1NTPKEYGEN(8) NTPsec NTPKEYGEN(8)
2
6 ntpkeygen - create and manage NTP host keys
7
9 ntpkeygen [-V]
10
12 This program generates a file containing keys that can be used in NTP’s
13 symmetric key cryptography.
14 The program produces a file containing ten pseudo-random printable
16 ASCII strings suitable for the MD5 message digest algorithm. It also
17 produces an additional ten hex-encoded random bit strings suitable for
18 the SHA-1 and other message digest algorithms.
19 The keys file must be distributed and stored using secure means beyond
21 the scope of NTP itself. The keys can also be used as passwords for the
22 ntpq <ntpq.html> utility program.
23
25 -V, --version
26 Print the version string and exit.
27
29 The simplest way to run the ntpkeygen program is logged in directly as
30 root. The recommended procedure is to change to the keys directory,
31 usually /etc/ntp/, then run the program. Then chown the output file to
32 ntp:ntp. It should be mode 400.
33 Warning
35 ntpkeygen uses the system randomness source. On a POSIX system,
36 this is usually /dev/urandom. Immediately after a reboot, on any
37 OS, there may not be sufficient entropy available for this program
38 to perform well. Do not run this program from any startup scripts.
39 Only run this program on an active host with a lot of available
40 entropy.
41
43 File names begin with the prefix ntpkey and end with the postfix
44 hostname.filestamp, where hostname is the owner name, usually the
45 string returned by the Unix gethostname() routine, and filestamp is the
46 NTP seconds when the file was generated, in decimal digits.
47 ntpkeygen also makes a soft link from ntp.keys to the generated file.
49 ntp.keys is the normal file used in ntp.conf.
50
52 All key generation schemes must have means to randomize the entropy
53 seed used to initialize the internal pseudo-random number generator
54 used by the library routines.
55 It is important to understand that entropy must be evolved for each
57 generation, for otherwise the random number sequence would be
58 predictable. Various means dependent on external events, such as
59 keystroke intervals can be used to do this and some systems have
60 built-in entropy sources.
61 This implementation uses Python’s random.SystemRandom class, which
63 relies on os.urandom(). The security of os.urandom() is improved in
64 Python 3.5+ <https://docs.python.org/library/os.html#os.urandom>.
65
67 Unlike NTP Classic, this implementation generates only AES keys, not
68 MD5 or SHA1.
69 Since the file contains private shared keys, it should be visible only
71 to root or ntp.
72 In order to use a shared key, the line to be used must also be setup on
74 the target server.
75 This file is also used to authenticate remote configuration commands
77 used by the ntpq(1) utility.
78 Comments may appear in the file and are preceded with the # character.
80 Following any headers the keys are entered one per line in the format:
82 ┌──────┬───────────────────────────┐
84 │ │ │
85 │Field │ Meaning │
86 ├──────┼───────────────────────────┤
87 │ │ │
88 │keyno │ Positive integer in the │
89 │ │ range 1-65,535 │
90 ├──────┼───────────────────────────┤
91 │ │ │
92 │type │ Type of key (MD5, SHA-1, │
93 │ │ AES-CMAC etc). This │
94 │ │ program generates only │
95 │ │ AES. │
96 ├──────┼───────────────────────────┤
97 │ │ │
98 │key │ the actual key, printable │
99 │ │ ASCII or hex │
100 └──────┴───────────────────────────┘
101
103 One of the following exit values will be returned:
104 0 (EXIT_SUCCESS)
106 Successful program execution.
107 1 (EXIT_FAILURE)
109 The operation failed or the command syntax was not valid.
110NTPsec 2023-08-03 NTPKEYGEN(8)