manpagez: man pages & more
man ntp-genkeys(8)
Home | html | info | man
NTP_GENKEYS(8)            BSD System Manager's Manual           NTP_GENKEYS(8)


NAME

     ntp-genkeys -- generate public and private keys


SYNOPSIS

     ntp-genkeys [-dfhlnt] [-c conffile] [-g target] [-k keyfile]


DESCRIPTION

     The ntp-genkeys utility generates random keys used by either or both the
     NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey) cryptographic
     authentication schemes.

     The following options are available:

     -c conffile
             Location of ntp.conf(8) file.

     -d      enable debug messages (can be used multiple times)

     -f      force installation of generated keys.

     -g -target
             Generate file or files indicated by the characters in the target
             string:

             d  Generate D-H parameter file.

             m  Generate MD5 key file.

             r  Generate RSA keys.

     -h      Build keys here (current directory).  Implies -l.

     -k keyfile
             Location of key file.

     -l      Do not make the symlinks.

     -n      Do not actually do anything, just say what would be done.

     -t      Trash the (old) files at the end of symlink.

     By default the program generates the ntp.keys(5) file containing 16 ran-
     dom symmetric keys.  In addition, if the rsaref20 package is configured
     for the software build, the program generates cryptographic values used
     by the Autokey scheme.  These values are incorporated as a set of three
     files, ntpkey containing the RSA private key, ntpkey_host containing the
     RSA public key, where host is the DNS name of the generating machine, and
     ntpkey_dh containing the parameters for the Diffie-Hellman key-agreement
     algorithm.  All files and are in printable ASCII format.  A timestamp in
     NTP seconds is appended to each.  Since the algorithms are seeded by the
     system clock, each run of this program produces a different file and file
     name.

     The ntp.keys(5) file contains 16 MD5 keys.  Each key consists of 16 char-
     acters randomized over the ASCII 95-character printing subset.  The file
     is read by the daemon at the location specified by the keys configuration
     file command and made visible only to root.  An additional key consisting
     of an easily remembered password should be added by hand for use with the
     ntpq(8) and ntpdc(8) programs.  The file must be distributed by secure
     means to other servers and clients sharing the same security compartment.
     While the key identifiers for MD5 and DES keys must be in the range
     1-65534, inclusive, the ntp-genkeys utility uses only the identifiers
     from 1 to 16.  The key identifier for each association is specified as
     the key argument in the server or peer configuration file command.

     The ntpkey file contains the RSA private key.  It is read by the daemon
     at the location specified by the privatekey argument of the crypto con-
     figuration file command and made visible only to root.  This file is use-
     ful only to the machine that generated it and never shared with any other
     daemon or application program.

     The ntpkey_host file contains the RSA public key, where host is the DNS
     name of the host that generated it.  The file is read by the daemon at
     the location specified by the publickey argument to the server or peer
     configuration file command.  This file can be widely distributed and
     stored without using secure means, since the data are public values.

     The ntp_dh file contains two Diffie-Hellman parameters: the prime modulus
     and the generator.  The file is read by the daemon at the location speci-
     fied by the dhparams argument of the crypto configuration file command.
     The file can be distributed by insecure means to other servers and
     clients sharing the same key agreement compartment, since the data are
     public values.

     The file formats begin with two lines, the first containing the generat-
     ing system DNS name and the second the datestamp.  Lines beginning with
     `#' are considered comments and ignored by the daemon.  In the
     ntp.keys(5) file, the next 16 lines contain the MD5 keys in order.  If
     necessary, this file can be further customized by an ordinary text edi-
     tor.  The format is described in the following section.  In the ntpkey
     and ntpkey_host files, the next line contains the modulus length in bits
     followed by the key as a PEM encoded string.  In the ntpkey_dh file, the
     next line contains the prime length in bytes followed by the prime as a
     PEM encoded string, and the next and final line contains the generator
     length in bytes followed by the generator as a PEM encoded string.

     Note: See the file ./source/rsaref.h in the rsaref20 package for explana-
     tion of return values, if necessary.


SEE ALSO

     ntp.keys(5), ntpdc(8), ntpq(8)


BUGS

     It can take quite a while to generate the RSA public/private key pair and
     Diffie-Hellman parameters, from a few seconds on a modern workstation to
     several minutes on older machines.

BSD                             August 2, 2001                             BSD

Mac OS X 10.4 - Generated Fri Apr 29 08:12:36 CDT 2005
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.