<p>Alice holds the key.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->11-Nov-2009 6:01<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->11-Nov-2009 20:03<!-- #EndDate -->
</p>
<br clear="left">
<h4 id="descrip">Description</h4>
<p>This program generates cryptographic data files used by the NTPv4 authentication
- and identity schemes. It generates MD5 message digest keys used in symmetric
+ and identity schemes. It can generate message digest keys used in symmetric
key cryptography and, if the OpenSSL software library has been installed,
- it generates message digest keys for other algorithms, as well as host keys,
- sign keys, certificates and identity keys used in the Autokey public key
- cryptography. The symmetric keys file is generated in a format compatible
- with NTPv3. All other files are in PEM-encoded printable ASCII format so
- they can be embedded as MIME attachments in mail to other sites.</p>
-
-<p>When used to generate symmetric keys, the program produces a file containing
- ten pseudo-random printable ASCII strings, as well as ten random hex strings,
- both of `60 bits in length.
- If this is the only need, run <tt>ntp-keygen</tt> with
- the <tt>-M</tt> option
- and disregard the remainder of this page. The file can be edited later with
+ it can generate host keys, sign keys, certificates and identity keys used
+ by the Autokey public key cryptography. The message digest keys file is generated
+ in a format compatible with NTPv3. All other files are in PEM-encoded printable
+ ASCII format so they can be embedded as MIME attachments in mail to other
+ sites.</p>
+
+<p>When used to generate message digest keys, the program produces a file containing
+ ten pseudo-random printable ASCII strings suitable for the MD5 message digest
+ algorithm. If the OpenSSL library is installed, it produces an additional
+ ten hex-encoded random bit strings suitable for the SHA1 and other message
+ digest algorithms. All keys are 160
+ bits in length, but are truncated as necessary for the various message digest
+ algorithms.</p>
+<p> The file can be edited later with
purpose-chosen passwords for the <tt>ntpq</tt> and <tt>ntpdc</tt> programs.
Each line of the file contains three fields, first an integer between 1 and
65534, inclusive, representing the key identifier used in the <tt>server</tt> and <tt>peer</tt> configuration
- command. Next is the single character <tt>M</tt> to designate the key type for
- the MD5 message digest algorithhm. Finally is the key itself from 1 to 63
- characters chosen from the printable ASCII set with the exclusion of space
- and #. However, only the first 16 characters are significant. As is custom,
- # and the remaining characters on the line are ignored. Later, this file
- can be edited to include the passwords for the <tt>ntpq</tt> and <tt>ntpdc</tt> utilities.
+ commands. Next is the key type for the message digest algorithm,
+ which in the absence of the OpenSSL library should be the string <tt>MD5</tt> to
+ designate the MD5 message digest algorithm.
If the OpenSSL library is installed, the key type can be any message digest
algorithm supported by that library. However, if compatibility with FIPS
- 140-2 is required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>.</p>
-
+ 140-2 is required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>.Finally
+ is the key itself as a printable ASCII string excluding the space and # characters.
+ If not greater than 20 characters in length, the string is the key itself;
+ otherwise, it is interpreted as a hex-encoded bit string. As is
+ custom, # and the remaining characters on the line are ignored. Later, this
+ file can be edited to include the passwords for the <tt>ntpq</tt> and <tt>ntpdc</tt> utilities.
