 1607144411Sscottl<h5 class="subsubheading">version (-)</h5> 1608144411Sscottl 1609144411Sscottl<p>Print the program version to standard out, optionally with licensing 1610144411Sscottlinformation, then exit 0. The optional argument specifies how much licensing 1611144411Sscottldetail to provide. The default is to print just the version. The licensing infomation may be selected with an option argument. 1612144411SscottlOnly the first letter of the argument is examined: 1613144411Sscottl 1614144411Sscottl <dl> 1615144411Sscottl<dt><span class="samp">version</span><dd>Only print the version. This is the default. 1616144411Sscottl<br><dt><span class="samp">copyright</span><dd>Name the copyright usage licensing terms. 1617144411Sscottl<br><dt><span class="samp">verbose</span><dd>Print the full copyright usage licensing terms. 1618165155Sscottl</dl> 1619165155Sscottl 1620144411Sscottl<div class="node"> 1621165155Sscottl<p><hr> 1622165155Sscottl<a name="ntp_002dkeygen-exit-status"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>, 1623165155SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-config">ntp-keygen config</a>, 1624144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1625165155Sscottl<br> 1626165155Sscottl</div> 1627144411Sscottl 1628144411Sscottl<h4 class="subsection">ntp-keygen exit status</h4> 1629144411Sscottl 1630144411Sscottl<p>One of the following exit values will be returned: 1631144411Sscottl <dl> 1632144411Sscottl<dt><span class="samp">0 (EXIT_SUCCESS)</span><dd>Successful program execution. 1633144411Sscottl<br><dt><span class="samp">1 (EXIT_FAILURE)</span><dd>The operation failed or the command syntax was not valid. 1634144411Sscottl<br><dt><span class="samp">66 (EX_NOINPUT)</span><dd>A specified configuration file could not be loaded. 1635144411Sscottl<br><dt><span class="samp">70 (EX_SOFTWARE)</span><dd>libopts had an internal operational error. Please report 1636144411Sscottlit to autogen-users@lists.sourceforge.net. Thank you. 1637144411Sscottl</dl> 1638144411Sscottl <div class="node"> 1639144411Sscottl<p><hr> 1640144411Sscottl<a name="ntp_002dkeygen-Usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>, 1641144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>, 1642144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1643144411Sscottl<br> 1644144411Sscottl</div> 1645144411Sscottl 1646144411Sscottl<h4 class="subsection">ntp-keygen Usage</h4> 1647144411Sscottl 1648144411Sscottl<div class="node"> 1649144411Sscottl<p><hr> 1650144411Sscottl<a name="ntp_002dkeygen-Notes"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>, 1651144411SscottlPrevious: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>, 1652144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1653144411Sscottl<br> 1654144411Sscottl</div> 1655144411Sscottl 1656144411Sscottl<h4 class="subsection">ntp-keygen Notes</h4> 1657144411Sscottl 1658144411Sscottl<div class="node"> 1659144411Sscottl<p><hr> 1660144411Sscottl<a name="ntp_002dkeygen-Bugs"></a>Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>, 1661144411SscottlUp: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> 1662144411Sscottl<br> 1663144411Sscottl</div> 1664165155Sscottl 1665144411Sscottl<h4 class="subsection">ntp-keygen Bugs</h4> 1666144411Sscottl 1667144411Sscottl<div class="node"> 1668144411Sscottl<p><hr> 1669144411Sscottl<a name="Random-Seed-File"></a>Next: <a rel="next" accesskey="n" href="#Cryptographic-Data-Files">Cryptographic Data Files</a>, 1670144411SscottlPrevious: <a rel="previous" accesskey="p" href="#Running-the-Program">Running the Program</a>, 1671144411SscottlUp: <a rel="up" accesskey="u" href="#Top">Top</a> 1672144411Sscottl<br> 1673144411Sscottl</div> 1674144411Sscottl 1675144411Sscottl<!-- node-name, next, previous, up --> 1676144411Sscottl<h3 class="section">Random Seed File</h3> 1677144411Sscottl 1678144411Sscottl<p>All cryptographically sound key generation schemes must have means to 1679144411Sscottlrandomize the entropy seed used to initialize the internal 1680144411Sscottlpseudo-random number generator used by the OpenSSL library routines. 