1ntp-keygen(8)               System Manager's Manual              ntp-keygen(8)
2
3
4

NAME

6       ntp-keygen - generate public and private keys
7
8

SYNOPSIS

10       ntp-keygen  [ -deGHIMPT ] [ -b modulus ] [ -c [RSA-MD2 | RSA-MD5 | RSA-
11       SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ] [ -C
12       cipher ] [ -i group ] [ -m modulus ] [ -p passwd2 ] [ -q passwd1 ] [ -S
13       [ RSA | DSA ] ] [ -s host ] [ -V nkeys ]
14
15

DESCRIPTION

17       This program generates cryptographic  data  files  used  by  the  NTPv4
18       authentication  and  identity  schemes.  It can generate message digest
19       keys used in symmetric key cryptography and, if  the  OpenSSL  software
20       library  has been installed, it can generate host keys, sign keys, cer‐
21       tificates and identity keys used by the Autokey public  key  cryptogra‐
22       phy.  The  message digest keys file is generated in a format compatible
23       with NTPv3. All other files are in PEM-encoded printable  ASCII  format
24       so they can be embedded as MIME attachments in mail to other sites.
25
26       When  used to generate message digest keys, the program produces a file
27       containing ten pseudo-random printable ASCII strings suitable  for  the
28       MD5  message  digest  algorithm  included  in  the distribution. If the
29       OpenSSL library is installed, it produces an additional ten hex-encoded
30       random bit strings suitable for the SHA1 and other message digest algo‐
31       rithms. Printable ASCII keys can have length from one to 20 characters,
32       inclusive.  Bit  string keys have length 20 octets (40 hex characters).
33       All keys are 160 bits in length.
34
35        The file can be edited later with  purpose-chosen  passwords  for  the
36       ntpq  and  ntpdc programs. Each line of the file contains three fields,
37       first an integer between 1 and 65534, inclusive, representing  the  key
38       identifier  used in the server and peer configuration commands. Next is
39       the key type for the message digest algorithm, which in the absence  of
40       the  OpenSSL library should be the string MD5 to designate the MD5 mes‐
41       sage digest algorithm. If the OpenSSL library  is  installed,  the  key
42       type  can  be  any  message digest algorithm supported by that library.
43       However, if compatibility with FIPS 140-2 is  required,  the  key  type
44       must  be  either  SHA  or SHA1.Finally is the key itself as a printable
45       ASCII string excluding the space and # characters. If not greater  than
46       20 characters in length, the string is the key itself; otherwise, it is
47       interpreted as a hex-encoded bit  string.  As  is  custom,  #  and  the
48       remaining  characters  on the line are ignored. Later, this file can be
49       edited to include the passwords for the ntpq and  ntpdc  utilities.  If
50       this  is the only need, run ntp-keygen with the -M option and disregard
51       the remainder of this page.
52
53       The remaining generated files are compatible with other OpenSSL  appli‐
54       cations  and  other Public Key Infrastructure (PKI) resources. Certifi‐
55       cates generated by this program should be compatible with extant indus‐
56       try  practice,  although  some  users  might find the interpretation of
57       X509v3 extension fields somewhat liberal. However,  the  identity  keys
58       are probably not compatible with anything other than Autokey.
59
60       Most files used by this program are encrypted using a private password.
61       The -p option specifies the password for local files and the -q  option
62       the  password  for  files sent to remote sites. If no local password is
63       specified, the host name returned by the Unix  gethostname()  function,
64       normally  the  DNS  name of the host, is used. If no remote password is
65       specified, the local password is used.
66
67       The pw option of the crypto configuration command  specifies  the  read
68       password  for  previously  encrypted  files.  This must match the local
69       password used by this program. If not specified, the host name is used.
70       Thus, if files are generated by this program without password, they can
71       be read back by ntpd without password, but only on the same host.
72
73       All  files  and  links  are  usually   installed   in   the   directory
74       /usr/local/etc, which is normally in a shared filesystem in NFS-mounted
75       networks and cannot be changed by shared clients. The location  of  the
76       keys  directory  can be changed by the keysdir configuration command in
77       such cases. Normally, encrypted files for each host  are  generated  by
78       that  host  and  used  only  by that host, although exceptions exist as
79       noted later on this page.
80
81       This program directs commentary and  error  messages  to  the  standard
82       error stream stderr and remote files to the standard output stream std‐
83       out where they can be piped to other applications or  redirected  to  a
84       file.  The  names used for generated files and links all begin with the
85       string ntpkey and include the file type, generating host and filestamp,
86       as described in the Cryptographic Data Files section below
87
88

