+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-
-<html>
-
- <head>
- <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
- <meta name="generator" content="HTML Tidy, see www.w3.org">
- <title>ntp-keygen - Generate Public and Private Keys Files</title>
- <link href="scripts/style.css" type="text/css" rel="stylesheet">
- </head>
-
- <body>
- <h3><tt>ntp-keygen</tt> - Generate Public and Private Keys Files</h3>
- <img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
- <p>Alice holds the key.</p>
- <p>Last update: <csobj format="ShortTime" h="25" locale="00000409" region="0" t="DateTime" w="61">02:27</csobj> UTC <csobj format="LongDate" h="25" locale="00000409" region="0" t="DateTime" w="252">Monday, March 03, 2008</csobj></p>
- <br clear="left">
- <h4>Related Links</h4>
- <script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
- <h4>Table of Contents</h4>
- <ul>
- <li class="inline"><a href="#intro">Introduction</a>
- <li class="inline"><a href="#host">Host and Sign Key Files</a>
- <li class="inline"><a href="#cert">Certificate Files</a>
- <li class="inline"><a href="#ident">Identity Scheme Files</a>
- <li class="inline"><a href="#key">Symmetric Keys Files</a>
- <li class="inline"><a href="#run">Running the Program</a>
- <li class="inline"><a href="#cmd">Command Line Options</a>
- <li class="inline"><a href="#fmt">File Formats</a>
- <li class="inline"><a href="#bug">Bugs</a>
- </ul>
- <hr>
- <h4 id="intro">Introduction</h4>
- <p>Note: In order to support the MV identity scheme and provide for a trusted-agent function, the <tt>-p</tt>, and <tt>-q</tt> options have been changed in minor ways from previous versions. See the command line options for details.</p>
- <p>This program generates cryptographic data files used by the NTPv4 authentication schemes. It generates MD5 key files used in symmetric key cryptography and, if the OpenSSL software library has been installed, generates files used in Autokey public key cryptography. All files are in printable ASCII format and can be embedded as attachments in mail to other sites and certificate authorities.</p>
- <p>File names begin with the prefix <tt>ntpkey_</tt> and end with the postfix <tt><i>_name.filestamp</i></tt>, where <tt><i>name</i></tt> is the host or group name and <tt><i>filestamp</i></tt> is the NTP decimal seconds when the file was generated. This both guarantees uniqueness and simplifies maintenance procedures.</p>
- <p>The host name for the host, sign and certificate files is specified by the <tt>-s</tt> option and must agree with the <tt>host</tt> option of the <tt>crypto</tt> configuration command. If this option is not specified, the string returned by the Unix <tt>gethostname()</tt> function is used. The group name for the identity files and certificate subject and issuer fields is specified by the <tt>-i</tt> option and must agree with the <tt>ident</tt> option of the <tt>crypto</tt> configuration command. If this option is not specified, the host name is used.</p>
- <p>Files containing private data are encrypted with DES-CBC and the password specified by the <tt>-p</tt> option and must agree with the <tt>pw</tt> option of the <tt>crypto</tt> configuration command. If the <tt>-p</tt> option is not specified, the string returned by the Unix <tt>gethostname()</tt> function is used. However, private data files can be encrypted with the password specified by the <tt>-q</tt> option and redirected via the standard output stream to a file or another program. In a similar way the public data files can be redirected using the <tt>-e</tt> option.</p>
- <p>All files are installed by default in the keys directory <tt>/usr/local/etc</tt>, which is normally in a shared filesystem in NFS-mounted networks. The actual location of the keys directory can be changed by the <tt>keysdir</tt> configuration command.</p>
- <h4 id="host">Host and Sign Key Files</h4>
- <p>With the <tt>-H</tt> option the <tt>ntp-keygen</tt> program generates a new private host key file <tt>ntpkey_RSAkey_<i>hostname.filestamp </i></tt> and link <tt>ntpkey_host_<i>hostname</i></tt>. With the <tt>-S</tt> option the program generates a new private sign key file <tt>ntpkey_<i>keyname</i>sign_<i>hostname.filestamp</i></tt> and soft link <tt>ntpkey_sign_<i>hostname</i></tt>, where <i><tt>keyname</tt></i> is the name of the digest/signature scheme specified by the <tt>-S</tt> option, either <tt>RSA</tt> or <tt>DSA</tt>. If this option is not specified, the host key is used as the sign key.</p>
- <h4 id="cert">Certificate Files</h4>
