ntp-keygen(8)               System Manager's Manual               ntp-keygen(8)

NAME
ntp-keygen - generate public and private keys

SYNOPSIS
ntp-keygen [ -deGHIMPT ] [ -b modulus ] [ -c [RSA-MD2 | RSA-MD5 | RSA-SHA |
RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ] [ -C cipher ]
[ -i group ] [ -m modulus ] [ -p passwd2 ] [ -q passwd1 ] [ -S [ RSA | DSA ] ]
[ -s host ] [ -V nkeys ]

DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identity schemes. It can generate message digest keys
used in symmetric key cryptography and, if the OpenSSL software library has
been installed, it can generate host keys, sign keys, certificates and
identity keys used by the Autokey public key cryptography. The message
digest keys file is generated in a format compatible with NTPv3. All other
files are in PEM-encoded printable ASCII format so they can be embedded as
MIME attachments in mail to other sites.

When used to generate message digest keys, the program produces a file
containing ten pseudo-random printable ASCII strings suitable for the MD5
message digest algorithm included in the distribution. If the OpenSSL
library is installed, it produces an additional ten hex-encoded random bit
strings suitable for the SHA1 and other message digest algorithms.
Printable ASCII keys can have length from one to 20 characters, inclusive.
Bit string keys have length 20 octets (40 hex characters). All keys are 160
bits in length.

The file can be edited later with purpose-chosen passwords for the ntpq and
ntpdc programs. Each line of the file contains three fields. First is an
integer between 1 and 65534, inclusive, representing the key identifier
used in the server and peer configuration commands. Next is the key type
for the message digest algorithm, which in the absence of the OpenSSL
library should be the string MD5 to designate the MD5 message digest
algorithm. If the OpenSSL library is installed, the key type can be any
message digest algorithm supported by that library. However, if
compatibility with FIPS 140-2 is required, the key type must be either SHA
or SHA1. Finally is the key itself as a printable ASCII string excluding
the space and # characters. If not greater than 20 characters in length,
the string is the key itself; otherwise, it is interpreted as a hex-encoded
bit string. As is custom, # and the remaining characters on the line are
ignored. Later, this file can be edited to include the passwords for the
ntpq and ntpdc utilities. If this is the only need, run ntp-keygen with the
-M option and disregard the remainder of this page.

The remaining generated files are compatible with other OpenSSL
applications and other Public Key Infrastructure (PKI) resources.
Certificates generated by this program should be compatible with extant
industry practice, although some users might find the interpretation of
X509v3 extension fields somewhat liberal. However, the identity keys are
probably not compatible with anything other than Autokey.

Most files used by this program are encrypted using a private password.
The -p option specifies the password for local files and the -q option the
password for files sent to remote sites. If no local password is
specified, the host name returned by the Unix gethostname() function,
normally the DNS name of the host, is used. If no remote password is
specified, the local password is used.

The pw option of the crypto configuration command specifies the read
password for previously encrypted files. This must match the local
password used by this program. If not specified, the host name is used.
Thus, if files are generated by this program without password, they can be
read back by ntpd without password, but only on the same host.

All files and links are usually installed in the directory /usr/local/etc,
which is normally in a shared filesystem in NFS-mounted networks and cannot
be changed by shared clients. The location of the keys directory can be
changed by the keysdir configuration command in such cases. Normally,
encrypted files for each host are generated by that host and used only by
that host, although exceptions exist as noted later on this page.

This program directs commentary and error messages to the standard error
stream stderr and remote files to the standard output stream stdout where
they can be piped to other applications or redirected to a file. The names
used for generated files and links all begin with the string ntpkey and
include the file type, generating host and filestamp, as described in the
Cryptographic Data Files section below.

Running the program
To test and gain experience with Autokey concepts, log in as root and
change to the keys directory, usually /usr/local/etc. When run for the first
time, or if all files with names beginning ntpkey have been removed, use
the ntp-keygen command without arguments to generate a default RSA host key
and matching RSA-MD5 certificate with expiration date one year hence. If
run again, the program uses the existing keys and parameters and generates
only a new certificate with new expiration date one year hence; however,
the certificate is not generated if the -e or -q options are present.

Run the command on as many hosts as necessary. Designate one of them as the
trusted host (TH) using ntp-keygen with the -T option and configure it to
synchronize from reliable Internet servers. Then configure the other hosts
to synchronize to the TH directly or indirectly. A certificate trail is
created when Autokey asks the immediately ascendant host towards the TH to
sign its certificate, which is then provided to the immediately descendant
host on request. All group hosts should have acyclic certificate trails
ending on the TH.

The host key is used to encrypt the cookie when required and so must be RSA
type. By default, the host key is also the sign key used to encrypt
signatures. A different sign key can be assigned using the -S option and
this can be either RSA or DSA type. By default, the signature message
digest type is MD5, but any combination of sign key type and sign digest
type supported by the OpenSSL library can be specified using the -c option.
At the moment, legacy considerations require the NTP packet header digest
type to be MD5.
118
120 As described on the Authentication Options page, an NTP secure group
121 consists of one or more low-stratum THs as the root from which all
122 other group hosts derive synchronization directly or indirectly. For
123 authentication purposes all hosts in a group must have the same group
124 name specified by the -i option and matching the ident option of the
125 crypto configuration command. The group name is used in the subject and
126 issuer fields of trusted, self-signed certificates and when construct‐
127 ing the file names for identity keys. All hosts must have different
128 host names, either the default host name or as specified by the -s
129 option and matching the host option of the crypto configuration com‐
130 mand. Most installations need not specify the -i option nor the host
131 option. Host names are used in the subject and issuer fields of self-
132 signed, nontrusted certificates and when constructing the file names
133 for host and sign keys and certificates. Host and group names are used
134 only for authentication purposes and have nothing to do with DNS names.
135

Identity Schemes
As described on the Authentication Options page, there are five identity
schemes, three of which - IFF, GQ and MV - require identity keys specific
to each scheme. There are two types of files for each scheme, an encrypted
keys file and a nonencrypted parameters file, which usually contains a
subset of the keys file. In general, NTP secondary servers operating as
certificate signing authorities (CSA) use the keys file and clients use
the parameters file. Both files are generated by the TA operating as a
certificate authority (CA) on behalf of all servers and clients in the
group.

The parameters files are public; they can be stored in a public place and
sent in the clear. The keys files are encrypted with the local password.
To retrieve the keys file, a host can send a mail request to the TA
including its local password. The TA encrypts the keys file with this
password and returns it as an attachment. The attachment is then copied
intact to the keys directory with name given in the first line of the
file, but all in lower case and with the filestamp deleted. Alternatively,
the parameters file can be retrieved from a secure web site.

For example, the TA generates default host key, IFF keys and trusted
certificate using the command

       ntp-keygen -p local_passwd -T -I -i group_name

Each group host generates default host keys and nontrusted certificate
using the same command line but omitting the -i option. Once these media
have been generated, the TA can then generate the public parameters using
the command

       ntp-keygen -p local_passwd -e >parameters_file

where the -e option redirects the unencrypted parameters to the standard
output stream for a mail application or stored locally for later
distribution. In a similar fashion the -q option redirects the encrypted
server keys to the standard output stream.

Command Line Options
-b modulus
       Set the modulus for generating identity keys to modulus bits. The
       modulus defaults to 256, but can be set from 256 (32 octets) to 2048
       (256 octets). Use the larger moduli with caution, as this can consume
       considerable computing resources and increases the size of
       authenticated packets.

-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 |
DSA-SHA | DSA-SHA1 ]
       Select certificate and message digest/signature encryption scheme.
       Note that RSA schemes must be used with a RSA sign key and DSA
       schemes must be used with a DSA sign key. The default without this
       option is RSA-MD5. If compatibility with FIPS 140-2 is required,
       either the DSA-SHA or DSA-SHA1 scheme must be used.

-C cipher
       Select the cipher which is used to encrypt the files containing
       private keys. The default is DES in CBC mode, equivalent to "-C
       des-cbc". The openssl tool lists ciphers available in "openssl -h"
       output.
-d     Enable debugging. This option displays the cryptographic data
       produced for eye-friendly billboards.

-e     Extract the IFF or GQ public parameters from the IFFkey or GQkey
       keys file previously specified. Send the unencrypted data to the
       standard output stream stdout. While the IFF parameters do not
       reveal the private group key, the GQ parameters should be used with
       caution, as they include the group key. Use the -q option with
       password instead. Note: a new certificate is not generated when this
       option is present. This allows multiple commands with this option
       but without disturbing existing media.

-G     Generate a new encrypted GQ key file and link for the
       Guillou-Quisquater (GQ) identity scheme.

-H     Generate a new encrypted RSA public/private host key file and link.
       Note that if the sign key is the same as the host key, generating a
       new host key invalidates all certificates signed with the old host
       key.

-i group
       Set the group name to group. This is used in the identity file
       names. It must match the group name specified in the ident option of
       the crypto configuration command.

-I     Generate a new encrypted IFF key file and link for the Schnorr (IFF)
       identity scheme.

-m modulus
       Set the modulus for generating files to modulus bits. The modulus
       defaults to 512, but can be set from 256 (32 octets) to 2048 (256
       octets).

-M     Generate a new MD5 key file containing 16, 128-bit pseudo-random
       keys for symmetric cryptography.

-P     Generate a new private certificate used by the PC identity scheme.
       By default, the program generates public certificates. Note: the PC
       identity scheme is not recommended for new installations.

-p passwd
       Set the password for reading and writing encrypted files to passwd.
       By default, the password is the host name.

-q passwd
       Extract the encrypted IFF or GQ server keys from the IFFkey or GQkey
       key file previously generated. The data are sent to the standard
       output stream stdout. Set the password for writing the data, which is
       also the password to read the data file in another host. By default,
       the password is the host name. Note: a new certificate is not
       generated when this option is present. This allows multiple commands
       with this option but without disturbing existing media.

-S [ RSA | DSA ]
       Generate a new sign key of the specified type. By default, the sign
       key is the host key and has the same type. If compatibility with
       FIPS 140-2 is required, the sign key type must be DSA. Note that
       generating a new sign key invalidates all certificates signed with
       the old sign key.

-s host
       Set the host name to host. This is used in the host and sign key file
       names. It must match the host name specified in the host option of
       the crypto configuration command.

-T     Generate a trusted certificate. By default, the program generates
       nontrusted certificates.

-V nkeys
       Generate server parameters MV and nkeys client keys for the
       Mu-Varadharajan (MV) identity scheme. Note: support for this option
       should be considered a work in progress.

Random Seed File
All cryptographically sound key generation schemes must have means to
randomize the entropy seed used to initialize the internal pseudo-random
number generator used by the OpenSSL library routines. If a site supports
ssh, it is very likely that means to do this are already available. The
entropy seed used by the OpenSSL library is contained in a file, usually
called .rnd, which must be available when starting the ntp-keygen program
or ntpd daemon.

The OpenSSL library looks for the file using the path specified by the
RANDFILE environment variable in the user home directory, whether root or
some other user. If the RANDFILE environment variable is not present, the
library looks for the .rnd file in the user home directory. Since both the
ntp-keygen program and ntpd daemon must run as root, the logical place to
put this file is in /.rnd or /root/.rnd. If the file is not available or
cannot be written, the program exits with a message to the system log.

Cryptographic Data Files
File and link names are in the form ntpkey_key_name.fstamp, where key is
the key or parameter type, name is the host or group name and fstamp is
the filestamp (NTP seconds) when the file was created. By convention, key
fields in generated file names include both upper and lower case
alphanumeric characters, while key fields in generated link names include
only lower case characters. The filestamp is not used in generated link
names.

The key type is a string defining the cryptographic function. Key types
include public/private keys host and sign, certificate cert and several
challenge/response key types. By convention, files used for challenges
have a par subtype, as in the IFF challenge IFFpar, while files for
responses have a key subtype, as in the GQ response GQkey.

All files begin with two nonencrypted lines. The first line contains the
file name in the format ntpkey_key_host.fstamp. The second line contains
the datestamp in conventional Unix date format. Lines beginning with # are
ignored.
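
The naming convention and header lines above, as a small parser added here
(not code from the NTP distribution): it splits ntpkey_key_name.fstamp names,
converts the NTP-seconds filestamp to UTC, and derives the name under which
a keys file received from the TA is installed (first header line in lower
case, filestamp deleted). The sample header is constructed; the regex and
function names are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# ntpkey_<key>_<name>.<fstamp>: key type, host or group name, filestamp in NTP seconds.
NAME_RE = re.compile(r"^ntpkey_([^_\s]+)_([^.\s]+)\.(\d+)$")

def parse_file_name(fname):
    """Split a generated file name into (key_type, name, fstamp)."""
    m = NAME_RE.match(fname)
    if not m:
        raise ValueError("not an ntpkey file name: %r" % fname)
    return m.group(1), m.group(2), int(m.group(3))

def filestamp_to_utc(fstamp):
    """Convert a filestamp (NTP seconds) to an aware UTC datetime."""
    return datetime.fromtimestamp(fstamp - NTP_UNIX_OFFSET, tz=timezone.utc)

def header_file_name(text):
    """Return the file name from the first nonencrypted header line (a leading
    '# ' is tolerated); the second header line is the datestamp."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("file lacks the two header lines")
    name = lines[0].lstrip("# ").strip()
    parse_file_name(name)               # raises if the name is malformed
    return name

def install_name(text):
    """Name under which a keys file received from the TA is installed in the keys
    directory: the header file name in lower case with the filestamp deleted."""
    key, name, _ = parse_file_name(header_file_name(text))
    return ("ntpkey_%s_%s" % (key, name)).lower()

# Constructed sample of the two header lines of an IFF keys file (no key data follows).
SAMPLE_IFF_KEYS = "# ntpkey_IFFkey_mygroup.3900000000\n# Wed Aug  2 21:20:00 2023\n"
```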

The remainder of the file contains cryptographic data encoded first using
ASN.1 rules, then encrypted using the cipher selected with -C and given
password and finally written in PEM-encoded printable ASCII text preceded
and followed by MIME content identifier lines.
The format of the symmetric keys file is somewhat different than the other
files in the interest of backward compatibility. Since DES-CBC is
deprecated in NTPv4, the only key format of interest is MD5 alphanumeric
strings. Following the header the keys are entered one per line in the
format

       keyno type key

where keyno is a positive integer in the range 1-65,535, type is the string
MD5 defining the key format and key is the key itself, which is a printable
ASCII string 16 characters or less in length. Each character is chosen
from the 93 printable characters in the range 0x21 through 0x7f excluding
space and the '#' character.
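
A validator for the symmetric keys file, covering the format given here and
in the DESCRIPTION, added as an example (not part of ntp-keygen): it applies
the DESCRIPTION's rules, key identifiers 1 to 65534, '#' to end of line
ignored, a key of up to 20 printable characters taken literally and a longer
one decoded as a hex bit string, and lists the identifiers whose type would
not satisfy the FIPS 140-2 restriction to SHA or SHA1. The sample file,
bounds and function names are this example's own constructions.

```python
import re
# Key identifier range for server/peer commands; the DESCRIPTION says 1..65534
# (a later section says 1-65,535), so the smaller bound is assumed here.
KEYID_MIN, KEYID_MAX = 1, 65534
FIPS_TYPES = {"SHA", "SHA1"}   # digest types the page allows under FIPS 140-2
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_key_line(line):
    """Parse one 'keyno type key' line into (keyno, type, key_bytes); return
    None for a blank or comment-only line; raise ValueError if malformed."""
    body = line.split("#", 1)[0].strip()     # '#' and the rest of the line are ignored
    if not body:
        return None
    fields = body.split()
    if len(fields) != 3:
        raise ValueError("expected 'keyno type key': %r" % line)
    keyno, ktype, key = fields
    if not keyno.isdigit() or not KEYID_MIN <= int(keyno) <= KEYID_MAX:
        raise ValueError("key identifier out of range: %r" % keyno)
    if any(not ("!" <= c <= "~") for c in key):  # printable ASCII, no space or DEL
        raise ValueError("non-printable character in key %s" % keyno)
    if len(key) <= 20:
        key_bytes = key.encode("ascii")      # up to 20 chars: the string is the key
    elif len(key) % 2 == 0 and HEX_RE.match(key):
        key_bytes = bytes.fromhex(key)       # longer: hex-encoded bit string
    else:
        raise ValueError("key %s is longer than 20 chars but not hex" % keyno)
    return int(keyno), ktype.upper(), key_bytes

def parse_keys_file(text):
    """Parse a whole keys file into {keyno: (type, key_bytes)}; duplicates are errors."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        keyno, ktype, key_bytes = parsed
        if keyno in keys:
            raise ValueError("duplicate key identifier %d on line %d" % (keyno, lineno))
        keys[keyno] = (ktype, key_bytes)
    return keys

def non_fips_keys(keys):
    """Identifiers whose digest type is not SHA/SHA1, i.e. not usable under FIPS 140-2."""
    return sorted(k for k, (ktype, _) in keys.items() if ktype not in FIPS_TYPES)

# Constructed sample in the layout the page describes: two header lines, then keys.
SAMPLE_KEYS = """\
# ntpkey_MD5key_example.3900000000
# Wed Aug  2 21:20:00 2023
1 MD5 m5Xa,9kqZ!tQ
2 SHA1 0123456789abcdef0123456789abcdef01234567
3 md5 shortkey   # trailing comment is ignored
"""
```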

Note that the keys used by the ntpq and ntpdc programs are checked against
passwords requested by the programs and entered by hand, so it is generally
appropriate to specify these keys in human readable ASCII format.

The ntp-keygen program generates a MD5 symmetric keys file
ntpkey_MD5key_hostname.filestamp. Since the file contains private shared
keys, it should be visible only to root and distributed by secure means to
other subnet hosts. The NTP daemon loads the file ntp.keys, so ntp-keygen
installs a soft link from this name to the generated file. Subsequently,
similar soft links must be installed by manual or automated means on the
other subnet hosts. While this file is not used with the Autokey Version 2
protocol, it is needed to authenticate some remote configuration commands
used by the ntpq and ntpdc utilities.

Bugs
It can take quite a while to generate some cryptographic values, from one
to several minutes with modern architectures such as UltraSPARC and up to
tens of minutes to an hour with older architectures such as SPARC IPC.

SEE ALSO
ntpd(8), ntp_auth(5)

The official HTML documentation.

This file was automatically generated from HTML source.

                                                                ntp-keygen(8)