RUNNING THE PROGRAM

90       To  test  and gain experience with Autokey concepts, log in as root and
91       change to the keys directory, usually /usr/local/etc. When run for  the
92       first  time,  or  if  all  files  with names beginning ntpkey have been
93       removed, use the ntp-keygen command without  arguments  to  generate  a
94       default  RSA  host key and matching RSA-MD5 certificate with expiration
95       date one year hence. If run again, the program uses the  existing  keys
96       and parameters and generates only a new certificate with new expiration
97       date one year hence; however, the certificate is not generated  if  the
98       -e or -q options are present.
99
100       Run the command on as many hosts as necessary. Designate one of them as
101       the trusted host (TH) using ntp-keygen with the -T option and configure
102       it  to  synchronize  from reliable Internet servers. Then configure the
103       other hosts to synchronize to the TH directly or indirectly. A certifi‐
104       cate  trail is created when Autokey asks the immediately ascendant host
105       towards the TH to sign its certificate, which is then provided  to  the
106       immediately  descendant  host  on  request. All group hosts should have
107       acyclic certificate trails ending on the TH.
108
109       The host key is used to encrypt the cookie when required and so must be
110       RSA type. By default, the host key is also the sign key used to encrypt
111       signatures. A different sign key can be assigned using  the  -S  option
112       and  this can be either RSA or DSA type. By default, the signature mes‐
113       sage digest type is MD5, but any combination of sign key type and  sign
114       digest type supported by the OpenSSL library can be specified using the
115       -c option. At the moment, legacy considerations require the NTP  packet
116       header digest type to be MD5.
117
118

TRUSTED HOSTS AND SECURE GROUPS

120       As  described  on  the Authentication Options page, an NTP secure group
121       consists of one or more low-stratum THs as  the  root  from  which  all
122       other  group  hosts  derive synchronization directly or indirectly. For
123       authentication purposes all hosts in a group must have the  same  group
124       name  specified  by  the -i option and matching the ident option of the
125       crypto configuration command. The group name is used in the subject and
126       issuer  fields of trusted, self-signed certificates and when construct‐
127       ing the file names for identity keys. All  hosts  must  have  different
128       host  names,  either  the  default  host name or as specified by the -s
129       option and matching the host option of the  crypto  configuration  com‐
130       mand.  Most  installations  need not specify the -i option nor the host
131       option. Host names are used in the subject and issuer fields  of  self-
132       signed,  nontrusted  certificates  and when constructing the file names
133       for host and sign keys and certificates. Host and group names are  used
134       only for authentication purposes and have nothing to do with DNS names.
135
136

IDENTITY SCHEMES

138       As  described  on the Authentication Options page, there are five iden‐
139       tity schemes, three of which - IFF, GQ and MV - require  identity  keys
140       specific  to each scheme. There are two types of files for each scheme,
141       an encrypted keys file and a nonencrypted parameters file,  which  usu‐
142       ally  contains  a  subset  of  the keys file. In general, NTP secondary
143       servers operating as certificate signing authorities (CSA) use the keys
144       file  and  clients use the parameters file. Both files are generated by
145       the TA operating as a certificate  authority  (CA)  on  behalf  of  all
146       servers and clients in the group.
147
148       The  parameters  files are public; they can be stored in a public place
149       and sent in the clear. The keys files  are  encrypted  with  the  local
150       password.  To retrieve the keys file, a host can send a mail request to
151       the TA including its local password. The TA encrypts the keys file with
152       this  password  and returns it as an attachment. The attachment is then
153       copied intact to the keys directory with name given in the  first  line
154       of  the  file,  but  all  in lower case and with the filestamp deleted.
155       Alternatively, the parameters file can be retrieved from a  secure  web
156       site.
157
158       For  example,  the  TA generates default host key, IFF keys and trusted
159       certificate using the command
160
161       ntp-keygen -p local_passwd -T -I -igroup_name
162
163       Each group host generates default host keys and nontrusted  certificate
164       use  the same command line but omitting the -i option. Once these media
165       have been generated, the TA can then  generate  the  public  parameters
166       using the command
167
168       ntp-keygen -p local_passwd -e >parameters_file
169
170       where  the  -e option redirects the unencrypted parameters to the stan‐
171       dard output stream for a mail application or stored locally  for  later
172       distribution.  In  a  similar  fashion  the  -q  option  redirects  the
173       encrypted server keys to the standard output stream.
174
175

