From 0b1d2011b570bbc7519dff4bd4e6eb303c9995da Mon Sep 17 00:00:00 2001 
From: Harlan Stenn Date: Tue, 25 Dec 2012 11:36:27 +0000 Subject: [PATCH] NTP_4_2_7P338 bk: 50d98fbbFzuZsg9CGWRmXsiEuEISTw --- ChangeLog | 1 + ntpd/invoke-ntp.conf.texi | 278 +++++----- ntpd/invoke-ntp.keys.texi | 18 +- ntpd/invoke-ntpd.texi | 12 +- ntpd/ntp.conf.5man | 4 +- ntpd/ntp.conf.5mdoc | 4 +- ntpd/ntp.conf.html | 2 +- ntpd/ntp.conf.man.in | 4 +- ntpd/ntp.conf.mdoc.in | 4 +- ntpd/ntp.keys.5man | 4 +- ntpd/ntp.keys.5mdoc | 4 +- ntpd/ntp.keys.html | 2 +- ntpd/ntp.keys.man.in | 4 +- ntpd/ntp.keys.mdoc.in | 4 +- ntpd/ntpd-opts.c | 8 +- ntpd/ntpd-opts.h | 6 +- ntpd/ntpd.1ntpdman | 4 +- ntpd/ntpd.1ntpdmdoc | 4 +- ntpd/ntpd.html | 2 +- ntpd/ntpd.man.in | 4 +- ntpd/ntpd.mdoc.in | 4 +- ntpdc/invoke-ntpdc.texi | 57 +- ntpdc/ntpdc-opts.c | 8 +- ntpdc/ntpdc-opts.h | 6 +- ntpdc/ntpdc.1ntpdcman | 4 +- ntpdc/ntpdc.1ntpdcmdoc | 4 +- ntpdc/ntpdc.html | 10 +- ntpdc/ntpdc.man.in | 4 +- ntpdc/ntpdc.mdoc.in | 4 +- ntpq/invoke-ntpq.texi | 14 +- ntpq/ntpq-opts.c | 8 +- ntpq/ntpq-opts.h | 6 +- ntpq/ntpq.1ntpqman | 4 +- ntpq/ntpq.1ntpqmdoc | 4 +- ntpq/ntpq.html | 912 +++++++++++++++++++++++++------- ntpq/ntpq.man.in | 4 +- ntpq/ntpq.mdoc.in | 4 +- ntpsnmpd/invoke-ntpsnmpd.texi | 4 +- ntpsnmpd/ntpsnmpd-opts.c | 8 +- ntpsnmpd/ntpsnmpd-opts.h | 6 +- ntpsnmpd/ntpsnmpd.1ntpsnmpdman | 4 +- ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc | 4 +- ntpsnmpd/ntpsnmpd.man.in | 4 +- ntpsnmpd/ntpsnmpd.mdoc.in | 4 +- packageinfo.sh | 2 +- scripts/invoke-ntp-wait.texi | 6 +- scripts/ntp-wait.1ntp-waitman | 4 +- scripts/ntp-wait.1ntp-waitmdoc | 4 +- scripts/ntp-wait.html | 6 +- scripts/ntp-wait.man.in | 4 +- scripts/ntp-wait.mdoc.in | 4 +- sntp/invoke-sntp.texi | 4 +- sntp/sntp-opts.c | 8 +- sntp/sntp-opts.h | 6 +- sntp/sntp.1sntpman | 4 +- sntp/sntp.1sntpmdoc | 4 +- sntp/sntp.html | 4 +- sntp/sntp.man.in | 4 +- sntp/sntp.mdoc.in | 4 +- util/invoke-ntp-keygen.texi | 4 +- util/ntp-keygen-opts.c | 8 +- util/ntp-keygen-opts.h | 6 +- util/ntp-keygen.1ntp-keygenman | 856 +----------------------------- 
util/ntp-keygen.1ntp-keygenmdoc | 844 +---------------------------- util/ntp-keygen.html | 440 ++++++++------- util/ntp-keygen.man.in | 856 +----------------------------- util/ntp-keygen.mdoc.in | 844 +---------------------------- 67 files changed, 1235 insertions(+), 4155 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7e6790512..2273d2cac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +(4.2.7p338) 2012/12/25 Released by Harlan Stenn * mdoc2texi fixes: Handle_ArCmFlIc, Handle_Fn, HandleQ. * ntp-keygen autogen documentation updates. * ntpq autogen docs. diff --git a/ntpd/invoke-ntp.conf.texi b/ntpd/invoke-ntp.conf.texi index c388a36ae..52ad66a47 100644 --- a/ntpd/invoke-ntp.conf.texi +++ b/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:47:38 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:32:50 AM by AutoGen 5.16.2 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -44,12 +44,11 @@ and text strings. The rest of this page describes the configuration and control options. The -"NotesonConfiguringNTPandSettingupaNTPSubnet" +"Notes on Configuring NTP and Setting up a NTP Subnet" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}) -) contains an extended discussion of these options. In addition to the discussion of general @ref{Configuration}Configuration 
@@ -145,53 +144,51 @@ equivalent classes for that address family. @item Xo [@code{burst} ] [@code{iburst} ] -[@code{version} @code{Ar} @code{version} ] +[@code{version} @code{version} ] [@code{prefer} ] -[@code{minpoll} @code{Ar} @code{minpoll} ] -[@code{maxpoll} @code{Ar} @code{maxpoll} ] +[@code{minpoll} @code{minpoll} ] +[@code{maxpoll} @code{maxpoll} ] @item Xo -[@code{key} @code{Ar} @code{key}\&| @code{Cm} @code{autokey} ] +[@code{key} @code{key} @code{\&|} @code{Cm} @code{autokey} ] [@code{burst} ] [@code{iburst} ] -[@code{version} @code{Ar} @code{version} ] +[@code{version} @code{version} ] [@code{prefer} ] -[@code{minpoll} @code{Ar} @code{minpoll} ] -[@code{maxpoll} @code{Ar} @code{maxpoll} ] +[@code{minpoll} @code{minpoll} ] +[@code{maxpoll} @code{maxpoll} ] @item Xo -[@code{key} @code{Ar} @code{key}\&| @code{Cm} @code{autokey} ] -[@code{version} @code{Ar} @code{version} ] +[@code{key} @code{key} @code{\&|} @code{Cm} @code{autokey} ] +[@code{version} @code{version} ] [@code{prefer} ] -[@code{minpoll} @code{Ar} @code{minpoll} ] -[@code{maxpoll} @code{Ar} @code{maxpoll} ] +[@code{minpoll} @code{minpoll} ] +[@code{maxpoll} @code{maxpoll} ] @item Xo -[@code{key} @code{Ar} @code{key}\&| @code{Cm} @code{autokey} ] -[@code{version} @code{Ar} @code{version} ] +[@code{key} @code{key} @code{\&|} @code{Cm} @code{autokey} ] +[@code{version} @code{version} ] [@code{prefer} ] -[@code{minpoll} @code{Ar} @code{minpoll} ] -[@code{ttl} @code{Ar} @code{ttl} ] +[@code{minpoll} @code{minpoll} ] +[@code{ttl} @code{ttl} ] @item Xo -[@code{key} @code{Ar} @code{key}\&| @code{Cm} @code{autokey} ] -[@code{version} @code{Ar} @code{version} ] +[@code{key} @code{key} @code{\&|} @code{Cm} @code{autokey} ] +[@code{version} @code{version} ] [@code{prefer} ] -[@code{minpoll} @code{Ar} @code{minpoll} ] -[@code{maxpoll} @code{Ar} @code{maxpoll} ] -[@code{ttl} @code{Ar} @code{ttl} ] +[@code{minpoll} @code{minpoll} ] +[@code{maxpoll} @code{maxpoll} ] +[@code{ttl} @code{ttl} ] @end multitable 
These five commands specify the time server name or address to be used and the mode in which to operate. The -@kbd{address} can be +@code{address} can be either a DNS name or an IP address in dotted-quad notation. Additional information on association behavior can be found in the -"AssociationManagement" +"Association Management" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. @table @samp @item Ic For type s addresses, this command mobilizes a persistent @@ -233,7 +230,7 @@ broadcast messages go only to the interface associated with the subnet specified, but multicast messages go to all interfaces. In broadcast mode the local server sends periodic broadcast messages to a client population at the -@kbd{address} specified, which is usually the broadcast address on (one of) the +@code{address} specified, which is usually the broadcast address on (one of) the local network(s) or a multicast address assigned to NTP. The IANA has assigned the multicast group address IPv4 224.0.1.1 and @@ -266,7 +263,7 @@ discovered as the result of broadcast/multicast messages. The client broadcasts a request message to the group address associated with the specified -@kbd{address} and specifically enabled +@code{address} and specifically enabled servers respond to these messages. The client selects the servers providing the best time and continues as with the @@ -311,7 +308,7 @@ is started with the @item Cm All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified -@kbd{key} identifier with values from 1 to 65534, inclusive. +@code{key} identifier with values from 1 to 65534, inclusive. The default is to include no encryption field. @item Cm 
@@ -334,20 +331,19 @@ All other things being equal, this host will be chosen for synchronization among a set of correctly operating hosts. See the -"MitigationRulesandthepreferKeyword" +"Mitigation Rules and the prefer Keyword" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}) -) for further information. @item Cm This option is used only with broadcast server and manycast client modes. It specifies the time-to-live -@kbd{ttl} to +@code{ttl} to use on broadcast server and multicast server and the maximum -@kbd{ttl} for the expanding ring search with manycast +@code{ttl} for the expanding ring search with manycast client packets. Selection of the proper value, which defaults to 127, is something of a black art and should be coordinated with the @@ -561,7 +557,6 @@ Keys and related information are specified in a key file, usually called @file{ntp.keys}, -, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used 
@@ -842,20 +837,20 @@ Specifies the key identifier to use with the utility, which uses the standard protocol defined in RFC-1305. The -@kbd{key} argument is +@code{key} argument is the key identifier for a trusted key, where the value can be in the range 1 to 65,534, inclusive. @item Xo -[@code{cert} @code{Ar} @code{file} ] -[@code{leap} @code{Ar} @code{file} ] -[@code{randfile} @code{Ar} @code{file} ] -[@code{host} @code{Ar} @code{file} ] -[@code{sign} @code{Ar} @code{file} ] -[@code{gq} @code{Ar} @code{file} ] -[@code{gqpar} @code{Ar} @code{file} ] -[@code{iffpar} @code{Ar} @code{file} ] -[@code{mvpar} @code{Ar} @code{file} ] -[@code{pw} @code{Ar} @code{password} ] +[@code{cert} @code{file} ] +[@code{leap} @code{file} ] +[@code{randfile} @code{file} ] +[@code{host} @code{file} ] +[@code{sign} @code{file} ] +[@code{gq} @code{file} ] +[@code{gqpar} @code{file} ] +[@code{iffpar} @code{file} ] +[@code{mvpar} @code{file} ] +[@code{pw} @code{password} ] This command requires the OpenSSL library. It activates public key cryptography, selects the message digest and signature 
@@ -868,42 +863,29 @@ location of a file is relative to the keys directory specified in the @code{keysdir} command or default @file{/usr/local/etc}. -. Following are the subcommands: @table @samp @item Cm Specifies the location of the required host public certificate file. This overrides the link @file{ntpkey_cert_}NsArhostname -Ns -Ar -hostname in the keys directory. @item Cm Specifies the location of the optional GQ parameters file. This overrides the link @file{ntpkey_gq_}NsArhostname -Ns -Ar -hostname in the keys directory. @item Cm Specifies the location of the required host key file. This overrides the link @file{ntpkey_key_}NsArhostname -Ns -Ar -hostname in the keys directory. @item Cm Specifies the location of the optional IFF parameters file.This overrides the link @file{ntpkey_iff_}NsArhostname -Ns -Ar -hostname in the keys directory. @item Cm Specifies the location of the optional leapsecond file. @@ -915,9 +897,6 @@ Specifies the location of the optional MV parameters file. This overrides the link @file{ntpkey_mv_}NsArhostname -Ns -Ar -hostname in the keys directory. @item Cm Specifies the password to decrypt files containing private keys and @@ -933,9 +912,6 @@ Specifies the location of the optional sign key file. This overrides the link @file{ntpkey_sign_}NsArhostname -Ns -Ar -hostname in the keys directory. If this file is not found, the host key is also the sign key. @@ -964,7 +940,6 @@ This command specifies the default directory path for cryptographic keys, parameters and certificates. The default is @file{/usr/local/etc/}. -. .It Ic requestkey @@ -976,7 +951,7 @@ utility program, which uses a proprietary protocol specific to this implementation of @code{ntpd(1ntpdmdoc)}. The -@kbd{key} argument is a key identifier +@code{key} argument is a key identifier for the trusted key, where the value can be in the range 1 to 65,534, inclusive. .It 
@@ -1012,7 +987,7 @@ and remote servers share the same key and key identifier for this purpose, although different keys can be used with different servers. The -@kbd{key} arguments are 32-bit unsigned +@code{key} arguments are 32-bit unsigned integers with values from 1 to 65,534. @end multitable 
@@ -1025,51 +1000,51 @@ The following error codes are reported via the NTP control and monitoring protocol trap mechanism. @table @samp @item 101 -(badfieldformatorlength) +(bad field format or length) The packet has invalid version, length or format. @item 102 -(badtimestamp) +(bad timestamp) The packet timestamp is the same or older than the most recent received. This could be due to a replay or a server clock time step. @item 103 -(badfilestamp) +(bad filestamp) The packet filestamp is the same or older than the most recent received. This could be due to a replay or a key file generation error. @item 104 -(badormissingpublickey) +(bad or missing public key) The public key is missing, has incorrect format or is an unsupported type. @item 105 -(unsupporteddigesttype) +(unsupported digest type) The server requires an unsupported digest/signature scheme. @item 106 -(mismatcheddigesttypes) +(mismatched digest types) Not used. @item 107 -(badsignaturelength) +(bad signature length) The signature length does not match the current public key. @item 108 -(signaturenotverified) +(signature not verified) The message fails the signature check. It could be bogus or signed by a different private key. @item 109 -(certificatenotverified) +(certificate not verified) The certificate is invalid or signed with the wrong key. @item 110 -(certificatenotverified) +(certificate not verified) The certificate is not yet valid or has expired or the signature could not be verified. @item 111 -(badormissingcookie) +(bad or missing cookie) The cookie is missing, corrupted or bogus. @item 112 -(badormissingleapsecondstable) +(bad or missing leapseconds table) The leapseconds table is missing, corrupted or bogus. @item 113 -(badormissingcertificate) +(bad or missing certificate) The certificate is missing, corrupted or bogus. @item 114 -(badormissingidentity) +(bad or missing identity) The identity key is missing, corrupt or bogus. @end multitable 
@@ -1105,7 +1080,7 @@ Commands @item Ic Enables writing of statistics records. Currently, four kinds of -@kbd{name} statistics are supported. +@code{name} statistics are supported. @table @samp @item Cm Enables recording of clock driver statistics information. @@ -1264,8 +1239,8 @@ filegen Ar name Xo -[@code{file} @code{Ar} @code(unknown) ] -[@code{type} @code{Ar} @code{typename} ] +[@code{file} @code(unknown) ] +[@code{type} @code{typename} ] [@code{link} | @code{nolink} ] [@code{enable} | @code{disable} ] Configures setting of generation file set name. 
@@ -1296,35 +1271,35 @@ This is the type of the statistics records, as shown in the This is the file name for the statistics records. Filenames of set members are built from three concatenated elements -@kbd{Cm} @kbd{prefix}, @kbd{Cm} @kbd(unknown) and -@kbd{Cm} @kbd{suffix}: @table @samp +@code{Cm} @code{prefix}, @code{Cm} @code(unknown) and +@code{Cm} @code{suffix}: @table @samp @item Cm This is a constant filename path. It is not subject to modifications via the -@kbd{filegen} option. +@code{filegen} option. It is defined by the server, usually specified as a compile-time constant. It may, however, be configurable for individual file generation sets via other commands. For example, the prefix used with -@kbd{loopstats} and -@kbd{peerstats} generation can be configured using the -@kbd{statsdir} option explained above. +@code{loopstats} and +@code{peerstats} generation can be configured using the +@code{statsdir} option explained above. @item Cm This string is directly concatenated to the prefix mentioned above (no intervening -@quoteleft{}/).@quoteright{} +@quoteleft{}/ ) .@quoteright{} This can be modified using the file argument to the -@kbd{filegen} statement. +@code{filegen} statement. No @file{..} elements are allowed in this component to prevent filenames referring to parts outside the filesystem hierarchy denoted by -@kbd{prefix}. @item Cm +@code{prefix}. @item Cm This part is reflects individual elements of a file set. It is generated according to the type of a file set. @@ -1352,8 +1327,8 @@ server incarnations. The set member filename is built by appending a @quoteleft{}\&.@quoteright{} to concatenated -@kbd{prefix} and -@kbd(unknown) strings, and +@code{prefix} and +@code(unknown) strings, and appending the decimal representation of the process ID of the @code{ntpd(1ntpdmdoc)} server process. 
@@ -1371,7 +1346,7 @@ the form @code{dd} is a two digit day number. Thus, all information written at 10 December 1992 would end up in a file named -@kbd{prefix} @kbd(unknown) @kbd{Ns}.19921210. @item Cm +@code{prefix} @code(unknown) @code{Ns} @code{.19921210}. @item Cm Any file set member contains data related to a certain week of a year. The term week is defined by computing day-of-year @@ -1462,13 +1437,11 @@ The list is searched in order with the last match found defining the restriction flags associated with the entry. Additional information and examples can be found in the -"NotesonConfiguringNTPandSettingupaNTPSubnet" +"Notes on Configuring NTP and Setting up a NTP Subnet" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. The restriction facility was implemented in conformance with the access policies for the original NSFnet backbone @@ -1542,9 +1515,9 @@ Control Commands @table @samp @item Xo -[@code{average} @code{Ar} @code{avg} ] -[@code{minimum} @code{Ar} @code{min} ] -[@code{monitor} @code{Ar} @code{prob} ] +[@code{average} @code{avg} ] +[@code{minimum} @code{min} ] +[@code{monitor} @code{prob} ] Set the parameters of the @code{limited} facility which protects the server from client abuse. 
@@ -1559,20 +1532,20 @@ minimum average and minimum are 5 and 2, respectively. The monitor subcommand specifies the probability of discard for packets that overflow the rate-control window. @item Xo -[@code{mask} @code{Ar} @code{mask} ] -[@kbd{flag}... ] +[@code{mask} @code{mask} ] +[@code{flag} @code{...} ] The -@kbd{address} argument expressed in +@code{address} argument expressed in dotted-quad form is the address of a host or network. Alternatively, the -@kbd{address} argument can be a valid host DNS name. +@code{address} argument can be a valid host DNS name. The -@kbd{mask} argument expressed in dotted-quad form defaults to -255.255.255.255, meaning that the -@kbd{address} is treated as the address of an individual host. +@code{mask} argument expressed in dotted-quad form defaults to +@code{255.255.255.255}, meaning that the +@code{address} is treated as the address of an individual host. A default entry (address -0.0.0.0, mask -0.0.0.0) is always included and is always the first entry in the list. +@code{0.0.0.0}, mask +@code{0.0.0.0}) is always included and is always the first entry in the list. Note that text string @code{default}, with no mask option, may be used to indicate the default entry. @@ -1980,7 +1953,7 @@ Options @table @samp @item Xo .Oo -@code{ceiling} @code{Ar} @code{ceiling} | @code{cohort}{ @code{0} | @code{1}} | @code{floor} @code{Ar} @code{floor} | @code{minclock} @code{Ar} @code{minclock} | @code{minsane} @code{Ar} @code{minsane} .Oc +@code{ceiling} @code{ceiling} | @code{cohort}{ @code{0} | @code{1}} | @code{floor} @code{floor} | @code{minclock} @code{minclock} | @code{minsane} @code{minsane} .Oc This command affects the clock selection and clustering algorithms. It can be used to select the quality and 
@@ -2055,45 +2028,37 @@ satellite and modem reference clocks plus a special pseudo-clock used for backup or when no other clock source is available. Detailed descriptions of individual device drivers and options can be found in the -"ReferenceClockDrivers" +"Reference Clock Drivers" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. Additional information can be found in the pages linked there, including the -"DebuggingHintsforReferenceClockDrivers" +"Debugging Hints for Reference Clock Drivers" and -"HowToWriteaReferenceClockDriver" +"How To Write a Reference Clock Driver" pages (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. In addition, support for a PPS signal is available as described in the -"Pulse-per-second(PPS)SignalInterfacing" +"Pulse-per-second (PPS) Signal Interfacing" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. Many drivers support special line discipline/streams modules which can significantly improve the accuracy using the driver. These are described in the -"LineDisciplinesandStreamsDrivers" +"Line Disciplines and Streams Drivers" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. A reference clock will generally (though not always) be a radio timecode receiver which is synchronized to a source of standard @@ -2133,9 +2098,9 @@ u .Sm on where -@kbd{t} is an integer +@code{t} is an integer denoting the clock type and -@kbd{u} indicates the unit +@code{u} indicates the unit number in the range 0-3. While it may seem overkill, it is in fact sometimes useful to configure multiple reference clocks of the same 
@@ -2144,7 +2109,7 @@ type, in which case the unit numbers must be unique. The @code{server} command is used to configure a reference clock, where the -@kbd{address} argument in that command +@code{address} argument in that command is the clock address. The @code{key}, @code{version} and @@ -2158,11 +2123,10 @@ persuade the server to cherish a reference clock with somewhat more enthusiasm than other reference clocks or peers. Further information on this option can be found in the -"MitigationRulesandthepreferKeyword" +"Mitigation Rules and the prefer Keyword" (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}) -) page. The @code{minpoll} and @@ -2177,7 +2141,7 @@ information for individual clock drivers and normally follows immediately after the @code{server} command. The -@kbd{address} argument specifies the clock address. +@code{address} argument specifies the clock address. The @code{refid} and @code{stratum} options can be used to @@ -2225,9 +2189,9 @@ u .Sm on [@code{prefer} ] -[@code{mode} @code{Ar} @code{int} ] -[@code{minpoll} @code{Ar} @code{int} ] -[@code{maxpoll} @code{Ar} @code{int} ] +[@code{mode} @code{int} ] +[@code{minpoll} @code{int} ] +[@code{maxpoll} @code{int} ] This command can be used to configure reference clocks in special ways. The options are interpreted as follows: @@ -2238,12 +2202,11 @@ All other things being equal, this host will be chosen for synchronization among a set of correctly operating hosts. See the -"MitigationRulesandthepreferKeyword" +"Mitigation Rules and the prefer Keyword" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}) -) for further information. @item Cm Specifies a mode number which is interpreted in a 
@@ -2281,15 +2244,15 @@ Ar u .Sm on -[@code{time1} @code{Ar} @code{sec} ] -[@code{time2} @code{Ar} @code{sec} ] -[@code{stratum} @code{Ar} @code{int} ] -[@code{refid} @code{Ar} @code{string} ] -[@code{mode} @code{Ar} @code{int} ] -[@code{flag1} @code{Cm} @code{0}\&| @code{Cm} @code{1} ] -[@code{flag2} @code{Cm} @code{0}\&| @code{Cm} @code{1} ] -[@code{flag3} @code{Cm} @code{0}\&| @code{Cm} @code{1} ] -[@code{flag4} @code{Cm} @code{0}\&| @code{Cm} @code{1} ] +[@code{time1} @code{sec} ] +[@code{time2} @code{sec} ] +[@code{stratum} @code{int} ] +[@code{refid} @code{string} ] +[@code{mode} @code{int} ] +[@code{flag1} @code{Cm} @code{0} @code{\&|} @code{Cm} @code{1} ] +[@code{flag2} @code{Cm} @code{0} @code{\&|} @code{Cm} @code{1} ] +[@code{flag3} @code{Cm} @code{0} @code{\&|} @code{Cm} @code{1} ] +[@code{flag4} @code{Cm} @code{0} @code{\&|} @code{Cm} @code{1} ] This command can be used to configure reference clocks in special ways. It must immediately follow the @@ -2325,25 +2288,21 @@ It takes the form of an argument to the @ref{Miscellaneous}Miscellaneous Options page and operates as described in the -"ReferenceClockDrivers" +"Reference Clock Drivers" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. @item Cm Specifies a fixed-point decimal number in seconds, which is interpreted in a driver-dependent way. See the descriptions of specific drivers in the -"ReferenceClockDrivers" +"Reference Clock Drivers" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. @item Cm Specifies the stratum number assigned to the driver, an integer between 0 and 15. 
@@ -2488,11 +2447,10 @@ this flag is Enables the pulse-per-second (PPS) signal when frequency and time is disciplined by the precision time kernel modifications. See the -"AKernelModelforPrecisionTimekeeping" +"A Kernel Model for Precision Timekeeping" (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}) -) page for further information. The default for this flag is @code{disable}. @item Cm @@ -2531,11 +2489,11 @@ facility or the alternate @code{logfile} log file. By default, all output is turned on. All -@kbd{configkeyword} keywords can be prefixed with -@quoteleft{}=,@quoteright{} +@code{configkeyword} keywords can be prefixed with +@quoteleft{}= ,@quoteright{} @quoteleft{}+@quoteright{} and -@quoteleft{}-,@quoteright{} +@quoteleft{}- ,@quoteright{} where @quoteleft{}=@quoteright{} sets the @@ -2667,7 +2625,7 @@ Xo Ic tinker .Oo -@code{allan} @code{Ar} @code{allan} | @code{dispersion} @code{Ar} @code{dispersion} | @code{freq} @code{Ar} @code{freq} | @code{huffpuff} @code{Ar} @code{huffpuff} | @code{panic} @code{Ar} @code{panic} | @code{step} @code{Ar} @code{srep} | @code{stepout} @code{Ar} @code{stepout} .Oc +@code{allan} @code{allan} | @code{dispersion} @code{dispersion} | @code{freq} @code{freq} | @code{huffpuff} @code{huffpuff} | @code{panic} @code{panic} | @code{step} @code{srep} | @code{stepout} @code{stepout} .Oc This command can be used to alter several system variables in very exceptional circumstances. It should occur in the @@ -2738,8 +2696,8 @@ Ic trap Ar host_address -[@code{port} @code{Ar} @code{port_number} ] -[@code{interface} @code{Ar} @code{interface_address} ] +[@code{port} @code{port_number} ] +[@code{interface} @code{interface_address} ] This command configures a trap receiver at the given host address and port number for sending messages with the specified local interface address. diff --git a/ntpd/invoke-ntp.keys.texi b/ntpd/invoke-ntp.keys.texi index a825b3400..fc29a84b0 100644 --- a/ntpd/invoke-ntp.keys.texi 
+++ b/ntpd/invoke-ntp.keys.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:52:41 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:34:16 AM by AutoGen 5.16.2 # From the definitions ntp.keys.def # and the template file agtexi-file.tpl @end ignore @@ -15,7 +15,7 @@ This document describes the format of an NTP symmetric key file. For a description of the use of this type of file, see the -"AuthenticationSupport" +"Authentication Support" section of the @code{ntp.conf(5)} page. @@ -41,17 +41,17 @@ type key where -@kbd{keyno} is a positive integer (between 1 and 65534), -@kbd{type} is the message digest algorithm, +@code{keyno} is a positive integer (between 1 and 65534), +@code{type} is the message digest algorithm, and -@kbd{key} is the key itself. +@code{key} is the key itself. The -@kbd{key} may be given in a format +@code{key} may be given in a format controlled by the -@kbd{type} field. +@code{type} field. The -@kbd{type} .Li +@code{type} .Li MD5 is always supported. If @@ -60,7 +60,7 @@ ntpd was built with the OpenSSL library then any digest library supported by that library may be specified. However, if compliance with FIPS 140-2 is required the -@kbd{type} must be either +@code{type} must be either .Li SHA or diff --git a/ntpd/invoke-ntpd.texi b/ntpd/invoke-ntpd.texi index 5fcd8094c..fd0734a18 100644 --- a/ntpd/invoke-ntpd.texi +++ b/ntpd/invoke-ntpd.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpd.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:52:48 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:34:26 AM by AutoGen 5.16.2 # From the definitions ntpd-opts.def # and the template file agtexi-cmd.tpl @end ignore 
@@ -140,7 +140,7 @@ with a status code of 0. @exampleindent 0 @example -ntpd - NTP daemon program - Ver. 4.2.7p337 +ntpd - NTP daemon program - Ver. 4.2.7p338 USAGE: ntpd [ - [] | --[@{=| @}] ]... \ [ ... ] Flg Arg Option-Name Description @@ -824,7 +824,7 @@ is to quickly correct the frequency and restore operation to the normal tracking mode. In the most extreme cases (the host -time.ien.it comes to mind), there may be occasional +@code{time.ien.it} comes to mind), there may be occasional step/slew corrections and subsequent frequency corrections. It helps in these cases to use the @@ -893,7 +893,6 @@ The behavior at startup depends on whether the frequency file, usually @file{ntp.drift}, -, exists. This file contains the latest estimate of clock frequency error. @@ -928,13 +927,11 @@ The utility can operate in any of several modes, including symmetric active/passive, client/server broadcast/multicast and manycast, as described in the -"AssociationManagement" +"Association Management" page (available as part of the HTML documentation provided in @file{/usr/share/doc/ntp}). -) -. It normally operates continuously while monitoring for small changes in frequency and trimming the clock for the ultimate precision. @@ -1129,7 +1126,6 @@ http://www.ntp.org/ . A snapshot of this documentation is available in HTML format in @file{/usr/share/doc/ntp}. -. .Rs .%A David diff --git a/ntpd/ntp.conf.5man b/ntpd/ntp.conf.5man index cfe60da40..7e34b5a1e 100644 --- a/ntpd/ntp.conf.5man +++ b/ntpd/ntp.conf.5man @@ -1,8 +1,8 @@ -.TH ntp.conf 5man "22 Dec 2012" "4.2.7p337" "File Formats" +.TH ntp.conf 5man "25 Dec 2012" "4.2.7p338" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (ntp.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:47:25 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:32:38 AM by AutoGen 5.16.2 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .\" 
diff --git a/ntpd/ntp.conf.5mdoc b/ntpd/ntp.conf.5mdoc
index 4a4ed734b..3a5bbdd54 100644
--- a/ntpd/ntp.conf.5mdoc
+++ b/ntpd/ntp.conf.5mdoc
@@ -1,9 +1,9 @@
-.Dd December 22 2012
+.Dd December 25 2012
 .Dt NTP_CONF 5mdoc File Formats
 .Os SunOS 5.10
 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
 .\"
-.\" It has been AutoGen-ed December 22, 2012 at 11:52:50 AM by AutoGen 5.16.2
+.\" It has been AutoGen-ed December 25, 2012 at 11:34:28 AM by AutoGen 5.16.2
 .\" From the definitions ntp.conf.def
 .\" and the template file agmdoc-cmd.tpl
 .Sh NAME
diff --git a/ntpd/ntp.conf.html b/ntpd/ntp.conf.html
index 10c4b36a0..c37cc770d 100644
--- a/ntpd/ntp.conf.html
+++ b/ntpd/ntp.conf.html
@@ -33,7 +33,7 @@ Up: (dir)