- <p>The <tt>ntp-keygen</tt> program automatically generates a new self-signed X.509v3 public certificate <tt>ntpkey_<i>digest</i>cert_<i>hostname.filestamp</i></tt>, and soft link <tt>ntpkey_cert_<i>hostname</i></tt>, where <i><tt>digest</tt></i> is the name of the digest/signature scheme. All digest/signature schemes in the OpenSSL library are available; however, the scheme specified in the certificate must be compatible with the sign key.</p>
- <p>With the <tt>-P</tt> option the program generates a private certificate including an X509v3 Extended Key Usage extension field with value <tt>private</tt>. Certificates generated without this option do not contain this field and are by default public.</p>
- <p>With the <tt>-T</tt> option the program generates a trusted certificate including an X509v3 Extended Key Usage extension field with value <tt>trustRoot</tt>. Certificates generated without this option do not contain this field and are by default nontrusted.</p>
- <h4 id="ident">Identity Scheme Files</h4>
- <p>There are several optional identity schemes available with Autokey, including TC, PC, IFF, GQ and MV described on the <a href="http://www.eecis.udel.edu/~mills/ident.html">Autokey Identity Schemes</a> page. The IFF, GQ and MV schemes are based on a challenge-response exchange where the challenger uses public client parameters and the responder uses private server keys. For the IFF and GQ schemes the <tt>ntp-keygen</tt> program generates the server file <tt>ntpkey_<i>SCHEME</i>key_<i>groupname.filestamp</i></tt> and soft link <tt>ntpkey_<i>scheme</i>key_<i>groupname</i></tt>, where <tt><i>scheme</i></tt> is <tt>iff</tt> or <tt>gq</tt> with the <tt>-I </tt> or <tt>-G</tt> options, respectively. In these schemes the client file is not stored locally and must be redirected using the <tt>-e</tt> option.</p>
- <p>In the MV scheme the keys are generated by a trusted agent (TA) which for security purposes is neither a server nor a client. With the <tt>-V</tt> option the program generates the TA keys file <tt>ntpkey_MVta_<i>hostname.filestamp</i></tt> and soft link <tt>ntpkey_mvta_<i>hostname</i></tt>. In this scheme the server and client files are not stored locally and must be redirected using the <tt>-q</tt> and <tt>-e</tt> options, respectively.</p>
- <h4 id="key">Symmetric Keys Files</h4>
- <p>With the <tt>-M</tt> option the <tt>ntp-keygen</tt> program generates a symmetric keys file <tt>ntpkey_MD5key_<i>hostname.filestamp</i></tt> and soft link <tt>ntpkey_md5key_<i>hostname</i></tt>. The file contains a list of 16 printable, semi-random MD5 keys compatible with previous NTP versions. It is in plaini text format, so additional keys can be added by hand. Since it is not encrypted, it should be visible only to root and distributed by secure means to other hosts. While this file is not used with the Autokey Version 2 protocol, it is needed to authenticate some remote configuration commands used by the <a href="ntpdc.html"><tt>ntpq</tt></a> and <a href="ntpq.html"><tt>ntpdc</tt></a> utilities.</p>
- <p>While the key identifiers for MD5 keys must be in the range 1-65,535, inclusive, the <tt>ntp-keygen</tt> program uses only the identifiers from 1 to 16. The key identifier for each association is specified as the <tt>key</tt> option with the <tt>server</tt> or <tt>peer</tt> configuration command.</p>
- <h4 id="run">Running the Program</h4>
- <p>The safest way to run the <tt>ntp-keygen</tt> program is logged in directly as root. The recommended procedure is change to the keys directory, usually <tt>/ust/local/etc</tt>, then run the program. When run without options for the first time, or if all <tt>ntpkey</tt> files have been removed, the program generates an RSA host keys file and matching RSA-MD5 certificate file, which is all that is necessary in many cases. Additional information and examples are on the <a href="authopt.html">Authentication Options</a> page.</p>
- <p>If run again, the program uses the same host, sign and identity files, but generates a new certificate file and link using the fields of the original certificate, but updating the issue and expire dates.</p>
- <p>If the <tt>-M</tt> option is specified, all other options are ignored. The <tt>-I</tt>, <tt>-G</tt> and <tt>-V</tt> options work only with the <tt>-T</tt> option; a warning message is displayed otherwise. The <tt>-q</tt> and <tt>-e</tt> options work only if an identity scheme has been previously specified and in either case a new certificate is not generated. The recommended procedure is to specify all except these options in one invocation of the program and one of these options in a subsequent invocation.</p>
- <h4 id="cmd">Command Line Options</h4>
- <dl>
- <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt>
- <dd>Specify the certificate digest/signature scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. If not specified, the scheme is <tt>RSA-MD5</tt>.