1681144411SscottlIf a site supports ssh, it is very likely that means to do this are 1682144411Sscottlalready available. 1683144411SscottlThe entropy seed used by the OpenSSL library is contained in a file, 1684144411Sscottlusually called <code>.rnd</code>, which must be available when 1685144411Sscottlstarting the <code>ntp-keygen</code> program or <code>ntpd</code> daemon. 1686165155Sscottl 1687165155Sscottl <p>The OpenSSL library looks for the file using the path specified by the 1688165155Sscottl<code>RANDFILE</code> environment variable in the user home directory, whether root 1689165155Sscottlor some other user. 1690165155SscottlIf the <code>RANDFILE</code> environment variable is not 1691165155Sscottlpresent, the library looks for the <code>.rnd</code> file in the user home 1692165155Sscottldirectory. 1693165155SscottlSince both the <code>ntp-keygen</code> program and <code>ntpd</code> daemon must run 1694144411Sscottlas root, the logical place to put this file is in <code>/.rnd</code> or 1695144411Sscottl<code>/root/.rnd</code>. 1696165155SscottlIf the file is not available or cannot be written, the program exits 1697165155Sscottlwith a message to the system log. 1698165155Sscottl 1699165155Sscottl<div class="node"> 1700165155Sscottl<p><hr> 1701165155Sscottl<a name="Cryptographic-Data-Files"></a>Previous: <a rel="previous" accesskey="p" href="#Random-Seed-File">Random Seed File</a>, 1702165155SscottlUp: <a rel="up" accesskey="u" href="#Top">Top</a> 1703165155Sscottl<br> 1704144411Sscottl</div> 1705144411Sscottl 1706144411Sscottl<!-- node-name, next, previous, up --> 1707144411Sscottl<h3 class="section">Cryptographic Data Files</h3> 1708165155Sscottl 1709165155Sscottl<p>File and link names are in the <code>form ntpkey_key_name.fstamp</code>, 1710144411Sscottlwhere <code>key</code> is the key or parameter type, 1711165155Sscottl<code>name</code> is the host or group name and 1712165155Sscottl<code>fstamp</code> is the filestamp (NTP seconds) when the file was created). 1713165155SscottlBy convention, key names in generated file names include both upper and 1714165155Sscottllower case characters, while key names in generated link names include 1715165155Sscottlonly lower case characters. The filestamp is not used in generated link 1716165155Sscottlnames. 1717165155Sscottl 1718144411Sscottl <p>The key name is a string defining the cryptographic key type. 1719144411SscottlKey types include public/private keys host and sign, certificate cert 1720165155Sscottland several challenge/response key types. 1721165155SscottlBy convention, client files used for 1722165155Sscottlchallenges have a par subtype, as in the IFF challenge IFFpar, while 1723165155Sscottlserver files for responses have a key subtype, as in the GQ response 1724165155SscottlGQkey. 1725165155Sscottl 1726144411Sscottl <p>All files begin with two nonencrypted lines. The first line contains 1727165155Sscottlthe file name in the format <code>ntpkey_key_host.fstamp</code>. 1728165155SscottlThe second line contains the datestamp in conventional Unix date format. 1729144411SscottlLines beginning with <code>#</code> are ignored. 1730144411Sscottl 1731165155Sscottl <p>The remainder of the file contains cryptographic data encoded first 1732165155Sscottlusing ASN.1 rules, then encrypted using the DES-CBC algorithm with 1733165155Sscottlgiven password and finally written in PEM-encoded printable ASCII text 1734165155Sscottlpreceded and followed by MIME content identifier lines. 1735165155Sscottl 1736165155Sscottl <p>The format of the symmetric keys file, ordinarily named <code>ntp.keys</code>, 1737174451Sscottlis somewhat different than the other files in the interest of backward 1738165155Sscottlcompatibility. 1739144411SscottlOrdinarily, the file is generated by this program, but 1740165155Sscottlit can be constructed and edited using an ordinary text editor. 