This document describes the configuration file for the NTP Project's ntpd program. -

This document applies to version 4.2.7p337 of ntp.conf. +

This document applies to version 4.2.7p338 of ntp.conf.

-


-Next: , +Next: , Previous: Top, Up: Top - +
@@ -103,18 +99,549 @@ The description on this page is for the NTPv4 variables.

For examples and usage, see the NTP Debugging Techniques page.

-


-Next: , + +
+
+ +

Invoking ntpq

+ +

+ +

The +ntpq +utility program is used to query NTP servers which +implement the standard NTP mode 6 control message formats defined +in Appendix B of the NTPv3 specification RFC1305, requesting +information about current state and/or changes in that state. +The same formats are used in NTPv4, although some of the +variables have changed and new ones added. The description on this +page is for the NTPv4 variables. +The program may be run either in interactive mode or controlled using +command line arguments. +Requests to read and write arbitrary +variables can be assembled, with raw and pretty-printed output +options being available. +The +ntpq +utility can also obtain and print a +list of peers in a common format by sending multiple queries to the +server. + +

If one or more request options is included on the command line +when +ntpq +is executed, each of the requests will be sent +to the NTP servers running on each of the hosts given as command +line arguments, or on localhost by default. +If no request options +are given, +ntpq +will attempt to read commands from the +standard input and execute these on the NTP server running on the +first host given on the command line, again defaulting to localhost +when no other host is specified. +The +ntpq +utility will prompt for +commands if the standard input is a terminal device. + +

ntpq +uses NTP mode 6 packets to communicate with the +NTP server, and hence can be used to query any compatible server on +the network which permits it. +Note that since NTP is a UDP protocol +this communication will be somewhat unreliable, especially over +large distances in terms of network topology. +The +ntpq +utility makes +one attempt to retransmit requests, and will time requests out if +the remote host is not heard from within a suitable timeout +time. + +

Specifying a +command line option other than +-i or +-n will +cause the specified query (queries) to be sent to the indicated +host(s) immediately. +Otherwise, +ntpq +will attempt to read +interactive format commands from the standard input. +

+


+ +
+
+ +

Internal Commands

+ +

Internal Commands +Interactive format commands consist of a keyword followed by zero +to four arguments. +Only enough characters of the full keyword to +uniquely identify the command need be typed. + +

A +number of interactive format commands are executed entirely within +the +ntpq +utility itself and do not result in NTP mode 6 +requests being sent to a server. +These are described following. +

+
Ic
Ic
A +\&? +by itself will print a list of all the command +keywords known to this incarnation of +ntpq. +A +\&? +followed by a command keyword will print function and usage +information about the command. +This command is probably a better +source of information about +ntpq +than this manual +page. +
Ic
...
Ic
Ic
The data carried by NTP mode 6 messages consists of a list of +items of the form +variable_name=value, +where the +=value +is ignored, and can be omitted, +in requests to the server to read variables. +The +ntpq +utility maintains an internal list in which data to be included in control +messages can be assembled, and sent using the +readlist and +writelist commands described below. +The +addvars command allows variables and their optional values to be added to +the list. +If more than one variable is to be added, the list should +be comma-separated and not contain white space. +The +rmvars command can be used to remove individual variables from the list, +while the +clearlist command removes all variables from the +list. +
Ic
Normally +ntpq +does not authenticate requests unless +they are write requests. +The command +authenticateyes +causes +ntpq +to send authentication with all requests it +makes. +Authenticated requests causes some servers to handle +requests slightly differently, and can occasionally melt the CPU in +fuzzballs if you turn authentication on before doing a +peer display. +The command +authenticate +causes +ntpq +to display whether or not +ntpq +is currently autheinticating requests. +
Ic
Causes output from query commands to be "cooked", so that +variables which are recognized by +ntpq +will have their +values reformatted for human consumption. +Variables which +ntpq +thinks should have a decodable value but didn't are +marked with a trailing +\&?. +
Xo
debug .Oo +more | less | off .Oc +With no argument, displays the current debug level. +Otherwise, the debug level is changed to the indicated level. +
Ic
Specify a time interval to be added to timestamps included in +requests which require authentication. +This is used to enable +(unreliable) server reconfiguration over long delay network paths +or between machines whose clocks are unsynchronized. +Actually the +server does not now require timestamps in authenticated requests, +so this command may be obsolete. +
Ic
Set the host to which future queries will be sent. +hostname may be either a host name or a numeric address. +
Ic
If +yes is specified, host names are printed in +information displays. +If +no is specified, numeric +addresses are printed instead. +The default is +yes, unless +modified using the command line +-n switch. +
Ic
This command allows the specification of a key number to be +used to authenticate configuration requests. +This must correspond +to a key number the server has been configured to use for this +purpose. +
Ic
1 | 2 | 3 | 4 .Oc +Sets the NTP version number which +ntpq +claims in +packets. +Defaults to 3, and note that mode 6 control messages (and +modes, for that matter) didn't exist in NTP version 1. +There appear +to be no servers left which demand version 1. +With no argument, displays the current NTP version that will be used +when communicating with servers. +
Ic
Exit +ntpq +
Ic
This command prompts you to type in a password (which will not +be echoed) which will be used to authenticate configuration +requests. +The password must correspond to the key configured for +use by the NTP server for this purpose if such requests are to be +successful. +
Ic
Causes all output from query commands is printed as received +from the remote server. +The only formating/interpretation done on +the data is to transform nonascii data into a printable (but barely +understandable) form. +
Ic
Specify a timeout period for responses to server queries. +The +default is about 5000 milliseconds. +Note that since +ntpq +retries each query once after a timeout, the total waiting time for +a timeout will be twice the timeout value set. + +

This section was generated by AutoGen, +using the agtexi-cmd template and the option descriptions for the ntpq program. +This software is released under the NTP license, <http://ntp.org/license>. + +

+ +
+


+Next: , +Up: Internal Commands +
+
+ +

ntpq help/usage (--help)

+ +

+This is the automatically generated usage text for ntpq. + +

The text printed is the same whether selected with the help option +(--help) or the more-help option (--more-help). more-help will print +the usage text by passing it through a pager program. +more-help is disabled on platforms without a working +fork(2) function. The PAGER environment variable is +used to select the program, defaulting to more. Both will exit +with a status code of 0. + +

     ntpq - standard NTP query program - Ver. 4.2.7p337
+     USAGE:  ntpq [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]
+       Flg Arg Option-Name    Description
+        -4 no  ipv4           Force IPv4 DNS name resolution
+                                     - prohibits these options:
+                                     ipv6
+        -6 no  ipv6           Force IPv6 DNS name resolution
+                                     - prohibits these options:
+                                     ipv4
+        -c Str command        run a command and exit
+                                     - may appear multiple times
+        -d no  debug-level    Increase debug verbosity level
+                                     - may appear multiple times
+        -D Num set-debug-level Set the debug verbosity level
+                                     - may appear multiple times
+        -p no  peers          Print a list of the peers
+                                     - prohibits these options:
+                                     interactive
+        -i no  interactive    Force ntpq to operate in interactive mode
+                                     - prohibits these options:
+                                     command
+                                     peers
+        -n no  numeric        numeric host addresses
+           no  old-rv         Always output status line with readvar
+           opt version        Output version information and exit
+        -? no  help           Display extended usage information and exit
+        -! no  more-help      Extended usage information passed thru pager
+        -> opt save-opts      Save the option state to a config file
+        -< Str load-opts      Load options from a config file
+                                     - disabled as --no-load-opts
+                                     - may appear multiple times
+     
+     Options are specified by doubled hyphens and their name or by a single
+     hyphen and the flag character.
+     
+     The following option preset mechanisms are supported:
+      - reading file $HOME/.ntprc
+      - reading file ./.ntprc
+      - examining environment variables named NTPQ_*
+     
+     please send bug reports to:  http://bugs.ntp.org, bugs@ntp.org
+
+
+


+Next: , +Previous: ntpq usage, +Up: Internal Commands +
+
+ +

ipv4 option (-4)

+ +

+This is the “force ipv4 dns name resolution” option. + +

This option has some usage constraints. It: +

    +
  • must not appear in combination with any of the following options: +ipv6. +
+ +

Force DNS resolution of following host names on the command line +to the IPv4 namespace. +

+


+Next: , +Previous: ntpq ipv4, +Up: Internal Commands +
+
+ +

ipv6 option (-6)

+ +

+This is the “force ipv6 dns name resolution” option. + +

This option has some usage constraints. It: +

    +
  • must not appear in combination with any of the following options: +ipv4. +
+ +

Force DNS resolution of following host names on the command line +to the IPv6 namespace. +

+


+Next: , +Previous: ntpq ipv6, +Up: Internal Commands +
+
+ +

command option (-c)

+ +

+This is the “run a command and exit” option. +This option takes an argument string cmd. + +

This option has some usage constraints. It: +

    +
  • may appear an unlimited number of times. +
+ +

The following argument is interpreted as an interactive format command +and is added to the list of commands to be executed on the specified +host(s). +

+


+Next: , +Previous: ntpq command, +Up: Internal Commands +
+
+ +

peers option (-p)

+ +

+This is the “print a list of the peers” option. + +

This option has some usage constraints. It: +

    +
  • must not appear in combination with any of the following options: +interactive. +
+ +

Print a list of the peers known to the server as well as a summary +of their state. This is equivalent to the 'peers' interactive command. +

+


+Next: , +Previous: ntpq peers, +Up: Internal Commands +
+
+ +

interactive option (-i)

+ +

+This is the “force ntpq to operate in interactive mode” option. + +

This option has some usage constraints. It: +

    +
  • must not appear in combination with any of the following options: +command, peers. +
+ +

Force ntpq to operate in interactive mode. Prompts will be written +to the standard output and commands read from the standard input. +

+


+Next: , +Previous: ntpq interactive, +Up: Internal Commands +
+
+ +

numeric option (-n)

