NTP.KEYS(5)                         NTPsec                         NTP.KEYS(5)



NAME

       ntp.keys - NTP symmetric key file format


DESCRIPTION

       This document describes the format of an NTP symmetric key file. For a
       description of the use of this type of file, see the "Authentication
       Support" page of the Web documentation.

       ntpd(8) reads its keys from a file specified using the -k command line
       option or the keys statement in the configuration file. While key
       number 0 is fixed by the NTP standard (as 56 zero bits) and may not be
       changed, one or more keys numbered between 1 and 65535 may be
       arbitrarily set in the keys file.

       The key file uses the same comment conventions as the configuration
       file. Key entries use a fixed format of the form

           keyno type key

       where keyno is a positive integer (between 1 and 65535), type is the
       message digest or cipher algorithm, and key is the key itself.

       The file does not need to be sorted by keyno.

       type can be the name of any digest or cipher supported by your OpenSSL
       package. Digests or CMACs longer than 20 bytes will be truncated.

       You can get a list from openssl list -digest-algorithms or openssl list
       -cipher-algorithms. (As of Jan 2018, they lie. Be sure to try it.
       ntpd(8) will print an error on startup if a selected type isn’t
       supported.)

       The following types are widely supported:

             md5, sha1, ripemd160, sha224, sha256, sha384, sha512
             aes-128, aes-192, aes-256

       Only the -cbc cipher modes are useful. The -cbc is appended to the type
       internally. Do not include it in type.

       AES is an abbreviation for aes-128.

       Note that MD5 was deprecated by RFC 8573 in June of 2019. AES-128 is
       currently preferred. The code still supports MD5 for backwards
       compatibility.

       FIPS 140-2, FIPS 180-4, and/or FIPS 202 may restrict your choices. If
       it matters to you, check with your lawyer. (Let us know if you find a
       good reference.)

       The key may be printable ASCII excluding "#" or hex encoded. Keys
       longer than 20 characters are assumed to be hex. The max length of a
       (de-hexified) key is 32 bytes. If you want to use an ASCII key longer
       than 20 bytes, you must hexify it.

       Note that the keys used by the ntpq(1) programs are checked against
       passwords entered by hand, so it is generally appropriate to specify
       these keys in ASCII format. Or you can cut and paste a hex string from
       your password manager.


USAGE

       In order to use symmetric keys, the client side configuration file
       needs:

             keys <path-to-client-keys-file>
             trustedkey <keyno>
             server ... key <keyno>

       The server side needs:

             keys <path-to-server-keys-file>
             trustedkey <keyno>

       Note that the client and server key files must both contain identical
       copies of the line specified by keyno.

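       The following script is an added example; it is not part of NTPsec or
       of this manual and does not reproduce ntpd's own parser. It applies
       the key file rules from DESCRIPTION (comment handling, the keyno
       range, the ASCII-or-hex decision at 20 characters, the 32-byte limit,
       the "aes" abbreviation and the rule against writing -cbc in type) and
       then checks the USAGE requirement that a client and a server key file
       carry identical entries for a shared keyno. The two sample key files,
       the key values in them and all function names are constructed for the
       example.

```python
"""Validate NTP symmetric key files and compare a client/server pair.
Added example, not NTPsec code: it applies the rules ntp.keys(5) states,
not ntpd's real parser."""
import binascii
from dataclasses import dataclass
from typing import Optional

# Types the man page calls widely supported; others are only flagged, because
# the real test is whether ntpd's OpenSSL accepts them at startup.
WIDELY_SUPPORTED = frozenset({"md5", "sha1", "ripemd160", "sha224", "sha256",
                              "sha384", "sha512", "aes-128", "aes-192", "aes-256"})
DEPRECATED = frozenset({"md5"})   # RFC 8573, June 2019
MIN_KEYNO, MAX_KEYNO = 1, 65535
ASCII_MAX_CHARS = 20              # a longer key field is assumed to be hex
MAX_KEY_BYTES = 32

class KeyFileError(ValueError):
    """An entry that violates the documented format."""

@dataclass(frozen=True)
class KeyEntry:
    keyno: int
    type: str               # lower-cased, "aes" expanded to "aes-128"
    key: bytes              # decoded key material
    warning: Optional[str]  # deprecated or unlisted type, else None

def normalize_type(token: str) -> str:
    t = token.lower()
    if t.endswith("-cbc"):
        raise KeyFileError(f"'-cbc' is appended internally, drop it: {token}")
    return "aes-128" if t == "aes" else t

def decode_key(token: str) -> bytes:
    """Apply the ASCII-or-hex rule: 20 characters or fewer is ASCII, even if
    every character happens to be a hex digit."""
    if len(token) > ASCII_MAX_CHARS:
        try:
            key = binascii.unhexlify(token)
        except (binascii.Error, ValueError) as exc:
            raise KeyFileError("key over 20 characters must be hex") from exc
    else:
        if "#" in token or not token.isascii() or not token.isprintable():
            raise KeyFileError("ASCII key must be printable ASCII without '#'")
        key = token.encode("ascii")
    if len(key) > MAX_KEY_BYTES:
        raise KeyFileError(f"decoded key is {len(key)} bytes, max {MAX_KEY_BYTES}")
    return key

def parse_entry(line: str) -> KeyEntry:
    fields = line.split()
    if len(fields) != 3:
        raise KeyFileError(f"expected 'keyno type key', got {line!r}")
    keyno_s, type_s, key_s = fields
    keyno = int(keyno_s) if keyno_s.isascii() and keyno_s.isdigit() else -1
    if not MIN_KEYNO <= keyno <= MAX_KEYNO:
        raise KeyFileError(f"keyno must be {MIN_KEYNO}..{MAX_KEYNO}: {keyno_s}")
    ktype = normalize_type(type_s)
    warning = ("deprecated by RFC 8573" if ktype in DEPRECATED else None
               if ktype in WIDELY_SUPPORTED else "not in the widely supported list")
    return KeyEntry(keyno, ktype, decode_key(key_s), warning)

def parse_keys(text: str) -> dict:
    """Parse a whole file into {keyno: KeyEntry}; the file need not be sorted."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        try:
            entry = parse_entry(line)
        except KeyFileError as exc:
            raise KeyFileError(f"line {lineno}: {exc}") from exc
        if entry.keyno in entries:   # man page is silent on this; rejected here
            raise KeyFileError(f"line {lineno}: duplicate keyno {entry.keyno}")
        entries[entry.keyno] = entry
    return entries

def shared_key_matches(client_text: str, server_text: str, keyno: int) -> bool:
    """True when both files hold the same type and key for keyno, as USAGE
    requires for a client/server pair."""
    c = parse_keys(client_text).get(keyno)
    s = parse_keys(server_text).get(keyno)
    return c is not None and s is not None and (c.type, c.key) == (s.type, s.key)

# Constructed sample files, not real deployment keys.
SAMPLE_CLIENT = """\
1  aes-128  0123456789abcdef0123456789abcdef
10 sha256   Nu1HuO5wWa8Z1Jd2Sxx3
20 aes      ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""
SAMPLE_SERVER = """\
1  aes-128  0123456789abcdef0123456789abcdef
10 sha256   Nu1HuO5wWa8Z1Jd2SxxX
"""

if __name__ == "__main__":
    for keyno, e in sorted(parse_keys(SAMPLE_CLIENT).items()):
        print(keyno, e.type, len(e.key), "bytes,", e.warning or "ok", "shared:",
              shared_key_matches(SAMPLE_CLIENT, SAMPLE_SERVER, keyno))
```

       Run directly, it parses the three sample entries and reports keyno 1
       as shared, keyno 10 as differing between the two files and keyno 20
       as absent on the server side. The 20-character boundary is the point
       to watch: a field such as 0123456789abcdef0123 is exactly 20
       characters, so the documented rule reads it as a 20-byte ASCII key,
       not as 10 bytes of hex, which matters when a generated hex key is
       short.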

FILES

       /etc/ntp.keys
           is a common location for the keys file

       Reminder: You have to keep it secret.


SEE ALSO

       ntp.conf(5), ntpd(8), ntpq(1), ntpkeygen(8), ntpdig(1).



NTPsec                            2021-02-01                       NTP.KEYS(5)