1741165155Sscottl 1742165155Sscottl<pre class="example"> # ntpkey_MD5key_hms.local.3564038757 1743165155Sscottl # Sun Dec 9 02:45:57 2012 1744165155Sscottl 1745165155Sscottl 1 MD5 "]!ghT%O;3)WJ,/Nc:>I # MD5 key 1746165155Sscottl 2 MD5 lu+H^tF46BKR-6~pV_5 # MD5 key 1747165155Sscottl 3 MD5 :lnoVsE%Yz*avh%EtNC # MD5 key 1748165155Sscottl 4 MD5 |fdZrf0sF~^V # MD5 key 1749165155Sscottl 5 MD5 IyAG>O"y"LmCRS!*bHC # MD5 key 1750165155Sscottl 6 MD5 ">e\A # MD5 key 1751165155Sscottl 7 MD5 c9x=M'CfLxax9v)PV-si # MD5 key 1752165155Sscottl 8 MD5 E|=jvFVov?Bn|Ev=&aK\ # MD5 key 1753165155Sscottl 9 MD5 T!c4UT&`(m$+m+B6,`Q0 # MD5 key 1754165155Sscottl 10 MD5 JVF/1=)=IFbHbJQz..Cd # MD5 key 1755144411Sscottl 11 SHA1 6dea311109529e436c2b4fccae9bc753c16d1b48 # SHA1 key 1756165155Sscottl 12 SHA1 7076f373d86c4848c59ff8046e49cb7d614ec394 # SHA1 key 1757165155Sscottl 13 SHA1 5f48b1b60591eb01b7cf1d33b7774f08d20262d3 # SHA1 key 1758165155Sscottl 14 SHA1 eed5ab9d9497319ec60cf3781d52607e76720178 # SHA1 key 1759165155Sscottl 15 SHA1 f283562611a04c964da8126296f5f8e58c3f85de # SHA1 key 1760144411Sscottl 16 SHA1 1930da171297dd63549af50b29449de17dcf341f # SHA1 key 1761165155Sscottl 17 SHA1 fee892110358cd4382322b889869e750db8e8a8f # SHA1 key 1762165155Sscottl 18 SHA1 b5520c9fadd7ad3fd8bfa061c8821b65d029bb37 # SHA1 key 1763165155Sscottl 19 SHA1 8c74fb440ec80f453ec6aaa62b9baed0ab723b92 # SHA1 key 1764165155Sscottl 20 SHA1 6bc05f734306a189326000970c19b3910f403795 # SHA1 key 1765165155Sscottl</pre> 1766144411Sscottl <p>Figure 1. Typical Symmetric Key File 1767144411Sscottl 1768144411Sscottl <p>Figure 1 shows a typical symmetric keys file used by the reference 1769144411Sscottlimplementation. 1770144411SscottlEach line of the file contains three fields, first an 1771144411Sscottlinteger between 1 and 65534, inclusive, representing the key identifier 1772144411Sscottlused in the server and peer configuration commands. 1773144411SscottlNext is the key type for the message digest algorithm, 1774144411Sscottlwhich in the absence of the 1775144411SscottlOpenSSL library must be MD5 to designate the MD5 message digest 1776144411Sscottlalgorithm. 1777144411SscottlIf the OpenSSL library is installed, the key type can be any 1778144411Sscottlmessage digest algorithm supported by that library. 1779144411SscottlHowever, if 1780144411Sscottlcompatibility with FIPS 140-2 is required, the key type must be either 1781144411SscottlSHA or SHA1. 1782144411SscottlThe key type can be changed using an ASCII text editor. 1783144411Sscottl 1784144411Sscottl <p>An MD5 key consists of a printable ASCII string less than or equal to 1785144411Sscottl16 characters and terminated by whitespace or a # character. 1786144411SscottlAn OpenSSL 1787144411Sscottlkey consists of a hex-encoded ASCII string of 40 characters, which is 1788144411Sscottltruncated as necessary. 1789144411Sscottl 1790144411Sscottl <p>Note that the keys used by the <code>ntpq</code> and <code>ntpdc</code> programs are 1791144411Sscottlchecked against passwords requested by the programs and entered by hand, 1792144411Sscottlso it 1793144411Sscottlis generally appropriate to specify these keys in human readable ASCII 1794144411Sscottlformat. 1795144411Sscottl 1796144411Sscottl <p>The <code>ntp-keygen</code> program generates a MD5 symmetric keys file 1797144411Sscottl<code>ntpkey_MD5key_hostname.filestamp</code>. 1798144411SscottlSince the file contains private 1799144411Sscottlshared keys, it should be visible only to root and distributed by 1800144411Sscottlsecure means to other subnet hosts. 1801165155SscottlThe NTP daemon loads the file <code>ntp.keys</code>, so <code>ntp-keygen</code> 1802165155Sscottlinstalls a soft link from this name to the generated file. 1803144411SscottlSubsequently, similar soft links must be installed by 1804165155Sscottlmanual or automated means on the other subnet hosts. 1805165155SscottlWhile this file is 1806144411Sscottlnot used with the Autokey Version 2 protocol, it is needed to 1807144411Sscottlauthenticate some remote configuration commands used by the <code>ntpq</code> and 1808144411Sscottl<code>ntpdc</code> utilities. 1809144411Sscottl 1810144411Sscottl</body></html> 1811144411Sscottl 1812144411Sscottl