+ +

+This is the “numeric host addresses” option. +Output all host addresses in dotted-quad numeric format rather than +converting to the canonical host names. +

+


+Next: , +Previous: ntpq numeric, +Up: Internal Commands +
+
+ +

old-rv option

+ +

+This is the “always output status line with readvar” option. +By default, ntpq now suppresses the associd=... line that +precedes the output of "readvar" (alias "rv") when a single +variable is requested, such as ntpq -c "rv 0 offset". This +option causes ntpq to include both lines of output for a +single-variable readvar. Using an environment variable to +preset this option in a script will enable both older and +newer ntpq to behave identically in this regard. + +

+


+Next: , +Previous: ntpq old-rv, +Up: Internal Commands +
+
+ +

presetting/configuring ntpq

+ +

Any option that is not marked as not presettable may be preset by +loading values from configuration ("rc" or "ini") files, and values from environment variables named NTPQ and NTPQ_<OPTION_NAME>. <OPTION_NAME> must be one of +the options listed above in upper case and segmented with underscores. +The NTPQ variable will be tokenized and parsed like +the command line. The remaining variables are tested for existence and their +values are treated like option arguments. + +

libopts will search in 2 places for configuration files: +

    +
  • $HOME +
  • $PWD +
+ The environment variables HOME, and PWD +are expanded and replaced when ntpq runs. +For any of these that are plain files, they are simply processed. +For any that are directories, then a file named .ntprc is searched for +within that directory and processed. + +

Configuration files may be in a wide variety of formats. +The basic format is an option name followed by a value (argument) on the +same line. Values may be separated from the option name with a colon, +equal sign or simply white space. Values may be continued across multiple +lines by escaping the newline with a backslash. + +

Multiple programs may also share the same initialization file. +Common options are collected at the top, followed by program specific +segments. The segments are separated by lines like: +

         [NTPQ]
+    
+

or by +

         <?program ntpq>
+    
+

Do not mix these styles within one configuration file. + +

Compound values and carefully constructed string values may also be +specified using XML syntax: +

         <option-name>
+            <sub-opt>...&lt;...&gt;...</sub-opt>
+         </option-name>
+    
+

yielding an option-name.sub-opt string value of +

         "...<...>..."
+    
+

AutoOpts does not track suboptions. You simply note that it is a +hierarchicly valued option. AutoOpts does provide a means for searching +the associated name/value pair list (see: optionFindValue). + +

The command line options relating to configuration and/or usage help are: + +

version (-)
+ +

Print the program version to standard out, optionally with licensing +information, then exit 0. The optional argument specifies how much licensing +detail to provide. The default is to print just the version. The licensing infomation may be selected with an option argument. Only the +first letter of the argument is examined: + +

+
version
Only print the version. This is the default. +
copyright
Name the copyright usage licensing terms. +
verbose
Print the full copyright usage licensing terms. +
+ +
+


+Previous: ntpq config, +Up: Internal Commands +
+
+ +

ntpq exit status

+ +

One of the following exit values will be returned: +

+
0 (EXIT_SUCCESS)
Successful program execution. +
1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid. +
66 (EX_NOINPUT)
A specified configuration file could not be loaded. +
70 (EX_SOFTWARE)
libopts had an internal operational error. Please report +it to autogen-users@lists.sourceforge.net. Thank you. +
+ +
+


+Next: , Previous: ntpq Description, Up: Top - +
- +

Usage

-

What Default Flag Option +

What Default Flag Option
configuration file /etc/ntp.conf -c @@ -149,23 +676,22 @@ Up: Top keysdir
-


-Next: , +Next: , Previous: Usage, Up: Top - +
- +

Internal Commands

-

Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a >, followed by a file name, to the command line. A number of interactive format commands are executed entirely within the ntpq program itself and do not result in NTP mode-6 requests being sent to a server. These are described following. +

Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a >, followed by a file name, to the command line. A number of interactive format commands are executed entirely within the ntpq program itself and do not result in NTP mode-6 requests being sent to a server. These are described following. -

-
? [command_keyword
help [command_keyword]
A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command. +
+
? [command_keyword
help [command_keyword]
A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command. -
>addvars name [ = value] [...]
rmvars name [...]
clearvars</dt>
The arguments to these commands consist of a list of items of the form +
>addvars name [ = value] [...]
rmvars name [...]
clearvars</dt>
The arguments to these commands consist of a list of items of the form name = value, where the = value is ignored, and can be omitted in read requests. ntpq maintains an internal list in which data to be included @@ -179,61 +705,60 @@ The rmvars command can be used to remove individual variables from the list, while the clearlist command removes all variables from the list. -
cooked
Display server messages in prettyprint format. +
cooked
Display server messages in prettyprint format. -
debug more | less | off
Turns internal query program debugging on and off. +
debug more | less | off
Turns internal query program debugging on and off. -
delay milliseconds
Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +
delay milliseconds
Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. -
host name
Set the host to which future queries will be sent. +
host name
Set the host to which future queries will be sent. The name may be either a DNS name or a numeric address. -
hostnames [yes | no]
If yes is specified, host names are printed in information displays. +
hostnames [yes | no]
If yes is specified, host names are printed in information displays. If no is specified, numeric addresses are printed instead. The default is yes, unless modified using the command line -n switch. -
keyid keyid
This command specifies the key number to be used +
keyid keyid
This command specifies the key number to be used to authenticate configuration requests. This must correspond to a key ID configured in ntp.conf for this purpose. -
keytype
Specify the digest algorithm to use for authenticated requests, +
keytype
Specify the digest algorithm to use for authenticated requests, with default MD5. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: MD2, MD4, MD5, MDC2, RIPEMD160, SHA and SHA1. -
ntpversion 1 | 2 | 3 | 4
Sets the NTP version number which ntpq claims in packets. +
ntpversion 1 | 2 | 3 | 4
Sets the NTP version number which ntpq claims in packets. Defaults to 2. Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1. -
passwd
This command prompts for a password to authenticate requests. +
passwd
This command prompts for a password to authenticate requests. The password must correspond to the key ID configured in ntp.conf for this purpose. -
quit
Exit ntpq. +
quit
Exit ntpq. -
raw
Display server messages as received and without reformatting. +
raw
Display server messages as received and without reformatting. -
timeout millseconds
Specify a timeout period for responses to server queries. +
timeout millseconds
Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since ntpq retries each query once after a timeout the total waiting time for a timeout will be twice the timeout value set. -
-

- +
+

- +

Control Message Commands

-

Association IDs are used to identify system, peer and clock variables. +

Association IDs are used to identify system, peer and clock variables. System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. Most control commands send a single mode-6 message to the server @@ -243,81 +768,81 @@ which sends a series of messages, and the mreadlist and mreadvar commands, which iterate over a range of associations. -

-

+

+

associations
Display a list of mobilized associations in the form:
ind assid status conf reach auth condition last_event cnt
-


Variable Description +


Variable Description -


ind +


ind index on this list -


assid +


assid association ID -


status +


status peer status word -


conf +


conf yes: persistent, no: ephemeral -


reach +


reach yes: reachable, no: unreachable -


auth +


auth ok, yes, bad and none -


condition +


condition selection status (see the select field of the peer status word) -


last_event +


last_event event report (see the event field of the peer status word) -


cnt +


cnt event count (see the count field of the peer status word) -
+

-

clockvar assocID [name [ = value [...]] [...]] +

clockvar assocID [name [ = value [...]] [...]] cv assocID [name [ = value [...] ][...]] Display a list of See clock variables for those associations supporting a reference clock. -

:config [...] +

:config [...] Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -

config-from-file filename +

config-from-file filename Send the each line of filename to the server as run-time configuration commands in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is required. -

ifstats +

ifstats Display statistics for each local network address. Authentication is required. -

iostats +

iostats Display network and reference clock I/O statistics. -

kerninfo +

kerninfo Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. -

lassociations +

lassociations Perform the same function as the associations command, except display mobilized and unmobilized associations. -

monstats +

monstats Display monitor facility statistics. -

mrulist [limited | kod | mincount=count | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask] +

mrulist [limited | kod | mincount=count | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask] Obtain and print traffic counts collected and maintained by the monitor facility. With the exception of sort=sortorder, @@ -338,87 +863,87 @@ The sortorder defaults to lstint and may be any of any of those preceded by a minus sign (hyphen) to reverse the sort order. The output columns are: -

Column Description +

Column Description -


lstint +


lstint Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by ntpq -


avgint +


avgint Average interval in s between packets from this address. -


rstr +


rstr Restriction flags associated with this address. Most are copied unchanged from the matching restrict command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. -


r +


r Rate control indicator, either a period, L or K for no rate control response, rate limiting by discarding, or rate limiting with a KoD response, respectively. -


m +


m Packet mode.
v Packet version number. -


count +


count Packets received from this address. -


rport +


rport Source port of last packet from this address. -


remote address +


remote address DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. -
+

-

mreadvar assocID assocID [ variable_name [ = value[ ... ] - mrv assocID assocID [ variable_name [ = value[ ... ] +

mreadvar assocID assocID [ variable_name [ = value[ ... ] + mrv assocID assocID [ variable_name [ = value[ ... ] Perform the same function as the readvar command, except for a range of association IDs. This range is determined from the association list cached by the most recent associations command. -

passociations +

passociations Perform the same function as the associations command, except that it uses previously stored data rather than making a new query. -

peers +

peers Display a list of peers in the form:
[tally]remote refid st t when pool reach delay offset jitter -

Variable Description +

Variable Description
[tally] single-character code indicating current value of the select field of the peer status word. -


remote +


remote host name (or IP number) of peer -


refid +


refid association ID or kiss code. -


st +


st stratum -


t +


t u: unicast or manycast client, b: broadcast or multicast client, @@ -428,33 +953,33 @@ stratum B: broadcast server, M: multicast server. -


when +


when sec/min/hr since last received packet -


poll +


poll poll interval (log(2) s) -


reach +


reach reach shift register (octal) -


delay +


delay roundtrip delay -


offset +


offset offset of server relative to this host -


jitter +


jitter jitter -
+

-

readvar assocID name [ = value ] [,...] +

readvar assocID name [ = value ] [,...] rv assocID [ name ] [,...] Display the specified variables. If assocID is zero, @@ -471,7 +996,7 @@ Some NTP timestamps are represented in the format YYYYMMDDTTTT, where YYYY is the year, MM the month of year, DD the day of month and TTTT the time of day. -

saveconfig filename +

saveconfig filename Write the current configuration, including any runtime modifications given with :config or config-from-file, to the ntpd host's file filename. @@ -484,7 +1009,7 @@ to substitute the current date and time, for example, The filename used is stored in system variable savedconfig. Authentication is required. -

writevar assocID name = value [,...] +

writevar assocID name = value [,...] Write the specified variables. If the assocID is zero, the variables are from the system variables name space, otherwise they are from the @@ -492,12 +1017,12 @@ If the assocID is zero, the variables are from the The assocID is required, as the same name can occur in both spaces. -

System Variables, Control Message Commands, Top +

System Variables, Control Message Commands, Top

Status Words and Kiss Codes

-

The current state of the operating program is shown +

The current state of the operating program is shown in a set of status words maintained by the system and each association separately. These words are displayed in the rv and as commands @@ -507,7 +1032,7 @@ The codes, tips and short explanations are on the The page also includes a list of system and peer messages, the code for the latest of which is included in the status word. -

Information resulting from protocol machine state transitions +

Information resulting from protocol machine state transitions is displayed using an informal set of ASCII strings called kiss codes. The original purpose was for kiss-o'-death (KoD) packets sent @@ -516,337 +1041,334 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards.

-


-Next: , +Next: , Previous: Status Words and Kiss Codes, Up: Top - +
- +

System Variables

-

The following system variables appear in the rv billboard. +

The following system variables appear in the rv billboard. Not all variables are displayed in some configurations. -

Variable Description +

Variable Description -


status +


status system status word -


version +


version NTP software version and build time -


processor +


processor hardware platform and version -


system +


system operating system and version -


leap +


leap leap warning indicator (0-3) -


stratum +


stratum stratum (1-15) -


precision +


precision precision (log(2) s) -


rootdelay +


rootdelay total roundtrip delay to the primary reference clock -


rootdisp +


rootdisp total dispersion to the primary reference clock -


peer +


peer system peer association ID -


tc +


tc time constant and poll exponent (log(2) s) (3-17) -


mintc +


mintc minimum time constant (log(2) s) (3-10) -


clock +


clock date and time of day -


refid +


refid reference ID or kiss code -


reftime +


reftime reference time -


offset +


offset combined offset of server relative to this host -


sys_jitter +


sys_jitter combined system jitter -


frequency +


frequency frequency offset (PPM) relative to hardware clock -


clk_wander +


clk_wander clock frequency wander (PPM) -


clk_jitter +


clk_jitter clock jitter -


tai +


tai TAI-UTC offset (s) -


leapsec +


leapsec NTP seconds when the next leap second is/was inserted -


expire +


expire NTP seconds when the NIST leapseconds file expires -
+

-

The jitter and wander statistics are exponentially-weighted RMS averages. +

The jitter and wander statistics are exponentially-weighted RMS averages. The system jitter is defined in the NTPv4 specification; the clock jitter statistic is computed by the clock discipline module. -

When the NTPv4 daemon is compiled with the OpenSSL software library, +

When the NTPv4 daemon is compiled with the OpenSSL software library, additional system variables are displayed, including some or all of the following, depending on the particular Autokey dance: -

Variable Description +

Variable Description -


host +


host Autokey host name for this host -


ident +


ident Autokey group name for this host -


flags +


flags host flags (see Autokey specification) -


digest +


digest OpenSSL message digest algorithm -


signature +


signature OpenSSL digest/signature scheme -


update +


update NTP seconds at last signature update -


cert +


cert certificate subject, issuer and certificate flags -


until +


until NTP seconds when the certificate expires -
+

-


-Next: , +Next: , Previous: System Variables, Up: Top - +
- +

Peer Variables

-

The following peer variables appear in the rv billboard +

The following peer variables appear in the rv billboard for each association. Not all variables are displayed in some configurations. -

Variable Description +

Variable Description -


associd +


associd association ID -


status +


status peer status word -


srcadr +


srcadr
srcport source (remote) IP address and port -


dstadr +


dstadr
dstport destination (local) IP address and port -


leap +


leap leap indicator (0-3) -


stratum +


stratum stratum (0-15) -


precision +


precision precision (log(2) s) -


rootdelay +


rootdelay total roundtrip delay to the primary reference clock -


rootdisp +


rootdisp total root dispersion to the primary reference clock -


refid +


refid reference ID or kiss code -


reftime +


reftime reference time -


reach +


reach reach register (octal) -


unreach +


unreach unreach counter -


hmode +


hmode host mode (1-6) -


pmode +


pmode peer mode (1-5) -


hpoll +


hpoll host poll exponent (log(2) s) (3-17)
ppoll peer poll exponent (log(2) s) (3-17) -


headway +


headway headway (see Rate Management and the Kiss-o'-Death Packet) -


flash +


flash flash status word -


offset +


offset filter offset -


delay +


delay filter delay -


dispersion +


dispersion filter dispersion -


jitter +


jitter filter jitter -


ident +


ident Autokey group name for this association -


bias +


bias unicast/broadcast bias -


xleave +


xleave interleave delay (see NTP Interleaved Modes) -
+

-

The bias variable is calculated when the first broadcast packet is received +

The bias variable is calculated when the first broadcast packet is received after the calibration volley. It represents the offset of the broadcast subgraph relative to the unicast subgraph. The xleave variable appears only the interleaved symmetric and interleaved modes. It represents the internal queuing, buffering and transmission delays for the preceding packet. -

When the NTPv4 daemon is compiled with the OpenSSL software library, +

When the NTPv4 daemon is compiled with the OpenSSL software library, additional peer variables are displayed, including the following: -

Variable Description +

Variable Description -


flags +


flags peer flags (see Autokey specification) -


host +


host Autokey server name -


flags +


flags peer flags (see Autokey specification) -


signature +


signature OpenSSL digest/signature scheme -


initsequence +


initsequence initial key ID -


initkey +


initkey initial key index -


timestamp +


timestamp Autokey signature timestamp -
+

-


-Previous: Peer Variables, +Previous: Peer Variables, Up: Top - +
- +

Clock Variables

-

The following clock variables appear in the cv billboard for each association with a reference clock. Not all variables are displayed in some configurations. +

The following clock variables appear in the cv billboard for each association with a reference clock. Not all variables are displayed in some configurations. -

Variable Description +

Variable Description
associd association ID
status @@ -873,14 +1395,14 @@ Up: Top driver reference ID
flags driver flags -
+

-

=== +

=== -

<h4>Synopsis</h4> +

<h4>Synopsis</h4> ntpq [-inp] [-c command] [host] [...] -

<p>Command line options are described following. Specifying a command line option other than -i or -n will cause the specified query (queries) to be sent to the indicated host(s) immediately. Otherwise, ntpq will attempt to read interactive format commands from the standard input.</p> +