COMMAND LINE OPTIONS

177       -b modulus
178               Set the modulus for generating identity keys to  modulus  bits.
179               The  modulus  defaults  to  256,  but  can  be set from 256 (32
180               octets) to 2048 (256 octets). Use the larger moduli  with  cau‐
181               tion,  as this can consume considerable computing resources and
182               increases the size of authenticated packets.
183
184       -c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 |  RSA-RIPEMD160
185       | DSA-SHA | DSA-SHA1 ]
186               Select  certificate  and  message  digest/signature  encryption
187               scheme. Note that RSA schemes must be used with a RSA sign  key
188               and  DSA  schemes must be used with a DSA sign key. The default
189               without this option is  RSA-MD5.  If  compatibility  with  FIPS
190               140-2  is  required, either the DSA-SHA or DSA-SHA1 scheme must
191               be used.
192
193       -C cipher
194               Select the cipher which is used to encrypt the files containing
195               private  keys. The default is three-key triple DES in CBC mode,
196               equivalent to "-C des-ede3-cbc". The openssl tool lists ciphers
197               available in "openssl -h" output.
198
199       -d      Enable  debugging.  This option displays the cryptographic data
200               produced for eye-friendly billboards.
201
202       -e      Extract the IFF or GQ public  parameters  from  the  IFFkey  or
203               GQkey keys file previously specified. Send the unencrypted data
204               to the standard output stream stdout. While the IFF  parameters
205               do  not reveal the private group key,  the GQ parameters should
206               be used with caution, as they include the group key. Use the -q
207               option  with  password  instead. Note: a new certificate is not
208               generated when this option is  present.  This  allows  multiple
209               commands  with  this  option  but  without  disturbing existing
210               media.
211
212       -G      Generate a new encrypted GQ key file and link for the  Guillou-
213               Quisquater (GQ) identity scheme.
214
215       -H      Generate  a  new encrypted RSA public/private host key file and
216               link. Note that if the sign key is the same as  the  host  key,
217               generating  a  new host key invalidates all certificates signed
218               with the old host key.
219
220       -i group
221               Set the group name to group. This is used in the identity  file
222               names.  It  must  match  the  group name specified in the ident
223               option of the crypto configuration command.
224
225       -I      Generate a new encrypted IFF key file and link for the  Schnorr
226               (IFF) identity scheme.
227
228       -m modulus
229               Set the modulus for generating files to modulus bits. The modu‐
230               lus defaults to 512, but can be set from  256  (32  octets)  to
231               2048 (256 octets).
232
233       -M      Generate  a new MD5 key file containing 16, 128-bit pseudo-ran‐
234               dom keys for symmetric cryptography..
235
236       -P      Generate a new private certificate  used  by  the  PC  identity
237               scheme.  By default, the program generates public certificates.
238               Note: the PC identity scheme is not recommended for new instal‐
239               lations.
240
241       -p passwd
242               Set  the  password  for  reading and writing encrypted files to
243               passwd. By default, the password is the host name.
244
245       -q passwd
246               Extract the encrypted IFF or GQ server keys from the IFFkey  or
247               GQkey  key  file previously generated. The data are sent to the
248               standard output stream stdout. Set the password for writing the
249               data,  which  is  also  the  password  to read the data file in
250               another host. By default, the password is the host name.  Note:
251               a new certificate is not generated when this option is present.
252               This allows multiple commands with this option but without dis‐
253               turbing existing media.
254
255       -S [ RSA | DSA ]
256               Generate  a new sign key of the specified type. By default, the
257               sign key is the host key and has the same type.  If  compatibly
258               with  FIPS  140-2  is  required, the sign key type must be DSA.
259               Note that generating a new sign key  invalidates  all  certifi‐
260               cates signed with the old sign key.
261
262       -s host Set  the  host  name to host. This is used in the host and sign
263               key file names. It must match the host name  specified  in  the
264               host option of the crypto configuration command.
265
266       -T      Generate  a trusted certificate. By default, the program gener‐
267               ates nontrusted certificates.
268
269       -V nkeys
270               Generate server parameters MV and nkeys client keys for the Mu-
271               Varadharajan  (MV)  identity  scheme.  Note:  support  for this
272               option should be considered a work in progress.
273
274