+ If this is the only need, run <tt>ntp-keygen</tt> with the <tt>-M</tt> option
+ and disregard the remainder of this page. </p>
<p>The remaining generated files are compatible with other OpenSSL applications and other Public Key Infrastructure (PKI) resources. Certificates generated by this program should be compatible with extant industry practice, although some users might find the interpretation of X509v3 extension fields somewhat liberal. However, the identity keys are probably not compatible with anything other than Autokey.</p>
<p>Most files used by this program are encrypted using a private password. The <tt>-p</tt> option specifies the password for local files and the <tt>-q</tt> option the password for files sent to remote sites. If no local password is specified, the host name returned by the Unix <tt>gethostname()</tt> function, normally the DNS name of the host, is used. If no remote password is specified, the local password is used.</p>
<p>The <tt>pw</tt> option of the <tt>crypto</tt> configuration command specifies the read password for previously encrypted files. This must match the local password used by this program. If not specified, the host name is used. Thus, if files are generated by this program without password, they can be read back by <tt>ntpd</tt> without password, but only on the same host.</p>
-<p>All files and links are installed by default in the keys directory <tt>/usr/local/etc</tt>, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by clients. The location of the keys directory can be changed by the <tt>keysdir</tt> configuration command in such cases. Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page.</p>
+<p>All files and links are usually installed in the directory <tt>/usr/local/etc</tt>,
+ which is normally in a shared filesystem in NFS-mounted networks and cannot
+ be changed by shared clients. The location of the keys directory can be changed
+ by the <tt>keysdir</tt> configuration command in such cases. Normally, encrypted
+ files for each host are generated by that host and used only by that host,
+ although exceptions exist as noted later on this page.</p>
<p>This program directs commentary and error messages to the standard error stream <tt>stderr</tt> and remote files to the standard output stream <tt>stdout</tt> where they can be piped to other applications or redirected to a file. The names used for generated files and links all begin with the string <tt>ntpkey</tt> and include the file type, generating host and filestamp, as described in the <a href="#fmt">Cryptographic Data Files</a> section below</p>
<p>As described on the <a href="authopt.html">Authentication Options</a> page, there are five identity schemes, three of which - IFF, GQ and MV - require identity keys specific to each scheme. There are two types of files for each scheme, an encrypted keys file and a nonencrypted parameters file, which usually contains a subset of the keys file. In general, NTP secondary servers operating as certificate signing authorities (CSA) use the keys file and clients use the parameters file. Both files are generated by the TA operating as a certificate authority (CA) on behalf of all servers and clients in the group.</p>
-<p>The parameters files are public; they can be stored in a public place and sent in the clear. The keys files are encrypted with the local password. To retrieve the keys file, a host can send a mail request to the TA including its local password. The TA encrypts the keys file with this password and returns it as an attachment. The attachment is then copied intact to the keys directory with name given in the first line of the file, but all in lower case and with the filestamp deleted. Alternatively, the parameters file can be retrieved froom a secure web site.</p>
+<p>The parameters files are public; they can be stored in a public place and
+ sent in the clear. The keys files are encrypted with the local password. To
+ retrieve the keys file, a host can send a mail request to the TA including its
+ local password. The TA encrypts the keys file with this password and returns
+ it as an attachment. The attachment is then copied intact to the keys directory
+ with name given in the first line of the file, but all in lower case and with
+ the filestamp deleted. Alternatively, the parameters file can be retrieved from
+ a secure web site.</p>
<p>For example, the TA generates default host key, IFF keys and trusted certificate using the command</p>
<p><tt>ntp-keygen -p <i>local_passwd</i> -T -I -i<i>group_name</i></tt></p>
-<p>Each group host generates default host keys and nontrusted certificate usn the same command line but omitting the <tt>-i</tt> option. Once these media have been generated, the TA can then generate the public parameters using the command</p>
+<p>Each group host generates default host keys and nontrusted certificate use
+ the same command line but omitting the <tt>-i</tt> option. Once these media
+ have been generated, the TA can then generate the public parameters using the
+ command</p>
<p><tt>ntp-keygen -p local_passwd -e ><i>parameters_file</i></tt></p>
<dd>Select certificate and message digest/signature encryption scheme. Note that
RSA schemes must be used with a RSA sign key and DSA schemes must be used
with a DSA sign key. The default without this option is <tt>RSA-MD5</tt>. If
- compability with FIPS 140-2 is required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme
+ compatibility with FIPS 140-2 is required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme
must be used.</dd>
<dt><tt>-d</tt></dt>
projects / thirdparty / ntp.git / commitdiff
