Diffstat (limited to 'util/ntp-keygen.html')
-rw-r--r-- | util/ntp-keygen.html | 1811 |
1 files changed, 1811 insertions, 0 deletions
diff --git a/util/ntp-keygen.html b/util/ntp-keygen.html new file mode 100644 index 0000000..b5315d2 --- /dev/null +++ b/util/ntp-keygen.html 
@@ -0,0 +1,1811 @@ +<html lang="en"> +<head> +<title>Ntp-keygen User's Manual</title> +<meta http-equiv="Content-Type" content="text/html"> +<meta name="description" content="Ntp-keygen User's Manual"> +<meta name="generator" content="makeinfo 4.7"> +<link title="Top" rel="top" href="#Top"> +<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage"> +<meta http-equiv="Content-Style-Type" content="text/css"> +<style type="text/css"><!-- + pre.display { font-family:inherit } + pre.format { font-family:inherit } + pre.smalldisplay { font-family:inherit; font-size:smaller } + pre.smallformat { font-family:inherit; font-size:smaller } + pre.smallexample { font-size:smaller } + pre.smalllisp { font-size:smaller } + span.sc { font-variant:small-caps } + span.roman { font-family: serif; font-weight: normal; } +--></style> +</head> +<body> +<h1 class="settitle">Ntp-keygen User's Manual</h1> + <div class="shortcontents"> +<h2>Short Contents</h2> +<ul> +<a href="#Top">Top</a> +<a href="#Top">NTP Key Generation Program User Manual</a> +</ul> +</div> + + + +<div class="node"> +<p><hr> +<a name="Top"></a>Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> +<br> +</div> + +<h2 class="unnumbered">Top</h2> + +<ul class="menu"> +<li><a accesskey="1" href="#Description">Description</a> +<li><a accesskey="2" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>: Invoking ntp-keygen +<li><a accesskey="3" href="#Running-the-Program">Running the Program</a> +<li><a accesskey="4" href="#Random-Seed-File">Random Seed File</a> +<li><a accesskey="5" href="#Cryptographic-Data-Files">Cryptographic Data Files</a> +</ul> + +<div class="node"> +<p><hr> +<a name="Top"></a>Next: <a rel="next" accesskey="n" href="#Description">Description</a>, +Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>, +Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> +<br> +</div> + +<h2 class="unnumbered">NTP Key Generation Program User Manual</h2> + +<p>This 
document describes the use of the NTP Project's <code>ntp-keygen</code> +program, that generates cryptographic data files used by the NTPv4 +authentication and identity schemes. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software +library has been installed, it can generate host keys, sign keys, +certificates, and identity keys and parameters used by the Autokey +public key cryptography. +The message digest keys file is generated in a +format compatible with NTPv3. +All other files are in PEM-encoded +printable ASCII format so they can be embedded as MIME attachments in +mail to other sites. + + <p>This document applies to version 4.2.7p482 of <code>ntp-keygen</code>. + +<div class="node"> +<p><hr> +<a name="Description"></a>Next: <a rel="next" accesskey="n" href="#Running-the-Program">Running the Program</a>, +Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>, +Up: <a rel="up" accesskey="u" href="#Top">Top</a> +<br> +</div> + +<!-- node-name, next, previous, up --> +<h3 class="section">Description</h3> + +<p>This program generates cryptographic data files used by the NTPv4 +authentication and identity schemes. It can generate message digest +keys used in symmetric key cryptography and, if the OpenSSL software +library has been installed, it can generate host keys, sign keys, +certificates, and identity keys and parameters used by the Autokey +public key cryptography. The message digest keys file is generated in a +format compatible with NTPv3. All other files are in PEM-encoded +printable ASCII format so they can be embedded as MIME attachments in +mail to other sites. + + <p>When used to generate message digest keys, the program produces a file +containing ten pseudo-random printable ASCII strings suitable for the +MD5 message digest algorithm included in the distribution. 
+If the +OpenSSL library is installed, it produces an additional ten hex-encoded +random bit strings suitable for the SHA1 and other message digest +algorithms. +The message digest keys file must be distributed and stored +using secure means beyond the scope of NTP itself. +Besides the keys +used for ordinary NTP associations, additional keys can be defined as +passwords for the ntpq and ntpdc utility programs. + + <p>The remaining generated files are compatible with other OpenSSL +applications and other Public Key Infrastructure (PKI) resources. +Certificates generated by this program are compatible with extant +industry practice, although some users might find the interpretation of +X509v3 extension fields somewhat liberal. +However, the identity keys +are probably not compatible with anything other than Autokey. + + <p>Some files used by this program are encrypted using a private password. +The <code>-p</code> option specifies the password for local encrypted files and the +<code>-q</code> option the password for encrypted files sent to remote sites. +If no password is specified, the host name returned by the Unix +<code>gethostname()</code> function, normally the DNS name of the host, is used. + + <p>The <kbd>pw</kbd> option of the <code>crypto</code> configuration command +specifies the read password for previously encrypted local files. +This must match the local password used by this program. +If not specified, the host name is used. +Thus, if files are generated by this program without password, +they can be read back by ntpd without password, but only on the same +host. + + <p>Normally, encrypted files for each host are generated by that host and +used only by that host, although exceptions exist as noted later on +this page. +The symmetric keys file, normally called <code>ntp.keys</code>, is +usually installed in <code>/etc</code>. 
+Other files and links are usually installed +in <code>/usr/local/etc</code>, which is normally in a shared filesystem in +NFS-mounted networks and cannot be changed by shared clients. +The location of the keys directory can be changed by the keysdir +configuration command in such cases. +Normally, this is in <code>/etc</code>. + + <p>This program directs commentary and error messages to the standard +error stream <code>stderr</code> and remote files to the standard output stream +<code>stdout</code> where they can be piped to other applications or redirected to +files. +The names used for generated files and links all begin with the +string <code>ntpkey</code> and include the file type, +generating host and filestamp, +as described in the <a href="#Cryptographic-Data-Files">Cryptographic Data Files</a> section below. + +<div class="node"> +<p><hr> +<a name="Running-the-Program"></a>Next: <a rel="next" accesskey="n" href="#Random-Seed-File">Random Seed File</a>, +Previous: <a rel="previous" accesskey="p" href="#Description">Description</a>, +Up: <a rel="up" accesskey="u" href="#Top">Top</a> +<br> +</div> + +<!-- node-name, next, previous, up --> +<h3 class="section">Running the Program</h3> + +<p>To test and gain experience with Autokey concepts, log in as root and +change to the keys directory, usually <code>/usr/local/etc</code>. +When run for the +first time, or if all files with names beginning <code>ntpkey</code>] have been +removed, use the <code>ntp-keygen</code> command without arguments to generate a +default RSA host key and matching RSA-MD5 certificate with expiration +date one year hence. +If run again without options, the program uses the +existing keys and parameters and generates only a new certificate with +new expiration date one year hence. + + <p>Run the command on as many hosts as necessary. 
+Designate one of them as the trusted host (TH) using <code>ntp-keygen</code> +with the <code>-T</code> option and configure +it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. + + <p>The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt signatures. +A different sign key can be assigned using the <code>-S</code> option +and this can be either RSA or DSA type. +By default, the signature +message digest type is MD5, but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the <code>-c</code> option. + + <p>The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. + + <p>Additional information on trusted groups and identity schemes is on the +Autokey Public-Key Authentication page. 
+ +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-Invocation"></a> +<br> +</div> + +<h3 class="section">Invoking ntp-keygen</h3> + +<p><a name="index-ntp_002dkeygen-1"></a><a name="index-Create-a-NTP-host-key-2"></a> + + <p>This program generates cryptographic data files used by the NTPv4 +authentication and identification schemes. +It generates MD5 key files used in symmetric key cryptography. +In addition, if the OpenSSL software library has been installed, +it generates keys, certificate and identity files used in public key +cryptography. +These files are used for cookie encryption, +digital signature and challenge/response identification algorithms +compatible with the Internet standard security infrastructure. + + <p>All files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in mail to other sites +and certificate authorities. +By default, files are not encrypted. + + <p>When used to generate message digest keys, the program produces a file +containing ten pseudo-random printable ASCII strings suitable for the +MD5 message digest algorithm included in the distribution. +If the OpenSSL library is installed, it produces an additional ten +hex-encoded random bit strings suitable for the SHA1 and other message +digest algorithms. +The message digest keys file must be distributed and stored +using secure means beyond the scope of NTP itself. +Besides the keys used for ordinary NTP associations, additional keys +can be defined as passwords for the +<code>ntpq(1ntpqmdoc)</code> +and +<code>ntpdc(1ntpdcmdoc)</code> +utility programs. + + <p>The remaining generated files are compatible with other OpenSSL +applications and other Public Key Infrastructure (PKI) resources. +Certificates generated by this program are compatible with extant +industry practice, although some users might find the interpretation of +X509v3 extension fields somewhat liberal. 
+However, the identity keys are probably not compatible with anything +other than Autokey. + + <p>Some files used by this program are encrypted using a private password. +The +<code>-p</code> +option specifies the password for local encrypted files and the +<code>-q</code> +option the password for encrypted files sent to remote sites. +If no password is specified, the host name returned by the Unix +<code>gethostname()</code> +function, normally the DNS name of the host is used. + + <p>The +<kbd>pw</kbd> +option of the +<kbd>crypto</kbd> +configuration command specifies the read +password for previously encrypted local files. +This must match the local password used by this program. +If not specified, the host name is used. +Thus, if files are generated by this program without password, +they can be read back by +<kbd>ntpd</kbd> +without password but only on the same host. + + <p>Normally, encrypted files for each host are generated by that host and +used only by that host, although exceptions exist as noted later on +this page. +The symmetric keys file, normally called +<kbd>ntp.keys</kbd>, +is usually installed in +<span class="file">/etc</span>. +Other files and links are usually installed in +<span class="file">/usr/local/etc</span>, +which is normally in a shared filesystem in +NFS-mounted networks and cannot be changed by shared clients. +The location of the keys directory can be changed by the +<kbd>keysdir</kbd> +configuration command in such cases. +Normally, this is in +<span class="file">/etc</span>. + + <p>This program directs commentary and error messages to the standard +error stream +<kbd>stderr</kbd> +and remote files to the standard output stream +<kbd>stdout</kbd> +where they can be piped to other applications or redirected to files. +The names used for generated files and links all begin with the +string +<kbd>ntpkey</kbd> +and include the file type, generating host and filestamp, +as described in the +Cryptographic Data Files +section below. 
+ +<h5 class="subsubsection">Running the Program</h5> + +<p>To test and gain experience with Autokey concepts, log in as root and +change to the keys directory, usually +<span class="file">/usr/local/etc</span> +When run for the first time, or if all files with names beginning with +<kbd>ntpkey</kbd> +have been removed, use the +<code>ntp-keygen</code> +command without arguments to generate a +default RSA host key and matching RSA-MD5 certificate with expiration +date one year hence. +If run again without options, the program uses the +existing keys and parameters and generates only a new certificate with +new expiration date one year hence. + + <p>Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using +<code>ntp-keygen</code> +with the +<code>-T</code> +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. + + <p>The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +<code>-S</code> +option and this can be either RSA or DSA type. +By default, the signature +message digest type is MD5, but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +<code>-c</code> +option. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. 
+Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. + + <p>Additional information on trusted groups and identity schemes is on the +Autokey Public-Key Authentication +page. + + <p>The +<code>ntpd(1ntpdmdoc)</code> +configuration command +<code>crypto</code> <code>pw</code> <kbd>password</kbd> +specifies the read password for previously encrypted files. +The daemon expires on the spot if the password is missing +or incorrect. +For convenience, if a file has been previously encrypted, +the default read password is the name of the host running +the program. +If the previous write password is specified as the host name, +these files can be read by that host with no explicit password. + + <p>File names begin with the prefix +<code>ntpkey_</code> +and end with the postfix +<kbd>_hostname.filestamp</kbd>, +where +<kbd>hostname</kbd> +is the owner name, usually the string returned +by the Unix gethostname() routine, and +<kbd>filestamp</kbd> +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +<code>rm</code> <code>ntpkey*</code> +command or all files generated +at a specific time can be removed by a +<code>rm</code> +<kbd>*filestamp</kbd> +command. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. + + <p>All files are installed by default in the keys directory +<span class="file">/usr/local/etc</span>, +which is normally in a shared filesystem +in NFS-mounted networks. +The actual location of the keys directory +and each file can be overridden by configuration commands, +but this is not recommended. 
+Normally, the files for each host are generated by that host +and used only by that host, although exceptions exist +as noted later on this page. + + <p>Normally, files containing private values, +including the host key, sign key and identification parameters, +are permitted root read/write-only; +while others containing public values are permitted world readable. +Alternatively, files containing private values can be encrypted +and these files permitted world readable, +which simplifies maintenance in shared file systems. +Since uniqueness is insured by the hostname and +file name extensions, the files for a NFS server and +dependent clients can all be installed in the same shared directory. + + <p>The recommended practice is to keep the file name extensions +when installing a file and to install a soft link +from the generic names specified elsewhere on this page +to the generated files. +This allows new file generations to be activated simply +by changing the link. +If a link is present, ntpd follows it to the file name +to extract the filestamp. +If a link is not present, +<code>ntpd(1ntpdmdoc)</code> +extracts the filestamp from the file itself. +This allows clients to verify that the file and generation times +are always current. +The +<code>ntp-keygen</code> +program uses the same timestamp extension for all files generated +at one time, so each generation is distinct and can be readily +recognized in monitoring data. + +<h5 class="subsubsection">Running the program</h5> + +<p>The safest way to run the +<code>ntp-keygen</code> +program is logged in directly as root. +The recommended procedure is change to the keys directory, +usually +<span class="file">/usr/local/etc</span>, +then run the program. +When run for the first time, +or if all +<code>ntpkey</code> +files have been removed, +the program generates a RSA host key file and matching RSA-MD5 certificate file, +which is all that is necessary in many cases. 
+The program also generates soft links from the generic names +to the respective files. +If run again, the program uses the same host key file, +but generates a new certificate file and link. + + <p>The host key is used to encrypt the cookie when required and so must be RSA type. +By default, the host key is also the sign key used to encrypt signatures. +When necessary, a different sign key can be specified and this can be +either RSA or DSA type. +By default, the message digest type is MD5, but any combination +of sign key type and message digest type supported by the OpenSSL library +can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 +and RIPE160 message digest algorithms. +However, the scheme specified in the certificate must be compatible +with the sign key. +Certificates using any digest algorithm are compatible with RSA sign keys; +however, only SHA and SHA1 certificates are compatible with DSA sign keys. + + <p>Private/public key files and certificates are compatible with +other OpenSSL applications and very likely other libraries as well. +Certificates or certificate requests derived from them should be compatible +with extant industry practice, although some users might find +the interpretation of X509v3 extension fields somewhat liberal. +However, the identification parameter files, although encoded +as the other files, are probably not compatible with anything other than Autokey. + + <p>Running the program as other than root and using the Unix +<code>su</code> +command +to assume root may not work properly, since by default the OpenSSL library +looks for the random seed file +<code>.rnd</code> +in the user home directory. +However, there should be only one +<code>.rnd</code>, +most conveniently +in the root directory, so it is convenient to define the +<code>$RANDFILE</code> +environment variable used by the OpenSSL library as the path to +<code>/.rnd</code>. 
+ + <p>Installing the keys as root might not work in NFS-mounted +shared file systems, as NFS clients may not be able to write +to the shared keys directory, even as root. +In this case, NFS clients can specify the files in another +directory such as +<span class="file">/etc</span> +using the +<code>keysdir</code> +command. +There is no need for one client to read the keys and certificates +of other clients or servers, as these data are obtained automatically +by the Autokey protocol. + + <p>Ordinarily, cryptographic files are generated by the host that uses them, +but it is possible for a trusted agent (TA) to generate these files +for other hosts; however, in such cases files should always be encrypted. +The subject name and trusted name default to the hostname +of the host generating the files, but can be changed by command line options. +It is convenient to designate the owner name and trusted name +as the subject and issuer fields, respectively, of the certificate. +The owner name is also used for the host and sign key files, +while the trusted name is used for the identity files. + + <p>All files are installed by default in the keys directory +<span class="file">/usr/local/etc</span>, +which is normally in a shared filesystem +in NFS-mounted networks. +The actual location of the keys directory +and each file can be overridden by configuration commands, +but this is not recommended. +Normally, the files for each host are generated by that host +and used only by that host, although exceptions exist +as noted later on this page. + + <p>Normally, files containing private values, +including the host key, sign key and identification parameters, +are permitted root read/write-only; +while others containing public values are permitted world readable. +Alternatively, files containing private values can be encrypted +and these files permitted world readable, +which simplifies maintenance in shared file systems. 
+Since uniqueness is insured by the hostname and +file name extensions, the files for a NFS server and +dependent clients can all be installed in the same shared directory. + + <p>The recommended practice is to keep the file name extensions +when installing a file and to install a soft link +from the generic names specified elsewhere on this page +to the generated files. +This allows new file generations to be activated simply +by changing the link. +If a link is present, ntpd follows it to the file name +to extract the filestamp. +If a link is not present, +<code>ntpd(1ntpdmdoc)</code> +extracts the filestamp from the file itself. +This allows clients to verify that the file and generation times +are always current. +The +<code>ntp-keygen</code> +program uses the same timestamp extension for all files generated +at one time, so each generation is distinct and can be readily +recognized in monitoring data. + +<h5 class="subsubsection">Running the program</h5> + +<p>The safest way to run the +<code>ntp-keygen</code> +program is logged in directly as root. +The recommended procedure is change to the keys directory, +usually +<span class="file">/usr/local/etc</span>, +then run the program. +When run for the first time, +or if all +<code>ntpkey</code> +files have been removed, +the program generates a RSA host key file and matching RSA-MD5 certificate file, +which is all that is necessary in many cases. +The program also generates soft links from the generic names +to the respective files. +If run again, the program uses the same host key file, +but generates a new certificate file and link. + + <p>The host key is used to encrypt the cookie when required and so must be RSA type. +By default, the host key is also the sign key used to encrypt signatures. +When necessary, a different sign key can be specified and this can be +either RSA or DSA type. 
+By default, the message digest type is MD5, but any combination +of sign key type and message digest type supported by the OpenSSL library +can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 +and RIPE160 message digest algorithms. +However, the scheme specified in the certificate must be compatible +with the sign key. +Certificates using any digest algorithm are compatible with RSA sign keys; +however, only SHA and SHA1 certificates are compatible with DSA sign keys. + + <p>Private/public key files and certificates are compatible with +other OpenSSL applications and very likely other libraries as well. +Certificates or certificate requests derived from them should be compatible +with extant industry practice, although some users might find +the interpretation of X509v3 extension fields somewhat liberal. +However, the identification parameter files, although encoded +as the other files, are probably not compatible with anything other than Autokey. + + <p>Running the program as other than root and using the Unix +<code>su</code> +command +to assume root may not work properly, since by default the OpenSSL library +looks for the random seed file +<code>.rnd</code> +in the user home directory. +However, there should be only one +<code>.rnd</code>, +most conveniently +in the root directory, so it is convenient to define the +<code>$RANDFILE</code> +environment variable used by the OpenSSL library as the path to +<code>/.rnd</code>. + + <p>Installing the keys as root might not work in NFS-mounted +shared file systems, as NFS clients may not be able to write +to the shared keys directory, even as root. +In this case, NFS clients can specify the files in another +directory such as +<span class="file">/etc</span> +using the +<code>keysdir</code> +command. +There is no need for one client to read the keys and certificates +of other clients or servers, as these data are obtained automatically +by the Autokey protocol. 
+ + <p>Ordinarily, cryptographic files are generated by the host that uses them, +but it is possible for a trusted agent (TA) to generate these files +for other hosts; however, in such cases files should always be encrypted. +The subject name and trusted name default to the hostname +of the host generating the files, but can be changed by command line options. +It is convenient to designate the owner name and trusted name +as the subject and issuer fields, respectively, of the certificate. +The owner name is also used for the host and sign key files, +while the trusted name is used for the identity files. +seconds. +seconds. + + <p>s Trusted Hosts and Groups +Each cryptographic configuration involves selection of a signature scheme +and identification scheme, called a cryptotype, +as explained in the +<a href="#Authentication-Options">Authentication Options</a> +section of +<code>ntp.conf(5)</code>. +The default cryptotype uses RSA encryption, MD5 message digest +and TC identification. +First, configure a NTP subnet including one or more low-stratum +trusted hosts from which all other hosts derive synchronization +directly or indirectly. +Trusted hosts have trusted certificates; +all other hosts have nontrusted certificates. +These hosts will automatically and dynamically build authoritative +certificate trails to one or more trusted hosts. +A trusted group is the set of all hosts that have, directly or indirectly, +a certificate trail ending at a trusted host. +The trail is defined by static configuration file entries +or dynamic means described on the +<a href="#Automatic-NTP-Configuration-Options">Automatic NTP Configuration Options</a> +section of +<code>ntp.conf(5)</code>. + + <p>On each trusted host as root, change to the keys directory. +To insure a fresh fileset, remove all +<code>ntpkey</code> +files. +Then run +<code>ntp-keygen</code> +<code>-T</code> +to generate keys and a trusted certificate. 
+On all other hosts do the same, but leave off the +<code>-T</code> +flag to generate keys and nontrusted certificates. +When complete, start the NTP daemons beginning at the lowest stratum +and working up the tree. +It may take some time for Autokey to instantiate the certificate trails +throughout the subnet, but setting up the environment is completely automatic. + + <p>If it is necessary to use a different sign key or different digest/signature +scheme than the default, run +<code>ntp-keygen</code> +with the +<code>-S</code> <kbd>type</kbd> +option, where +<kbd>type</kbd> +is either +<code>RSA</code> +or +<code>DSA</code>. +The most often need to do this is when a DSA-signed certificate is used. +If it is necessary to use a different certificate scheme than the default, +run +<code>ntp-keygen</code> +with the +<code>-c</code> <kbd>scheme</kbd> +option and selected +<kbd>scheme</kbd> +as needed. +f +<code>ntp-keygen</code> +is run again without these options, it generates a new certificate +using the same scheme and sign key. + + <p>After setting up the environment it is advisable to update certificates +from time to time, if only to extend the validity interval. +Simply run +<code>ntp-keygen</code> +with the same flags as before to generate new certificates +using existing keys. +However, if the host or sign key is changed, +<code>ntpd(1ntpdmdoc)</code> +should be restarted. +When +<code>ntpd(1ntpdmdoc)</code> +is restarted, it loads any new files and restarts the protocol. +Other dependent hosts will continue as usual until signatures are refreshed, +at which time the protocol is restarted. + +<h5 class="subsubsection">Identity Schemes</h5> + +<p>As mentioned on the Autonomous Authentication page, +the default TC identity scheme is vulnerable to a middleman attack. 
+However, there are more secure identity schemes available, +including PC, IFF, GQ and MV described on the +"Identification Schemes" +page +(maybe available at +<code>http://www.eecis.udel.edu/%7emills/keygen.html</code>). +These schemes are based on a TA, one or more trusted hosts +and some number of nontrusted hosts. +Trusted hosts prove identity using values provided by the TA, +while the remaining hosts prove identity using values provided +by a trusted host and certificate trails that end on that host. +The name of a trusted host is also the name of its sugroup +and also the subject and issuer name on its trusted certificate. +The TA is not necessarily a trusted host in this sense, but often is. + + <p>In some schemes there are separate keys for servers and clients. +A server can also be a client of another server, +but a client can never be a server for another client. +In general, trusted hosts and nontrusted hosts that operate +as both server and client have parameter files that contain +both server and client keys. +Hosts that operate +only as clients have key files that contain only client keys. + + <p>The PC scheme supports only one trusted host in the group. +On trusted host alice run +<code>ntp-keygen</code> +<code>-P</code> +<code>-p</code> <kbd>password</kbd> +to generate the host key file +<span class="file">ntpkey_RSAkey_</span><kbd>alice.filestamp</kbd> +and trusted private certificate file +<span class="file">ntpkey_RSA-MD5_cert_</span><kbd>alice.filestamp</kbd>. +Copy both files to all group hosts; +they replace the files which would be generated in other schemes. +On each host bob install a soft link from the generic name +<span class="file">ntpkey_host_</span><kbd>bob</kbd> +to the host key file and soft link +<span class="file">ntpkey_cert_</span><kbd>bob</kbd> +to the private certificate file. +Note the generic links are on bob, but point to files generated +by trusted host alice. 
+In this scheme it is not possible to refresh +either the keys or certificates without copying them +to all other hosts in the group. + + <p>For the IFF scheme proceed as in the TC scheme to generate keys +and certificates for all group hosts, then for every trusted host in the group, +generate the IFF parameter file. +On trusted host alice run +<code>ntp-keygen</code> +<code>-T</code> +<code>-I</code> +<code>-p</code> <kbd>password</kbd> +to produce her parameter file +<span class="file">ntpkey_IFFpar_</span><kbd>alice.filestamp</kbd>, +which includes both server and client keys. +Copy this file to all group hosts that operate as both servers +and clients and install a soft link from the generic +<span class="file">ntpkey_iff_</span><kbd>alice</kbd> +to this file. +If there are no hosts restricted to operate only as clients, +there is nothing further to do. +As the IFF scheme is independent +of keys and certificates, these files can be refreshed as needed. + + <p>If a rogue client has the parameter file, it could masquerade +as a legitimate server and present a middleman threat. +To eliminate this threat, the client keys can be extracted +from the parameter file and distributed to all restricted clients. +After generating the parameter file, on alice run +<code>ntp-keygen</code> +<code>-e</code> +and pipe the output to a file or mail program. +Copy or mail this file to all restricted clients. +On these clients install a soft link from the generic +<span class="file">ntpkey_iff_</span><kbd>alice</kbd> +to this file. +To further protect the integrity of the keys, +each file can be encrypted with a secret password. + + <p>For the GQ scheme proceed as in the TC scheme to generate keys +and certificates for all group hosts, then for every trusted host +in the group, generate the IFF parameter file. 
+On trusted host alice run +<code>ntp-keygen</code> +<code>-T</code> +<code>-G</code> +<code>-p</code> <kbd>password</kbd> +to produce her parameter file +<span class="file">ntpkey_GQpar_</span><kbd>alice.filestamp</kbd>, +which includes both server and client keys. +Copy this file to all group hosts and install a soft link +from the generic +<span class="file">ntpkey_gq_</span><kbd>alice</kbd> +to this file. +In addition, on each host bob install a soft link +from generic +<span class="file">ntpkey_gq_</span><kbd>bob</kbd> +to this file. +As the GQ scheme updates the GQ parameters file and certificate +at the same time, keys and certificates can be regenerated as needed. + + <p>For the MV scheme, proceed as in the TC scheme to generate keys +and certificates for all group hosts. +For illustration assume trish is the TA, alice one of several trusted hosts +and bob one of her clients. +On TA trish run +<code>ntp-keygen</code> +<code>-V</code> <kbd>n</kbd> +<code>-p</code> <kbd>password</kbd>, +where +<kbd>n</kbd> +is the number of revokable keys (typically 5) to produce +the parameter file +<span class="file">ntpkeys_MVpar_</span><kbd>trish.filestamp</kbd> +and client key files +<span class="file">ntpkeys_MVkeyd_</span><kbd>trish.filestamp</kbd> +where +<kbd>d</kbd> +is the key number (0 < +<kbd>d</kbd> +< +<kbd>n</kbd>). +Copy the parameter file to alice and install a soft link +from the generic +<span class="file">ntpkey_mv_</span><kbd>alice</kbd> +to this file. +Copy one of the client key files to alice for later distribution +to her clients. +It doesn't matter which client key file goes to alice, +since they all work the same way. +Alice copies the client key file to all of her cliens. +On client bob install a soft link from generic +<span class="file">ntpkey_mvkey_</span><kbd>bob</kbd> +to the client key file. +As the MV scheme is independent of keys and certificates, +these files can be refreshed as needed. 
+ +<h5 class="subsubsection">Command Line Options</h5> + + <dl> +<dt><code>-c</code> <kbd>scheme</kbd><dd>Select certificate message digest/signature encryption scheme. +The +<kbd>scheme</kbd> +can be one of the following: +. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +or +<code>DSA-SHA1</code>. +Note that RSA schemes must be used with a RSA sign key and DSA +schemes must be used with a DSA sign key. +The default without this option is +<code>RSA-MD5</code>. +<br><dt><code>-d</code><dd>Enable debugging. +This option displays the cryptographic data produced in eye-friendly billboards. +<br><dt><code>-e</code><dd>Write the IFF client keys to the standard output. +This is intended for automatic key distribution by mail. +<br><dt><code>-G</code><dd>Generate parameters and keys for the GQ identification scheme, +obsoleting any that may exist. +<br><dt><code>-g</code><dd>Generate keys for the GQ identification scheme +using the existing GQ parameters. +If the GQ parameters do not yet exist, create them first. +<br><dt><code>-H</code><dd>Generate new host keys, obsoleting any that may exist. +<br><dt><code>-I</code><dd>Generate parameters for the IFF identification scheme, +obsoleting any that may exist. +<br><dt><code>-i</code> <kbd>name</kbd><dd>Set the suject name to +<kbd>name</kbd>. +This is used as the subject field in certificates +and in the file name for host and sign keys. +<br><dt><code>-M</code><dd>Generate MD5 keys, obsoleting any that may exist. +<br><dt><code>-P</code><dd>Generate a private certificate. +By default, the program generates public certificates. +<br><dt><code>-p</code> <kbd>password</kbd><dd>Encrypt generated files containing private data with +<kbd>password</kbd> +and the DES-CBC algorithm. +<br><dt><code>-q</code><dd>Set the password for reading files to password. +<br><dt><code>-S</code> <code>[RSA | DSA]</code><dd>Generate a new sign key of the designated type, +obsoleting any that may exist. 
+By default, the program uses the host key as the sign key. +<br><dt><code>-s</code> <kbd>name</kbd><dd>Set the issuer name to +<kbd>name</kbd>. +This is used for the issuer field in certificates +and in the file name for identity files. +<br><dt><code>-T</code><dd>Generate a trusted certificate. +By default, the program generates a non-trusted certificate. +<br><dt><code>-V</code> <kbd>nkeys</kbd><dd>Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +</dl> + +<h5 class="subsubsection">Random Seed File</h5> + +<p>All cryptographically sound key generation schemes must have means +to randomize the entropy seed used to initialize +the internal pseudo-random number generator used +by the library routines. +The OpenSSL library uses a designated random seed file for this purpose. +The file must be available when starting the NTP daemon and +<code>ntp-keygen</code> +program. +If a site supports OpenSSL or its companion OpenSSH, +it is very likely that means to do this are already available. + + <p>It is important to understand that entropy must be evolved +for each generation, for otherwise the random number sequence +would be predictable. +Various means dependent on external events, such as keystroke intervals, +can be used to do this and some systems have built-in entropy sources. +Suitable means are described in the OpenSSL software documentation, +but are outside the scope of this page. + + <p>The entropy seed used by the OpenSSL library is contained in a file, +usually called +<code>.rnd</code>, +which must be available when starting the NTP daemon +or the +<code>ntp-keygen</code> +program. +The NTP daemon will first look for the file +using the path specified by the +<code>randfile</code> +subcommand of the +<code>crypto</code> +configuration command. 
+If not specified in this way, or when starting the +<code>ntp-keygen</code> +program, +the OpenSSL library will look for the file using the path specified +by the +.Ev RANDFILE +environment variable in the user home directory, +whether root or some other user. +If the +.Ev RANDFILE +environment variable is not present, +the library will look for the +<code>.rnd</code> +file in the user home directory. +If the file is not available or cannot be written, +the daemon exits with a message to the system log and the program +exits with a suitable error message. + +<h5 class="subsubsection">Cryptographic Data Files</h5> + +<p>All other file formats begin with two lines. +The first contains the file name, including the generated host name +and filestamp. +The second contains the datestamp in conventional Unix date format. +Lines beginning with # are considered comments and ignored by the +<code>ntp-keygen</code> +program and +<code>ntpd(1ntpdmdoc)</code> +daemon. +Cryptographic values are encoded first using ASN.1 rules, +then encrypted if necessary, and finally written PEM-encoded +printable ASCII format preceded and followed by MIME content identifier lines. + + <p>The format of the symmetric keys file is somewhat different +than the other files in the interest of backward compatibility. +Since DES-CBC is deprecated in NTPv4, the only key format of interest +is MD5 alphanumeric strings. +Following hte heard the keys are +entered one per line in the format +<pre class="example"> <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd> +</pre> + <p>where +<kbd>keyno</kbd> +is a positive integer in the range 1-65,535, +<kbd>type</kbd> +is the string MD5 defining the key format and +<kbd>key</kbd> +is the key itself, +which is a printable ASCII string 16 characters or less in length. +Each character is chosen from the 93 printable characters +in the range 0x21 through 0x7f excluding space and the +# +character. 
+ + <p>Note that the keys used by the +<code>ntpq(1ntpqmdoc)</code> +and +<code>ntpdc(1ntpdcmdoc)</code> +programs +are checked against passwords requested by the programs +and entered by hand, so it is generally appropriate to specify these keys +in human readable ASCII format. + + <p>The +<code>ntp-keygen</code> +program generates a MD5 symmetric keys file +<span class="file">ntpkey_MD5key_</span><kbd>hostname.filestamp</kbd>. +Since the file contains private shared keys, +it should be visible only to root and distributed by secure means +to other subnet hosts. +The NTP daemon loads the file +<span class="file">ntp.keys</span>, +so +<code>ntp-keygen</code> +installs a soft link from this name to the generated file. +Subsequently, similar soft links must be installed by manual +or automated means on the other subnet hosts. +While this file is not used with the Autokey Version 2 protocol, +it is needed to authenticate some remote configuration commands +used by the +<code>ntpq(1ntpqmdoc)</code> +and +<code>ntpdc(1ntpdcmdoc)</code> +utilities. + + <p>This section was generated by <strong>AutoGen</strong>, +using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp-keygen</code> program. +This software is released under the NTP license, <http://ntp.org/license>. 
+ +<ul class="menu"> +<li><a accesskey="1" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>: ntp-keygen help/usage (<span class="option">--help</span>) +<li><a accesskey="2" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>: imbits option (-b) +<li><a accesskey="3" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>: certificate option (-c) +<li><a accesskey="4" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>: cipher option (-C) +<li><a accesskey="5" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>: id-key option (-e) +<li><a accesskey="6" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>: gq-params option (-G) +<li><a accesskey="7" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>: host-key option (-H) +<li><a accesskey="8" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>: iffkey option (-I) +<li><a accesskey="9" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>: ident option (-i) +<li><a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>: lifetime option (-l) +<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M) +<li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m) +<li><a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>: pvt-cert option (-P) +<li><a href="#ntp_002dkeygen-password">ntp-keygen password</a>: password option (-p) +<li><a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>: export-passwd option (-q) +<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S) +<li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s) +<li><a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>: trusted-cert option (-T) +<li><a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>: mv-params option (-V) +<li><a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>: mv-keys option (-v) +<li><a href="#ntp_002dkeygen-config">ntp-keygen 
config</a>: presetting/configuring ntp-keygen +<li><a href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>: exit status +<li><a href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>: Usage +<li><a href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>: Notes +<li><a href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>: Bugs +</ul> + +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ntp-keygen help/usage (<span class="option">--help</span>)</h4> + +<p><a name="index-ntp_002dkeygen-help-3"></a> +This is the automatically generated usage text for ntp-keygen. + + <p>The text printed is the same whether selected with the <code>help</code> option +(<span class="option">--help</span>) or the <code>more-help</code> option (<span class="option">--more-help</span>). <code>more-help</code> will print +the usage text by passing it through a pager program. +<code>more-help</code> is disabled on platforms without a working +<code>fork(2)</code> function. The <code>PAGER</code> environment variable is +used to select the program, defaulting to <span class="file">more</span>. Both will exit +with a status code of 0. + +<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p481 +Usage: ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val>] ]... 
+ Flg Arg Option-Name Description + -b Num imbits identity modulus bits + - it must be in the range: + 256 to 2048 + -c Str certificate certificate scheme + -C Str cipher privatekey cipher + -d no debug-level Increase debug verbosity level + - may appear multiple times + -D Num set-debug-level Set the debug verbosity level + - may appear multiple times + -e no id-key Write IFF or GQ identity keys + -G no gq-params Generate GQ parameters and keys + -H no host-key generate RSA host key + -I no iffkey generate IFF parameters + -i Str ident set Autokey group name + -l Num lifetime set certificate lifetime + -M no md5key generate MD5 keys + -m Num modulus modulus + - it must be in the range: + 256 to 2048 + -P no pvt-cert generate PC private certificate + -p Str password local private password + -q Str export-passwd export IFF or GQ group keys with password + -S Str sign-key generate sign key (RSA or DSA) + -s Str subject-name set host and optionally group name + -T no trusted-cert trusted certificate (TC scheme) + -V Num mv-params generate <num> MV parameters + -v Num mv-keys update <num> MV keys + opt version output version information and exit + -? no help display extended usage information and exit + -! no more-help extended usage information passed thru pager + -> opt save-opts save the option state to a config file + -< Str load-opts load options from a config file + - disabled as '--no-load-opts' + - may appear multiple times + +Options are specified by doubled hyphens and their name or by a single +hyphen and the flag character. 
+ + +The following option preset mechanisms are supported: + - reading file $HOME/.ntprc + - reading file ./.ntprc + - examining environment variables named NTP_KEYGEN_* + +Please send bug reports to: <http://bugs.ntp.org, bugs@ntp.org> +</pre> + <div class="node"> +<p><hr> +<a name="ntp_002dkeygen-imbits"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-usage">ntp-keygen usage</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">imbits option (-b)</h4> + +<p><a name="index-ntp_002dkeygen_002dimbits-4"></a> +This is the “identity modulus bits” option. +This option takes a number argument <span class="file">imbits</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>The number of bits in the identity modulus. The default is 256. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-certificate"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-imbits">ntp-keygen imbits</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">certificate option (-c)</h4> + +<p><a name="index-ntp_002dkeygen_002dcertificate-5"></a> +This is the “certificate scheme” option. +This option takes a string argument <span class="file">scheme</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>scheme is one of +RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, +DSA-SHA, or DSA-SHA1. + + <p>Select the certificate message digest/signature encryption scheme. 
+Note that RSA schemes must be used with a RSA sign key and DSA +schemes must be used with a DSA sign key. The default without +this option is RSA-MD5. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-cipher"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-certificate">ntp-keygen certificate</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">cipher option (-C)</h4> + +<p><a name="index-ntp_002dkeygen_002dcipher-6"></a> +This is the “privatekey cipher” option. +This option takes a string argument <span class="file">cipher</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Select the cipher which is used to encrypt the files containing +private keys. The default is three-key triple DES in CBC mode, +equivalent to "<code>-C des-ede3-cbc". The openssl tool lists ciphers +available in "openssl -h" output. +</code><div class="node"> +<p><hr> +<a name="ntp_002dkeygen-id_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">id-key option (-e)</h4> + +<p><a name="index-ntp_002dkeygen_002did_002dkey-7"></a> +This is the “write iff or gq identity keys” option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Write the IFF or GQ client keys to the standard output. This is +intended for automatic key distribution by mail. 
+<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-gq_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-id_002dkey">ntp-keygen id-key</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">gq-params option (-G)</h4> + +<p><a name="index-ntp_002dkeygen_002dgq_002dparams-8"></a> +This is the “generate gq parameters and keys” option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate parameters and keys for the GQ identification scheme, +obsoleting any that may exist. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-host_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">host-key option (-H)</h4> + +<p><a name="index-ntp_002dkeygen_002dhost_002dkey-9"></a> +This is the “generate rsa host key” option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate new host keys, obsoleting any that may exist. 
+<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-iffkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">iffkey option (-I)</h4> + +<p><a name="index-ntp_002dkeygen_002diffkey-10"></a> +This is the “generate iff parameters” option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate parameters for the IFF identification scheme, obsoleting +any that may exist. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-ident"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ident option (-i)</h4> + +<p><a name="index-ntp_002dkeygen_002dident-11"></a> +This is the “set autokey group name” option. +This option takes a string argument <span class="file">group</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Set the optional Autokey group name to name. This is used in +the file name of IFF, GQ, and MV client parameters files. In +that role, the default is the host name if this option is not +provided. 
The group name, if specified using <code>-i/--ident</code> or +using <code>-s/--subject-name</code> following an '<code>}' character, +is also a part of the self-signed host certificate's subject and +issuer names in the form host + <p>'crypto ident' or 'server ident' configuration in +ntpd's configuration file. +</code><div class="node"> +<p><hr> +<a name="ntp_002dkeygen-lifetime"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">lifetime option (-l)</h4> + +<p><a name="index-ntp_002dkeygen_002dlifetime-12"></a> +This is the ``set certificate lifetime'' option. +This option takes a number argument <span class="file">lifetime</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Set the certificate expiration to lifetime days from now. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-md5key"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">md5key option (-M)</h4> + +<p><a name="index-ntp_002dkeygen_002dmd5key-13"></a> +This is the ``generate md5 keys'' option. +Generate MD5 keys, obsoleting any that may exist. 
+<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-modulus"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">modulus option (-m)</h4> + +<p><a name="index-ntp_002dkeygen_002dmodulus-14"></a> +This is the ``modulus'' option. +This option takes a number argument <span class="file">modulus</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>The number of bits in the prime modulus. The default is 512. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-pvt_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">pvt-cert option (-P)</h4> + +<p><a name="index-ntp_002dkeygen_002dpvt_002dcert-15"></a> +This is the ``generate pc private certificate'' option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate a private certificate. By default, the program generates +public certificates. 
+<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-password"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">password option (-p)</h4> + +<p><a name="index-ntp_002dkeygen_002dpassword-16"></a> +This is the ``local private password'' option. +This option takes a string argument <span class="file">passwd</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Local files containing private data are encrypted with the +DES-CBC algorithm and the specified password. The same password +must be specified to the local ntpd via the "crypto pw password" +configuration command. The default password is the local +hostname. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-export_002dpasswd"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-password">ntp-keygen password</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">export-passwd option (-q)</h4> + +<p><a name="index-ntp_002dkeygen_002dexport_002dpasswd-17"></a> +This is the ``export iff or gq group keys with password'' option. +This option takes a string argument <span class="file">passwd</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Export IFF or GQ identity group keys to the standard output, +encrypted with the DES-CBC algorithm and the specified password. 
+The same password must be specified to the remote ntpd via the +"crypto pw password" configuration command. See also the option +--id-key (-e) for unencrypted exports. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-sign_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">sign-key option (-S)</h4> + +<p><a name="index-ntp_002dkeygen_002dsign_002dkey-18"></a> +This is the ``generate sign key (rsa or dsa)'' option. +This option takes a string argument <span class="file">sign</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-subject_002dname"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">subject-name option (-s)</h4> + +<p><a name="index-ntp_002dkeygen_002dsubject_002dname-19"></a> +This is the ``set host and optionally group name'' option. +This option takes a string argument <span class="file">host@group</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. 
+</ul> + + <p>Set the Autokey host name, and optionally, group name specified +following an '<code>}' character. The host name is used in the file +name of generated host and signing certificates, without the +group name. The host name, and if provided, group name are used +in host + <p>fields. Specifying '-s + <p>leaving the host name unchanged while appending + <p>subject and issuer fields, as with -i group. The group name, or +if not provided, the host name are also used in the file names +of IFF, GQ, and MV client parameter files. +</code><div class="node"> +<p><hr> +<a name="ntp_002dkeygen-trusted_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">trusted-cert option (-T)</h4> + +<p><a name="index-ntp_002dkeygen_002dtrusted_002dcert-20"></a> +This is the ``trusted certificate (tc scheme)'' option. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate a trusted certificate. By default, the program generates +a non-trusted certificate. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-mv_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">mv-params option (-V)</h4> + +<p><a name="index-ntp_002dkeygen_002dmv_002dparams-21"></a> +This is the ``generate <num> mv parameters'' option. 
+This option takes a number argument <span class="file">num</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>Generate parameters and keys for the Mu-Varadharajan (MV) +identification scheme. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-mv_002dkeys"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-config">ntp-keygen config</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">mv-keys option (-v)</h4> + +<p><a name="index-ntp_002dkeygen_002dmv_002dkeys-22"></a> +This is the ``update <num> mv keys'' option. +This option takes a number argument <span class="file">num</span>. + +<p class="noindent">This option has some usage constraints. It: + <ul> +<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. +</ul> + + <p>This option has no <span class="samp">doc</span> documentation. + +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-config"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">presetting/configuring ntp-keygen</h4> + +<p>Any option that is not marked as <i>not presettable</i> may be preset by +loading values from configuration ("rc" or "ini") files, and values from environment variables named <code>NTP-KEYGEN</code> and <code>NTP-KEYGEN_<OPTION_NAME></code>. <code><OPTION_NAME></code> must be one of +the options listed above in upper case and segmented with underscores. 
+The <code>NTP-KEYGEN</code> variable will be tokenized and parsed like +the command line. The remaining variables are tested for existence and their +values are treated like option arguments. + +<p class="noindent"><code>libopts</code> will search in 2 places for configuration files: + <ul> +<li>$HOME +<li>$PWD +</ul> + The environment variables <code>HOME</code>, and <code>PWD</code> +are expanded and replaced when <span class="file">ntp-keygen</span> runs. +For any of these that are plain files, they are simply processed. +For any that are directories, then a file named <span class="file">.ntprc</span> is searched for +within that directory and processed. + + <p>Configuration files may be in a wide variety of formats. +The basic format is an option name followed by a value (argument) on the +same line. Values may be separated from the option name with a colon, +equal sign or simply white space. Values may be continued across multiple +lines by escaping the newline with a backslash. + + <p>Multiple programs may also share the same initialization file. +Common options are collected at the top, followed by program specific +segments. The segments are separated by lines like: +<pre class="example"> [NTP-KEYGEN] +</pre> + <p class="noindent">or by +<pre class="example"> <?program ntp-keygen> +</pre> + <p class="noindent">Do not mix these styles within one configuration file. + + <p>Compound values and carefully constructed string values may also be +specified using XML syntax: +<pre class="example"> <option-name> + <sub-opt>...&lt;...&gt;...</sub-opt> + </option-name> +</pre> + <p class="noindent">yielding an <code>option-name.sub-opt</code> string value of +<pre class="example"> "...<...>..." +</pre> + <p><code>AutoOpts</code> does not track suboptions. You simply note that it is a +hierarchicly valued option. <code>AutoOpts</code> does provide a means for searching +the associated name/value pair list (see: optionFindValue). 
+ + <p>The command line options relating to configuration and/or usage help are: + +<h5 class="subsubheading">version (-)</h5> + +<p>Print the program version to standard out, optionally with licensing +information, then exit 0. The optional argument specifies how much licensing +detail to provide. The default is to print just the version. The licensing infomation may be selected with an option argument. +Only the first letter of the argument is examined: + + <dl> +<dt><span class="samp">version</span><dd>Only print the version. This is the default. +<br><dt><span class="samp">copyright</span><dd>Name the copyright usage licensing terms. +<br><dt><span class="samp">verbose</span><dd>Print the full copyright usage licensing terms. +</dl> + +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-exit-status"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-config">ntp-keygen config</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ntp-keygen exit status</h4> + +<p>One of the following exit values will be returned: + <dl> +<dt><span class="samp">0 (EXIT_SUCCESS)</span><dd>Successful program execution. +<br><dt><span class="samp">1 (EXIT_FAILURE)</span><dd>The operation failed or the command syntax was not valid. +<br><dt><span class="samp">66 (EX_NOINPUT)</span><dd>A specified configuration file could not be loaded. +<br><dt><span class="samp">70 (EX_SOFTWARE)</span><dd>libopts had an internal operational error. Please report +it to autogen-users@lists.sourceforge.net. Thank you. 
+</dl> + <div class="node"> +<p><hr> +<a name="ntp_002dkeygen-Usage"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ntp-keygen Usage</h4> + +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-Notes"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ntp-keygen Notes</h4> + +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-Bugs"></a>Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + +<h4 class="subsection">ntp-keygen Bugs</h4> + +<div class="node"> +<p><hr> +<a name="Random-Seed-File"></a>Next: <a rel="next" accesskey="n" href="#Cryptographic-Data-Files">Cryptographic Data Files</a>, +Previous: <a rel="previous" accesskey="p" href="#Running-the-Program">Running the Program</a>, +Up: <a rel="up" accesskey="u" href="#Top">Top</a> +<br> +</div> + +<!-- node-name, next, previous, up --> +<h3 class="section">Random Seed File</h3> + +<p>All cryptographically sound key generation schemes must have means to +randomize the entropy seed used to initialize the internal +pseudo-random number generator used by the OpenSSL library routines. +If a site supports ssh, it is very likely that means to do this are +already available. 
+The entropy seed used by the OpenSSL library is contained in a file, +usually called <code>.rnd</code>, which must be available when +starting the <code>ntp-keygen</code> program or <code>ntpd</code> daemon. + + <p>The OpenSSL library looks for the file using the path specified by the +<code>RANDFILE</code> environment variable in the user home directory, whether root +or some other user. +If the <code>RANDFILE</code> environment variable is not +present, the library looks for the <code>.rnd</code> file in the user home +directory. +Since both the <code>ntp-keygen</code> program and <code>ntpd</code> daemon must run +as root, the logical place to put this file is in <code>/.rnd</code> or +<code>/root/.rnd</code>. +If the file is not available or cannot be written, the program exits +with a message to the system log. + +<div class="node"> +<p><hr> +<a name="Cryptographic-Data-Files"></a>Previous: <a rel="previous" accesskey="p" href="#Random-Seed-File">Random Seed File</a>, +Up: <a rel="up" accesskey="u" href="#Top">Top</a> +<br> +</div> + +<!-- node-name, next, previous, up --> +<h3 class="section">Cryptographic Data Files</h3> + +<p>File and link names are in the <code>form ntpkey_key_name.fstamp</code>, +where <code>key</code> is the key or parameter type, +<code>name</code> is the host or group name and +<code>fstamp</code> is the filestamp (NTP seconds) when the file was created). +By convention, key names in generated file names include both upper and +lower case characters, while key names in generated link names include +only lower case characters. The filestamp is not used in generated link +names. + + <p>The key name is a string defining the cryptographic key type. +Key types include public/private keys host and sign, certificate cert +and several challenge/response key types. 
+By convention, client files used for +challenges have a par subtype, as in the IFF challenge IFFpar, while +server files for responses have a key subtype, as in the GQ response +GQkey. + + <p>All files begin with two nonencrypted lines. The first line contains +the file name in the format <code>ntpkey_key_host.fstamp</code>. +The second line contains the datestamp in conventional Unix date format. +Lines beginning with <code>#</code> are ignored. + + <p>The remainder of the file contains cryptographic data encoded first +using ASN.1 rules, then encrypted using the DES-CBC algorithm with +given password and finally written in PEM-encoded printable ASCII text +preceded and followed by MIME content identifier lines. + + <p>The format of the symmetric keys file, ordinarily named <code>ntp.keys</code>, +is somewhat different than the other files in the interest of backward +compatibility. +Ordinarily, the file is generated by this program, but +it can be constructed and edited using an ordinary text editor. 
+ +<pre class="example"> # ntpkey_MD5key_hms.local.3564038757 + # Sun Dec 9 02:45:57 2012 + + 1 MD5 "]!ghT%O;3)WJ,/Nc:>I # MD5 key + 2 MD5 lu+H^tF46BKR-6~pV_5 # MD5 key + 3 MD5 :lnoVsE%Yz*avh%EtNC # MD5 key + 4 MD5 |fdZrf0sF~^V # MD5 key + 5 MD5 IyAG>O"y"LmCRS!*bHC # MD5 key + 6 MD5 ">e\A # MD5 key + 7 MD5 c9x=M'CfLxax9v)PV-si # MD5 key + 8 MD5 E|=jvFVov?Bn|Ev=&aK\ # MD5 key + 9 MD5 T!c4UT&`(m$+m+B6,`Q0 # MD5 key + 10 MD5 JVF/1=)=IFbHbJQz..Cd # MD5 key + 11 SHA1 6dea311109529e436c2b4fccae9bc753c16d1b48 # SHA1 key + 12 SHA1 7076f373d86c4848c59ff8046e49cb7d614ec394 # SHA1 key + 13 SHA1 5f48b1b60591eb01b7cf1d33b7774f08d20262d3 # SHA1 key + 14 SHA1 eed5ab9d9497319ec60cf3781d52607e76720178 # SHA1 key + 15 SHA1 f283562611a04c964da8126296f5f8e58c3f85de # SHA1 key + 16 SHA1 1930da171297dd63549af50b29449de17dcf341f # SHA1 key + 17 SHA1 fee892110358cd4382322b889869e750db8e8a8f # SHA1 key + 18 SHA1 b5520c9fadd7ad3fd8bfa061c8821b65d029bb37 # SHA1 key + 19 SHA1 8c74fb440ec80f453ec6aaa62b9baed0ab723b92 # SHA1 key + 20 SHA1 6bc05f734306a189326000970c19b3910f403795 # SHA1 key +</pre> + <p>Figure 1. Typical Symmetric Key File + + <p>Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Each line of the file contains three fields, first an +integer between 1 and 65534, inclusive, representing the key identifier +used in the server and peer configuration commands. +Next is the key type for the message digest algorithm, +which in the absence of the +OpenSSL library must be MD5 to designate the MD5 message digest +algorithm. +If the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library. +However, if +compatibility with FIPS 140-2 is required, the key type must be either +SHA or SHA1. +The key type can be changed using an ASCII text editor. + + <p>An MD5 key consists of a printable ASCII string less than or equal to +16 characters and terminated by whitespace or a # character. 
+An OpenSSL +key consists of a hex-encoded ASCII string of 40 characters, which is +truncated as necessary. + + <p>Note that the keys used by the <code>ntpq</code> and <code>ntpdc</code> programs are +checked against passwords requested by the programs and entered by hand, +so it +is generally appropriate to specify these keys in human readable ASCII +format. + + <p>The <code>ntp-keygen</code> program generates a MD5 symmetric keys file +<code>ntpkey_MD5key_hostname.filestamp</code>. +Since the file contains private +shared keys, it should be visible only to root and distributed by +secure means to other subnet hosts. +The NTP daemon loads the file <code>ntp.keys</code>, so <code>ntp-keygen</code> +installs a soft link from this name to the generated file. +Subsequently, similar soft links must be installed by +manual or automated means on the other subnet hosts. +While this file is +not used with the Autokey Version 2 protocol, it is needed to +authenticate some remote configuration commands used by the <code>ntpq</code> and +<code>ntpdc</code> utilities. + +</body></html> + |
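Review bot: the subject-name option (-s) text in this hunk is garbled and leaves the option's syntax undocumented: the separator is rendered as "following an '<code>}' character" (the argument is given as <span class="file">host@group</span> just above, so the '@' was lost when the Texinfo source was converted), the sentence "The host name, and if provided, group name are used in host <p>fields. Specifying '-s <p>leaving the host name unchanged while appending <p>subject and issuer fields" has lost the words after "in host", after "Specifying '-s", and after "appending", and the stray <code> opened at "'<code>}'" is only closed three paragraphs later with "</code><div class="node">", which mis-nests the markup for the trusted-cert node that follows; please regenerate this subsection from the source with the '@' escaped properly. Further doc gaps in the same hunk: the "ntp-keygen Usage", "ntp-keygen Notes" and "ntp-keygen Bugs" subsections contain only a heading, the mv-keys option (-v) is shipped with "This option has no doc documentation", and the version option heading reads "version (-)" with the short letter missing. Minor wording: "hierarchicly" should be "hierarchically", "infomation" should be "information", and "in the <code>form ntpkey_key_name.fstamp</code>" puts the word "form" inside the code tag. Since the Cryptographic Data Files section states that private key files are "encrypted using the DES-CBC algorithm with given password" and that the symmetric keys file "should be visible only to root", it would help operators if the text also recorded the file permissions ntp-keygen sets on these files and noted that the DES-CBC wrapping is a legacy format rather than a protection to rely on for key confidentiality.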