- <dt><tt>-d</tt>
- <dd>Enable debugging. This option displays cryptographic data produced in eye-friendly billboards.
- <dt><tt>-e</tt>
- <dd>Redirect the public client parameters to the standard output stream.<dt><tt>-G</tt>
- <dd>Generate a new private server keys file for the GQ identity scheme.<dt><tt>-H</tt>
- <dd>Generate a new private RSA host keys file.<dt><tt>-I</tt>
- <dd>Generate a new private server keys file for the IFF identity scheme.<dt><tt>-i <i>name</i></tt>
- <dd>Specify the group name for the identity file and certificate subject and issuer fields. If not specified, the host name is used as the group name.<dt><tt>-m <i>mod</i></tt>
- <dd>Set the modulus for cryptographic keys to <tt><i>mod</i></tt> in the range 256-2048. If not specified, the modulus is 512. Caution: some schemes may not work with values other than 512 and some with larger values may produce unacceptably large network packets and may require unacceptably long times to compute.
- <dt><tt>-M</tt>
- <dd>Generate a new public keys file containing 16 MD5 semi-random keys.<dt><tt>-P</tt>
- <dd>Generate a new private certificate file. If not specified, the program generates a public certificate file.<dt><tt>-p <i>password</i></tt>
- <dd>Specify the read and write password for locally generated files to <tt><i>password</i></tt>. If not specified the host name is used as the password.<dt><tt>-q <i>password</i></tt>
- <dd>Redirect the server keys file to the standard output stream encrypted using <tt><i>password</i></tt>.
- <dt><tt>-S [ RSA | DSA ]</tt>
- <dd>Generate a new sign keys file of the designated type. If not specified, the host key is used as the sign key.<dt><tt>-s <i>name</i></tt>
- <dd>Specify the host name for the host, sign and certificate files. If not specified, the host name is the string returned by the Unix <tt>gethostname()</tt> function.
- <dt><tt>-T</tt>
- <dd>Generate a new trusted certificate file. By default, the program generates a nontrusted certificate file.<dt><tt>-V <i>nkeys</i></tt>
- <dd>Generate a new private trusted-agent file for the Mu-Varadharajan (MV) identity scheme containing <tt><i>nkeys</i></tt> activation keys.
- </dl>
- <h4 id="fmt">File Formats</h4>
- <p>All file formats begin with two lines. The first contains the file name, including the host/group name and filestamp, while the second contains the datestamp in conventional Unix <tt>date</tt> format. Empty lines and lines beginning with <tt>#</tt> are ignored. For all except the symmetric keys file, the cryptographic values are encoded first using ASN.1 encoding rules and then in PEM-encoded printable ASCII format preceded and followed by MIME content identifier lines.</p>
- <p>Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. Certificates or certificate requests derived from them should be compatible with extant industry practice, although some users might find the interpretation of X509v3 extension fields somewhat liberal. However, the identity files, although encoded as the other files, are probably not compatible with anything other than Autokey.</p>
- <p>The format of the symmetric keys file is different than the other files for backward compatibility with the NTPv3 format and can be further customized using an ordinary text editor. The lines following the header contain 16 MD5 keys, one key per line. Since DES-CBC is deprecated in NTPv4, the only key format of interest is MD5 alphanumeric strings. Keys are entered one per line in the format</p>
- <p><i><tt>keyno </tt></i><tt>MD5</tt><i><tt> key</tt></i></p>
- <p>where <i><tt>keyno</tt></i> is an integer in the range 1-65,535 and <i><tt>key</tt></i> is the key itself, which is a string containing 16 characters or less. Each character is chosen from the 93 printable ASCII characters in the range 0x21 through 0x7f excluding space and the '#' character.</p>
- <p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs are checked against passwords requested by the program and entered by hand, so it is generally appropriate to specify these keys in human readable ASCII format.</p>
- <h4 id="bug">Bugs</h4>
- <p>It can take quite a while to generate some cryptographic values, from one to several minutes with modern architectures such as UltraSPARC and up to tens of minutes to an hour with older architectures such as SPARC IPC.</p>
- <hr>
- <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
- </body>
-
-</html>
\ No newline at end of file
projects / thirdparty / ntp.git / commitdiff
