NTP.KEYS(5) NTPsec NTP.KEYS(5)

ntp.keys - NTP symmetric key file format

This document describes the format of an NTP symmetric key file. For a
description of the use of this type of file, see the "Authentication
Support" page of the Web documentation.

ntpd(8) reads its keys from a file specified using the -k command line
option or the keys statement in the configuration file. While key
number 0 is fixed by the NTP standard (as 56 zero bits) and may not be
changed, one or more keys numbered between 1 and 65535 may be
arbitrarily set in the keys file.

The key file uses the same comment conventions as the configuration
file. Key entries use a fixed format of the form

    keyno type key

where keyno is a positive integer (between 1 and 65535), type is the
message digest or cipher algorithm, and key is the key itself.

The file does not need to be sorted by keyno.

type can be the name of any digest or cipher supported by your OpenSSL
package. Digests or CMACs longer than 20 bytes will be truncated.

You can get a list from openssl list -digest-algorithms or openssl list
-cipher-algorithms. (As of Jan 2018, they lie. Be sure to try it.
ntpd(8) will print an error on startup if a selected type isn’t
supported.)

The following types are widely supported:

    md5, sha1, ripemd160, sha224, sha256, sha384, sha512
    aes-128, aes-192, aes-256

Only the -cbc cipher modes are useful. The -cbc is appended to the type
internally. Do not include it in type.

AES is an abbreviation for aes-128.

Note that MD5 was deprecated by RFC 8573 in June of 2019. AES-128 is
currently preferred. The code still supports MD5 for backwards
compatibility.

FIPS 140-2, FIPS 180-4, and/or FIPS 202 may restrict your choices. If
it matters to you, check with your lawyer. (Let us know if you find a
good reference.)

The key may be printable ASCII excluding "#" or hex encoded. Keys
longer than 20 characters are assumed to be hex. The max length of a
(de-hexified) key is 32 bytes. If you want to use an ASCII key longer
than 20 bytes, you must hexify it.

Note that the keys used by the ntpq(1) programs are checked against
passwords entered by hand, so it is generally appropriate to specify
these keys in ASCII format. Alternatively, you can cut and paste a hex
string from your password manager.

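An added example, not part of the NTPsec documentation or code: a small
Python linter that applies the rules above (keyno range, no -cbc suffix,
the 20-character hex rule, the 32-byte limit, the MD5 deprecation) to key
file text. It assumes "#" starts a comment that runs to end of line and
that type names compare case-insensitively; lint_keys, decode_key and the
sample keys are constructed for illustration.

```python
# Added example (not NTPsec code): lint ntp.keys text against this page's rules.
WIDELY_SUPPORTED = {"md5", "sha1", "ripemd160", "sha224", "sha256", "sha384",
                    "sha512", "aes-128", "aes-192", "aes-256", "aes"}

def decode_key(key):
    """Apply the page's key rules; return bytes or raise ValueError."""
    if len(key) > 20:                       # over 20 characters: treated as hex
        secret = bytes.fromhex(key)         # ValueError on non-hex or odd length
        if len(secret) > 32:
            raise ValueError("de-hexified key exceeds 32 bytes")
        return secret
    if not (key.isascii() and key.isprintable()):
        raise ValueError("key is not printable ASCII")
    return key.encode("ascii")

def lint_keys(text):
    """Return (keys, findings): keyno -> (type, bytes), [(line, severity, msg)]."""
    keys, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) != 3:
                raise ValueError("expected three fields: keyno type key")
            keyno, ktype, key = fields[0], fields[1].lower(), fields[2]
            if not (keyno.isascii() and keyno.isdigit() and 1 <= int(keyno) <= 65535):
                raise ValueError("keyno must be between 1 and 65535")
            if ktype.endswith("-cbc"):
                raise ValueError("-cbc is appended internally; omit it from type")
            secret = decode_key(key)
        except ValueError as err:
            findings.append((n, "error", str(err)))
            continue
        if ktype == "md5":
            findings.append((n, "warn", "MD5 was deprecated by RFC 8573"))
        elif ktype not in WIDELY_SUPPORTED:
            findings.append((n, "warn", "type not in the widely supported list"))
        keys[int(keyno)] = (ktype, secret)
    return keys, findings

SAMPLE = """\
# constructed sample, not real keys
1 aes-128 000102030405060708090a0b0c0d0e0f
2 md5 ntpq-pass
3 aes-128-cbc 000102030405060708090a0b0c0d0e0f
0 sha1 zero-is-reserved
4 sha256 this-ascii-key-is-over-20-chars
"""
```
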
In order to use symmetric keys, the client side configuration file
needs:

    keys <path-to-client-keys-file>
    trustedkey <keyno>
    server ... key <keyno>

The server side needs:

    keys <path-to-server-keys-file>
    trustedkey <keyno>

Note that the client and server key files must both contain identical
copies of the line specified by keyno.

/etc/ntp.keys
    is a common location for the keys file

Reminder: You have to keep it secret.

ntp.conf(5), ntpd(8), ntpq(1), ntpkeygen(8), ntpdig(1).

NTPsec 2023-08-03 NTP.KEYS(5)