<p>Command line options are described following. Specifying a command line option other than -i or -n will cause the specified query (queries) to be sent to the indicated host(s) immediately. Otherwise, ntpq will attempt to read interactive format commands from the standard input.</p> <dl> <dt>-4</dt> <dd>Force DNS resolution of following host names on the command line to the IPv4 namespace.</dd> diff --git a/ntpq/ntpq.man.in b/ntpq/ntpq.man.in index 8ab4f0994..f85491d79 100644 --- a/ntpq/ntpq.man.in +++ b/ntpq/ntpq.man.in @@ -1,8 +1,8 @@ -.TH ntpq @NTPQ_MS@ "22 Dec 2012" "4.2.7p337" "User Commands" +.TH ntpq @NTPQ_MS@ "25 Dec 2012" "4.2.7p338" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntpq-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:27 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:07 AM by AutoGen 5.16.2 .\" From the definitions ntpq-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/ntpq/ntpq.mdoc.in b/ntpq/ntpq.mdoc.in index 3928bd098..706dea40a 100644 --- a/ntpq/ntpq.mdoc.in +++ b/ntpq/ntpq.mdoc.in @@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt NTPQ @NTPQ_MS@ User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:32 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:13 AM by AutoGen 5.16.2 .\" From the definitions ntpq-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/ntpsnmpd/invoke-ntpsnmpd.texi b/ntpsnmpd/invoke-ntpsnmpd.texi index b66234126..b13869da0 100644 --- a/ntpsnmpd/invoke-ntpsnmpd.texi +++ b/ntpsnmpd/invoke-ntpsnmpd.texi 
@@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpsnmpd.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:53:47 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:35:26 AM by AutoGen 5.16.2 # From the definitions ntpsnmpd-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -43,7 +43,7 @@ with a status code of 0. @exampleindent 0 @example -ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.7p337 +ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.7p338 USAGE: ntpsnmpd [ - [] | --[@{=| @}] ]... Flg Arg Option-Name Description -n no nofork Do not fork diff --git a/ntpsnmpd/ntpsnmpd-opts.c b/ntpsnmpd/ntpsnmpd-opts.c index d0c6a29ee..9bca28b67 100644 --- a/ntpsnmpd/ntpsnmpd-opts.c +++ b/ntpsnmpd/ntpsnmpd-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.c) * - * It has been AutoGen-ed December 22, 2012 at 11:53:35 AM by AutoGen 5.16.2 + * It has been AutoGen-ed December 25, 2012 at 11:35:16 AM by AutoGen 5.16.2 * From the definitions ntpsnmpd-opts.def * and the template file options * @@ -64,7 +64,7 @@ extern FILE * option_usage_fp; * ntpsnmpd option static const strings */ static char const ntpsnmpd_opt_strs[1561] = -/* 0 */ "ntpsnmpd 4.2.7p337\n" +/* 0 */ "ntpsnmpd 4.2.7p338\n" "Copyright (C) 1970-2012 The University of Delaware, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -103,14 +103,14 @@ static char const ntpsnmpd_opt_strs[1561] = /* 1360 */ "no-load-opts\0" /* 1373 */ "no\0" /* 1376 */ "NTPSNMPD\0" -/* 1385 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.7p337\n" +/* 1385 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.7p338\n" "USAGE: %s [ - [] | --[{=| }] ]...\n\0" /* 1490 */ "$HOME\0" /* 1496 */ ".\0" /* 1498 */ ".ntprc\0" /* 1505 */ "http://bugs.ntp.org, bugs@ntp.org\0" /* 1539 */ "\n\n\0" -/* 1542 */ "ntpsnmpd 4.2.7p337"; +/* 1542 */ "ntpsnmpd 4.2.7p338"; /* * nofork option description: 
diff --git a/ntpsnmpd/ntpsnmpd-opts.h b/ntpsnmpd/ntpsnmpd-opts.h index a2cbcbd50..d21865c5d 100644 --- a/ntpsnmpd/ntpsnmpd-opts.h +++ b/ntpsnmpd/ntpsnmpd-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.h) * - * It has been AutoGen-ed December 22, 2012 at 11:53:35 AM by AutoGen 5.16.2 + * It has been AutoGen-ed December 25, 2012 at 11:35:16 AM by AutoGen 5.16.2 * From the definitions ntpsnmpd-opts.def * and the template file options * @@ -75,8 +75,8 @@ typedef enum { } teOptIndex; #define OPTION_CT 8 -#define NTPSNMPD_VERSION "4.2.7p337" -#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.7p337" +#define NTPSNMPD_VERSION "4.2.7p338" +#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.7p338" /* * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/ntpsnmpd/ntpsnmpd.1ntpsnmpdman b/ntpsnmpd/ntpsnmpd.1ntpsnmpdman index 09f09a6f7..d2bbfc24b 100644 --- a/ntpsnmpd/ntpsnmpd.1ntpsnmpdman +++ b/ntpsnmpd/ntpsnmpd.1ntpsnmpdman @@ -1,8 +1,8 @@ -.TH ntpsnmpd 1ntpsnmpdman "22 Dec 2012" "4.2.7p337" "User Commands" +.TH ntpsnmpd 1ntpsnmpdman "25 Dec 2012" "4.2.7p338" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:44 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:22 AM by AutoGen 5.16.2 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc b/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc index 6245452e0..bd2d51a31 100644 --- a/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc +++ b/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc 
@@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt NTPSNMPD 1ntpsnmpdmdoc User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:49 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:28 AM by AutoGen 5.16.2 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/ntpsnmpd/ntpsnmpd.man.in b/ntpsnmpd/ntpsnmpd.man.in index 6270d33ab..0b45ce058 100644 --- a/ntpsnmpd/ntpsnmpd.man.in +++ b/ntpsnmpd/ntpsnmpd.man.in @@ -1,8 +1,8 @@ -.TH ntpsnmpd @NTPSNMPD_MS@ "22 Dec 2012" "4.2.7p337" "User Commands" +.TH ntpsnmpd @NTPSNMPD_MS@ "25 Dec 2012" "4.2.7p338" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:44 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:22 AM by AutoGen 5.16.2 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/ntpsnmpd/ntpsnmpd.mdoc.in b/ntpsnmpd/ntpsnmpd.mdoc.in index 8e9079d56..28ef87e5b 100644 --- a/ntpsnmpd/ntpsnmpd.mdoc.in +++ b/ntpsnmpd/ntpsnmpd.mdoc.in @@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt NTPSNMPD @NTPSNMPD_MS@ User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:53:49 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:28 AM by AutoGen 5.16.2 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/packageinfo.sh b/packageinfo.sh index 7c9eeff25..d5e0b6db1 100644 --- a/packageinfo.sh +++ b/packageinfo.sh @@ -70,7 +70,7 @@ CLTAG=NTP_4_2_0 # - Numeric values increment # - empty 'increments' to 1 # - NEW 'increments' to empty -point=337 +point=338 ### betapoint is normally modified by script. # ntp-stable Beta number (betapoint) 
diff --git a/scripts/invoke-ntp-wait.texi b/scripts/invoke-ntp-wait.texi index 641633db1..f5a2588af 100644 --- a/scripts/invoke-ntp-wait.texi +++ b/scripts/invoke-ntp-wait.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp-wait.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:45:37 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:30:28 AM by AutoGen 5.16.2 # From the definitions ntp-wait-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -15,10 +15,10 @@ @code{ntp-wait} will send at most -@kbd{num-tries} queries to +@code{num-tries} queries to @code{ntpd(8)}, sleeping for -@kbd{secs-between-tries} after each status return that says +@code{secs-between-tries} after each status return that says @code{ntpd(8)} has not yet produced a synchronized and stable system clock. diff --git a/scripts/ntp-wait.1ntp-waitman b/scripts/ntp-wait.1ntp-waitman index b4224ea87..6af2f6aef 100644 --- a/scripts/ntp-wait.1ntp-waitman +++ b/scripts/ntp-wait.1ntp-waitman @@ -1,8 +1,8 @@ -.TH ntp-wait 1ntp-waitman "22 Dec 2012" "ntp (4.2.7p337)" "User Commands" +.TH ntp-wait 1ntp-waitman "25 Dec 2012" "ntp (4.2.7p338)" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:45:34 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:30:24 AM by AutoGen 5.16.2 .\" From the definitions ntp-wait-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/scripts/ntp-wait.1ntp-waitmdoc b/scripts/ntp-wait.1ntp-waitmdoc index cb63c989d..ce16f6f1b 100644 --- a/scripts/ntp-wait.1ntp-waitmdoc +++ b/scripts/ntp-wait.1ntp-waitmdoc 
@@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt NTP_WAIT 1ntp-waitmdoc User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:45:40 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:30:30 AM by AutoGen 5.16.2 .\" From the definitions ntp-wait-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/scripts/ntp-wait.html b/scripts/ntp-wait.html index e40340bf2..7f446172e 100644 --- a/scripts/ntp-wait.html +++ b/scripts/ntp-wait.html @@ -41,7 +41,7 @@ until the system's time has stabilized and synchronized, and only then start any applicaitons (like database servers) that require accurate and stable time. -

This document applies to version 4.2.7p337 of ntp-wait. +

This document applies to version 4.2.7p338 of ntp-wait.

Short Contents

@@ -80,10 +80,10 @@ This can be useful at boot time, to delay the boot sequence until after

ntp-wait will send at most -num-tries queries to +num-tries queries to ntpd(8), sleeping for -secs-between-tries after each status return that says +secs-between-tries after each status return that says ntpd(8) has not yet produced a synchronized and stable system clock. diff --git a/scripts/ntp-wait.man.in b/scripts/ntp-wait.man.in index 9018187c9..dc28e0b36 100644 --- a/scripts/ntp-wait.man.in +++ b/scripts/ntp-wait.man.in @@ -1,8 +1,8 @@ -.TH ntp-wait @NTP_WAIT_MS@ "22 Dec 2012" "ntp (4.2.7p337)" "User Commands" +.TH ntp-wait @NTP_WAIT_MS@ "25 Dec 2012" "ntp (4.2.7p338)" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:45:34 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:30:24 AM by AutoGen 5.16.2 .\" From the definitions ntp-wait-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/scripts/ntp-wait.mdoc.in b/scripts/ntp-wait.mdoc.in index 1630297aa..312a1a06b 100644 --- a/scripts/ntp-wait.mdoc.in +++ b/scripts/ntp-wait.mdoc.in @@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt NTP_WAIT @NTP_WAIT_MS@ User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:45:40 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:30:30 AM by AutoGen 5.16.2 .\" From the definitions ntp-wait-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/sntp/invoke-sntp.texi b/sntp/invoke-sntp.texi index 4c4d1dab1..9f89c1b0b 100644 --- a/sntp/invoke-sntp.texi +++ b/sntp/invoke-sntp.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-sntp.texi) # -# It has been AutoGen-ed December 22, 2012 at 11:54:27 AM by AutoGen 5.16.2 +# It has been AutoGen-ed December 25, 2012 at 11:36:08 AM by AutoGen 5.16.2 # From the definitions sntp-opts.def # and the template file agtexi-cmd.tpl @end ignore 
@@ -95,7 +95,7 @@ with a status code of 0. @exampleindent 0 @example -sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p337 +sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p338 USAGE: sntp [ - [] | --[@{=| @}] ]... \ [ hostname-or-IP ...] Flg Arg Option-Name Description diff --git a/sntp/sntp-opts.c b/sntp/sntp-opts.c index 558939723..e518cc723 100644 --- a/sntp/sntp-opts.c +++ b/sntp/sntp-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (sntp-opts.c) * - * It has been AutoGen-ed December 22, 2012 at 11:42:53 AM by AutoGen 5.16.2 + * It has been AutoGen-ed December 25, 2012 at 11:26:58 AM by AutoGen 5.16.2 * From the definitions sntp-opts.def * and the template file options * @@ -73,7 +73,7 @@ extern FILE * option_usage_fp; * sntp option static const strings */ static char const sntp_opt_strs[2500] = -/* 0 */ "sntp 4.2.7p337\n" +/* 0 */ "sntp 4.2.7p338\n" "Copyright (C) 1970-2012 The University of Delaware, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -157,7 +157,7 @@ static char const sntp_opt_strs[2500] = /* 2244 */ "LOAD_OPTS\0" /* 2254 */ "no-load-opts\0" /* 2267 */ "SNTP\0" -/* 2272 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p337\n" +/* 2272 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p338\n" "USAGE: %s [ - [] | --[{=| }] ]... \\\n" "\t\t[ hostname-or-IP ...]\n\0" /* 2433 */ "$HOME\0" @@ -165,7 +165,7 @@ static char const sntp_opt_strs[2500] = /* 2441 */ ".ntprc\0" /* 2448 */ "http://bugs.ntp.org, bugs@ntp.org\0" /* 2482 */ "\n\n\0" -/* 2485 */ "sntp 4.2.7p337"; +/* 2485 */ "sntp 4.2.7p338"; /* * ipv4 option description with diff --git a/sntp/sntp-opts.h b/sntp/sntp-opts.h index 096d74b0a..41aa1f943 100644 --- a/sntp/sntp-opts.h +++ b/sntp/sntp-opts.h 
@@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (sntp-opts.h) * - * It has been AutoGen-ed December 22, 2012 at 11:42:52 AM by AutoGen 5.16.2 + * It has been AutoGen-ed December 25, 2012 at 11:26:57 AM by AutoGen 5.16.2 * From the definitions sntp-opts.def * and the template file options * @@ -90,8 +90,8 @@ typedef enum { } teOptIndex; #define OPTION_CT 23 -#define SNTP_VERSION "4.2.7p337" -#define SNTP_FULL_VERSION "sntp 4.2.7p337" +#define SNTP_VERSION "4.2.7p338" +#define SNTP_FULL_VERSION "sntp 4.2.7p338" /* * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/sntp/sntp.1sntpman b/sntp/sntp.1sntpman index 528d30739..bb9ac5278 100644 --- a/sntp/sntp.1sntpman +++ b/sntp/sntp.1sntpman @@ -1,8 +1,8 @@ -.TH sntp 1sntpman "22 Dec 2012" "4.2.7p337" "User Commands" +.TH sntp 1sntpman "25 Dec 2012" "4.2.7p338" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (sntp-opts.man) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:54:23 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:36:03 AM by AutoGen 5.16.2 .\" From the definitions sntp-opts.def .\" and the template file agman-cmd.tpl .\" diff --git a/sntp/sntp.1sntpmdoc b/sntp/sntp.1sntpmdoc index f1a17b9d1..feb1636e4 100644 --- a/sntp/sntp.1sntpmdoc +++ b/sntp/sntp.1sntpmdoc @@ -1,9 +1,9 @@ -.Dd December 22 2012 +.Dd December 25 2012 .Dt SNTP 1sntpmdoc User Commands .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc) .\" -.\" It has been AutoGen-ed December 22, 2012 at 11:54:29 AM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:36:10 AM by AutoGen 5.16.2 .\" From the definitions sntp-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/sntp/sntp.html b/sntp/sntp.html index be914bb0b..78a13e3b1 100644 --- a/sntp/sntp.html +++ b/sntp/sntp.html 
@@ -36,7 +36,7 @@ display the time offset of the system clock relative to the server clock. Run as root, it can correct the system clock to this offset as well. It can be run as an interactive command or from a cron job. -

This document applies to version 4.2.7p337 of sntp. +

This document applies to version 4.2.7p338 of sntp.

The program implements the SNTP protocol as defined by RFC 5905, the NTPv4 IETF specification. @@ -170,7 +170,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to more. Both will exit with a status code of 0. -

sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p337
+
sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p338
 USAGE:  sntp [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \
                 [ hostname-or-IP ...]
   Flg Arg Option-Name    Description
diff --git a/sntp/sntp.man.in b/sntp/sntp.man.in
index 5475d319a..3301dfecf 100644
--- a/sntp/sntp.man.in
+++ b/sntp/sntp.man.in
@@ -1,8 +1,8 @@
-.TH sntp @SNTP_MS@ "22 Dec 2012" "4.2.7p337" "User Commands"
+.TH sntp @SNTP_MS@ "25 Dec 2012" "4.2.7p338" "User Commands"
 .\"
 .\"  EDIT THIS FILE WITH CAUTION  (sntp-opts.man)
 .\"  
-.\"  It has been AutoGen-ed  December 22, 2012 at 11:54:23 AM by AutoGen 5.16.2
+.\"  It has been AutoGen-ed  December 25, 2012 at 11:36:03 AM by AutoGen 5.16.2
 .\"  From the definitions    sntp-opts.def
 .\"  and the template file   agman-cmd.tpl
 .\"
diff --git a/sntp/sntp.mdoc.in b/sntp/sntp.mdoc.in
index a91fbacfa..9a20317e8 100644
--- a/sntp/sntp.mdoc.in
+++ b/sntp/sntp.mdoc.in
@@ -1,9 +1,9 @@
-.Dd December 22 2012
+.Dd December 25 2012
 .Dt SNTP @SNTP_MS@ User Commands
 .Os SunOS 5.10
 .\"  EDIT THIS FILE WITH CAUTION  (sntp-opts.mdoc)
 .\"  
-.\"  It has been AutoGen-ed  December 22, 2012 at 11:54:29 AM by AutoGen 5.16.2
+.\"  It has been AutoGen-ed  December 25, 2012 at 11:36:10 AM by AutoGen 5.16.2
 .\"  From the definitions    sntp-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
diff --git a/util/invoke-ntp-keygen.texi b/util/invoke-ntp-keygen.texi
index ffa02df90..f8341db3f 100644
--- a/util/invoke-ntp-keygen.texi
+++ b/util/invoke-ntp-keygen.texi
@@ -6,7 +6,7 @@
 # 
 # EDIT THIS FILE WITH CAUTION  (invoke-ntp-keygen.texi)
 # 
-# It has been AutoGen-ed  December 25, 2012 at 01:50:28 AM by AutoGen 5.16.2
+# It has been AutoGen-ed  December 25, 2012 at 11:35:45 AM by AutoGen 5.16.2
 # From the definitions    ntp-keygen-opts.def
 # and the template file   agtexi-cmd.tpl
 @end ignore
@@ -874,7 +874,7 @@ with a status code of 0.
 
 @exampleindent 0
 @example
-ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p337
+ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p338
 USAGE:  ntp-keygen [ - [] | --[@{=| @}] ]...
   Flg Arg Option-Name    Description
    -b Num imbits         identity modulus bits
diff --git a/util/ntp-keygen-opts.c b/util/ntp-keygen-opts.c
index eba97cb38..9369f9c46 100644
--- a/util/ntp-keygen-opts.c
+++ b/util/ntp-keygen-opts.c
@@ -1,7 +1,7 @@
 /*  
  *  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.c)
  *  
- *  It has been AutoGen-ed  December 24, 2012 at 12:08:08 PM by AutoGen 5.16.2
+ *  It has been AutoGen-ed  December 25, 2012 at 11:35:32 AM by AutoGen 5.16.2
  *  From the definitions    ntp-keygen-opts.def
  *  and the template file   options
  *
@@ -75,7 +75,7 @@ extern FILE * option_usage_fp;
  *  ntp-keygen option static const strings
  */
 static char const ntp_keygen_opt_strs[2358] =
-/*     0 */ "ntp-keygen (ntp) 4.2.7p337\n"
+/*     0 */ "ntp-keygen (ntp) 4.2.7p338\n"
             "Copyright (C) 1970-2012 The University of Delaware, all rights reserved.\n"
             "This is free software. It is licensed for use, modification and\n"
             "redistribution under the terms of the NTP License, copies of which\n"
@@ -166,14 +166,14 @@ static char const ntp_keygen_opt_strs[2358] =
 /*  2136 */ "no-load-opts\0"
 /*  2149 */ "no\0"
 /*  2152 */ "NTP_KEYGEN\0"
-/*  2163 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p337\n"
+/*  2163 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p338\n"
             "USAGE:  %s [ - [] | --[{=| }] ]...\n\0"
 /*  2279 */ "$HOME\0"
 /*  2285 */ ".\0"
 /*  2287 */ ".ntprc\0"
 /*  2294 */ "http://bugs.ntp.org, bugs@ntp.org\0"
 /*  2328 */ "\n\n\0"
-/*  2331 */ "ntp-keygen (ntp) 4.2.7p337";
+/*  2331 */ "ntp-keygen (ntp) 4.2.7p338";
 
 /*
  *  imbits option description:
diff --git a/util/ntp-keygen-opts.h b/util/ntp-keygen-opts.h
index 660d1f735..424c93bc1 100644
--- a/util/ntp-keygen-opts.h
+++ b/util/ntp-keygen-opts.h
@@ -1,7 +1,7 @@
 /*  
  *  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.h)
  *  
- *  It has been AutoGen-ed  December 24, 2012 at 12:08:08 PM by AutoGen 5.16.2
+ *  It has been AutoGen-ed  December 25, 2012 at 11:35:32 AM by AutoGen 5.16.2
  *  From the definitions    ntp-keygen-opts.def
  *  and the template file   options
  *
@@ -93,8 +93,8 @@ typedef enum {
 } teOptIndex;
 
 #define OPTION_CT    26
-#define NTP_KEYGEN_VERSION       "4.2.7p337"
-#define NTP_KEYGEN_FULL_VERSION  "ntp-keygen (ntp) 4.2.7p337"
+#define NTP_KEYGEN_VERSION       "4.2.7p338"
+#define NTP_KEYGEN_FULL_VERSION  "ntp-keygen (ntp) 4.2.7p338"
 
