NTP_GENKEYS(8) BSD System Manager's Manual NTP_GENKEYS(8)
NAME
ntp-genkeys -- generate public and private keys
SYNOPSIS
ntp-genkeys [-dfhlnt] [-c conffile] [-g target] [-k keyfile]
DESCRIPTION
The ntp-genkeys utility generates random keys used by either or both the NTPv3/NTPv4 symmetric key or the NTPv4 public key (Autokey) cryptographic authentication schemes. The following options are available: -c conffile Location of ntp.conf(8) file. -d enable debug messages (can be used multiple times) -f force installation of generated keys. -g -target Generate file or files indicated by the characters in the target string: d Generate D-H parameter file. m Generate MD5 key file. r Generate RSA keys. -h Build keys here (current directory). Implies -l. -k keyfile Location of key file. -l Do not make the symlinks. -n Do not actually do anything, just say what would be done. -t Trash the (old) files at the end of symlink. By default the program generates the ntp.keys(5) file containing 16 ran- dom symmetric keys. In addition, if the rsaref20 package is configured for the software build, the program generates cryptographic values used by the Autokey scheme. These values are incorporated as a set of three files, ntpkey containing the RSA private key, ntpkey_host containing the RSA public key, where host is the DNS name of the generating machine, and ntpkey_dh containing the parameters for the Diffie-Hellman key-agreement algorithm. All files and are in printable ASCII format. A timestamp in NTP seconds is appended to each. Since the algorithms are seeded by the system clock, each run of this program produces a different file and file name. The ntp.keys(5) file contains 16 MD5 keys. Each key consists of 16 char- acters randomized over the ASCII 95-character printing subset. The file is read by the daemon at the location specified by the keys configuration file command and made visible only to root. An additional key consisting of an easily remembered password should be added by hand for use with the ntpq(8) and ntpdc(8) programs. The file must be distributed by secure means to other servers and clients sharing the same security compartment. While the key identifiers for MD5 and DES keys must be in the range 1-65534, inclusive, the ntp-genkeys utility uses only the identifiers from 1 to 16. The key identifier for each association is specified as the key argument in the server or peer configuration file command. The ntpkey file contains the RSA private key. It is read by the daemon at the location specified by the privatekey argument of the crypto con- figuration file command and made visible only to root. This file is use- ful only to the machine that generated it and never shared with any other daemon or application program. The ntpkey_host file contains the RSA public key, where host is the DNS name of the host that generated it. The file is read by the daemon at the location specified by the publickey argument to the server or peer configuration file command. This file can be widely distributed and stored without using secure means, since the data are public values. The ntp_dh file contains two Diffie-Hellman parameters: the prime modulus and the generator. The file is read by the daemon at the location speci- fied by the dhparams argument of the crypto configuration file command. The file can be distributed by insecure means to other servers and clients sharing the same key agreement compartment, since the data are public values. The file formats begin with two lines, the first containing the generat- ing system DNS name and the second the datestamp. Lines beginning with `#' are considered comments and ignored by the daemon. In the ntp.keys(5) file, the next 16 lines contain the MD5 keys in order. If necessary, this file can be further customized by an ordinary text edi- tor. The format is described in the following section. In the ntpkey and ntpkey_host files, the next line contains the modulus length in bits followed by the key as a PEM encoded string. In the ntpkey_dh file, the next line contains the prime length in bytes followed by the prime as a PEM encoded string, and the next and final line contains the generator length in bytes followed by the generator as a PEM encoded string. Note: See the file ./source/rsaref.h in the rsaref20 package for explana- tion of return values, if necessary.
SEE ALSO
ntp.keys(5), ntpdc(8), ntpq(8)
BUGS
It can take quite a while to generate the RSA public/private key pair and Diffie-Hellman parameters, from a few seconds on a modern workstation to several minutes on older machines. BSD August 2, 2001 BSD
Mac OS X 10.4 - Generated Fri Apr 29 08:12:36 CDT 2005