xref: /freebsd-10.3-release/contrib/ntp/ntpd/invoke-ntp.keys.texi

@node ntp.keys Notes
@section Notes about ntp.keys
@pindex ntp.keys
@cindex NTP symmetric key file format
@ignore
#
# EDIT THIS FILE WITH CAUTION  (invoke-ntp.keys.texi)
#
# It has been AutoGen-ed  March 21, 2017 at 10:31:04 AM by AutoGen 5.18.5
# From the definitions    ntp.keys.def
# and the template file   agtexi-file.tpl
@end ignore



This document describes the format of an NTP symmetric key file.
For a description of the use of this type of file, see the
"Authentication Support"
section of the
@code{ntp.conf(5)}
page.

@code{ntpd(8)}
reads its keys from a file specified using the
@code{-k}
command line option or the
@code{keys}
statement in the configuration file.
While key number 0 is fixed by the NTP standard
(as 56 zero bits)
and may not be changed,
one or more keys numbered between 1 and 65534
may be arbitrarily set in the keys file.

The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form

@example
@kbd{keyno} @kbd{type} @kbd{key} @kbd{opt_IP_list}
@end example

where
@kbd{keyno}
is a positive integer (between 1 and 65534),
@kbd{type}
is the message digest algorithm,
and
@kbd{key}
is the key itself, and
@kbd{opt_IP_list}
is an optional comma-separated list of IPs
that are allowed to serve time.
If
@kbd{opt_IP_list}
is empty,
any properly-authenticated server message will be
accepted.

The
@kbd{key}
may be given in a format
controlled by the
@kbd{type}
field.
The
@kbd{type}
@code{MD5}
is always supported.
If
@code{ntpd}
was built with the OpenSSL library
then any digest library supported by that library may be specified.
However, if compliance with FIPS 140-2 is required the
@kbd{type}
must be either
@code{SHA}
or
@code{SHA1}.

What follows are some key types, and corresponding formats:

@table @asis
@item @code{MD5}
The key is 1 to 16 printable characters terminated by
an EOL,
whitespace,
or
a
@code{#}
(which is the "start of comment" character).

@item @code{SHA}
@item @code{SHA1}
@item @code{RMD160}
The key is a hex-encoded ASCII string of 40 characters,
which is truncated as necessary.
@end table

Note that the keys used by the
@code{ntpq(8)}
and
@code{ntpdc(8)}
programs are checked against passwords
requested by the programs and entered by hand,
so it is generally appropriate to specify these keys in ASCII format.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp.keys} program.
This software is released under the NTP license, <http://ntp.org/license>.

@menu
* ntp.keys Files::                  Files
* ntp.keys See Also::               See Also
* ntp.keys Notes::                  Notes
@end menu

@node ntp.keys Files
@subsection ntp.keys Files
@table @asis
@item @file{/etc/ntp.keys}
the default name of the configuration file
@end table
@node ntp.keys See Also
@subsection ntp.keys See Also
@code{ntp.conf(5)},
@code{ntpd(1ntpdmdoc)},
@code{ntpdate(1ntpdatemdoc)},
@code{ntpdc(1ntpdcmdoc)},
@code{sntp(1sntpmdoc)}
@node ntp.keys Notes
@subsection ntp.keys Notes
This document was derived from FreeBSD.