 /*
  *  Interface defines for all options.  Replace "n" with the UPPER_CASED
diff --git a/util/ntp-keygen.1ntp-keygenman b/util/ntp-keygen.1ntp-keygenman
index b708eb715..14d21ad15 100644
--- a/util/ntp-keygen.1ntp-keygenman
+++ b/util/ntp-keygen.1ntp-keygenman
@@ -1,8 +1,8 @@
-.TH ntp-keygen 1ntp-keygenman "24 Dec 2012" "ntp (4.2.7p337)" "User Commands"
+.TH ntp-keygen 1ntp-keygenman "25 Dec 2012" "ntp (4.2.7p338)" "User Commands"
 .\"
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.man)
 .\"  
-.\"  It has been AutoGen-ed  December 24, 2012 at 12:08:20 PM by AutoGen 5.16.2
+.\"  It has been AutoGen-ed  December 25, 2012 at 11:35:40 AM by AutoGen 5.16.2
 .\"  From the definitions    ntp-keygen-opts.def
 .\"  and the template file   agman-cmd.tpl
 .\"
@@ -16,837 +16,6 @@ ntp-keygen \- Create a NTP host key
 All arguments must be options.
 .PP
 .SH DESCRIPTION
-This program generates cryptographic data files used by the NTPv4
-authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
-These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
-compatible with the Internet standard security infrastructure.
-.PP
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
-and certificate authorities.
-By default, files are not encrypted.
-.PP
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
-If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
-using secure means beyond the scope of NTP itself.
-Besides the keys used for ordinary NTP associations, additional keys
-can be defined as passwords for the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-utility programs.
-.PP
-The remaining generated files are compatible with other OpenSSL
-applications and other Public Key Infrastructure (PKI) resources.
-Certificates generated by this program are compatible with extant
-industry practice, although some users might find the interpretation of
-X509v3 extension fields somewhat liberal.
-However, the identity keys are probably not compatible with anything
-other than Autokey.
-.PP
-Some files used by this program are encrypted using a private password.
-The
-p
-option specifies the password for local encrypted files and the
-q
-option the password for encrypted files sent to remote sites.
-If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
-.PP
-The
-\fIpw\fR
-option of the
-\fIcrypto\fR
-configuration command specifies the read
-password for previously encrypted local files.
-This must match the local password used by this program.
-If not specified, the host name is used.
-Thus, if files are generated by this program without password,
-they can be read back by
-\fIntpd\fR
-without password but only on the same host.
-.PP
-Normally, encrypted files for each host are generated by that host and
-used only by that host, although exceptions exist as noted later on
-this page.
-The symmetric keys file, normally called
-\fIntp.keys ,\fR
-is usually installed in
-.Pa /etc .
-Other files and links are usually installed in
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem in
-NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-\fIkeysdir\fR
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
-.PP
-This program directs commentary and error messages to the standard
-error stream
-\fIstderr\fR
-and remote files to the standard output stream
-\fIstdout\fR
-where they can be piped to other applications or redirected to files.
-The names used for generated files and links all begin with the
-string
-\fIntpkey\fR
-and include the file type, generating host and filestamp,
-as described in the
-.Dq Cryptographic Data Files
-section below.
-.SS Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc 
-When run for the first time, or if all files with names beginning with
-\fIntpkey\fR
-have been removed, use the
-.B 
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.PP
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.B 
-with the
-T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.PP
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-.PP
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public-Key Authentication
-page.
-.PP
-The
-.Xr ntpd 1ntpdmdoc
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.PP
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-\fI_hostname.filestamp ,\fR
-where
-\fIhostname\fR
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-\fIfilestamp\fR
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-\fI\&*filestamp\fR
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.PP
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.PP
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.PP
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.B 
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-.B 
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
-.PP
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
-.PP
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
-.PP
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
-.PP
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.PP
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-.PP
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.PP
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.PP
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.B 
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-.B 
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
-.PP
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
-.PP
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
-.PP
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
-.PP
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.PP
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
-Each cryptographic configuration involves selection of a signature scheme
-and identification scheme, called a cryptotype,
-as explained in the
-.Sx Authentication Options
-section of
-.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
-First, configure a NTP subnet including one or more low-stratum
-trusted hosts from which all other hosts derive synchronization
-directly or indirectly.
-Trusted hosts have trusted certificates;
-all other hosts have nontrusted certificates.
-These hosts will automatically and dynamically build authoritative
-certificate trails to one or more trusted hosts.
-A trusted group is the set of all hosts that have, directly or indirectly,
-a certificate trail ending at a trusted host.
-The trail is defined by static configuration file entries
-or dynamic means described on the
-.Sx Automatic NTP Configuration Options
-section of
-.Xr ntp.conf 5 .
-.PP
-On each trusted host as root, change to the keys directory.
-To insure a fresh fileset, remove all
-.Cm ntpkey
-files.
-Then run
-.B 
-T
-to generate keys and a trusted certificate.
-On all other hosts do the same, but leave off the
-T
-flag to generate keys and nontrusted certificates.
-When complete, start the NTP daemons beginning at the lowest stratum
-and working up the tree.
-It may take some time for Autokey to instantiate the certificate trails
-throughout the subnet, but setting up the environment is completely automatic.
-.PP
-If it is necessary to use a different sign key or different digest/signature
-scheme than the default, run
-.B 
-with the
-S Ar type
-option, where
-\fItype\fR
-is either
-.Cm RSA
-or
-.Cm DSA .
-The most often need to do this is when a DSA-signed certificate is used.
-If it is necessary to use a different certificate scheme than the default,
-run
-.B 
-with the
-c Ar scheme
-option and selected
-\fIscheme\fR
-as needed.
-f
-.B 
-is run again without these options, it generates a new certificate
-using the same scheme and sign key.
-.PP
-After setting up the environment it is advisable to update certificates
-from time to time, if only to extend the validity interval.
-Simply run
-.B 
-with the same flags as before to generate new certificates
-using existing keys.
-However, if the host or sign key is changed,
-.Xr ntpd 1ntpdmdoc
-should be restarted.
-When
-.Xr ntpd 1ntpdmdoc
-is restarted, it loads any new files and restarts the protocol.
-Other dependent hosts will continue as usual until signatures are refreshed,
-at which time the protocol is restarted.
-.SS Identity Schemes
-As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
-However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
-These schemes are based on a TA, one or more trusted hosts
-and some number of nontrusted hosts.
-Trusted hosts prove identity using values provided by the TA,
-while the remaining hosts prove identity using values provided
-by a trusted host and certificate trails that end on that host.
-The name of a trusted host is also the name of its sugroup
-and also the subject and issuer name on its trusted certificate.
-The TA is not necessarily a trusted host in this sense, but often is.
-.PP
-In some schemes there are separate keys for servers and clients.
-A server can also be a client of another server,
-but a client can never be a server for another client.
-In general, trusted hosts and nontrusted hosts that operate
-as both server and client have parameter files that contain
-both server and client keys.
-Hosts that operate
-only as clients have key files that contain only client keys.
-.PP
-The PC scheme supports only one trusted host in the group.
-On trusted host alice run
-.B 
-P
-p Ar password
-to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
-and trusted private certificate file
-.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp .
-Copy both files to all group hosts;
-they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
-.Pa ntpkey_host_ Ns Ar bob
-to the host key file and soft link
-.Pa ntpkey_cert_ Ns Ar bob
-to the private certificate file.
-Note the generic links are on bob, but point to files generated
-by trusted host alice.
-In this scheme it is not possible to refresh
-either the keys or certificates without copying them
-to all other hosts in the group.
-.PP
-For the IFF scheme proceed as in the TC scheme to generate keys
-and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
-On trusted host alice run
-.B 
-T
-I
-p Ar password
-to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
-which includes both server and client keys.
-Copy this file to all group hosts that operate as both servers
-and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
-to this file.
-If there are no hosts restricted to operate only as clients,
-there is nothing further to do.
-As the IFF scheme is independent
-of keys and certificates, these files can be refreshed as needed.
-.PP
-If a rogue client has the parameter file, it could masquerade
-as a legitimate server and present a middleman threat.
-To eliminate this threat, the client keys can be extracted
-from the parameter file and distributed to all restricted clients.
-After generating the parameter file, on alice run
-.B 
-e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
-On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
-to this file.
-To further protect the integrity of the keys,
-each file can be encrypted with a secret password.
-.PP
-For the GQ scheme proceed as in the TC scheme to generate keys
-and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
-On trusted host alice run
-.B 
-T
-G
-p Ar password
-to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
-which includes both server and client keys.
-Copy this file to all group hosts and install a soft link
-from the generic
-.Pa ntpkey_gq_ Ns Ar alice
-to this file.
-In addition, on each host bob install a soft link
-from generic
-.Pa ntpkey_gq_ Ns Ar bob
-to this file.
-As the GQ scheme updates the GQ parameters file and certificate
-at the same time, keys and certificates can be regenerated as needed.
-.PP
-For the MV scheme, proceed as in the TC scheme to generate keys
-and certificates for all group hosts.
-For illustration assume trish is the TA, alice one of several trusted hosts
-and bob one of her clients.
-On TA trish run
-.B 
-V Ar n
-p Ar password ,
-where
-\fIn\fR
-is the number of revokable keys (typically 5) to produce
-the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
-and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
-where
-\fId\fR
-is the key number (0 \&<
-\fId\fR
-\&<
-\fIn ) .\fR
-Copy the parameter file to alice and install a soft link
-from the generic
-.Pa ntpkey_mv_ Ns Ar alice
-to this file.
-Copy one of the client key files to alice for later distribution
-to her clients.
-It doesn't matter which client key file goes to alice,
-since they all work the same way.
-Alice copies the client key file to all of her cliens.
-On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
-to the client key file.
-As the MV scheme is independent of keys and certificates,
-these files can be refreshed as needed.
-.SS Command Line Options
-.TP
-.BR Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
-The
-\fIscheme\fR
-can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
-or
-.Cm DSA-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
-The default without this option is
-.Cm RSA-MD5 .
-.TP
-.BR Fl d
-Enable debugging.
-This option displays the cryptographic data produced in eye-friendly billboards.
-.TP
-.BR Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.TP
-.BR Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.TP
-.BR Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.TP
-.BR Fl H
-Generate new host keys, obsoleting any that may exist.
-.TP
-.BR Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.TP
-.BR Fl i Ar name
-Set the suject name to
-\fIname .\fR
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.TP
-.BR Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.TP
-.BR Fl P
-Generate a private certificate.
-By default, the program generates public certificates.
-.TP
-.BR Fl p Ar password
-Encrypt generated files containing private data with
-\fIpassword\fR
-and the DES-CBC algorithm.
-.TP
-.BR Fl q
-Set the password for reading files to password.
-.TP
-.BR Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.TP
-.BR Fl s Ar name
-Set the issuer name to
-\fIname .\fR
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.TP
-.BR Fl T
-Generate a trusted certificate.
-By default, the program generates a non-trusted certificate.
-.TP
-.BR Fl V Ar nkeys
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
-.SS Random Seed File
-All cryptographically sound key generation schemes must have means
-to randomize the entropy seed used to initialize
-the internal pseudo-random number generator used
-by the library routines.
-The OpenSSL library uses a designated random seed file for this purpose.
-The file must be available when starting the NTP daemon and
-.B 
-program.
-If a site supports OpenSSL or its companion OpenSSH,
-it is very likely that means to do this are already available.
-.PP
-It is important to understand that entropy must be evolved
-for each generation, for otherwise the random number sequence
-would be predictable.
-Various means dependent on external events, such as keystroke intervals,
-can be used to do this and some systems have built-in entropy sources.
-Suitable means are described in the OpenSSL software documentation,
-but are outside the scope of this page.
-.PP
-The entropy seed used by the OpenSSL library is contained in a file,
-usually called
-.Cm .rnd ,
-which must be available when starting the NTP daemon
-or the
-.B 
-program.
-The NTP daemon will first look for the file
-using the path specified by the
-.Ic randfile
-subcommand of the
-.Ic crypto
-configuration command.
-If not specified in this way, or when starting the
-.B 
-program,
-the OpenSSL library will look for the file using the path specified
-by the
-.Ev RANDFILE
-environment variable in the user home directory,
-whether root or some other user.
-If the
-.Ev RANDFILE
-environment variable is not present,
-the library will look for the
-.Cm .rnd
-file in the user home directory.
-If the file is not available or cannot be written,
-the daemon exits with a message to the system log and the program
-exits with a suitable error message.
-.SS Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
-.B 
-program and
-.Xr ntpd 1ntpdmdoc
-daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
-.PP
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
-where
-\fIkeyno\fR
-is a positive integer in the range 1-65,535,
-\fItype\fR
-is the string MD5 defining the key format and
-\fIkey\fR
-is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
-.Ql #
-character.
-.PP
-Note that the keys used by the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-programs
-are checked against passwords requested by the programs
-and entered by hand, so it is generally appropriate to specify these keys
-in human readable ASCII format.
-.PP
-The
-.B 
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
-Since the file contains private shared keys,
-it should be visible only to root and distributed by secure means
-to other subnet hosts.
-The NTP daemon loads the file
-.Pa ntp.keys ,
-so
-.B 
-installs a soft link from this name to the generated file.
-Subsequently, similar soft links must be installed by manual
-or automated means on the other subnet hosts.
-While this file is not used with the Autokey Version 2 protocol,
-it is needed to authenticate some remote configuration commands
-used by the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-utilities.
 .SH "OPTIONS"
 .TP
 .BR \-b " \fIimbits\fP, " \-\-imbits "=" \fIimbits\fP
@@ -1043,18 +212,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP".
 If any of these are directories, then the file \fI.ntprc\fP
 is searched for within those directories.
 .SH USAGE
-The
-p Ar password
-option specifies the write password and
-q Ar password
-option the read password for previously encrypted files.
-The
-.B 
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
 .SH "ENVIRONMENT"
 See \fBOPTION PRESETS\fP for configuration environment variables.
 .SH "FILES"
@@ -1080,15 +237,8 @@ The University of Delaware
 Copyright (C) 1970-2012 The University of Delaware all rights reserved.
 This program is released under the terms of the NTP license, .
 .SH BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
-.PP
-Please report bugs to http://bugs.ntp.org .Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
+Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
 .SH NOTES
-This document corresponds to version @VERSION@ of NTP.
-Portions of this document came from FreeBSD.
 .PP
 This manual page was \fIAutoGen\fP-erated from the \fBntp-keygen\fP
 option definitions.
diff --git a/util/ntp-keygen.1ntp-keygenmdoc b/util/ntp-keygen.1ntp-keygenmdoc
index ba66d0071..60274f837 100644
--- a/util/ntp-keygen.1ntp-keygenmdoc
+++ b/util/ntp-keygen.1ntp-keygenmdoc
@@ -1,9 +1,9 @@
-.Dd December 24 2012
+.Dd December 25 2012
 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands
-.Os FreeBSD 6.4-STABLE
+.Os SunOS 5.10
 .\"  EDIT THIS FILE WITH CAUTION  (ntp-keygen-opts.mdoc)
 .\"  
-.\"  It has been AutoGen-ed  December 24, 2012 at 12:08:14 PM by AutoGen 5.16.2
+.\"  It has been AutoGen-ed  December 25, 2012 at 11:35:47 AM by AutoGen 5.16.2
 .\"  From the definitions    ntp-keygen-opts.def
 .\"  and the template file   agmdoc-cmd.tpl
 .Sh NAME
@@ -19,823 +19,6 @@
 All arguments must be options.
 .Pp
 .Sh DESCRIPTION
-This program generates cryptographic data files used by the NTPv4
-authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
-These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
-compatible with the Internet standard security infrastructure.
-.Pp
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
-and certificate authorities.
-By default, files are not encrypted.
-.Pp
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
-If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
-using secure means beyond the scope of NTP itself.
-Besides the keys used for ordinary NTP associations, additional keys
-can be defined as passwords for the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-utility programs.
-.Pp
-The remaining generated files are compatible with other OpenSSL
-applications and other Public Key Infrastructure (PKI) resources.
-Certificates generated by this program are compatible with extant
-industry practice, although some users might find the interpretation of
-X509v3 extension fields somewhat liberal.
-However, the identity keys are probably not compatible with anything
-other than Autokey.
-.Pp
-Some files used by this program are encrypted using a private password.
-The
-.Fl p
-option specifies the password for local encrypted files and the
-.Fl q
-option the password for encrypted files sent to remote sites.
-If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
-.Pp
-The
-.Ar pw
-option of the
-.Ar crypto
-configuration command specifies the read
-password for previously encrypted local files.
-This must match the local password used by this program.
-If not specified, the host name is used.
-Thus, if files are generated by this program without password,
-they can be read back by
-.Ar ntpd
-without password but only on the same host.
-.Pp
-Normally, encrypted files for each host are generated by that host and
-used only by that host, although exceptions exist as noted later on
-this page.
-The symmetric keys file, normally called
-.Ar ntp.keys ,
-is usually installed in
-.Pa /etc .
-Other files and links are usually installed in
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem in
-NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-.Ar keysdir
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
-.Pp
-This program directs commentary and error messages to the standard
-error stream
-.Ar stderr
-and remote files to the standard output stream
-.Ar stdout
-where they can be piped to other applications or redirected to files.
-The names used for generated files and links all begin with the
-string
-.Ar ntpkey
-and include the file type, generating host and filestamp,
-as described in the
-.Dq Cryptographic Data Files
-section below.
-.Ss Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc 
-When run for the first time, or if all files with names beginning with
-.Ar ntpkey
-have been removed, use the
-.Nm
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.Pp
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.Nm
-with the
-.Fl T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.Pp
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-.Fl S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-.Fl c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-.Pp
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public-Key Authentication
-page.
-.Pp
-The
-.Xr ntpd 1ntpdmdoc
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.Pp
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-.Ar _hostname.filestamp ,
-where
-.Ar hostname
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-.Ar filestamp
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-.Ar \&*filestamp
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
-.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
-.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
-.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
-.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
-.Pp
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
-.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
-.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
-.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
-.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
-.Pp
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
-Each cryptographic configuration involves selection of a signature scheme
-and identification scheme, called a cryptotype,
-as explained in the
-.Sx Authentication Options
-section of
-.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
-First, configure a NTP subnet including one or more low-stratum
-trusted hosts from which all other hosts derive synchronization
-directly or indirectly.
-Trusted hosts have trusted certificates;
-all other hosts have nontrusted certificates.
-These hosts will automatically and dynamically build authoritative
-certificate trails to one or more trusted hosts.
-A trusted group is the set of all hosts that have, directly or indirectly,
-a certificate trail ending at a trusted host.
-The trail is defined by static configuration file entries
-or dynamic means described on the
-.Sx Automatic NTP Configuration Options
-section of
-.Xr ntp.conf 5 .
-.Pp
-On each trusted host as root, change to the keys directory.
-To insure a fresh fileset, remove all
-.Cm ntpkey
-files.
-Then run
-.Nm
-.Fl T
-to generate keys and a trusted certificate.
-On all other hosts do the same, but leave off the
-.Fl T
-flag to generate keys and nontrusted certificates.
-When complete, start the NTP daemons beginning at the lowest stratum
-and working up the tree.
-It may take some time for Autokey to instantiate the certificate trails
-throughout the subnet, but setting up the environment is completely automatic.
-.Pp
-If it is necessary to use a different sign key or different digest/signature
-scheme than the default, run
-.Nm
-with the
-.Fl S Ar type
-option, where
-.Ar type
-is either
-.Cm RSA
-or
-.Cm DSA .
-The most often need to do this is when a DSA-signed certificate is used.
-If it is necessary to use a different certificate scheme than the default,
-run
-.Nm
-with the
-.Fl c Ar scheme
-option and selected
-.Ar scheme
-as needed.
-f
-.Nm
-is run again without these options, it generates a new certificate
-using the same scheme and sign key.
-.Pp
-After setting up the environment it is advisable to update certificates
-from time to time, if only to extend the validity interval.
-Simply run
-.Nm
-with the same flags as before to generate new certificates
-using existing keys.
-However, if the host or sign key is changed,
-.Xr ntpd 1ntpdmdoc
-should be restarted.
-When
-.Xr ntpd 1ntpdmdoc
-is restarted, it loads any new files and restarts the protocol.
-Other dependent hosts will continue as usual until signatures are refreshed,
-at which time the protocol is restarted.
-.Ss Identity Schemes
-As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
-However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
-These schemes are based on a TA, one or more trusted hosts
-and some number of nontrusted hosts.
-Trusted hosts prove identity using values provided by the TA,
-while the remaining hosts prove identity using values provided
-by a trusted host and certificate trails that end on that host.
-The name of a trusted host is also the name of its sugroup
-and also the subject and issuer name on its trusted certificate.
-The TA is not necessarily a trusted host in this sense, but often is.
-.Pp
-In some schemes there are separate keys for servers and clients.
-A server can also be a client of another server,
-but a client can never be a server for another client.
-In general, trusted hosts and nontrusted hosts that operate
-as both server and client have parameter files that contain
-both server and client keys.
-Hosts that operate
-only as clients have key files that contain only client keys.
-.Pp
-The PC scheme supports only one trusted host in the group.
-On trusted host alice run
-.Nm
-.Fl P
-.Fl p Ar password
-to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
-and trusted private certificate file
-.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp .
-Copy both files to all group hosts;
-they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
-.Pa ntpkey_host_ Ns Ar bob
-to the host key file and soft link
-.Pa ntpkey_cert_ Ns Ar bob
-to the private certificate file.
-Note the generic links are on bob, but point to files generated
-by trusted host alice.
-In this scheme it is not possible to refresh
-either the keys or certificates without copying them
-to all other hosts in the group.
-.Pp
-For the IFF scheme proceed as in the TC scheme to generate keys
-and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
-On trusted host alice run
-.Nm
-.Fl T
-.Fl I
-.Fl p Ar password
-to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
-which includes both server and client keys.
-Copy this file to all group hosts that operate as both servers
-and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
-to this file.
-If there are no hosts restricted to operate only as clients,
-there is nothing further to do.
-As the IFF scheme is independent
-of keys and certificates, these files can be refreshed as needed.
-.Pp
-If a rogue client has the parameter file, it could masquerade
-as a legitimate server and present a middleman threat.
-To eliminate this threat, the client keys can be extracted
-from the parameter file and distributed to all restricted clients.
-After generating the parameter file, on alice run
-.Nm
-.Fl e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
-On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
-to this file.
-To further protect the integrity of the keys,
-each file can be encrypted with a secret password.
-.Pp
-For the GQ scheme proceed as in the TC scheme to generate keys
-and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
-On trusted host alice run
-.Nm
-.Fl T
-.Fl G
-.Fl p Ar password
-to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
-which includes both server and client keys.
-Copy this file to all group hosts and install a soft link
-from the generic
-.Pa ntpkey_gq_ Ns Ar alice
-to this file.
-In addition, on each host bob install a soft link
-from generic
-.Pa ntpkey_gq_ Ns Ar bob
-to this file.
-As the GQ scheme updates the GQ parameters file and certificate
-at the same time, keys and certificates can be regenerated as needed.
-.Pp
-For the MV scheme, proceed as in the TC scheme to generate keys
-and certificates for all group hosts.
-For illustration assume trish is the TA, alice one of several trusted hosts
-and bob one of her clients.
-On TA trish run
-.Nm
-.Fl V Ar n
-.Fl p Ar password ,
-where
-.Ar n
-is the number of revokable keys (typically 5) to produce
-the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
-and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
-where
-.Ar d
-is the key number (0 \&<
-.Ar d
-\&<
-.Ar n ) .
-Copy the parameter file to alice and install a soft link
-from the generic
-.Pa ntpkey_mv_ Ns Ar alice
-to this file.
-Copy one of the client key files to alice for later distribution
-to her clients.
-It doesn't matter which client key file goes to alice,
-since they all work the same way.
-Alice copies the client key file to all of her cliens.
-On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
-to the client key file.
-As the MV scheme is independent of keys and certificates,
-these files can be refreshed as needed.
-.Ss Command Line Options
-.Bl -tag -width indent
-.It Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
-The
-.Ar scheme
-can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
-or
-.Cm DSA-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
-The default without this option is
-.Cm RSA-MD5 .
-.It Fl d
-Enable debugging.
-This option displays the cryptographic data produced in eye-friendly billboards.
-.It Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.It Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.It Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.It Fl H
-Generate new host keys, obsoleting any that may exist.
-.It Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.It Fl i Ar name
-Set the suject name to
-.Ar name .
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.It Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.It Fl P
-Generate a private certificate.
-By default, the program generates public certificates.
-.It Fl p Ar password
-Encrypt generated files containing private data with
-.Ar password
-and the DES-CBC algorithm.
-.It Fl q
-Set the password for reading files to password.
-.It Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.It Fl s Ar name
-Set the issuer name to
-.Ar name .
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.It Fl T
-Generate a trusted certificate.
-By default, the program generates a non-trusted certificate.
-.It Fl V Ar nkeys
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
-.El
-.Ss Random Seed File
-All cryptographically sound key generation schemes must have means
-to randomize the entropy seed used to initialize
-the internal pseudo-random number generator used
-by the library routines.
-The OpenSSL library uses a designated random seed file for this purpose.
-The file must be available when starting the NTP daemon and
-.Nm
-program.
-If a site supports OpenSSL or its companion OpenSSH,
-it is very likely that means to do this are already available.
-.Pp
-It is important to understand that entropy must be evolved
-for each generation, for otherwise the random number sequence
-would be predictable.
-Various means dependent on external events, such as keystroke intervals,
-can be used to do this and some systems have built-in entropy sources.
-Suitable means are described in the OpenSSL software documentation,
-but are outside the scope of this page.
-.Pp
-The entropy seed used by the OpenSSL library is contained in a file,
-usually called
-.Cm .rnd ,
-which must be available when starting the NTP daemon
-or the
-.Nm
-program.
-The NTP daemon will first look for the file
-using the path specified by the
-.Ic randfile
-subcommand of the
-.Ic crypto
-configuration command.
-If not specified in this way, or when starting the
-.Nm
-program,
-the OpenSSL library will look for the file using the path specified
-by the
-.Ev RANDFILE
-environment variable in the user home directory,
-whether root or some other user.
-If the
-.Ev RANDFILE
-environment variable is not present,
-the library will look for the
-.Cm .rnd
-file in the user home directory.
-If the file is not available or cannot be written,
-the daemon exits with a message to the system log and the program
-exits with a suitable error message.
-.Ss Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
-.Nm
-program and
-.Xr ntpd 1ntpdmdoc
-daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
-.Pp
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
-where
-.Ar keyno
-is a positive integer in the range 1-65,535,
-.Ar type
-is the string MD5 defining the key format and
-.Ar key
-is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
-.Ql #
-character.
-.Pp
-Note that the keys used by the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-programs
-are checked against passwords requested by the programs
-and entered by hand, so it is generally appropriate to specify these keys
-in human readable ASCII format.
-.Pp
-The
-.Nm
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
-Since the file contains private shared keys,
-it should be visible only to root and distributed by secure means
-to other subnet hosts.
-The NTP daemon loads the file
-.Pa ntp.keys ,
-so
-.Nm
-installs a soft link from this name to the generated file.
-Subsequently, similar soft links must be installed by manual
-or automated means on the other subnet hosts.
-While this file is not used with the Autokey Version 2 protocol,
-it is needed to authenticate some remote configuration commands
-used by the
-.Xr ntpq 1ntpqmdoc
-and
-.Xr ntpdc 1ntpdcmdoc
-utilities.
 .Sh "OPTIONS"
 .Bl -tag
 .It  \-b " \fIimbits\fP, " \-\-imbits "=" \fIimbits\fP
@@ -1011,18 +194,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP".
 If any of these are directories, then the file \fI.ntprc\fP
 is searched for within those directories.
 .Sh USAGE
-The
-.Fl p Ar password
-option specifies the write password and
-.Fl q Ar password
-option the read password for previously encrypted files.
-The
-.Nm
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
 .Sh "ENVIRONMENT"
 See \fBOPTION PRESETS\fP for configuration environment variables.
 .Sh "FILES"
@@ -1046,15 +217,8 @@ The University of Delaware
 Copyright (C) 1970-2012 The University of Delaware all rights reserved.
 This program is released under the terms of the NTP license, .
 .Sh BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
-.Pp
-Please report bugs to http://bugs.ntp.org .Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
+Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
 .Sh NOTES
-This document corresponds to version @VERSION@ of NTP.
-Portions of this document came from FreeBSD.
 .Pp
 This manual page was \fIAutoGen\fP-erated from the \fBntp-keygen\fP
 option definitions.
diff --git a/util/ntp-keygen.html b/util/ntp-keygen.html
index 1b6713ec9..efd5a5e3b 100644
--- a/util/ntp-keygen.html
+++ b/util/ntp-keygen.html
@@ -59,8 +59,8 @@ Up: (dir)
 

