Lines Matching +full:multi +full:- +full:tt
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4 <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
7 <!-- Changed by: Harlan Stenn, 24-Jul-2018 -->
10 <!--
13 font-weight: bold;
16 -->
24 <!-- #BeginDate format:En2m -->24-Jul-2018 09:12<!-- #EndDate -->
43 server. A detailed discussion of the NTP multi-layer security model
47 <p>The NTPv3 specification (RFC-1305) defined an authentication scheme
49 the Data Encryption Standard (DES) algorithm operating in cipher-block
51 RSA Message Digest 5 (MD5) algorithm commonly called keyed-MD5.
52 Either algorithm computes a message digest or one-way hash which can
60 to FIPS 140-2 is required, only a limited subset of these algorithms
69 specified in RFC-5906 "Network Time Protocol Version 4: Autokey
71 library has been installed and the <tt>--enable-autokey</tt> option is
79 the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility program in
88 the <tt>key</tt> or <tt>autokey</tt> option of the <tt>server</tt>
91 The <a href="keygen.html">ntp-keygen</a> page describes the files
95 <p>By default, the client sends non-authenticated packets and the server
96 responds with non-authenticated packets. If the client sends
98 if correct, or a crypto-NAK packet if not. In the case of unsolicited
101 overridden by a <tt>disable auth</tt> command. In the current climate
104 the <tt>notrust</tt> flag, described on
108 <p>The original NTPv3 specification (RFC-1305), as well as the current
109 NTPv4 specification (RFC-5905), allows any one of possibly 65,535
110 message digest keys (excluding zero), each distinguished by a 32-bit
115 such as MD5, SHA, or AES-128 CMAC. When authentication is specified,
117 header. The MAC consists of a 32-bit key identifier (key ID) followed
118 by a 128- or 160-bit message digest. The algorithm computes the
119 digest as the hash of a 128- or 160-bit message digest key
126 server returns a special message called a <em>crypto-NAK</em>. Since
127 the crypto-NAK is protected by the loopback test, an intruder cannot
128 disrupt the protocol by sending a bogus crypto-NAK.</p>
133 the <tt><a href="ntpq.html">ntpq</a></tt>
134 and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.
135 Ordinarily, the <tt>ntp.keys</tt> file is generated by
136 the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can
142 characters, and an optional comma-separated list of IPs that are
148 <caption style="caption-side: bottom;">
151 <tr><td style="border: 1px solid black; border-spacing: 0;">
164 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
183 OpenSSL library must be <tt>MD5</tt>, which designates the MD5 message
185 field is one or more comma-separated IPs. An IP may end with an
186 optional <tt>/subnetbits</tt> suffix, which limits the acceptance of
188 space. In this example, for the key IDs in the range 1-10 the key is
190 11-20, the key is a 40-character hex digit string. In either case,
191 the key is truncated or zero-filled internally to either 128 or 160
194 password, such as <tt>2late4Me</tt> for key ID 10. Note that two or
197 <p>When <tt>ntpd</tt> is started, it reads the keys file specified by
198 the <tt>keys</tt> command and installs the keys in the key cache.
200 the <tt>trustedkey</tt> configuration command before use. This
202 keys and then activating a key remotely using <tt>ntpq</tt>
203 or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID
204 used as the password for the <tt>ntpdc</tt> utility, while
205 the <tt>controlkey</tt> command selects the key ID used as the
206 password for the <tt>ntpq</tt> utility.</p>
208 <p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft
209 Windows MS-SNTP authentication using Active Directory services. This
211 It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt>
217 no clients other than MS-SNTP.</span></p>
219 <p>See the <a href="autokey.html">Autokey Public-Key Authentication</a>