Lines Matching +full:host +full:- +full:id
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4 <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
6 <title>ntp-keygen - generate public and private keys</title>
10 <h3><tt>ntp-keygen</tt> - generate public and private keys</h3>
14 <!-- #BeginDate format:En2m -->24-Jul-2018 07:27<!-- #EndDate -->
30 <h4 id="synop">Synopsis</h4>
31 …<p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA
32 | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ]
33 [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>]
34 [ -m <i>modulus</i> ] [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ]
35 [ -S [ RSA | DSA ] ] [ -s <i>host</i> ] [ -V <i>nkeys</i> ]</tt></p>
36 <h4 id="descrip">Description</h4>
40 has been installed, it can generate host keys, sign keys, certificates,
43 compatible with NTPv3. All other files are in PEM-encoded printable ASCII
47 containing ten pseudo-random printable ASCII strings suitable for the MD5
49 library is installed, it produces an additional ten hex-encoded random bit
50 strings suitable for the SHA1, AES-128 CMAC, and other message digest
64 password. The <tt>-p</tt> option specifies the password for local
65 encrypted files and the <tt>-q</tt> option the password for encrypted
66 files sent to remote sites. If no password is specified, the host name
68 name of the host, is used.</p>
72 specified, the host name is used. Thus, if files are generated by
74 without password, but only on the same host.</p>
75 <p>Normally, encrypted files for each host are generated by that host
76 and used only by that host, although exceptions exist as noted later
81 in NFS-mounted networks and cannot be changed by shared clients. The
90 generating host and filestamp, as described in
92 <h4 id="run">Running the Program</h4>
97 the <tt>ntp-keygen</tt> command without arguments to generate a
98 default RSA host key and matching RSA-MD5 certificate with expiration
103 as the trusted host (TH) using <tt>ntp-keygen</tt> with
104 the <tt>-T</tt> option and configure it to synchronize from reliable
107 Autokey asks the immediately ascendant host towards the TH to sign its
108 certificate, which is then provided to the immediately descendant host
111 <p>The host key is used to encrypt the cookie when required and so must
112 be RSA type. By default, the host key is also the sign key used to
114 the <tt>-S</tt> option and this can be either RSA or DSA type. By
117 library can be specified using the <tt>-c</tt> option.</p>
119 filestamps, which means the host should already be synchronized before
120 this program is run. This of course creates a chicken-and-egg problem
121 when the host is started for the first time. Accordingly, the host
123 eyeball-and-wristwatch, at least so that the certificate lifetime is
124 within the current year. After that and when the host is synchronized
125 to a proventic source, the certificate should be re-generated.</p>
127 the <a href="autokey.html">Autokey Public-Key Authentication</a>
129 <h4 id="cmd">Command Line Options</h4>
131 <dt><tt>-b <i>modulus</i></tt></dt>
137 …<dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA…
141 option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is
142 required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme
144 <dt><tt>-C <i>cipher</i></tt></dt>
145 <dd>Select the OpenSSL cipher to use for password-protected keys.
146 The <tt>openssl -h</tt> command provided with OpenSSL displays
148 is <tt>des-ede3-cbc</tt>.</dd>
149 <dt><tt>-d</tt></dt>
151 produced for eye-friendly billboards.</dd>
152 <dt><tt>-e</tt></dt>
156 <dt><tt>-G</tt></dt>
157 <dd>Generate a new encrypted GQ key file for the Guillou-Quisquater
159 the <tt>-I</tt> and <tt>-V</tt> options.</dd>
160 <dt><tt>-H</tt></dt>
161 <dd>Generate a new encrypted RSA public/private host key file.</dd>
162 <dt><tt>-i <i>group</i></tt></dt>
165 the default is the host name if no group is provided. The group
166 name, if specified using <tt>-i</tt> or using <tt>-s</tt> following
168 issuer names in the form <tt><i>host</i>@<i>group</i></tt> and
171 <dt><tt>-I</tt></dt>
174 the <tt>-G</tt> and <tt>-V</tt> options.</dd>
175 <dt><tt>-l <i>days</i></tt></dt>
178 <dt><tt>-m <i>modulus</i></tt></dt>
184 <dt><tt>-M</tt></dt>
190 <dt><tt>-P</tt></dt>
194 <dt><tt>-p <i>passwd</i></tt></dt>
196 to <tt><i>passwd</i></tt>. These include the host, sign and
199 <dt><tt>-q <i>passwd</i></tt></dt>
202 effect, these files are decrypted with the <tt>-p</tt> password,
203 then encrypted with the <tt>-q</tt> password. By default, the
206 <dt><tt>-S [ RSA | DSA ]</tt></dt>
208 specified type. By default, the sign key is the host key and has
209 the same type. If compatibility with FIPS 140-2 is required, the sign
211 <dt><tt>-s <i>host</i>[@<i>group</i>]</tt></dt>
212 <dd>Specify the Autokey host name, where <tt><i>host</i></tt> is the
213 host name and <tt><i>group</i></tt> is the optional group name. The
214 host name, and if provided, group name are used
215 in <tt><i>host</i>@<i>group</i></tt> form as certificate subject and
216 issuer. Specifying <tt>-s @<i>group</i></tt> is allowed, and
217 results in leaving the host name unchanged, as
218 with <tt>-i <i>group</i></tt>. The group name, or if no group is
219 provided, the host name are also used in the file names of IFF, GQ,
220 and MV identity scheme parameter files. If <tt><i>host</i></tt> is
221 not specified, the default host name is the string returned by
223 <dt><tt>-T</tt></dt>
226 <dt><tt>-V <i>nkeys</i></tt></dt>
228 Mu-Varadharajan (MV) identity scheme. This option is mutually
229 exclusive with the <tt>-I</tt> and <tt>-G</tt> options. Note:
233 <h4 id="rand">Random Seed File</h4>
236 pseudo-random number generator used by the OpenSSL library routines.
240 must be available when starting the <tt>ntp-keygen</tt> program
246 in the user home directory. Since both the <tt>ntp-keygen</tt>
251 <h4 id="fmt">Cryptographic Data Files</h4>
255 type, <tt><i>name</i></tt> is the host or group name
263 key type. Key types include public/private keys <tt>host</tt>
271 format <tt>ntpkey_<i>key</i>_<i>host</i>.<i>fstamp</i></tt>. The second
275 using ASN.1 rules, then encrypted using the DES-CBC algorithm with
276 given password and finally written in PEM-encoded printable ASCII text
284 <caption style="caption-side: bottom;">
287 <tr><td style="border: 1px solid black; border-spacing: 0;">
300 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
322 by that library. However, if compatibility with FIPS 140-2 is
328 OpenSSL key consists of a hex-encoded ASCII string of 40 characters,
338 <p>The <tt>ntp-keygen</tt> program generates an MD5 symmetric keys
342 loads the file <tt>ntp.keys</tt>, so <tt>ntp-keygen</tt> installs a
349 <h4 id="bug">Bugs</h4>