This document describes the use of the NTP Project's ntp-keygen program, that generates cryptographic data files used by the NTPv4 authentication and identity schemes. -It can generate message digest -keys used in symmetric key cryptography and, if the OpenSSL software +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, sign keys, certificates, and identity keys and parameters used by the Autokey public key cryptography. @@ -70,7 +70,7 @@ All other files are in PEM-encoded printable ASCII format so they can be embedded as MIME attachments in mail to other sites. -

This document applies to version 4.2.7p337 of ntp-keygen. +

This document applies to version 4.2.7p338 of ntp-keygen.


@@ -95,11 +95,14 @@ mail to other sites.

When used to generate message digest keys, the program produces a file containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. If the +MD5 message digest algorithm included in the distribution. +If the OpenSSL library is installed, it produces an additional ten hex-encoded random bit strings suitable for the SHA1 and other message digest -algorithms. The message digest keys file must be distributed and stored -using secure means beyond the scope of NTP itself. Besides the keys +algorithms. +The message digest keys file must be distributed and stored +using secure means beyond the scope of NTP itself. +Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the ntpq and ntpdc utility programs. @@ -107,37 +110,44 @@ passwords for the ntpq and ntpdc utility programs. applications and other Public Key Infrastructure (PKI) resources. Certificates generated by this program are compatible with extant industry practice, although some users might find the interpretation of -X509v3 extension fields somewhat liberal. However, the identity keys +X509v3 extension fields somewhat liberal. +However, the identity keys are probably not compatible with anything other than Autokey.

Some files used by this program are encrypted using a private password. -The -p option specifies the password for local encrypted files and the --q option the password for encrypted files sent to remote sites. If no -password is specified, the host name returned by the Unix gethostname() -function, normally the DNS name of the host, is used. - -

The pw option of the crypto configuration command specifies the read -password for previously encrypted local files. This must match the -local password used by this program. If not specified, the host name is -used. Thus, if files are generated by this program without password, +The -p option specifies the password for local encrypted files and the +-q option the password for encrypted files sent to remote sites. +If no password is specified, the host name returned by the Unix +gethostname() function, normally the DNS name of the host, is used. + +

The pw option of the crypto configuration command +specifies the read password for previously encrypted local files. +This must match the local password used by this program. +If not specified, the host name is used. +Thus, if files are generated by this program without password, they can be read back by ntpd without password, but only on the same host.

Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on -this page. The symmetric keys file, normally called ntp.keys, is -usually installed in /etc. Other files and links are usually installed -in /usr/local/etc, which is normally in a shared filesystem in -NFS-mounted networks and cannot be changed by shared clients. The -location of the keys directory can be changed by the keysdir -configuration command in such cases. Normally, this is in /etc. +this page. +The symmetric keys file, normally called ntp.keys, is +usually installed in /etc. +Other files and links are usually installed +in /usr/local/etc, which is normally in a shared filesystem in +NFS-mounted networks and cannot be changed by shared clients. +The location of the keys directory can be changed by the keysdir +configuration command in such cases. +Normally, this is in /etc.

This program directs commentary and error messages to the standard -error stream stderr and remote files to the standard output stream -stdout where they can be piped to other applications or redirected to -files. The names used for generated files and links all begin with the -string ntpkey and include the file type, generating host and filestamp, -as described in the Cryptographic Data Files section below. +error stream stderr and remote files to the standard output stream +stdout where they can be piped to other applications or redirected to +files. +The names used for generated files and links all begin with the +string ntpkey and include the file type, +generating host and filestamp, +as described in the Cryptographic Data Files section below.


@@ -151,43 +161,49 @@ Up: Top

Running the Program

To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually /usr/local/etc. When run for the -first time, or if all files with names beginning ntpkey have been -removed, use the ntp-keygen command without arguments to generate a +change to the keys directory, usually /usr/local/etc. +When run for the +first time, or if all files with names beginning ntpkey] have been +removed, use the ntp-keygen command without arguments to generate a default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. If run again without options, the program uses the +date one year hence. +If run again without options, the program uses the existing keys and parameters and generates only a new certificate with new expiration date one year hence. -

Run the command on as many hosts as necessary. Designate one of them as -the trusted host (TH) using ntp-keygen with the -T option and configure -it to synchronize from reliable Internet servers. Then configure the -other hosts to synchronize to the TH directly or indirectly. A -certificate trail is created when Autokey asks the immediately +

Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using ntp-keygen +with the -T option and configure +it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or indirectly. +A certificate trail is created when Autokey asks the immediately ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. All group hosts -should have acyclic certificate trails ending on the TH. +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH.

The host key is used to encrypt the cookie when required and so must be -RSA type. By default, the host key is also the sign key used to encrypt -signatures. A different sign key can be assigned using the -S option -and this can be either RSA or DSA type. By default, the signature +RSA type. +By default, the host key is also the sign key used to encrypt signatures. +A different sign key can be assigned using the -S option +and this can be either RSA or DSA type. +By default, the signature message digest type is MD5, but any combination of sign key type and message digest type supported by the OpenSSL library can be specified -using the -c option. +using the -c option.

The rules say cryptographic media should be generated with proventic filestamps, which means the host should already be synchronized before -this program is run. This of course creates a chicken-and-egg problem -when the host is started for the first time. Accordingly, the host time +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time should be set by some other means, such as eyeball-and-wristwatch, at least so that the certificate lifetime is within the current year. After that and when the host is synchronized to a proventic source, the certificate should be re-generated.

Additional information on trusted groups and identity schemes is on the -Autokey Public-Key Authentication -page. +Autokey Public-Key Authentication page.


@@ -223,7 +239,11 @@ digest algorithms. The message digest keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys -can be defined as passwords for the ntpq and ntpdc utility programs. +can be defined as passwords for the +ntpq(1ntpqmdoc) +and +ntpdc(1ntpdcmdoc) +utility programs.

The remaining generated files are compatible with other OpenSSL applications and other Public Key Infrastructure (PKI) resources. @@ -235,50 +255,46 @@ other than Autokey.

Some files used by this program are encrypted using a private password. The ---p option specifies the password for local encrypted files and the ---q option the password for encrypted files sent to remote sites. +-p option specifies the password for local encrypted files and the +-q option the password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -.Fn -gethostname +gethostname() function, normally the DNS name of the host is used.

The -pw option of the -crypto configuration command specifies the read +pw option of the +crypto configuration command specifies the read password for previously encrypted local files. This must match the local password used by this program. If not specified, the host name is used. Thus, if files are generated by this program without password, they can be read back by -ntpd without password but only on the same host. +ntpd without password but only on the same host.

Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -ntp.keys, is usually installed in +ntp.keys, is usually installed in /etc. -. Other files and links are usually installed in /usr/local/etc, -, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. The location of the keys directory can be changed by the -keysdir configuration command in such cases. +keysdir configuration command in such cases. Normally, this is in -/etc. -. +/etc.

This program directs commentary and error messages to the standard error stream -stderr and remote files to the standard output stream -stdout where they can be piped to other applications or redirected to files. +stderr and remote files to the standard output stream +stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -ntpkey and include the file type, generating host and filestamp, +ntpkey and include the file type, generating host and filestamp, as described in the -CryptographicDataFiles +Cryptographic Data Files section below.


@@ -295,7 +311,7 @@ To test and gain experience with Autokey concepts, log in as root and change to the keys directory, usually /usr/local/etc When run for the first time, or if all files with names beginning with -ntpkey have been removed, use the +ntpkey have been removed, use the ntp-keygen command without arguments to generate a default RSA host key and matching RSA-MD5 certificate with expiration @@ -339,13 +355,13 @@ After that and when the host is synchronized to a proventic source, the certificate should be re-generated.

Additional information on trusted groups and identity schemes is on the -AutokeyPublic-KeyAuthentication +Autokey Public-Key Authentication page.

The -ntpd(8) +ntpd(1ntpdmdoc) configuration command -crypto pw Ar password specifies the read password for previously encrypted files. +crypto pw password specifies the read password for previously encrypted files. The daemon expires on the spot if the password is missing or incorrect. For convenience, if a file has been previously encrypted, @@ -356,23 +372,22 @@ these files can be read by that host with no explicit password.

File names begin with the prefix ntpkey_ and end with the postfix -_hostname.filestamp, where -hostname is the owner name, usually the string returned +_hostname.filestamp, where +hostname is the owner name, usually the string returned by the Unix gethostname() routine, and -filestamp is the NTP seconds when the file was generated, in decimal digits. +filestamp is the NTP seconds when the file was generated, in decimal digits. This both guarantees uniqueness and simplifies maintenance procedures, since all files can be quickly removed by a -rmntpkey\&* command or all files generated +rm ntpkey\&* command or all files generated at a specific time can be removed by a -rm \&*filestamp command. +rm \&*filestamp command. To further reduce the risk of misconfiguration, the first two lines of a file contain the file name and generation date and time as comments.

All files are installed by default in the keys directory /usr/local/etc, -, which is normally in a shared filesystem in NFS-mounted networks. The actual location of the keys directory @@ -402,7 +417,7 @@ by changing the link. If a link is present, ntpd follows it to the file name to extract the filestamp. If a link is not present, -ntpd(8) +ntpd(1ntpdmdoc) extracts the filestamp from the file itself. This allows clients to verify that the file and generation times are always current. @@ -428,7 +443,6 @@ program is logged in directly as root. The recommended procedure is change to the keys directory, usually /usr/local/etc, -, then run the program. When run for the first time, or if all @@ -465,12 +479,12 @@ as the other files, are probably not compatible with anything other than Autokey su command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.rnd in the user home directory. +.rnd in the user home directory. However, there should be only one -.rnd, most conveniently +.rnd, most conveniently in the root directory, so it is convenient to define the -$RANDFILE environment variable used by the OpenSSL library as the path to -/.rnd. +$RANDFILE environment variable used by the OpenSSL library as the path to +/.rnd. Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write to the shared keys directory, even as root. @@ -495,7 +509,6 @@ while the trusted name is used for the identity files.

All files are installed by default in the keys directory /usr/local/etc, -, which is normally in a shared filesystem in NFS-mounted networks. The actual location of the keys directory @@ -525,7 +538,7 @@ by changing the link. If a link is present, ntpd follows it to the file name to extract the filestamp. If a link is not present, -ntpd(8) +ntpd(1ntpdmdoc) extracts the filestamp from the file itself. This allows clients to verify that the file and generation times are always current. @@ -551,7 +564,6 @@ program is logged in directly as root. The recommended procedure is change to the keys directory, usually /usr/local/etc, -, then run the program. When run for the first time, or if all @@ -588,12 +600,12 @@ as the other files, are probably not compatible with anything other than Autokey su command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.rnd in the user home directory. +.rnd in the user home directory. However, there should be only one -.rnd, most conveniently +.rnd, most conveniently in the root directory, so it is convenient to define the -$RANDFILE environment variable used by the OpenSSL library as the path to -/.rnd. +$RANDFILE environment variable used by the OpenSSL library as the path to +/.rnd. Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write to the shared keys directory, even as root. 
@@ -663,16 +675,16 @@ throughout the subnet, but setting up the environment is completely automatic. scheme than the default, run ntp-keygen with the --S -Ar -type option, where -type is either +-S -type option, where +type is either RSA or DSA. The most often need to do this is when a DSA-signed certificate is used. If it is necessary to use a different certificate scheme than the default, run ntp-keygen with the --c -Ar -scheme option and selected -scheme as needed. +-c -scheme option and selected +scheme as needed. f ntp-keygen is run again without these options, it generates a new certificate @@ -685,10 +697,10 @@ Simply run with the same flags as before to generate new certificates using existing keys. However, if the host or sign key is changed, -ntpd(8) +ntpd(1ntpdmdoc) should be restarted. When -ntpd(8) +ntpd(1ntpdmdoc) is restarted, it loads any new files and restarts the protocol. Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. @@ -706,7 +718,7 @@ As mentioned on the Autonomous Authentication page, the default TC identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, including PC, IFF, GQ and MV described on the -"IdentificationSchemes" +"Identification Schemes" page (maybe available at .Li @@ -734,29 +746,16 @@ only as clients have key files that contain only client keys.

The PC scheme supports only one trusted host in the group. On trusted host alice run ntp-keygen --P -p -Ar -password to generate the host key file +-P -p -password to generate the host key file ntpkey_RSAkey_NsAralice.filestamp -Ns -Ar -alice.filestamp and trusted private certificate file ntpkey_RSA-MD5_cert_NsAralice.filestamp. -Ns -Ar -alice.filestamp -. Copy both files to all group hosts; they replace the files which would be generated in other schemes. On each host bob install a soft link from the generic name ntpkey_host_NsArbob -Ns -Ar -bob to the host key file and soft link ntpkey_cert_NsArbob -Ns -Ar -bob to the private certificate file. Note the generic links are on bob, but point to files generated by trusted host alice. @@ -769,19 +768,12 @@ and certificates for all group hosts, then for every trusted host in the group, generate the IFF parameter file. On trusted host alice run ntp-keygen --T -I -p -Ar -password to produce her parameter file +-T -I -p -password to produce her parameter file ntpkey_IFFpar_NsAralice.filestamp, -Ns -Ar -alice.filestamp -, which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic ntpkey_iff_NsAralice -Ns -Ar -alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. @@ -798,9 +790,6 @@ After generating the parameter file, on alice run Copy or mail this file to all restricted clients. On these clients install a soft link from the generic ntpkey_iff_NsAralice -Ns -Ar -alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. 
@@ -810,26 +799,16 @@ and certificates for all group hosts, then for every trusted host in the group, generate the IFF parameter file. On trusted host alice run ntp-keygen --T -G -p -Ar -password to produce her parameter file +-T -G -p -password to produce her parameter file ntpkey_GQpar_NsAralice.filestamp, -Ns -Ar -alice.filestamp -, which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic ntpkey_gq_NsAralice -Ns -Ar -alice to this file. In addition, on each host bob install a soft link from generic ntpkey_gq_NsArbob -Ns -Ar -bob to this file. As the GQ scheme updates the GQ parameters file and certificate at the same time, keys and certificates can be regenerated as needed. @@ -840,27 +819,18 @@ For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. On TA trish run ntp-keygen --V -Ar -n -p -Ar -password, where -n is the number of revokable keys (typically 5) to produce +-V -n -p -password, where +n is the number of revokable keys (typically 5) to produce the parameter file ntpkeys_MVpar_NsArtrish.filestamp -Ns -Ar -trish.filestamp and client key files ntpkeys_MVkeyd_NsArtrish.filestamp -Ns -Ar -trish.filestamp where -d is the key number (0 \&< -d \&< -n). Copy the parameter file to alice and install a soft link +d is the key number (0 \&< +d \&< +n). Copy the parameter file to alice and install a soft link from the generic ntpkey_mv_NsAralice -Ns -Ar -alice to this file. Copy one of the client key files to alice for later distribution to her clients. @@ -869,9 +839,6 @@ since they all work the same way. Alice copies the client key file to all of her cliens. On client bob install a soft link from generic ntpkey_mvkey_NsArbob -Ns -Ar -bob to the client key file. As the MV scheme is independent of keys and certificates, these files can be refreshed as needed. @@ -889,7 +856,7 @@ Options

Fl
Select certificate message digest/signature encryption scheme. The -scheme can be one of the following: +scheme can be one of the following: . Cm RSA-MD2 @@ -923,19 +890,19 @@ If the GQ parameters do not yet exist, create them first.
Fl
Generate parameters for the IFF identification scheme, obsoleting any that may exist.
Fl
Set the suject name to -name. This is used as the subject field in certificates +name. This is used as the subject field in certificates and in the file name for host and sign keys.
Fl
Generate MD5 keys, obsoleting any that may exist.
Fl
Generate a private certificate. By default, the program generates public certificates.
Fl
Encrypt generated files containing private data with -password and the DES-CBC algorithm. +password and the DES-CBC algorithm.
Fl
Set the password for reading files to password.
Fl
Generate a new sign key of the designated type, obsoleting any that may exist. By default, the program uses the host key as the sign key.
Fl
Set the issuer name to -name. This is used for the issuer field in certificates +name. This is used for the issuer field in certificates and in the file name for identity files.
Fl
Generate a trusted certificate. By default, the program generates a non-trusted certificate. @@ -973,7 +940,7 @@ but are outside the scope of this page.