RANDOM SEED FILE

276       All cryptographically sound key generation schemes must have  means  to
277       randomize  the entropy seed used to initialize the internal pseudo-ran‐
278       dom number generator used by the OpenSSL library routines.  If  a  site
279       supports  ssh,  it  is  very  likely  that means to do this are already
280       available. The entropy seed used by the OpenSSL library is contained in
281       a  file, usually called .rnd, which must be available when starting the
282       ntp-keygen program or ntpd daemon.
283
284       The OpenSSL library looks for the file using the path specified by  the
285       RANDFILE  environment variable in the user home directory, whether root
286       or some other  user.  If  the  RANDFILE  environment  variable  is  not
287       present,  the  library  looks for the .rnd file in the user home direc‐
288       tory. Since both the ntp-keygen program and ntpd  daemon  must  run  as
289       root,  the logical place to put this file is in /.rnd or /root/.rnd. If
290       the file is not available or cannot be written, the program exits  with
291       a message to the system log.
292
293

CRYPTOGRAPHIC DATA FILES

295       File  and  link names are in the form ntpkey_key_name.fstamp, where key
296       is the key or parameter type, name is the host or group name and fstamp
297       is  the  filestamp (NTP seconds) when the file was created). By conven‐
298       tion, key fields in generated file names include both upper  and  lower
299       case  alphanumeric characters, while key fields in generated link names
300       include only lower case characters. The filestamp is not used in gener‐
301       ated link names.
302
303       The key type is a string defining the cryptographic function. Key types
304       include public/private keys host and sign, certificate cert and several
305       challenge/response  key types. By convention, files used for challenges
306       have a par subtype, as in the IFF challenge  IFFpar,  while  files  for
307       responses have a key subtype, as in the GQ response GQkey.
308
309       All  files  begin  with two nonencrypted lines. The first line contains
310       the file name in the format  ntpkey_key_host.fstamp.  The  second  line
311       contains  the  datestamp in conventional Unix date format. Lines begin‐
312       ning with # are ignored.
313
314       The remainder of the file contains  cryptographic  data  encoded  first
315       using ASN.1 rules, then encrypted using the cipher selected with -C and
316       given password and finally written in PEM-encoded printable ASCII  text
317       preceded and followed by MIME content identifier lines.
318
319       The  format  of  the symmetric keys file is somewhat different than the
320       other files in the interest of backward compatibility. Since DES-CBC is
321       deprecated  in  NTPv4,  the only key format of interest is MD5 alphanu‐
322       meric strings. Following the header the keys are entered one  per  line
323       in the format
324
325       keyno type key
326
327       where  keyno  is  a positive integer in the range 1-65,535, type is the
328       string MD5 defining the key format and key is the key itself, which  is
329       a  printable ASCII string 16 characters or less in length. Each charac‐
330       ter is chosen from the  93  printable  characters  in  the  range  0x21
331       through 0x7f excluding space and the '#' character.
332
333       Note  that  the  keys  used  by the ntpq and ntpdc programs are checked
334       against passwords requested by the programs and entered by hand, so  it
335       is  generally appropriate to specify these keys in human readable ASCII
336       format.
337
338       The ntp-keygen  program  generates  a  MD5  symmetric  keys  file  ntp‐
339       key_MD5key_hostname.filestamp.  Since  the file contains private shared
340       keys, it should be visible only to root and distributed by secure means
341       to  other subnet hosts. The NTP daemon loads the file ntp.keys, so ntp-
342       keygen installs a soft link from this name to the generated file.  Sub‐
343       sequently,  similar soft links must be installed by manual or automated
344       means on the other subnet hosts. While this file is not used  with  the
345       Autokey  Version  2  protocol, it is needed to authenticate some remote
346       configuration commands used by the ntpq and ntpdc utilities.
347
348

BUGS

350       It can take quite a while to generate some cryptographic  values,  from
351       one to several minutes with modern architectures such as UltraSPARC and
352       up to tens of minutes to an hour with older architectures such as SPARC
353       IPC.
354
355

SEE ALSO

357       ntpd(8), ntp_auth(5)
358
359       The official HTML documentation.
360
361       This file was automatically generated from HTML source.
362
363
364
365
366                                                                 ntp-keygen(8)
Impressum