From: Harlan Stenn Date: Tue, 24 Jul 2018 07:38:08 +0000 (+0000) Subject: Symmetric key range is 1-65535. Update docs. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bcfa7f0dc21685b473b754be9fdb09ba595da0f;p=thirdparty%2Fntp.git Symmetric key range is 1-65535. Update docs. bk: 5b56d7608x7_v5tbl2j_UxUsmMGo_Q --- diff --git a/ChangeLog b/ChangeLog index c98f1c014..e8d097183 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,7 @@ - applied patches by Christos Zoulas, including real bug fixes * html/authopt.html: cleanup, from * ntpd/ntpd.c: DROPROOT cleanup. +* Symmetric key range is 1-65535. Update docs. --- (4.2.8p11) 2018/02/27 Released by Harlan Stenn diff --git a/NEWS b/NEWS index b30f187cb..662315cca 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,5 @@ -- -NTP 4.2.8p11 (Harlan Stenn , 2018/02/27) +NTP 4.2.8p12 (Harlan Stenn , 2018/08/07) NOTE: this NEWS file will be undergoing more revisions. 
@@ -7,6 +7,71 @@ Focus: Security, Bug fixes, enhancements. Severity: MEDIUM +This release fixes a "hole" in the noepeer capability introduced to ntpd +in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by +ntpq and ntpdc. It also provides 25 other bugfixes, and 3 other improvements: + +* [Sec 3505] + +* [Sec 3012] + +* Bug Fixes: + [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() + - applied patch by Gerry Garvey + [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c + - applied patch by Gerry Garvey + [Bug 3484] ntpq response from ntpd is incorrect when REFID is null + - rework of ntpq 'nextvar()' key/value parsing + [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) + - applied patch by Gerry Garvey (with mods) + [Bug 3480] Refclock sample filter not cleared on clock STEP + - applied patch by Gerry Garvey + [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq + - applied patch by Gerry Garvey (with mods) + [Bug 3476]ctl_putstr() sends empty unquoted string [...] + - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though + [Bug 3475] modify prettydate() to suppress output of zero time + - applied patch by Gerry Garvey + [Bug 3474] Missing pmode in mode7 peer info response + - applied patch by Gerry Garvey + [Bug 3471] Check for openssl/[ch]mac.h. HStenn. + - add #define ENABLE_CMAC support in configure. HStenn. + [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL + [Bug 3469] Incomplete string compare [...] in is_refclk_addr + - patch by Stephen Friedl + [Bug 3467] Potential memory fault in ntpq [...] + - fixed IO redirection and CTRL-C handling in ntq and ntpdc + [Bug 3465] Default TTL values cannot be used + [Bug 3461] refclock_shm.c: clear error status on clock recovery + - initial patch by Hal Murray; also fixed refclock_report() trouble + [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. 
+ [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer + - According to Brooks Davis, there was only one location + [Bug 3449] ntpq - display "loop" instead of refid [...] + - applied patch by Gerry Garvey + [Bug 3445] Symmetric peer won't sync on startup + - applied patch by Gerry Garvey + [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, + with modifications + New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c. + [Bug 3434] ntpd clears STA_UNSYNC on start + - applied patch by Miroslav Lichvar + [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov. + [Bug 3121] Drop root privileges for the forked DNS worker + - integrated patch by Reinhard Max + [Bug 2821] minor build issues + - applied patches by Christos Zoulas, including real bug fixes + html/authopt.html: cleanup, from + ntpd/ntpd.c: DROPROOT cleanup. + Symmetric key range is 1-65535. Update docs. + +-- +NTP 4.2.8p11 (Harlan Stenn , 2018/02/27) + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and provides 65 other non-security fixes and improvements: diff --git a/html/authopt.html b/html/authopt.html index 9e50fccd8..c9484ef9a 100644 --- a/html/authopt.html +++ b/html/authopt.html @@ -18,7 +18,7 @@ giffrom Alice's Adventures in Wonderland, Lewis Carroll

Our resident cryptographer; now you see him, now you don't.

Last update: - 25-May-2018 00:53 + 24-Jul-2018 07:27 UTC


Related Links

@@ -34,7 +34,7 @@
Specifies the key ID for the ntpq utility, which uses the standard protocol defined in RFC-1305. The keyid argument is the key ID for a trusted - key, where the value can be in the range 1 to 65534, + key, where the value can be in the range 1 to 65535, inclusive.
crypto [digest digest] [host name] [ident name] [pw password] [randfile file]
This command activates the Autokey public key cryptography @@ -75,7 +75,7 @@
Specifies the key ID for the ntpdc utility program, which uses a proprietary protocol specific to this implementation of ntpd. The keyid argument is a key ID for a trusted key, in the range 1 to - 65534, inclusive.
+ 65535, inclusive.
revoke [logsec]
Specifies the interval between re-randomization of certain cryptographic values used by the Autokey scheme, as a power of 2 in seconds, with default 17 (36 hr). See the Autokey Public-Key Authentication page for further information.
trustedkey [keyid | (lowid ... highid)] [...]
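Review bot: both authopt.html hunks (the ntpq keyid text at -34 and the ntpdc keyid text at -75) now advertise 65535 as a valid key ID, but nothing in this patch shows the bound the code actually enforces; please confirm the config parser and the trustedkey range check accept 65535 before the docs promise it, and have the documented maximum derive from the single constant in the code that limits key IDs so the two cannot drift apart again (the old 65534 looks like exactly that kind of drift). The only line in this change that exercises the new upper value is the `(32768 ... 65535)` trustedkey range in complete.conf.in; if that file feeds a parser test, say so in the commit message, otherwise add a case that loads a key numbered 65535 and another that rejects 65536.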
diff --git a/html/confopt.html b/html/confopt.html index b964d245b..f214f0f1f 100644 --- a/html/confopt.html +++ b/html/confopt.html @@ -13,7 +13,7 @@ Walt Kelly

The chicken is getting configuration advice.

Last update: - 10-Mar-2014 05:01 + 24-Jul-2018 07:27 UTC


Related Links

@@ -67,7 +67,7 @@ Walt Kelly
ident group
Specify the group name for the association. See the Autokey Public-Key Authentication page for further information.
key key
-
Send and receive packets authenticated by the symmetric key scheme described in the Authentication Support page. The key specifies the key identifier with values from 1 to 65534, inclusive. This option is mutually exclusive with the autokey option.
minpoll minpoll
+
Send and receive packets authenticated by the symmetric key scheme described in the Authentication Support page. The key specifies the key identifier with values from 1 to 65535, inclusive. This option is mutually exclusive with the autokey option.
minpoll minpoll
maxpoll maxpoll
These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two. The maximum poll interval defaults to 10 (1024 s), but can be increased by the maxpoll option to an upper limit of 17 (36 hr). The minimum poll interval defaults to 6 (64 s), but can be decreased by the minpoll option to a lower limit of 3 (8 s). Additional information about this option is on the Poll Program page.
mode option
diff --git a/html/keygen.html b/html/keygen.html index 4f10a28d2..51577e38b 100644 --- a/html/keygen.html +++ b/html/keygen.html @@ -11,7 +11,7 @@

giffrom Alice's Adventures in Wonderland, Lewis Carroll

Alice holds the key.

Last update: - 11-Jan-2018 11:55 + 24-Jul-2018 07:27 UTC


Related Links

@@ -313,7 +313,7 @@

Figure 1 shows a typical symmetric keys file used by the reference implementation. Each line of the file contains three or four fields, - first an integer between 1 and 65534, inclusive, representing the key + first an integer between 1 and 65535, inclusive, representing the key identifier used in the server and peer configuration commands. Second is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be MD5 to diff --git a/ntpd/complete.conf.in b/ntpd/complete.conf.in index 2747098d7..66fcbaa47 100644 --- a/ntpd/complete.conf.in +++ b/ntpd/complete.conf.in @@ -21,7 +21,7 @@ crypto digest md5 host myhostname ident wedent pw cryptopass randfile /.rnd revoke 10 keysdir "/etc/ntp/keys" keys "/etc/ntp.keys" -trustedkey 1 2 3 4 5 6 7 8 9 10 11 12 (14 ... 16) 18 (32768 ... 65534) +trustedkey 1 2 3 4 5 6 7 8 9 10 11 12 (14 ... 16) 18 (32768 ... 65535) controlkey 12 requestkey 12 enable auth ntp monitor stats diff --git a/ntpd/invoke-ntp.conf.texi b/ntpd/invoke-ntp.conf.texi index 7e8a4dc54..4c9cd4a52 100644 --- a/ntpd/invoke-ntp.conf.texi +++ b/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed February 27, 2018 at 05:14:34 PM by AutoGen 5.18.5 +# It has been AutoGen-ed July 24, 2018 at 07:23:47 AM by AutoGen 5.18.5 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -284,7 +284,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified @kbd{key} -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. @item @code{minpoll} @kbd{minpoll} diff --git a/ntpd/invoke-ntp.keys.texi b/ntpd/invoke-ntp.keys.texi index d729fc075..49f800242 100644 --- a/ntpd/invoke-ntp.keys.texi +++ b/ntpd/invoke-ntp.keys.texi 
@@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi) # -# It has been AutoGen-ed February 27, 2018 at 05:14:37 PM by AutoGen 5.18.5 +# It has been AutoGen-ed July 24, 2018 at 07:23:49 AM by AutoGen 5.18.5 # From the definitions ntp.keys.def # and the template file agtexi-file.tpl @end ignore @@ -29,7 +29,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. The key file uses the same comment conventions @@ -42,7 +42,7 @@ Key entries use a fixed format of the form where @kbd{keyno} -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), @kbd{type} is the message digest algorithm, @kbd{key} diff --git a/ntpd/ntp.conf.5man b/ntpd/ntp.conf.5man index 1a506336a..0a4b75cb1 100644 --- a/ntpd/ntp.conf.5man +++ b/ntpd/ntp.conf.5man @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5man "27 Feb 2018" "4.2.8p11" "File Formats" +.TH ntp.conf 5man "24 Jul 2018" "4.2.8p11" "File Formats" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP) +.\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:50 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -326,7 +326,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified \f\*[I-Font]key\f[] -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. .TP 7 diff --git a/ntpd/ntp.conf.5mdoc b/ntpd/ntp.conf.5mdoc index 7286c811c..78f29a36f 100644 --- a/ntpd/ntp.conf.5mdoc 
+++ b/ntpd/ntp.conf.5mdoc @@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_CONF 5mdoc File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:43 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -325,7 +325,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified .Ar key -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. .It Cm minpoll Ar minpoll diff --git a/ntpd/ntp.conf.def b/ntpd/ntp.conf.def index 4af774216..b780708e9 100644 --- a/ntpd/ntp.conf.def +++ b/ntpd/ntp.conf.def @@ -327,7 +327,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified .Ar key -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. .It Cm minpoll Ar minpoll diff --git a/ntpd/ntp.conf.html b/ntpd/ntp.conf.html index 2d477e2f3..a5345f175 100644 --- a/ntpd/ntp.conf.html +++ b/ntpd/ntp.conf.html @@ -329,7 +329,7 @@ option.

key key
All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified key -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field.
minpoll minpoll
maxpoll maxpoll
These options specify the minimum and maximum poll intervals diff --git a/ntpd/ntp.conf.man.in b/ntpd/ntp.conf.man.in index 0f2b21191..e4d46819e 100644 --- a/ntpd/ntp.conf.man.in +++ b/ntpd/ntp.conf.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5 "27 Feb 2018" "4.2.8p11" "File Formats" +.TH ntp.conf 5 "24 Jul 2018" "4.2.8p11" "File Formats" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP) +.\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:50 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -326,7 +326,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified \f\*[I-Font]key\f[] -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. .TP 7 diff --git a/ntpd/ntp.conf.mdoc.in b/ntpd/ntp.conf.mdoc.in index 321acc99d..639daec44 100644 --- a/ntpd/ntp.conf.mdoc.in +++ b/ntpd/ntp.conf.mdoc.in @@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:43 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -325,7 +325,7 @@ option. All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified .Ar key -identifier with values from 1 to 65534, inclusive. +identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. .It Cm minpoll Ar minpoll 
diff --git a/ntpd/ntp.keys.5man b/ntpd/ntp.keys.5man index b107e02ea..84cf3a944 100644 --- a/ntpd/ntp.keys.5man +++ b/ntpd/ntp.keys.5man @@ -1,8 +1,8 @@ -.TH ntp.keys 5man "27 Feb 2018" "4.2.8p11" "File Formats" +.TH ntp.keys 5man "24 Jul 2018" "4.2.8p11" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (ntp.man) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:51 AM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agman-file.tpl .Sh NAME @@ -54,7 +54,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. .sp \n(Ppu .ne 2 @@ -73,7 +73,7 @@ Key entries use a fixed format of the form where \f\*[I-Font]keyno\f[] -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), \f\*[I-Font]type\f[] is the message digest algorithm, \f\*[I-Font]key\f[] diff --git a/ntpd/ntp.keys.5mdoc b/ntpd/ntp.keys.5mdoc index bec3980fc..70d908fdf 100644 --- a/ntpd/ntp.keys.5mdoc +++ b/ntpd/ntp.keys.5mdoc @@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_KEYS 5mdoc File Formats -.Os SunOS 5.10 +.Os Linux 3.2.0-4-686-pae .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:46 AM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agmdoc-file.tpl .Sh NAME 
@@ -37,7 +37,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. .Pp The key file uses the same comment conventions @@ -48,7 +48,7 @@ Key entries use a fixed format of the form .Pp where .Ar keyno -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), .Ar type is the message digest algorithm, .Ar key diff --git a/ntpd/ntp.keys.def b/ntpd/ntp.keys.def index 88dd2aac3..e73ce4d06 100644 --- a/ntpd/ntp.keys.def +++ b/ntpd/ntp.keys.def @@ -36,7 +36,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. .Pp The key file uses the same comment conventions @@ -47,7 +47,7 @@ Key entries use a fixed format of the form .Pp where .Ar keyno -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), .Ar type is the message digest algorithm, .Ar key diff --git a/ntpd/ntp.keys.html b/ntpd/ntp.keys.html index 28a4076aa..66a6bc3f9 100644 --- a/ntpd/ntp.keys.html +++ b/ntpd/ntp.keys.html @@ -86,7 +86,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file.

The key file uses the same comment conventions @@ -97,7 +97,7 @@ Key entries use a fixed format of the form

where keyno -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), type is the message digest algorithm, key diff --git a/ntpd/ntp.keys.man.in b/ntpd/ntp.keys.man.in index 3712747d4..4919c40f8 100644 --- a/ntpd/ntp.keys.man.in +++ b/ntpd/ntp.keys.man.in @@ -1,8 +1,8 @@ -.TH ntp.keys 5 "27 Feb 2018" "4.2.8p11" "File Formats" +.TH ntp.keys 5 "24 Jul 2018" "4.2.8p11" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (ntp.man) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:51 AM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agman-file.tpl .Sh NAME @@ -54,7 +54,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. .sp \n(Ppu .ne 2 @@ -73,7 +73,7 @@ Key entries use a fixed format of the form where \f\*[I-Font]keyno\f[] -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), \f\*[I-Font]type\f[] is the message digest algorithm, \f\*[I-Font]key\f[] diff --git a/ntpd/ntp.keys.mdoc.in b/ntpd/ntp.keys.mdoc.in index 6dc4f88c4..8fa09d1f5 100644 --- a/ntpd/ntp.keys.mdoc.in +++ b/ntpd/ntp.keys.mdoc.in @@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_KEYS 5 File Formats -.Os SunOS 5.10 +.Os Linux 3.2.0-4-686-pae .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:46 AM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agmdoc-file.tpl .Sh NAME 
@@ -37,7 +37,7 @@ statement in the configuration file. While key number 0 is fixed by the NTP standard (as 56 zero bits) and may not be changed, -one or more keys numbered between 1 and 65534 +one or more keys numbered between 1 and 65535 may be arbitrarily set in the keys file. .Pp The key file uses the same comment conventions @@ -48,7 +48,7 @@ Key entries use a fixed format of the form .Pp where .Ar keyno -is a positive integer (between 1 and 65534), +is a positive integer (between 1 and 65535), .Ar type is the message digest algorithm, .Ar key diff --git a/ntpq/ntpq.html b/ntpq/ntpq.html index 55aafc834..5519aa813 100644 --- a/ntpq/ntpq.html +++ b/ntpq/ntpq.html @@ -3,7 +3,7 @@ ntpq: Network Time Protocol Query User's Manual - + @@ -14,8 +14,9 @@ pre.smallformat { font-family:inherit; font-size:smaller } pre.smallexample { font-size:smaller } pre.smalllisp { font-size:smaller } - span.sc { font-variant:small-caps } - span.roman { font-family: serif; font-weight: normal; } + span.sc { font-variant:small-caps } + span.roman { font-family:serif; font-weight:normal; } + span.sansserif { font-family:sans-serif; font-weight:normal; } --> @@ -30,11 +31,12 @@

+


-Next: , +Next: , Previous: (dir), Up: (dir) -
+

ntpq: Network Time Protocol Query User Manual

@@ -59,11 +61,12 @@ and determine the performance of
+


-Next: , +Next: , Previous: Top, Up: Top -
+
@@ -86,9 +89,10 @@ The description on this page is for the NTPv4 variables.

For examples and usage, see the NTP Debugging Techniques page.

-


-
+


+ +

Invoking ntpq

@@ -150,7 +154,7 @@ namespace, while a -6 qualifier forces resolution to the IPv6 namespace. For examples and usage, see the -NTP Debugging Techniques +“NTP Debugging Techniques” page.

Specifying a @@ -182,12 +186,12 @@ requests being sent to a server. These are described following.

? [command]
help [command]
A -? +‘?’ by itself will print a list of all the commands known to ntpq A -? +‘?’ followed by a command name will print function and usage information about the command.
addvars name[=value][,...]
rmvars name[,...]
clearvars
showvars
The arguments to this command consist of a list of @@ -248,7 +252,7 @@ Variables which ntpq could not decode completely are marked with a trailing -?. +‘?’.
debug [more|less|off]
With no argument, displays the current debug level. Otherwise, the debugging level is changed as indicated.
delay [milliseconds]
Specify a time interval to be added to timestamps included in @@ -364,7 +368,7 @@ commands, which iterate over a range of associations.
apeers
Display a list of peers in the form:
          [tally]remote refid assid st t when pool reach delay offset jitter
-     
+

where the output is just like the peers command except that the @@ -372,7 +376,7 @@ command except that the is displayed in hex format and the association number is also displayed.

associations
Display a list of mobilized associations in the form:
          ind assid status conf reach auth condition last_event cnt
-     
+
Sy Variable Ta Sy Description
ind Ta index on this list
assid Ta association id
status Ta peer status word
conf Ta yes: No persistent, no: No ephemeral
reach Ta yes: No reachable, no: No unreachable
auth Ta ok, yes, bad No and none
condition Ta selection status (see the select No field of the peer status word)
last_event Ta event report (see the event No field of the peer status word)
cnt Ta event count (see the count No field of the peer status word)

authinfo
Display the authentication statistics counters: @@ -469,7 +473,7 @@ and may be count, lstint, or any of those preceded by -- +‘-’ to reverse the sort order. The output columns are:
@@ -508,7 +512,7 @@ command, except that it uses previously stored data rather than making a new query.
peers
Display a list of peers in the form:
          [tally]remote refid st t when pool reach delay offset jitter
-     
+
Variable
Description
[tally]
single-character code indicating current value of the @@ -544,7 +548,7 @@ broadcast server, multicast server
when
time in seconds, minutes, hours, or days since the last packet was received, or -- +‘-’ if a packet has never been received
poll
poll interval (s)
reach
reach shift register (octal) @@ -613,8 +617,8 @@ can use date(1) format specifiers to substitute the current date and time, for example, -
          saveconfig ntp-%Y%m%d-%H%M%S.conf.
-     
+
          saveconfig ntp-%Y%m%d-%H%M%S.conf.
+

The filename used is stored in system variable savedconfig. Authentication is required. @@ -821,7 +825,7 @@ using the agtexi-cmd template and the option descriptions for the < This software is released under the NTP license, <http://ntp.org/license>.

+


-Next: , +Next: , Up: ntpq Invocation -
+
-

ntpq help/usage (--help)

+

ntpq help/usage (--help)

This is the automatically generated usage text for ntpq.

The text printed is the same whether selected with the help option -(--help) or the more-help option (--more-help). more-help will print +(--help) or the more-help option (--more-help). more-help will print the usage text by passing it through a pager program. more-help is disabled on platforms without a working fork(2) function. The PAGER environment variable is -used to select the program, defaulting to more. Both will exit +used to select the program, defaulting to more. Both will exit with a status code of 0. -

ntpq - standard NTP query program - Ver. 4.2.8p10
+
ntpq - standard NTP query program - Ver. 4.2.8p11
 Usage:  ntpq [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]
   Flg Arg Option-Name    Description
    -4 no  ipv4           Force IPv4 name resolution
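Review bot: in this ntpq.html usage hunk the banner goes from `ntpq - standard NTP query program - Ver. 4.2.8p10` to `Ver. 4.2.8p11`, yet the NEWS hunk in the same commit heads the release as 4.2.8p12; the generated usage text tracks whatever version string was in the tree when autogen ran, so either bump the version source first and regenerate, or keep regenerated output out of a commit whose subject is a key-range doc fix. As it stands the shipped --help text will disagree with NEWS.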
@@ -901,11 +906,12 @@ The valid "refid" option keywords are:
 Please send bug reports to:  <http://bugs.ntp.org, bugs@ntp.org>
 
+


-Next: , +Next: , Previous: ntpq usage, Up: ntpq Invocation -
+

ipv4 option (-4)

@@ -922,11 +928,12 @@ ipv6.

Force resolution of following host names on the command line to the IPv4 namespace.

+


-Next: , +Next: , Previous: ntpq ipv4, Up: ntpq Invocation -
+

ipv6 option (-6)

@@ -943,18 +950,19 @@ ipv4.

Force resolution of following host names on the command line to the IPv6 namespace.

+


-Next: , +Next: , Previous: ntpq ipv6, Up: ntpq Invocation -
+

command option (-c)

This is the “run a command and exit” option. -This option takes a string argument cmd. +This option takes a string argument cmd.

This option has some usage constraints. It:

    @@ -965,11 +973,12 @@ This option takes a string argument cmd. and is added to the list of commands to be executed on the specified host(s).
    +


    -Next: , +Next: , Previous: ntpq command, Up: ntpq Invocation -
    +

    interactive option (-i)

    @@ -987,11 +996,12 @@ command, peers. Prompts will be written to the standard output and commands read from the standard input.
    +


    -Next: , +Next: , Previous: ntpq interactive, Up: ntpq Invocation -
    +

    numeric option (-n)

    @@ -1001,11 +1011,13 @@ This is the “numeric host addresses” option. Output all host addresses in dotted-quad numeric format rather than converting to the canonical host names.
    + +


    -Next: , +Next: , Previous: ntpq numeric, Up: ntpq Invocation -
    +

    old-rv option

    @@ -1022,11 +1034,12 @@ Using an environment variable to preset this option in a script will enable both older and newer ntpq to behave identically in this regard.
    +


    -Next: , +Next: , Previous: ntpq old-rv, Up: ntpq Invocation -
    +

    peers option (-p)

    @@ -1043,11 +1056,12 @@ interactive.

    Print a list of the peers known to the server as well as a summary of their state. This is equivalent to the 'peers' interactive command.

    +


    -Next: , +Next: , Previous: ntpq peers, Up: ntpq Invocation -
    +

    refid option (-r)

    @@ -1062,16 +1076,17 @@ This option takes a keyword argument. The argument sets an enumeration value that can be tested by comparing the option value macro (OPT_VALUE_REFID). The available keywords are:
                 hash ipv4
    -    
    +

or their numeric equivalent.

Set the default display format for S2+ refids.

+


-Next: , +Next: , Previous: ntpq refid, Up: ntpq Invocation -
+

wide option (-w)

@@ -1083,11 +1098,12 @@ more than 15 characters, display the full value, emit a newline, and continue the data display properly indented on the next line.
+


-Next: , +Next: , Previous: ntpq wide, Up: ntpq Invocation -
+

presetting/configuring ntpq

@@ -1105,9 +1121,9 @@ values are treated like option arguments.
  • $PWD The environment variables HOME, and PWD -are expanded and replaced when ntpq runs. +are expanded and replaced when ntpq runs. For any of these that are plain files, they are simply processed. -For any that are directories, then a file named .ntprc is searched for +For any that are directories, then a file named .ntprc is searched for within that directory and processed.

    Configuration files may be in a wide variety of formats. @@ -1149,35 +1165,37 @@ detail to provide. The default is to print just the version. The licensing inf Only the first letter of the argument is examined:

    -
    version
    Only print the version. This is the default. -
    copyright
    Name the copyright usage licensing terms. -
    verbose
    Print the full copyright usage licensing terms. +
    version
    Only print the version. This is the default. +
    copyright
    Name the copyright usage licensing terms. +
    verbose
    Print the full copyright usage licensing terms.
    +


    -Previous: ntpq config, +Previous: ntpq config, Up: ntpq Invocation -
    +

    ntpq exit status

    One of the following exit values will be returned:

    -
    0 (EXIT_SUCCESS)
    Successful program execution. -
    1 (EXIT_FAILURE)
    The operation failed or the command syntax was not valid. -
    66 (EX_NOINPUT)
    A specified configuration file could not be loaded. -
    70 (EX_SOFTWARE)
    libopts had an internal operational error. Please report +
    0 (EXIT_SUCCESS)
    Successful program execution. +
    1 (EXIT_FAILURE)
    The operation failed or the command syntax was not valid. +
    66 (EX_NOINPUT)
    A specified configuration file could not be loaded. +
    70 (EX_SOFTWARE)
    libopts had an internal operational error. Please report it to autogen-users@lists.sourceforge.net. Thank you.
    +


    -Next: , +Next: , Previous: ntpq Description, Up: Top -
    +
    @@ -1219,11 +1237,12 @@ Up: Top
    +


    -Next: , +Next: , Previous: Usage, Up: Top -
    +
    @@ -1232,9 +1251,9 @@ Up: Top

    Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a >, followed by a file name, to the command line. A number of interactive format commands are executed entirely within the ntpq program itself and do not result in NTP mode-6 requests being sent to a server. These are described following.

    -
    ? [command_keyword]
    help [command_keyword]
    A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command. +
    ? [command_keyword]
    help [command_keyword]
    A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command. -
    >addvars name [ = value] [...]
    rmvars name [...]
    clearvars</dt>
    The arguments to these commands consist of a list of items of the form +
    >addvars name [ = value] [...]
    rmvars name [...]
    clearvars</dt>
    The arguments to these commands consist of a list of items of the form name = value, where the = value is ignored, and can be omitted in read requests. ntpq maintains an internal list in which data to be included @@ -1248,43 +1267,43 @@ The rmvars command can be used to remove individual variables from the list, while the clearlist command removes all variables from the list. -
    cooked
    Display server messages in prettyprint format. +
    cooked
    Display server messages in prettyprint format. -
    debug more | less | off
    Turns internal query program debugging on and off. +
    debug more | less | off
    Turns internal query program debugging on and off. -
    delay milliseconds
    Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +
    delay milliseconds
    Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. -
    host name
    Set the host to which future queries will be sent. +
    host name
    Set the host to which future queries will be sent. The name may be either a DNS name or a numeric address. -
    hostnames [yes | no]
    If yes is specified, host names are printed in information displays. +
    hostnames [yes | no]
    If yes is specified, host names are printed in information displays. If no is specified, numeric addresses are printed instead. The default is yes, unless modified using the command line -n switch. -
    keyid keyid
    This command specifies the key number to be used +
    keyid keyid
    This command specifies the key number to be used to authenticate configuration requests. This must correspond to a key ID configured in ntp.conf for this purpose. -
    keytype
    Specify the digest algorithm to use for authenticated requests, +
    keytype
    Specify the digest algorithm to use for authenticated requests, with default MD5. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: AES128CMAC, MD2, MD4, MD5, MDC2, RIPEMD160, SHA and SHA1. -
    ntpversion 1 | 2 | 3 | 4
    Sets the NTP version number which ntpq claims in packets. +
    ntpversion 1 | 2 | 3 | 4
    Sets the NTP version number which ntpq claims in packets. Defaults to 2. Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1. -
    passwd
    This command prompts for a password to authenticate requests. +
    passwd
    This command prompts for a password to authenticate requests. The password must correspond to the key ID configured in ntp.conf for this purpose. -
    quit
    Exit ntpq. +
    quit
    Exit ntpq. -
    raw
    Display server messages as received and without reformatting. +
    raw
    Display server messages as received and without reformatting. -
    timeout millseconds
    Specify a timeout period for responses to server queries. +
    timeout milliseconds
    Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since ntpq retries each query once after a timeout the total waiting time for a timeout will be twice the timeout value set. @@ -1292,11 +1311,12 @@ the total waiting time for a timeout will be twice the timeout value set.
    @@ -1349,35 +1369,35 @@ event count (see the count field of the
    -
    clockvar assocID [name [ = value [...]] [...]]
    cv assocID [name [ = value [...] ][...]]
    Display a list of clock variables for those associations supporting a reference clock. +
    clockvar assocID [name [ = value [...]] [...]]
    cv assocID [name [ = value [...] ][...]]
    Display a list of clock variables for those associations supporting a reference clock. -
    :config [...]
    Send the remainder of the command line, including whitespace, to the server +
    :config [...]
    Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -
    config-from-file filename
    Send the each line of filename to the server as +
    config-from-file filename
    Send the each line of filename to the server as run-time configuration commands in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is required. -
    ifstats
    Display statistics for each local network address. +
    ifstats
    Display statistics for each local network address. Authentication is required. -
    iostats
    Display network and reference clock I/O statistics. +
    iostats
    Display network and reference clock I/O statistics. -
    kerninfo
    Display kernel loop and PPS statistics. +
    kerninfo
    Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. -
    lassociations
    Perform the same function as the associations command, +
    lassociations
    Perform the same function as the associations command, except display mobilized and unmobilized associations. -
    monstats
    Display monitor facility statistics. +
    monstats
    Display monitor facility statistics. -
    mrulist [limited | kod | mincount=count | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask]
    Obtain and print traffic counts collected and maintained by +
    mrulist [limited | kod | mincount=count | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask]
    Obtain and print traffic counts collected and maintained by the monitor facility. With the exception of sort=sortorder, the options filter the list returned by ntpd. @@ -1443,15 +1463,15 @@ could not be verified in parentheses.
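Review bot: the rewritten `config-from-file` paragraph in this hunk keeps the typo "Send the each line of filename"; it should read "Send each line of filename". While here, the `:config` entry says "Authentication is of course required" and `config-from-file` says "Authentication is required"; the two run-time reconfiguration commands are equally sensitive, so the same wording for both would read better.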
    -
    mreadvar assocID assocID [ variable_name [ = value[ ... ]
    mrv assocID assocID [ variable_name [ = value[ ... ]
    Perform the same function as the readvar command, +
    mreadvar assocID assocID [ variable_name [ = value[ ... ]
    mrv assocID assocID [ variable_name [ = value[ ... ]
    Perform the same function as the readvar command, except for a range of association IDs. This range is determined from the association list cached by the most recent associations command. -
    passociations
    Perform the same function as the associations command, except that +
    passociations
    Perform the same function as the associations command, except that it uses previously stored data rather than making a new query. -
    peers
    Display a list of peers in the form: +
    peers
    Display a list of peers in the form:
    [tally]remote refid st t when pool reach delay offset jitter @@ -1509,7 +1529,7 @@ jitter
    -
    readvar assocID name [ = value ] [,...]
    rv assocID [ name ] [,...]
    Display the specified variables. +
    readvar assocID name [ = value ] [,...]
    rv assocID [ name ] [,...]
    Display the specified variables. If assocID is zero, the variables are from the system variables name space, otherwise they are from the peer variables name space. @@ -1524,7 +1544,7 @@ Some NTP timestamps are represented in the format YYYYMMDDTTTT, where YYYY is the year, MM the month of year, DD the day of month and TTTT the time of day. -
    saveconfig filename
    Write the current configuration, including any runtime modifications +
    saveconfig filename
    Write the current configuration, including any runtime modifications given with :config or config-from-file, to the ntpd host's file filename. This command will be rejected by the server unless @@ -1536,25 +1556,26 @@ to substitute the current date and time, for example, The filename used is stored in system variable savedconfig. Authentication is required. -
    writevar assocID name = value [,...]
    Write the specified variables. +
    writevar assocID name = value [,...]
    Write the specified variables. If the assocID is zero, the variables are from the system variables name space, otherwise they are from the peer variables name space. The assocID is required, as the same name can occur in both spaces. -
    sysinfo
    Display operational summary. +
    sysinfo
    Display operational summary. -
    sysstats
    Print statistics counters maintained in the protocol module. +
    sysstats
    Print statistics counters maintained in the protocol module.
  • +


    -Next: , +Next: , Previous: Control Message Commands, Up: Top -
    +
    @@ -1579,11 +1600,12 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards.
    +


    -Next: , +Next: , Previous: Status Words and Kiss Codes, Up: Top -
    +
    @@ -1730,11 +1752,12 @@ NTP seconds when the certificate expires
    +


    -Next: , +Next: , Previous: System Variables, Up: Top -
    +
    @@ -1895,10 +1918,11 @@ Autokey signature timestamp
    +


    -Previous: Peer Variables, +Previous: Peer Variables, Up: Top -
    +
    diff --git a/util/invoke-ntp-keygen.texi b/util/invoke-ntp-keygen.texi index 2a8d401d1..a830a15b4 100644 --- a/util/invoke-ntp-keygen.texi +++ b/util/invoke-ntp-keygen.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp-keygen.texi) # -# It has been AutoGen-ed February 27, 2018 at 05:15:57 PM by AutoGen 5.18.5 +# It has been AutoGen-ed July 24, 2018 at 07:24:01 AM by AutoGen 5.18.5 # From the definitions ntp-keygen-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -948,7 +948,7 @@ Following the header the keys are entered one per line in the format @end example where @kbd{keyno} -is a positive integer in the range 1-65534; +is a positive integer in the range 1-65535; @kbd{type} is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be @@ -1056,14 +1056,17 @@ with a status code of 0. @exampleindent 0 @example -ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p245 -USAGE: ntp-keygen [ - [] | --[@{=| @}] ]... +ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11 +Usage: ntp-keygen [ - [] | --[@{=| @}] ]... Flg Arg Option-Name Description + -b Num imbits identity modulus bits + - it must be in the range: + 256 to 2048 -c Str certificate certificate scheme -C Str cipher privatekey cipher -d no debug-level Increase debug verbosity level - may appear multiple times - -D Str set-debug-level Set the debug verbosity level + -D Num set-debug-level Set the debug verbosity level - may appear multiple times -e no id-key Write IFF or GQ identity keys -G no gq-params Generate GQ parameters and keys 
@@ -1071,37 +1074,36 @@ USAGE: ntp-keygen [ - [] | --[@{=| @}] ]... -I no iffkey generate IFF parameters -i Str ident set Autokey group name -l Num lifetime set certificate lifetime - -M no md5key generate MD5 keys - -m Num modulus modulus - - It must be in the range: + -m Num modulus prime modulus + - it must be in the range: 256 to 2048 + -M no md5key generate symmetric keys -P no pvt-cert generate PC private certificate - -p Str pvt-passwd output private password - -q Str get-pvt-passwd input private password - -S Str sign-key generate sign key (RSA or DSA) + -p Str password local private password + -q Str export-passwd export IFF or GQ group keys with password -s Str subject-name set host and optionally group name + -S Str sign-key generate sign key (RSA or DSA) -T no trusted-cert trusted certificate (TC scheme) -V Num mv-params generate MV parameters -v Num mv-keys update MV keys - opt version Output version information and exit - -? no help Display extended usage information and exit - -! no more-help Extended usage information passed thru pager - -> opt save-opts Save the option state to a config file - -< Str load-opts Load options from a config file - - disabled as --no-load-opts + opt version output version information and exit + -? no help display extended usage information and exit + -! no more-help extended usage information passed thru pager + -> opt save-opts save the option state to a config file + -< Str load-opts load options from a config file + - disabled as '--no-load-opts' - may appear multiple times Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. - The following option preset mechanisms are supported: - reading file $HOME/.ntprc - reading file ./.ntprc - examining environment variables named NTP_KEYGEN_* -please send bug reports to: http://bugs.ntp.org, bugs@@ntp.org +Please send bug reports to: @end example @exampleindent 4 
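Review bot: the replacement line `+Please send bug reports to:` that closes the second usage hunk has nothing after the colon, whereas the html usage text in this same commit ends with `<http://bugs.ntp.org, bugs@ntp.org>`; it is not clear from the hunk whether the address was lost in the source or only in this rendering, so check the regenerated @example output before merging. The `-D` row changing from `Str` to `Num` and the new `-b imbits` row bring the example in line with the option definitions. Separately, the old texi example was stamped "Ver. 4.2.7p245" while the old html example was "4.2.8p10", so these generated copies came from different builds; regenerating all of them from one build in one step would stop that drift.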
diff --git a/util/ntp-keygen-opts.c b/util/ntp-keygen-opts.c index 6c07f973d..c8ca2c036 100644 --- a/util/ntp-keygen-opts.c +++ b/util/ntp-keygen-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.c) * - * It has been AutoGen-ed February 27, 2018 at 05:15:44 PM by AutoGen 5.18.5 + * It has been AutoGen-ed July 24, 2018 at 07:23:54 AM by AutoGen 5.18.5 * From the definitions ntp-keygen-opts.def * and the template file options * diff --git a/util/ntp-keygen-opts.def b/util/ntp-keygen-opts.def index f8c39c48d..f89ee3344 100644 --- a/util/ntp-keygen-opts.def +++ b/util/ntp-keygen-opts.def @@ -1210,7 +1210,7 @@ Following the header the keys are entered one per line in the format .D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1-65534; +is a positive integer in the range 1-65535; .Ar type is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be diff --git a/util/ntp-keygen-opts.h b/util/ntp-keygen-opts.h index ab9e8ca36..77543065d 100644 --- a/util/ntp-keygen-opts.h +++ b/util/ntp-keygen-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.h) * - * It has been AutoGen-ed February 27, 2018 at 05:15:43 PM by AutoGen 5.18.5 + * It has been AutoGen-ed July 24, 2018 at 07:23:53 AM by AutoGen 5.18.5 * From the definitions ntp-keygen-opts.def * and the template file options * diff --git a/util/ntp-keygen.1ntp-keygenman b/util/ntp-keygen.1ntp-keygenman index 5b942d89a..dff23f84c 100644 --- a/util/ntp-keygen.1ntp-keygenman +++ b/util/ntp-keygen.1ntp-keygenman 
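Review bot: the ntp-keygen-opts.def hunk is the only hand-edited source in this group; the ntp-keygen-opts.c and ntp-keygen-opts.h hunks change nothing but the AutoGen timestamp. The new upper bound 65535 is stated in the .def and repeated in every generated copy, but nothing in this diff shows the key-file reader accepting key number 65535, so confirm against the code that parses ntp.keys (and against any other page that quotes the range) that 65534 was the documentation being wrong rather than the limit being raised; a bound that is documented wider than what the parser accepts would lead an operator to configure a key that is silently ignored.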
@@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-keygen 1ntp-keygenman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" +.TH ntp-keygen 1ntp-keygenman "24 Jul 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V) +.\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:24:02 AM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1054,7 +1054,7 @@ Following the header the keys are entered one per line in the format .in -4 where \f\*[I-Font]keyno\f[] -is a positive integer in the range 1-65534; +is a positive integer in the range 1-65535; \f\*[I-Font]type\f[] is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be diff --git a/util/ntp-keygen.1ntp-keygenmdoc b/util/ntp-keygen.1ntp-keygenmdoc index ba2108764..a60d994fc 100644 --- a/util/ntp-keygen.1ntp-keygenmdoc +++ b/util/ntp-keygen.1ntp-keygenmdoc @@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:59 AM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -943,7 +943,7 @@ Following the header the keys are entered one per line in the format .D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1\-65534; +is a positive integer in the range 1\-65535; .Ar type is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be diff --git a/util/ntp-keygen.html b/util/ntp-keygen.html index 854d055ca..0f9bc7d5d 100644 --- a/util/ntp-keygen.html 
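Review bot: the `.TH` line in the man page hunk moves the date to "24 Jul 2018" while keeping "ntp (4.2.8p11)" in the version field, and the mdoc `.Dd` change does the same; if these pages are headed for the next release the version string should follow the date, otherwise the date bump alone suggests the p11 page changed. Replacing the `/tmp/.ag-bBa46V/ag-nBaW5V` path in the EDIT THIS FILE WITH CAUTION comment with "(in-mem file)" is welcome, as it removes a build-host temp path from a shipped file. The mdoc hunk correctly keeps the escaped hyphen in `1\-65535`.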
+++ b/util/ntp-keygen.html @@ -3,7 +3,7 @@ Ntp-keygen User's Manual - + @@ -14,8 +14,9 @@ pre.smallformat { font-family:inherit; font-size:smaller } pre.smallexample { font-size:smaller } pre.smalllisp { font-size:smaller } - span.sc { font-variant:small-caps } - span.roman { font-family: serif; font-weight: normal; } + span.sc { font-variant:small-caps } + span.roman { font-family:serif; font-weight:normal; } + span.sansserif { font-family:sans-serif; font-weight:normal; } --> @@ -31,9 +32,10 @@
    +


    -Up: (dir) -
    +Up: (dir) +

    Top

    @@ -47,11 +49,12 @@
    +


    -Next: , +Next: , Previous: (dir), Up: (dir) -
    +

    NTP Key Generation Program User Manual

    @@ -73,11 +76,12 @@ mail to other sites.

    This document applies to version 4.2.8p11 of ntp-keygen.

    +


    -Next: , +Next: , Previous: Top, Up: Top -
    +
    @@ -150,11 +154,12 @@ generating host and filestamp, as described in the Cryptographic Data Files section below.
    +


    -Next: , +Next: , Previous: Description, Up: Top -
    +
    @@ -206,9 +211,11 @@ certificate should be re-generated. Autokey Public-Key Authentication page.
    -


    + -
    +


    + +

    Invoking ntp-keygen

    @@ -294,16 +301,16 @@ these files can be read by that host with no explicit password. used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -ntp.keys, +ntp.keys, is usually installed in -/etc. +/etc. Other files and links are usually installed in -/usr/local/etc, +/usr/local/etc, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. In these cases, NFS clients can specify the files in another directory such as -/etc +/etc using the keysdir ntpd(1ntpdmdoc) @@ -311,13 +318,13 @@ configuration file command.

    This program directs commentary and error messages to the standard error stream -stderr +stderr and remote files to the standard output stream -stdout +stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -ntpkey* +ntpkey* and include the file type, generating host and filestamp, as described in the Cryptographic Data Files @@ -331,16 +338,16 @@ program is logged in directly as root. The recommended procedure is change to the keys directory, usually -/usr/local/etc, +/usr/local/etc, then run the program.

    To test and gain experience with Autokey concepts, log in as root and change to the keys directory, usually -/usr/local/etc. +/usr/local/etc. When run for the first time, or if all files with names beginning with -ntpkey* +ntpkey* have been removed, use the ntp-keygen command without arguments to generate a default @@ -400,22 +407,22 @@ as the other files, are probably not compatible with anything other than Autokey command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.rnd +.rnd in the user home directory. However, there should be only one -.rnd, +.rnd, most conveniently in the root directory, so it is convenient to define the .Ev RANDFILE environment variable used by the OpenSSL library as the path to -.rnd. +.rnd.

    Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write to the shared keys directory, even as root. In this case, NFS clients can specify the files in another directory such as -/etc +/etc using the keysdir ntpd(1ntpdmdoc) @@ -435,7 +442,7 @@ The owner name is also used for the host and sign key files, while the trusted name is used for the identity files.

    All files are installed by default in the keys directory -/usr/local/etc, +/usr/local/etc, which is normally in a shared filesystem in NFS-mounted networks. The actual location of the keys directory @@ -529,13 +536,13 @@ After that and when the host is synchronized to a proventic source, the certificate should be re-generated.

    Additional information on trusted groups and identity schemes is on the -Autokey Public-Key Authentication +“Autokey Public-Key Authentication” page.

    File names begin with the prefix -ntpkey_ +ntpkey_ and end with the suffix -_hostname. filestamp, +_hostname. filestamp, where hostname is the owner name, usually the string returned @@ -547,10 +554,10 @@ is the NTP seconds when the file was generated, in decimal digits. This both guarantees uniqueness and simplifies maintenance procedures, since all files can be quickly removed by a -rm ntpkey* +rm ntpkey* command or all files generated at a specific time can be removed by a -rm *filestamp +rm *filestamp command. To further reduce the risk of misconfiguration, the first two lines of a file contain the file name @@ -589,7 +596,7 @@ section of

    On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -ntpkey +ntpkey files. Then run ntp-keygen @@ -681,18 +688,18 @@ On trusted host alice run -P -p password to generate the host key file -ntpkey_ RSA key_alice. filestamp +ntpkey_ RSA key_alice. filestamp and trusted private certificate file -ntpkey_ RSA-MD5 _ cert_alice. filestamp, +ntpkey_ RSA-MD5 _ cert_alice. filestamp, and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. On each host bob install a soft link from the generic name -ntpkey_host_bob +ntpkey_host_bob to the host key file and soft link -ntpkey_cert_bob +ntpkey_cert_bob to the private certificate file. Note the generic links are on bob, but point to files generated by trusted host alice. @@ -715,11 +722,11 @@ On trusted host alice run -I -p password to produce her parameter file -ntpkey_IFFpar_alice.filestamp, +ntpkey_IFFpar_alice.filestamp, which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -ntpkey_iff_alice +ntpkey_iff_alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. @@ -738,7 +745,7 @@ After generating the parameter file, on alice run and pipe the output to a file or email program. Copy or email this file to all restricted clients. On these clients install a soft link from the generic -ntpkey_iff_alice +ntpkey_iff_alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. 
@@ -758,17 +765,17 @@ On trusted host alice run -G -p password to produce her parameter file -ntpkey_GQpar_alice.filestamp, +ntpkey_GQpar_alice.filestamp, which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -ntpkey_gq_alice +ntpkey_gq_alice to this file. In addition, on each host bob install a soft link from generic -ntpkey_gq_bob +ntpkey_gq_bob to this file. As the GQ @@ -793,9 +800,9 @@ where n is the number of revokable keys (typically 5) to produce the parameter file -ntpkeys_MVpar_trish.filestamp +ntpkeys_MVpar_trish.filestamp and client key files -ntpkeys_MVkeyd _ trish. filestamp +ntpkeys_MVkeyd _ trish. filestamp where d is the key number (0 < @@ -804,7 +811,7 @@ is the key number (0 < n). Copy the parameter file to alice and install a soft link from the generic -ntpkey_mv_alice +ntpkey_mv_alice to this file. Copy one of the client key files to alice for later distribution to her clients. @@ -812,7 +819,7 @@ It does not matter which client key file goes to alice, since they all work the same way. Alice copies the client key file to all of her clients. On client bob install a soft link from generic -ntpkey_mvkey_bob +ntpkey_mvkey_bob to the client key file. As the MV @@ -871,7 +878,7 @@ public parameters from the IFFkey or GQkey client keys file previously specified as unencrypted data to the standard output stream -stdout. +stdout. This is intended for automatic key distribution by email.

    -G --gq-params
    Generate a new encrypted GQ @@ -905,7 +912,7 @@ The group name, if specified using or -s following an -@ +‘@’ character, is also used in certificate subject and issuer names in the form host @ group and should match the group specified via @@ -947,7 +954,7 @@ Note: the PC identity scheme is not recommended for new installations.
    -q --export-passwd= passwd
    Set the password for writing encrypted IFF, GQ and MV identity files redirected to -stdout +stdout to passwd. In effect, these files are decrypted with the @@ -1022,7 +1029,7 @@ but are outside the scope of this page.

    The entropy seed used by the OpenSSL library is contained in a file, usually called -.rnd, +.rnd, which must be available when starting the NTP daemon or the ntp-keygen @@ -1045,16 +1052,16 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -.rnd +.rnd file in the user home directory. Since both the ntp-keygen program and ntpd(1ntpdmdoc) daemon must run as root, the logical place to put this file is in -/.rnd +/.rnd or -/root/.rnd. +/root/.rnd. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. @@ -1064,7 +1071,7 @@ exits with a suitable error message.

    All file formats begin with two nonencrypted lines. The first line contains the file name, including the generated host name and filestamp, in the format -ntpkey_key _ name. filestamp, +ntpkey_key _ name. filestamp, where key is the key or parameter type, @@ -1080,10 +1087,10 @@ characters, while names in generated link names include only lower case characters. The filestamp is not used in generated link names. The second line contains the datestamp in conventional Unix -date +date format. Lines beginning with -# +‘#’ are considered comments and ignored by the ntp-keygen program and @@ -1095,12 +1102,11 @@ rules, then encrypted if necessary, and finally written in PEM-encoded printable ASCII text, preceded and followed by MIME content identifier lines.

    The format of the symmetric keys file, ordinarily named -ntp.keys, +ntp.keys, is somewhat different than the other files in the interest of backward compatibility. Ordinarily, the file is generated by this program, but it can be constructed and edited using an ordinary text editor. -

    -# ntpkey_MD5key_bk.ntp.org.3595864945
    +
    # ntpkey_MD5key_bk.ntp.org.3595864945
     # Thu Dec 12 19:22:25 2013
     
     1  MD5 L";Nw<\`.I<f4U0)247"i  # MD5 key
    @@ -1133,7 +1139,7 @@ Following the header the keys are entered one per line in the format
     

    where keyno -is a positive integer in the range 1-65534; +is a positive integer in the range 1-65535; type is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be @@ -1151,13 +1157,13 @@ is the key itself, which is a printable ASCII string 20 characters or less in length: each character is chosen from the 93 printable characters in the range 0x21 through 0x7e ( -! +‘’! through -~ +‘~’ ) excluding space and the -# +‘#’ character, and terminated by whitespace or a -# +‘#’ character. An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which is truncated as necessary. @@ -1174,12 +1180,12 @@ in human readable ASCII format.

    The ntp-keygen program generates a symmetric keys file -ntpkey_MD5key_hostname. filestamp. +ntpkey_MD5key_hostname. filestamp. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. The NTP daemon loads the file -ntp.keys, +ntp.keys, so ntp-keygen installs a soft link from this name to the generated file. @@ -1198,7 +1204,7 @@ using the agtexi-cmd template and the option descriptions for the < This software is released under the NTP license, <http://ntp.org/license>.

    -

    ntp-keygen help/usage (--help)

    +

    ntp-keygen help/usage (--help)

    This is the automatically generated usage text for ntp-keygen.

    The text printed is the same whether selected with the help option -(--help) or the more-help option (--more-help). more-help will print +(--help) or the more-help option (--more-help). more-help will print the usage text by passing it through a pager program. more-help is disabled on platforms without a working fork(2) function. The PAGER environment variable is -used to select the program, defaulting to more. Both will exit +used to select the program, defaulting to more. Both will exit with a status code of 0. -

    ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10
    +
    ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11
     Usage:  ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
       Flg Arg Option-Name    Description
        -b Num imbits         identity modulus bits
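Review bot: in the character-set sentence of the `@@ -1151,13 +1157,13 @@` hunk the new text reads `‘’!` where the neighbouring items read `‘~’` and `‘#’`, so the quotes around the exclamation mark look misplaced in the source rather than in this rendering; fix it in the option definitions or texi so the regenerated html picks it up. The 1-65535 change in the hunk before it matches the .def, man and mdoc copies. The usage example at the end of this group moves from "Ver. 4.2.8p10" to "4.2.8p11", which shows this html had not been regenerated for p11 until now.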
    @@ -1295,18 +1303,20 @@ The following option preset mechanisms are supported:
     Please send bug reports to:  <http://bugs.ntp.org, bugs@ntp.org>
     

    imbits option (-b)

    This is the “identity modulus bits” option. -This option takes a number argument imbits. +This option takes a number argument imbits.

    This option has some usage constraints. It:

      @@ -1315,18 +1325,20 @@ This option takes a number argument imbits.

      The number of bits in the identity modulus. The default is 256.

      + +


      -Next: , +Next: , Previous: ntp-keygen imbits, Up: ntp-keygen Invocation -
      +

      certificate option (-c)

      This is the “certificate scheme” option. -This option takes a string argument scheme. +This option takes a string argument scheme.

      This option has some usage constraints. It:

        @@ -1342,18 +1354,20 @@ Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5.

        cipher option (-C)

        This is the “privatekey cipher” option. -This option takes a string argument cipher. +This option takes a string argument cipher.

        This option has some usage constraints. It:

          @@ -1365,11 +1379,13 @@ private keys. The default is three-key triple DES in CBC mode, equivalent to "-C des-ede3-cbc". The openssl tool lists ciphers available in "openssl -h" output.

          id-key option (-e)

          @@ -1386,11 +1402,13 @@ This is the “write iff or gq identity keys” option. the standard output. This is intended for automatic key distribution by email.

          gq-params option (-G)

          @@ -1406,11 +1424,13 @@ This is the “generate gq parameters and keys” option.

          Generate parameters and keys for the GQ identification scheme, obsoleting any that may exist.

          host-key option (-H)

          @@ -1425,11 +1445,13 @@ This is the “generate rsa host key” option.

          Generate new host keys, obsoleting any that may exist.

          + +


          -Next: , +Next: , Previous: ntp-keygen host-key, Up: ntp-keygen Invocation -
          +

          iffkey option (-I)

          @@ -1445,18 +1467,20 @@ This is the “generate iff parameters” option.

          Generate parameters for the IFF identification scheme, obsoleting any that may exist.

          ident option (-i)

          This is the “set autokey group name” option. -This option takes a string argument group. +This option takes a string argument group.

          This option has some usage constraints. It:

            @@ -1473,18 +1497,20 @@ issuer names in the form host@group and should match the 'crypto ident' or 'server ident' configuration in the ntpd configuration file.

            lifetime option (-l)

            This is the “set certificate lifetime” option. -This option takes a number argument lifetime. +This option takes a number argument lifetime.

            This option has some usage constraints. It:

              @@ -1493,18 +1519,20 @@ This option takes a number argument lifetime.

              Set the certificate expiration to lifetime days from now.

              modulus option (-m)

              This is the “prime modulus” option. -This option takes a number argument modulus. +This option takes a number argument modulus.

              This option has some usage constraints. It:

                @@ -1513,11 +1541,13 @@ This option takes a number argument modulus.

                The number of bits in the prime modulus. The default is 512.

                md5key option (-M)

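Review bot: the modulus (-m) hunk keeps the context line "The number of bits in the prime modulus. The default is 512." A 512-bit modulus is well below current minimums for this kind of parameter, so if ntp-keygen still defaults to 512 the doc should say so plainly and recommend passing a larger value (2048 or more) with -m when generating identity parameters; if the default has since changed in the code, this text is stale and should be regenerated from the current definition rather than carried forward.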
                @@ -1526,11 +1556,13 @@ Up: ntp-keygen This is the “generate symmetric keys” option. Generate symmetric keys, obsoleting any that may exist.

                pvt-cert option (-P)

                @@ -1546,18 +1578,20 @@ This is the “generate pc private certificate” option.

                Generate a private certificate. By default, the program generates public certificates.

                password option (-p)

                This is the “local private password” option. -This option takes a string argument passwd. +This option takes a string argument passwd.

                This option has some usage constraints. It:

                  @@ -1570,18 +1604,20 @@ must be specified to the local ntpd via the "crypto pw password" configuration command. The default password is the local hostname.

                  export-passwd option (-q)

                  This is the “export iff or gq group keys with password” option. -This option takes a string argument passwd. +This option takes a string argument passwd.

                  This option has some usage constraints. It:

                    @@ -1594,18 +1630,20 @@ The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option –id-key (-e) for unencrypted exports.

                    subject-name option (-s)

                    This is the “set host and optionally group name” option. -This option takes a string argument host@group. +This option takes a string argument host@group.

                    This option has some usage constraints. It:

                      @@ -1623,18 +1661,20 @@ subject and issuer fields, as with -i group. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files.

                      sign-key option (-S)

                      This is the “generate sign key (rsa or dsa)” option. -This option takes a string argument sign. +This option takes a string argument sign.

                      This option has some usage constraints. It:

                        @@ -1645,11 +1685,13 @@ This option takes a string argument sign. that may exist. By default, the program uses the host key as the sign key.

                        trusted-cert option (-T)

                        @@ -1665,18 +1707,20 @@ This is the “trusted certificate (tc scheme)” option.

                        Generate a trusted certificate. By default, the program generates a non-trusted certificate.

                        mv-params option (-V)

                        This is the “generate <num> mv parameters” option. -This option takes a number argument num. +This option takes a number argument num.

                        This option has some usage constraints. It:

                          @@ -1686,32 +1730,36 @@ This option takes a number argument num.

                          Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.

                          mv-keys option (-v)

                          This is the “update <num> mv keys” option. -This option takes a number argument num. +This option takes a number argument num.

                          This option has some usage constraints. It:

                          • must be compiled in by defining AUTOKEY during the compilation.
                          -

                          This option has no doc documentation. +

                          This option has no ‘doc’ documentation.

                          presetting/configuring ntp-keygen

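Review bot: the mv-keys (-v) hunk only changes the quoting in "This option has no ‘doc’ documentation." and leaves the option undocumented, while the companion mv-params (-V) entry just above carries a description ("Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme."). Since this commit regenerates the option docs anyway, add a doc paragraph for -v stating what "update <num> mv keys" does and which files it rewrites, so both MV options are documented consistently.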
                          @@ -1729,9 +1777,9 @@ values are treated like option arguments.
                        • $PWD
                        The environment variables HOME, and PWD -are expanded and replaced when ntp-keygen runs. +are expanded and replaced when ntp-keygen runs. For any of these that are plain files, they are simply processed. -For any that are directories, then a file named .ntprc is searched for +For any that are directories, then a file named .ntprc is searched for within that directory and processed.

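Review bot: the presetting/configuring hunk is again whitespace-only, but the context it carries deserves a caveat in the doc: with $PWD in the list, ntp-keygen reads a .ntprc from whatever directory it is run in, and the hunk header context says such "values are treated like option arguments". Running the tool in a directory writable by another user therefore lets a planted .ntprc silently preset options such as -p or -C before any keys are generated. Recommend adding a sentence to this section advising users to run ntp-keygen from a trusted directory, or to check for an unexpected .ntprc there first.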
                        Configuration files may be in a wide variety of formats. @@ -1773,64 +1821,73 @@ detail to provide. The default is to print just the version. The licensing inf Only the first letter of the argument is examined:

                        -
                        version
                        Only print the version. This is the default. -
                        copyright
                        Name the copyright usage licensing terms. -
                        verbose
                        Print the full copyright usage licensing terms. +
                        version
                        Only print the version. This is the default. +
                        copyright
                        Name the copyright usage licensing terms. +
                        verbose
                        Print the full copyright usage licensing terms.
                        + +


                        -Next: , +Next: , Previous: ntp-keygen config, Up: ntp-keygen Invocation -
                        +

                        ntp-keygen exit status

                        One of the following exit values will be returned:

                        -
                        0 (EXIT_SUCCESS)
                        Successful program execution. -
                        1 (EXIT_FAILURE)
                        The operation failed or the command syntax was not valid. -
                        66 (EX_NOINPUT)
                        A specified configuration file could not be loaded. -
                        70 (EX_SOFTWARE)
                        libopts had an internal operational error. Please report +
                        0 (EXIT_SUCCESS)
                        Successful program execution. +
                        1 (EXIT_FAILURE)
                        The operation failed or the command syntax was not valid. +
                        66 (EX_NOINPUT)
                        A specified configuration file could not be loaded. +
                        70 (EX_SOFTWARE)
                        libopts had an internal operational error. Please report it to autogen-users@lists.sourceforge.net. Thank you.

                        ntp-keygen Usage

                        + +


                        -Next: , +Next: , Previous: ntp-keygen Usage, Up: ntp-keygen Invocation -
                        +

                        ntp-keygen Notes

                        + +


                        -Previous: ntp-keygen Notes, +Previous: ntp-keygen Notes, Up: ntp-keygen Invocation -
                        +

                        ntp-keygen Bugs

                        @@ -1858,10 +1915,11 @@ If the file is not available or cannot be written, the program exits with a message to the system log.
                        +


                        -Previous: Random Seed File, +Previous: Random Seed File, Up: Top -
                        +
                        @@ -1929,7 +1987,7 @@ it can be constructed and edited using an ordinary text editor.

                        Figure 1 shows a typical symmetric keys file used by the reference implementation. Each line of the file contains three fields, first an -integer between 1 and 65534, inclusive, representing the key identifier +integer between 1 and 65535, inclusive, representing the key identifier used in the server and peer configuration commands. Next is the key type for the message digest algorithm, which in the absence of the diff --git a/util/ntp-keygen.man.in b/util/ntp-keygen.man.in index 71dcaa5ad..2ee4b8ddb 100644 --- a/util/ntp-keygen.man.in +++ b/util/ntp-keygen.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-keygen @NTP_KEYGEN_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" +.TH ntp-keygen @NTP_KEYGEN_MS@ "24 Jul 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V) +.\" EDIT THIS FILE WITH CAUTION (in-mem file) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:24:02 AM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1054,7 +1054,7 @@ Following the header the keys are entered one per line in the format .in -4 where \f\*[I-Font]keyno\f[] -is a positive integer in the range 1-65534; +is a positive integer in the range 1-65535; \f\*[I-Font]type\f[] is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be diff --git a/util/ntp-keygen.mdoc.in b/util/ntp-keygen.mdoc.in index 8ed42c024..028696cb5 100644 --- a/util/ntp-keygen.mdoc.in +++ b/util/ntp-keygen.mdoc.in 
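Review bot: in the util/ntp-keygen.man.in header hunk the date is bumped ("27 Feb 2018" to "24 Jul 2018") while the version on the same .TH line stays "ntp (4.2.8p11)", and the "EDIT THIS FILE WITH CAUTION" comment changes from a temp path to "(in-mem file)". None of that belongs to the range fix; either regenerate the man page after the version string is bumped so date and version move together, or restrict this commit to the "1-65534" to "1-65535" line so the generated-header noise does not obscure the correction.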
@@ -1,9 +1,9 @@ -.Dd February 27 2018 +.Dd July 24 2018 .Dt NTP_KEYGEN @NTP_KEYGEN_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc) .\" -.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed July 24, 2018 at 07:23:59 AM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -943,7 +943,7 @@ Following the header the keys are entered one per line in the format .D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1\-65534; +is a positive integer in the range 1\-65535; .Ar type is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be diff --git a/util/ntp-keygen.texi b/util/ntp-keygen.texi index 92cec485a..34e6aaa9e 100644 --- a/util/ntp-keygen.texi +++ b/util/ntp-keygen.texi @@ -267,7 +267,7 @@ it can be constructed and edited using an ordinary text editor. Figure 1 shows a typical symmetric keys file used by the reference implementation. Each line of the file contains three fields, first an -integer between 1 and 65534, inclusive, representing the key identifier +integer between 1 and 65535, inclusive, representing the key identifier used in the server and peer configuration commands. Next is the key type for the message digest algorithm, which in the absence of the
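Review bot: the range text now reads 1-65535 consistently in ntp-keygen.html, ntp-keygen.man.in, ntp-keygen.mdoc.in and ntp-keygen.texi, but both the man and mdoc hunks carry the header "It has been AutoGen-ed ... From the definitions ntp-keygen-opts.def", so the generated text will revert at the next regeneration unless ntp-keygen-opts.def (not shown in this diff) carries the same 65534 to 65535 correction; please confirm that file is updated as well. It would also help to say explicitly that key ID 0 is not a valid key identifier (the man/mdoc text says "positive integer", the texi/html text says "between 1 and 65535, inclusive") and to confirm the new upper bound matches what ntpd's keys-file parser actually accepts, since the off-by-one corrected here is exactly the kind of doc/code drift that is easy to reintroduce.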