The entropy seed used by the OpenSSL library is contained in a file, usually called -.rnd, which must be available when starting the NTP daemon +.rnd, which must be available when starting the NTP daemon or the ntp-keygen program. @@ -995,7 +962,7 @@ If the RANDFILE environment variable is not present, the library will look for the -.rnd file in the user home directory. +.rnd file in the user home directory. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. @@ -1017,7 +984,7 @@ The second contains the datestamp in conventional Unix date format. Lines beginning with # are considered comments and ignored by the ntp-keygen program and -ntpd(8) +ntpd(1ntpdmdoc) daemon. Cryptographic values are encoded first using ASN.1 rules, then encrypted if necessary, and finally written PEM-encoded @@ -1035,9 +1002,9 @@ keyno type key where -keyno is a positive integer in the range 1-65,535, -type is the string MD5 defining the key format and -key is the key itself, +keyno is a positive integer in the range 1-65,535, +type is the string MD5 defining the key format and +key is the key itself, which is a printable ASCII string 16 characters or less in length. Each character is chosen from the 93 printable characters in the range 0x21 through 0x7f excluding space and the @@ -1045,9 +1012,9 @@ in the range 0x21 through 0x7f excluding space and the character.

Note that the keys used by the -ntpq(8) +ntpq(1ntpqmdoc) and -ntpdc(8) +ntpdc(1ntpdcmdoc) programs are checked against passwords requested by the programs and entered by hand, so it is generally appropriate to specify these keys @@ -1057,16 +1024,11 @@ in human readable ASCII format. ntp-keygen program generates a MD5 symmetric keys file ntpkey_MD5key_NsArhostname.filestamp. -Ns -Ar -hostname.filestamp -. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. The NTP daemon loads the file ntp.keys, -, so ntp-keygen installs a soft link from this name to the generated file. @@ -1075,9 +1037,9 @@ or automated means on the other subnet hosts. While this file is not used with the Autokey Version 2 protocol, it is needed to authenticate some remote configuration commands used by the -ntpq(8) +ntpq(1ntpqmdoc) and -ntpdc(8) +ntpdc(1ntpdcmdoc) utilities.

This section was generated by AutoGen, @@ -1132,7 +1094,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to more. Both will exit with a status code of 0. -

     ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p336
+     
     ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p337
      USAGE:  ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
        Flg Arg Option-Name    Description
         -b Num imbits         identity modulus bits
@@ -1250,9 +1212,9 @@ This option takes an argument string cipher.
 
        

Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, -equivalent to "-C des-ede3-cbc". The openssl tool lists ciphers +equivalent to "-C des-ede3-cbc". The openssl tool lists ciphers available in "openssl -h" output. -

+


Next: , Previous: ntp-keygen cipher, @@ -1353,12 +1315,13 @@ This option takes an argument string group.

Set the optional Autokey group name to name. This is used in the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not -provided. The group name, if specified using -i/–ident or -using -s/–subject-name following an '´character, is also a -part of the self-signed host certificate's subject and issuer -names in the form host -

or 'server ident' configuration in ntpd's configuration file. -

+provided. The group name, if specified using -i/--ident or +using -s/--subject-name following an '}' character, +is also a part of the self-signed host certificate's subject and +issuer names in the form host +

'crypto ident' or 'server ident' configuration in +ntpd's configuration file. +


Next: , Previous: ntp-keygen ident, @@ -1369,7 +1332,7 @@ Up: Cryptographic

lifetime option (-l)

-This is the “set certificate lifetime” option.
+This is the ``set certificate lifetime'' option.
 This option takes an argument number lifetime.

This option has some usage constraints. It: @@ -1389,7 +1352,7 @@ Up: Cryptographic

md5key option (-M)

-This is the “generate md5 keys” option.
+This is the ``generate md5 keys'' option.
 Generate MD5 keys, obsoleting any that may exist.


@@ -1402,7 +1365,7 @@ Up: Cryptographic

modulus option (-m)

-This is the “modulus” option.
+This is the ``modulus'' option.
 This option takes an argument number modulus.

This option has some usage constraints. It: @@ -1422,7 +1385,7 @@ Up: Cryptographic

pvt-cert option (-P)

-This is the “generate pc private certificate” option.
+This is the ``generate pc private certificate'' option.

This option has some usage constraints. It:

    @@ -1442,7 +1405,7 @@ Up: Cryptographic

    pvt-passwd option (-p)

    -This is the “output private password” option. +This is the ``output private password'' option. This option takes an argument string passwd.

    This option has some usage constraints. It: @@ -1451,7 +1414,7 @@ This option takes an argument string passwd.

Encrypt generated files containing private data with the specified
-password and the cipher selected with -C/–cipher.
+password and the cipher selected with -C/--cipher.


Next: , @@ -1463,7 +1426,7 @@ Up: Cryptographic

get-pvt-passwd option (-q)

-This is the “input private password” option.
+This is the ``input private password'' option.
 This option takes an argument string passwd.

This option has some usage constraints. It: @@ -1483,7 +1446,7 @@ Up: Cryptographic

sign-key option (-S)

-This is the “generate sign key (rsa or dsa)” option.
+This is the ``generate sign key (rsa or dsa)'' option.
 This option takes an argument string sign.

This option has some usage constraints. It: @@ -1505,7 +1468,7 @@ Up: Cryptographic

subject-name option (-s)

-This is the “set host and optionally group name” option.
+This is the ``set host and optionally group name'' option.
 This option takes an argument string host@group.

This option has some usage constraints. It: @@ -1514,16 +1477,16 @@ This option takes an argument string host@group.

Set the Autokey host name, and optionally, group name specified -following an '´character. The host name is used in the file +following an '}' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used in host -

fields. Specifying '-s is allowed, and results in -leaving the host name unchanged while appending +

fields. Specifying '-s +

leaving the host name unchanged while appending

subject and issuer fields, as with -i group. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. -

+


Next: , Previous: ntp-keygen subject-name, @@ -1534,7 +1497,7 @@ Up: Cryptographic

trusted-cert option (-T)

-This is the “trusted certificate (tc scheme)” option.
+This is the ``trusted certificate (tc scheme)'' option.

This option has some usage constraints. It:

    @@ -1554,7 +1517,7 @@ Up: Cryptographic

    mv-params option (-V)

    -This is the “generate <num> mv parameters” option. +This is the ``generate <num> mv parameters'' option. This option takes an argument number num.

    This option has some usage constraints. It: @@ -1575,7 +1538,7 @@ Up: Cryptographic

    mv-keys option (-v)

    -This is the “update <num> mv keys” option. +This is the ``update <num> mv keys'' option. This option takes an argument number num.

    This option has some usage constraints. It: @@ -1686,8 +1649,8 @@ Up: Cryptographic

    ntp-keygen Usage

    The --p -Ar -password option specifies the write password and --q -Ar -password option the read password for previously encrypted files. +-p -password option specifies the write password and +-q -password option the read password for previously encrypted files. The ntp-keygen program prompts for the password if it reads an encrypted file @@ -1736,18 +1699,22 @@ Up: Top

    All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal -pseudo-random number generator used by the OpenSSL library routines. If -a site supports ssh, it is very likely that means to do this are -already available. The entropy seed used by the OpenSSL library is -contained in a file, usually called .rnd, which must be available when -starting the ntp-keygen program or ntpd daemon. +pseudo-random number generator used by the OpenSSL library routines. +If a site supports ssh, it is very likely that means to do this are +already available. +The entropy seed used by the OpenSSL library is contained in a file, +usually called .rnd, which must be available when +starting the ntp-keygen program or ntpd daemon.

    The OpenSSL library looks for the file using the path specified by the -RANDFILE environment variable in the user home directory, whether root -or some other user. If the RANDFILE environment variable is not -present, the library looks for the .rnd file in the user home -directory. Since both the ntp-keygen program and ntpd daemon must run -as root, the logical place to put this file is in /.rnd or /root/.rnd. +RANDFILE environment variable in the user home directory, whether root +or some other user. +If the RANDFILE environment variable is not +present, the library looks for the .rnd file in the user home +directory. +Since both the ntp-keygen program and ntpd daemon must run +as root, the logical place to put this file is in /.rnd or +/root/.rnd. If the file is not available or cannot be written, the program exits with a message to the system log. @@ -1761,34 +1728,37 @@ Up: Top

    Cryptographic Data Files

    -

    File and link names are in the form ntpkey_key_name.fstamp, where key -is the key or parameter type, name is the host or group name and fstamp -is the filestamp (NTP seconds) when the file was created). By -convention, key names in generated file names include both upper and +

    File and link names are in the form ntpkey_key_name.fstamp, +where key is the key or parameter type, +name is the host or group name and +fstamp is the filestamp (NTP seconds) when the file was created). +By convention, key names in generated file names include both upper and lower case characters, while key names in generated link names include only lower case characters. The filestamp is not used in generated link names. -

    The key name is a string defining the cryptographic key type. Key types -include public/private keys host and sign, certificate cert and several -challenge/response key types. By convention, client files used for +

    The key name is a string defining the cryptographic key type. +Key types include public/private keys host and sign, certificate cert +and several challenge/response key types. +By convention, client files used for challenges have a par subtype, as in the IFF challenge IFFpar, while server files for responses have a key subtype, as in the GQ response GQkey.

    All files begin with two nonencrypted lines. The first line contains -the file name in the format ntpkey_key_host.fstamp. The second line -contains the datestamp in conventional Unix date format. Lines -beginning with # are ignored. +the file name in the format ntpkey_key_host.fstamp. +The second line contains the datestamp in conventional Unix date format. +Lines beginning with # are ignored.

    The remainder of the file contains cryptographic data encoded first using ASN.1 rules, then encrypted using the DES-CBC algorithm with given password and finally written in PEM-encoded printable ASCII text preceded and followed by MIME content identifier lines. -

    The format of the symmetric keys file, ordinarily named ntp.keys, is -somewhat different than the other files in the interest of backward -compatibility. Ordinarily, the file is generated by this program, but +

    The format of the symmetric keys file, ordinarily named ntp.keys, +is somewhat different than the other files in the interest of backward +compatibility. +Ordinarily, the file is generated by this program, but it can be constructed and edited using an ordinary text editor.

             # ntpkey_MD5key_hms.local.3564038757
    @@ -1818,33 +1788,43 @@ it can be constructed and edited using an ordinary text editor.
            

    Figure 1. Typical Symmetric Key File

    Figure 1 shows a typical symmetric keys file used by the reference -implementation. Each line of the file contains three fields, first an +implementation. +Each line of the file contains three fields, first an integer between 1 and 65534, inclusive, representing the key identifier -used in the server and peer configuration commands. Next is the key -type for the message digest algorithm, which in the absence of the +used in the server and peer configuration commands. +Next is the key type for the message digest algorithm, +which in the absence of the OpenSSL library must be MD5 to designate the MD5 message digest -algorithm. If the OpenSSL library is installed, the key type can be any -message digest algorithm supported by that library. However, if +algorithm. +If the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library. +However, if compatibility with FIPS 140-2 is required, the key type must be either -SHA or SHA1. The key type can be changed using an ASCII text editor. +SHA or SHA1. +The key type can be changed using an ASCII text editor.

    An MD5 key consists of a printable ASCII string less than or equal to -16 characters and terminated by whitespace or a # character. An OpenSSL +16 characters and terminated by whitespace or a # character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which is truncated as necessary. -

    Note that the keys used by the ntpq and ntpdc programs are checked -against passwords requested by the programs and entered by hand, so it +

    Note that the keys used by the ntpq and ntpdc programs are +checked against passwords requested by the programs and entered by hand, +so it is generally appropriate to specify these keys in human readable ASCII format.

    The ntp-keygen program generates a MD5 symmetric keys file -ntpkey_MD5key_hostname.filestamp. Since the file contains private +ntpkey_MD5key_hostname.filestamp. +Since the file contains private shared keys, it should be visible only to root and distributed by -secure means to other subnet hosts. The NTP daemon loads the file -ntp.keys, so ntp-keygen installs a soft link from this name to the -generated file. Subsequently, similar soft links must be installed by -manual or automated means on the other subnet hosts. While this file is +secure means to other subnet hosts. +The NTP daemon loads the file ntp.keys, so ntp-keygen +installs a soft link from this name to the generated file. +Subsequently, similar soft links must be installed by +manual or automated means on the other subnet hosts. +While this file is not used with the Autokey Version 2 protocol, it is needed to authenticate some remote configuration commands used by the ntpq and ntpdc utilities. diff --git a/util/ntp-keygen.man.in b/util/ntp-keygen.man.in index 936a59199..b4dd85000 100644 --- a/util/ntp-keygen.man.in +++ b/util/ntp-keygen.man.in @@ -1,8 +1,8 @@ -.TH ntp-keygen @NTP_KEYGEN_MS@ "24 Dec 2012" "ntp (4.2.7p337)" "User Commands" +.TH ntp-keygen @NTP_KEYGEN_MS@ "25 Dec 2012" "ntp (4.2.7p338)" "User Commands" .\" .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.man) .\" -.\" It has been AutoGen-ed December 24, 2012 at 12:08:20 PM by AutoGen 5.16.2 +.\" It has been AutoGen-ed December 25, 2012 at 11:35:40 AM by AutoGen 5.16.2 .\" From the definitions ntp-keygen-opts.def .\" and the template file agman-cmd.tpl .\" 
@@ -16,837 +16,6 @@ ntp-keygen \- Create a NTP host key All arguments must be options. .PP .SH DESCRIPTION -This program generates cryptographic data files used by the NTPv4 -authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. -These files are used for cookie encryption, -digital signature and challenge/response identification algorithms -compatible with the Internet standard security infrastructure. -.PP -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites -and certificate authorities. -By default, files are not encrypted. -.PP -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. -If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored -using secure means beyond the scope of NTP itself. -Besides the keys used for ordinary NTP associations, additional keys -can be defined as passwords for the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -utility programs. -.PP -The remaining generated files are compatible with other OpenSSL -applications and other Public Key Infrastructure (PKI) resources. -Certificates generated by this program are compatible with extant -industry practice, although some users might find the interpretation of -X509v3 extension fields somewhat liberal. -However, the identity keys are probably not compatible with anything -other than Autokey. -.PP -Some files used by this program are encrypted using a private password. 
-The -p -option specifies the password for local encrypted files and the -q -option the password for encrypted files sent to remote sites. -If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. -.PP -The -\fIpw\fR -option of the -\fIcrypto\fR -configuration command specifies the read -password for previously encrypted local files. -This must match the local password used by this program. -If not specified, the host name is used. -Thus, if files are generated by this program without password, -they can be read back by -\fIntpd\fR -without password but only on the same host. -.PP -Normally, encrypted files for each host are generated by that host and -used only by that host, although exceptions exist as noted later on -this page. -The symmetric keys file, normally called -\fIntp.keys ,\fR -is usually installed in -.Pa /etc . -Other files and links are usually installed in -.Pa /usr/local/etc , -which is normally in a shared filesystem in -NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -\fIkeysdir\fR -configuration command in such cases. -Normally, this is in -.Pa /etc . -.PP -This program directs commentary and error messages to the standard -error stream -\fIstderr\fR -and remote files to the standard output stream -\fIstdout\fR -where they can be piped to other applications or redirected to files. -The names used for generated files and links all begin with the -string -\fIntpkey\fR -and include the file type, generating host and filestamp, -as described in the -.Dq Cryptographic Data Files -section below. 
-.SS Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -\fIntpkey\fR -have been removed, use the -.B -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.PP -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.B -with the -T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.PP -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. 
-After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. -.PP -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public-Key Authentication -page. -.PP -The -.Xr ntpd @NTPD_MS@ -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.PP -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -\fI_hostname.filestamp ,\fR -where -\fIhostname\fR -is the owner name, usually the string returned -by the Unix gethostname() routine, and -\fIfilestamp\fR -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -\fI\&*filestamp\fR -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.PP -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. 
-.PP -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.PP -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.B -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.SS Running the program -The safest way to run the -.B -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. -.PP -The host key is used to encrypt the cookie when required and so must be RSA type. 
-By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. -.PP -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. -.PP -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . -.PP -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir -command. 
-There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.PP -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -.PP -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.PP -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.PP -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. 
-This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.B -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.SS Running the program -The safest way to run the -.B -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. -.PP -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. 
-.PP -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. -.PP -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . -.PP -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir -command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.PP -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. 
-The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups -Each cryptographic configuration involves selection of a signature scheme -and identification scheme, called a cryptotype, -as explained in the -.Sx Authentication Options -section of -.Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. -First, configure a NTP subnet including one or more low-stratum -trusted hosts from which all other hosts derive synchronization -directly or indirectly. -Trusted hosts have trusted certificates; -all other hosts have nontrusted certificates. -These hosts will automatically and dynamically build authoritative -certificate trails to one or more trusted hosts. -A trusted group is the set of all hosts that have, directly or indirectly, -a certificate trail ending at a trusted host. -The trail is defined by static configuration file entries -or dynamic means described on the -.Sx Automatic NTP Configuration Options -section of -.Xr ntp.conf 5 . -.PP -On each trusted host as root, change to the keys directory. -To insure a fresh fileset, remove all -.Cm ntpkey -files. -Then run -.B -T -to generate keys and a trusted certificate. -On all other hosts do the same, but leave off the -T -flag to generate keys and nontrusted certificates. -When complete, start the NTP daemons beginning at the lowest stratum -and working up the tree. -It may take some time for Autokey to instantiate the certificate trails -throughout the subnet, but setting up the environment is completely automatic. -.PP -If it is necessary to use a different sign key or different digest/signature -scheme than the default, run -.B -with the -S Ar type -option, where -\fItype\fR -is either -.Cm RSA -or -.Cm DSA . -The most often need to do this is when a DSA-signed certificate is used. 
-If it is necessary to use a different certificate scheme than the default, -run -.B -with the -c Ar scheme -option and selected -\fIscheme\fR -as needed. -f -.B -is run again without these options, it generates a new certificate -using the same scheme and sign key. -.PP -After setting up the environment it is advisable to update certificates -from time to time, if only to extend the validity interval. -Simply run -.B -with the same flags as before to generate new certificates -using existing keys. -However, if the host or sign key is changed, -.Xr ntpd @NTPD_MS@ -should be restarted. -When -.Xr ntpd @NTPD_MS@ -is restarted, it loads any new files and restarts the protocol. -Other dependent hosts will continue as usual until signatures are refreshed, -at which time the protocol is restarted. -.SS Identity Schemes -As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. -However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . -These schemes are based on a TA, one or more trusted hosts -and some number of nontrusted hosts. -Trusted hosts prove identity using values provided by the TA, -while the remaining hosts prove identity using values provided -by a trusted host and certificate trails that end on that host. -The name of a trusted host is also the name of its sugroup -and also the subject and issuer name on its trusted certificate. -The TA is not necessarily a trusted host in this sense, but often is. -.PP -In some schemes there are separate keys for servers and clients. -A server can also be a client of another server, -but a client can never be a server for another client. -In general, trusted hosts and nontrusted hosts that operate -as both server and client have parameter files that contain -both server and client keys. 
-Hosts that operate -only as clients have key files that contain only client keys. -.PP -The PC scheme supports only one trusted host in the group. -On trusted host alice run -.B -P -p Ar password -to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp -and trusted private certificate file -.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp . -Copy both files to all group hosts; -they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name -.Pa ntpkey_host_ Ns Ar bob -to the host key file and soft link -.Pa ntpkey_cert_ Ns Ar bob -to the private certificate file. -Note the generic links are on bob, but point to files generated -by trusted host alice. -In this scheme it is not possible to refresh -either the keys or certificates without copying them -to all other hosts in the group. -.PP -For the IFF scheme proceed as in the TC scheme to generate keys -and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. -On trusted host alice run -.B -T -I -p Ar password -to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , -which includes both server and client keys. -Copy this file to all group hosts that operate as both servers -and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice -to this file. -If there are no hosts restricted to operate only as clients, -there is nothing further to do. -As the IFF scheme is independent -of keys and certificates, these files can be refreshed as needed. -.PP -If a rogue client has the parameter file, it could masquerade -as a legitimate server and present a middleman threat. -To eliminate this threat, the client keys can be extracted -from the parameter file and distributed to all restricted clients. -After generating the parameter file, on alice run -.B -e -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. 
-On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice -to this file. -To further protect the integrity of the keys, -each file can be encrypted with a secret password. -.PP -For the GQ scheme proceed as in the TC scheme to generate keys -and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. -On trusted host alice run -.B -T -G -p Ar password -to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , -which includes both server and client keys. -Copy this file to all group hosts and install a soft link -from the generic -.Pa ntpkey_gq_ Ns Ar alice -to this file. -In addition, on each host bob install a soft link -from generic -.Pa ntpkey_gq_ Ns Ar bob -to this file. -As the GQ scheme updates the GQ parameters file and certificate -at the same time, keys and certificates can be regenerated as needed. -.PP -For the MV scheme, proceed as in the TC scheme to generate keys -and certificates for all group hosts. -For illustration assume trish is the TA, alice one of several trusted hosts -and bob one of her clients. -On TA trish run -.B -V Ar n -p Ar password , -where -\fIn\fR -is the number of revokable keys (typically 5) to produce -the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp -and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp -where -\fId\fR -is the key number (0 \&< -\fId\fR -\&< -\fIn ) .\fR -Copy the parameter file to alice and install a soft link -from the generic -.Pa ntpkey_mv_ Ns Ar alice -to this file. -Copy one of the client key files to alice for later distribution -to her clients. -It doesn't matter which client key file goes to alice, -since they all work the same way. -Alice copies the client key file to all of her cliens. -On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob -to the client key file. -As the MV scheme is independent of keys and certificates, -these files can be refreshed as needed. 
-.SS Command Line Options -.TP -.BR Fl c Ar scheme -Select certificate message digest/signature encryption scheme. -The -\fIscheme\fR -can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , -or -.Cm DSA-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. -The default without this option is -.Cm RSA-MD5 . -.TP -.BR Fl d -Enable debugging. -This option displays the cryptographic data produced in eye-friendly billboards. -.TP -.BR Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.TP -.BR Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.TP -.BR Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.TP -.BR Fl H -Generate new host keys, obsoleting any that may exist. -.TP -.BR Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.TP -.BR Fl i Ar name -Set the suject name to -\fIname .\fR -This is used as the subject field in certificates -and in the file name for host and sign keys. -.TP -.BR Fl M -Generate MD5 keys, obsoleting any that may exist. -.TP -.BR Fl P -Generate a private certificate. -By default, the program generates public certificates. -.TP -.BR Fl p Ar password -Encrypt generated files containing private data with -\fIpassword\fR -and the DES-CBC algorithm. -.TP -.BR Fl q -Set the password for reading files to password. -.TP -.BR Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.TP -.BR Fl s Ar name -Set the issuer name to -\fIname .\fR -This is used for the issuer field in certificates -and in the file name for identity files. 
-.TP -.BR Fl T -Generate a trusted certificate. -By default, the program generates a non-trusted certificate. -.TP -.BR Fl V Ar nkeys -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. -.SS Random Seed File -All cryptographically sound key generation schemes must have means -to randomize the entropy seed used to initialize -the internal pseudo-random number generator used -by the library routines. -The OpenSSL library uses a designated random seed file for this purpose. -The file must be available when starting the NTP daemon and -.B -program. -If a site supports OpenSSL or its companion OpenSSH, -it is very likely that means to do this are already available. -.PP -It is important to understand that entropy must be evolved -for each generation, for otherwise the random number sequence -would be predictable. -Various means dependent on external events, such as keystroke intervals, -can be used to do this and some systems have built-in entropy sources. -Suitable means are described in the OpenSSL software documentation, -but are outside the scope of this page. -.PP -The entropy seed used by the OpenSSL library is contained in a file, -usually called -.Cm .rnd , -which must be available when starting the NTP daemon -or the -.B -program. -The NTP daemon will first look for the file -using the path specified by the -.Ic randfile -subcommand of the -.Ic crypto -configuration command. -If not specified in this way, or when starting the -.B -program, -the OpenSSL library will look for the file using the path specified -by the -.Ev RANDFILE -environment variable in the user home directory, -whether root or some other user. -If the -.Ev RANDFILE -environment variable is not present, -the library will look for the -.Cm .rnd -file in the user home directory. -If the file is not available or cannot be written, -the daemon exits with a message to the system log and the program -exits with a suitable error message. 
-.SS Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the -.B -program and -.Xr ntpd @NTPD_MS@ -daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. -.PP -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key -where -\fIkeyno\fR -is a positive integer in the range 1-65,535, -\fItype\fR -is the string MD5 defining the key format and -\fIkey\fR -is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the -.Ql # -character. -.PP -Note that the keys used by the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -programs -are checked against passwords requested by the programs -and entered by hand, so it is generally appropriate to specify these keys -in human readable ASCII format. -.PP -The -.B -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . -Since the file contains private shared keys, -it should be visible only to root and distributed by secure means -to other subnet hosts. -The NTP daemon loads the file -.Pa ntp.keys , -so -.B -installs a soft link from this name to the generated file. -Subsequently, similar soft links must be installed by manual -or automated means on the other subnet hosts. 
-While this file is not used with the Autokey Version 2 protocol, -it is needed to authenticate some remote configuration commands -used by the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -utilities. .SH "OPTIONS" .TP .BR \-b " \fIimbits\fP, " \-\-imbits "=" \fIimbits\fP @@ -1043,18 +212,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .SH USAGE -The -p Ar password -option specifies the write password and -q Ar password -option the read password for previously encrypted files. -The -.B -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .SH "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .SH "FILES" @@ -1080,15 +237,8 @@ The University of Delaware Copyright (C) 1970-2012 The University of Delaware all rights reserved. This program is released under the terms of the NTP license, . .SH BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. -.PP -Please report bugs to http://bugs.ntp.org .Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org +Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org .SH NOTES -This document corresponds to version @VERSION@ of NTP. -Portions of this document came from FreeBSD. .PP This manual page was \fIAutoGen\fP-erated from the \fBntp-keygen\fP option definitions. diff --git a/util/ntp-keygen.mdoc.in b/util/ntp-keygen.mdoc.in index 900d54072..47f2e9d46 100644 --- a/util/ntp-keygen.mdoc.in +++ b/util/ntp-keygen.mdoc.in 
@@ -1,9 +1,9 @@
-.Dd December 24 2012
+.Dd December 25 2012
 .Dt NTP_KEYGEN @NTP_KEYGEN_MS@ User Commands
-.Os FreeBSD 6.4-STABLE
+.Os SunOS 5.10
 .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
 .\"
-.\" It has been AutoGen-ed December 24, 2012 at 12:08:14 PM by AutoGen 5.16.2
+.\" It has been AutoGen-ed December 25, 2012 at 11:35:47 AM by AutoGen 5.16.2
 .\" From the definitions ntp-keygen-opts.def
 .\" and the template file agmdoc-cmd.tpl
 .Sh NAME
@@ -19,823 +19,6 @@ All arguments must be options. .Pp .Sh DESCRIPTION -This program generates cryptographic data files used by the NTPv4 -authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. -These files are used for cookie encryption, -digital signature and challenge/response identification algorithms -compatible with the Internet standard security infrastructure. -.Pp -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites -and certificate authorities. -By default, files are not encrypted. -.Pp -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. -If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored -using secure means beyond the scope of NTP itself. -Besides the keys used for ordinary NTP associations, additional keys -can be defined as passwords for the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -utility programs. -.Pp -The remaining generated files are compatible with other OpenSSL -applications and other Public Key Infrastructure (PKI) resources. -Certificates generated by this program are compatible with extant -industry practice, although some users might find the interpretation of -X509v3 extension fields somewhat liberal. -However, the identity keys are probably not compatible with anything -other than Autokey. -.Pp -Some files used by this program are encrypted using a private password. 
-The -.Fl p -option specifies the password for local encrypted files and the -.Fl q -option the password for encrypted files sent to remote sites. -If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. -.Pp -The -.Ar pw -option of the -.Ar crypto -configuration command specifies the read -password for previously encrypted local files. -This must match the local password used by this program. -If not specified, the host name is used. -Thus, if files are generated by this program without password, -they can be read back by -.Ar ntpd -without password but only on the same host. -.Pp -Normally, encrypted files for each host are generated by that host and -used only by that host, although exceptions exist as noted later on -this page. -The symmetric keys file, normally called -.Ar ntp.keys , -is usually installed in -.Pa /etc . -Other files and links are usually installed in -.Pa /usr/local/etc , -which is normally in a shared filesystem in -NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -.Ar keysdir -configuration command in such cases. -Normally, this is in -.Pa /etc . -.Pp -This program directs commentary and error messages to the standard -error stream -.Ar stderr -and remote files to the standard output stream -.Ar stdout -where they can be piped to other applications or redirected to files. -The names used for generated files and links all begin with the -string -.Ar ntpkey -and include the file type, generating host and filestamp, -as described in the -.Dq Cryptographic Data Files -section below. 
-.Ss Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -.Ar ntpkey -have been removed, use the -.Nm -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.Pp -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.Nm -with the -.Fl T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.Pp -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -.Fl S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -.Fl c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. 
-Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. -.Pp -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public-Key Authentication -page. -.Pp -The -.Xr ntpd @NTPD_MS@ -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.Pp -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -.Ar _hostname.filestamp , -where -.Ar hostname -is the owner name, usually the string returned -by the Unix gethostname() routine, and -.Ar filestamp -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -.Ar \&*filestamp -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. 
-.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program -The safest way to run the -.Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. -.Pp -The host key is used to encrypt the cookie when required and so must be RSA type. 
-By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. -.Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. -.Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . -.Pp -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir -command. 
-There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. 
-This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program -The safest way to run the -.Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. -.Pp -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. 
-.Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. -.Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . -.Pp -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir -command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. 
-The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups -Each cryptographic configuration involves selection of a signature scheme -and identification scheme, called a cryptotype, -as explained in the -.Sx Authentication Options -section of -.Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. -First, configure a NTP subnet including one or more low-stratum -trusted hosts from which all other hosts derive synchronization -directly or indirectly. -Trusted hosts have trusted certificates; -all other hosts have nontrusted certificates. -These hosts will automatically and dynamically build authoritative -certificate trails to one or more trusted hosts. -A trusted group is the set of all hosts that have, directly or indirectly, -a certificate trail ending at a trusted host. -The trail is defined by static configuration file entries -or dynamic means described on the -.Sx Automatic NTP Configuration Options -section of -.Xr ntp.conf 5 . -.Pp -On each trusted host as root, change to the keys directory. -To insure a fresh fileset, remove all -.Cm ntpkey -files. -Then run -.Nm -.Fl T -to generate keys and a trusted certificate. -On all other hosts do the same, but leave off the -.Fl T -flag to generate keys and nontrusted certificates. -When complete, start the NTP daemons beginning at the lowest stratum -and working up the tree. -It may take some time for Autokey to instantiate the certificate trails -throughout the subnet, but setting up the environment is completely automatic. -.Pp -If it is necessary to use a different sign key or different digest/signature -scheme than the default, run -.Nm -with the -.Fl S Ar type -option, where -.Ar type -is either -.Cm RSA -or -.Cm DSA . -The most often need to do this is when a DSA-signed certificate is used. 
-If it is necessary to use a different certificate scheme than the default, -run -.Nm -with the -.Fl c Ar scheme -option and selected -.Ar scheme -as needed. -f -.Nm -is run again without these options, it generates a new certificate -using the same scheme and sign key. -.Pp -After setting up the environment it is advisable to update certificates -from time to time, if only to extend the validity interval. -Simply run -.Nm -with the same flags as before to generate new certificates -using existing keys. -However, if the host or sign key is changed, -.Xr ntpd @NTPD_MS@ -should be restarted. -When -.Xr ntpd @NTPD_MS@ -is restarted, it loads any new files and restarts the protocol. -Other dependent hosts will continue as usual until signatures are refreshed, -at which time the protocol is restarted. -.Ss Identity Schemes -As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. -However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . -These schemes are based on a TA, one or more trusted hosts -and some number of nontrusted hosts. -Trusted hosts prove identity using values provided by the TA, -while the remaining hosts prove identity using values provided -by a trusted host and certificate trails that end on that host. -The name of a trusted host is also the name of its sugroup -and also the subject and issuer name on its trusted certificate. -The TA is not necessarily a trusted host in this sense, but often is. -.Pp -In some schemes there are separate keys for servers and clients. -A server can also be a client of another server, -but a client can never be a server for another client. -In general, trusted hosts and nontrusted hosts that operate -as both server and client have parameter files that contain -both server and client keys. 
-Hosts that operate -only as clients have key files that contain only client keys. -.Pp -The PC scheme supports only one trusted host in the group. -On trusted host alice run -.Nm -.Fl P -.Fl p Ar password -to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp -and trusted private certificate file -.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp . -Copy both files to all group hosts; -they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name -.Pa ntpkey_host_ Ns Ar bob -to the host key file and soft link -.Pa ntpkey_cert_ Ns Ar bob -to the private certificate file. -Note the generic links are on bob, but point to files generated -by trusted host alice. -In this scheme it is not possible to refresh -either the keys or certificates without copying them -to all other hosts in the group. -.Pp -For the IFF scheme proceed as in the TC scheme to generate keys -and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. -On trusted host alice run -.Nm -.Fl T -.Fl I -.Fl p Ar password -to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , -which includes both server and client keys. -Copy this file to all group hosts that operate as both servers -and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice -to this file. -If there are no hosts restricted to operate only as clients, -there is nothing further to do. -As the IFF scheme is independent -of keys and certificates, these files can be refreshed as needed. -.Pp -If a rogue client has the parameter file, it could masquerade -as a legitimate server and present a middleman threat. -To eliminate this threat, the client keys can be extracted -from the parameter file and distributed to all restricted clients. -After generating the parameter file, on alice run -.Nm -.Fl e -and pipe the output to a file or mail program. 
-Copy or mail this file to all restricted clients. -On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice -to this file. -To further protect the integrity of the keys, -each file can be encrypted with a secret password. -.Pp -For the GQ scheme proceed as in the TC scheme to generate keys -and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. -On trusted host alice run -.Nm -.Fl T -.Fl G -.Fl p Ar password -to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , -which includes both server and client keys. -Copy this file to all group hosts and install a soft link -from the generic -.Pa ntpkey_gq_ Ns Ar alice -to this file. -In addition, on each host bob install a soft link -from generic -.Pa ntpkey_gq_ Ns Ar bob -to this file. -As the GQ scheme updates the GQ parameters file and certificate -at the same time, keys and certificates can be regenerated as needed. -.Pp -For the MV scheme, proceed as in the TC scheme to generate keys -and certificates for all group hosts. -For illustration assume trish is the TA, alice one of several trusted hosts -and bob one of her clients. -On TA trish run -.Nm -.Fl V Ar n -.Fl p Ar password , -where -.Ar n -is the number of revokable keys (typically 5) to produce -the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp -and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp -where -.Ar d -is the key number (0 \&< -.Ar d -\&< -.Ar n ) . -Copy the parameter file to alice and install a soft link -from the generic -.Pa ntpkey_mv_ Ns Ar alice -to this file. -Copy one of the client key files to alice for later distribution -to her clients. -It doesn't matter which client key file goes to alice, -since they all work the same way. -Alice copies the client key file to all of her cliens. -On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob -to the client key file. 
-As the MV scheme is independent of keys and certificates, -these files can be refreshed as needed. -.Ss Command Line Options -.Bl -tag -width indent -.It Fl c Ar scheme -Select certificate message digest/signature encryption scheme. -The -.Ar scheme -can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , -or -.Cm DSA-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. -The default without this option is -.Cm RSA-MD5 . -.It Fl d -Enable debugging. -This option displays the cryptographic data produced in eye-friendly billboards. -.It Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.It Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.It Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.It Fl H -Generate new host keys, obsoleting any that may exist. -.It Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.It Fl i Ar name -Set the suject name to -.Ar name . -This is used as the subject field in certificates -and in the file name for host and sign keys. -.It Fl M -Generate MD5 keys, obsoleting any that may exist. -.It Fl P -Generate a private certificate. -By default, the program generates public certificates. -.It Fl p Ar password -Encrypt generated files containing private data with -.Ar password -and the DES-CBC algorithm. -.It Fl q -Set the password for reading files to password. -.It Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.It Fl s Ar name -Set the issuer name to -.Ar name . -This is used for the issuer field in certificates -and in the file name for identity files. 
-.It Fl T -Generate a trusted certificate. -By default, the program generates a non-trusted certificate. -.It Fl V Ar nkeys -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. -.El -.Ss Random Seed File -All cryptographically sound key generation schemes must have means -to randomize the entropy seed used to initialize -the internal pseudo-random number generator used -by the library routines. -The OpenSSL library uses a designated random seed file for this purpose. -The file must be available when starting the NTP daemon and -.Nm -program. -If a site supports OpenSSL or its companion OpenSSH, -it is very likely that means to do this are already available. -.Pp -It is important to understand that entropy must be evolved -for each generation, for otherwise the random number sequence -would be predictable. -Various means dependent on external events, such as keystroke intervals, -can be used to do this and some systems have built-in entropy sources. -Suitable means are described in the OpenSSL software documentation, -but are outside the scope of this page. -.Pp -The entropy seed used by the OpenSSL library is contained in a file, -usually called -.Cm .rnd , -which must be available when starting the NTP daemon -or the -.Nm -program. -The NTP daemon will first look for the file -using the path specified by the -.Ic randfile -subcommand of the -.Ic crypto -configuration command. -If not specified in this way, or when starting the -.Nm -program, -the OpenSSL library will look for the file using the path specified -by the -.Ev RANDFILE -environment variable in the user home directory, -whether root or some other user. -If the -.Ev RANDFILE -environment variable is not present, -the library will look for the -.Cm .rnd -file in the user home directory. -If the file is not available or cannot be written, -the daemon exits with a message to the system log and the program -exits with a suitable error message. 
-.Ss Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the -.Nm -program and -.Xr ntpd @NTPD_MS@ -daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. -.Pp -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key -where -.Ar keyno -is a positive integer in the range 1-65,535, -.Ar type -is the string MD5 defining the key format and -.Ar key -is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the -.Ql # -character. -.Pp -Note that the keys used by the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -programs -are checked against passwords requested by the programs -and entered by hand, so it is generally appropriate to specify these keys -in human readable ASCII format. -.Pp -The -.Nm -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . -Since the file contains private shared keys, -it should be visible only to root and distributed by secure means -to other subnet hosts. -The NTP daemon loads the file -.Pa ntp.keys , -so -.Nm -installs a soft link from this name to the generated file. -Subsequently, similar soft links must be installed by manual -or automated means on the other subnet hosts. 
-While this file is not used with the Autokey Version 2 protocol, -it is needed to authenticate some remote configuration commands -used by the -.Xr ntpq @NTPQ_MS@ -and -.Xr ntpdc @NTPDC_MS@ -utilities. .Sh "OPTIONS" .Bl -tag .It \-b " \fIimbits\fP, " \-\-imbits "=" \fIimbits\fP @@ -1011,18 +194,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .Sh USAGE -The -.Fl p Ar password -option specifies the write password and -.Fl q Ar password -option the read password for previously encrypted files. -The -.Nm -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .Sh "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .Sh "FILES" @@ -1046,15 +217,8 @@ The University of Delaware Copyright (C) 1970-2012 The University of Delaware all rights reserved. This program is released under the terms of the NTP license, . .Sh BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. -.Pp -Please report bugs to http://bugs.ntp.org .Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org +Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org .Sh NOTES -This document corresponds to version @VERSION@ of NTP. -Portions of this document came from FreeBSD. .Pp This manual page was \fIAutoGen\fP-erated from the \fBntp-keygen\fP option definitions. -- 2.47.3