Lines Matching +full:other +full:- +full:key
1 @node ntp-keygen Invocation
2 @section Invoking ntp-keygen
3 @pindex ntp-keygen
4 @cindex Create a NTP host key
7 # EDIT THIS FILE WITH CAUTION (invoke-ntp-keygen.texi)
9 # It has been AutoGen-ed May 25, 2024 at 12:04:48 AM by AutoGen 5.18.16
10 # From the definitions ntp-keygen-opts.def
11 # and the template file agtexi-cmd.tpl
18 It can generate message digest keys used in symmetric key cryptography and,
21 public key cryptography.
28 All other files are in PEM-encoded printable ASCII format,
29 so they can be embedded as MIME attachments in email to other sites
34 produces a file containing ten pseudo-random printable ASCII strings
38 hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
39 other message digest algorithms.
49 The remaining generated files are compatible with other OpenSSL
50 applications and other Public Key Infrastructure (PKI) resources.
55 other than Autokey.
59 @code{-p}
61 @code{-q}
68 @code{ntp-keygen}
98 Other files and links are usually installed in
101 NFS-mounted networks and cannot be changed by shared clients.
115 where they can be piped to other applications or redirected to files.
126 @code{ntp-keygen}
142 @code{ntp-keygen}
145 host key and matching
146 @code{RSA-MD5}
155 The host key is used to encrypt the cookie when required and so must be
158 By default, the host key is also the sign key used to encrypt signatures.
159 When necessary, a different sign key can be specified and this can be
168 of sign key type and message digest type supported by the OpenSSL library
175 with the sign key.
187 Private/public key files and certificates are compatible with
188 other OpenSSL applications and very likely other libraries as well.
193 as the other files, are probably not compatible with anything other than Autokey.
195 Running the program as other than root and using the Unix
210 Installing the keys as root might not work in NFS-mounted
221 of other clients or servers, as these data are obtained automatically
226 for other hosts; however, in such cases files should always be encrypted.
231 The owner name is also used for the host and sign key files,
237 in NFS-mounted networks.
246 including the host key, sign key and identification parameters,
247 are permitted root read/write-only;
277 @code{ntp-keygen}
286 @code{ntp-keygen}
288 @code{-T}
290 Then configure the other hosts to synchronize to the TH directly or
297 The host key is used to encrypt the cookie when required and so must be
299 By default, the host key is also the sign key used to encrypt
301 A different sign key can be assigned using the
302 @code{-S}
311 but any combination of sign key type and
314 @code{-c}
320 This of course creates a chicken-and-egg problem
323 should be set by some other means, such as eyeball-and-wristwatch, at
326 certificate should be re-generated.
329 @quotedblleft{}Autokey Public-Key Authentication@quotedblright{}
371 First, configure an NTP subnet including one or more low-stratum
372 trusted hosts from which all other hosts derive synchronization
375 all other hosts have nontrusted certificates.
391 @code{ntp-keygen}
392 @code{-T}
394 On all other hosts do the same, but leave off the
395 @code{-T}
402 If it is necessary to use a different sign key or different digest/signature
404 @code{ntp-keygen}
406 @code{-S} @kbd{type}
414 @code{DSA}-signed
418 @code{ntp-keygen}
420 @code{-c} @kbd{scheme}
425 @code{ntp-keygen}
427 using the same scheme and sign key, and soft link.
432 @code{ntp-keygen}
435 However, if the host or sign key is changed,
441 Other dependent hosts will continue as usual until signatures are refreshed,
471 only as clients have key files that contain only client keys.
475 @code{ntp-keygen}
476 @code{-P}
477 @code{-p} @kbd{password}
478 to generate the host key file
481 @file{ntpkey}_ @code{RSA-MD5} @code{_} @file{cert_alice.} @kbd{filestamp},
484 they replace the files which would be generated in other schemes.
489 to the host key file and soft link
496 to all other hosts in the group, and recreating the soft links.
508 @code{ntp-keygen}
509 @code{-T}
510 @code{-I}
511 @code{-p} @kbd{password}
531 @code{ntp-keygen}
532 @code{-e}
551 @code{ntp-keygen}
552 @code{-T}
553 @code{-G}
554 @code{-p} @kbd{password}
584 @code{ntp-keygen}
585 @code{-V} @kbd{n}
586 @code{-p} @kbd{password},
592 and client key files
596 is the key number (0 <
604 Copy one of the client key files to alice for later distribution
606 It does not matter which client key file goes to alice,
608 Alice copies the client key file to all of her clients.
611 to the client key file.
619 @item @code{-b} @code{--imbits}= @kbd{modulus}
627 @item @code{-c} @code{--certificate}= @kbd{scheme}
632 @code{RSA-MD2}, @code{RSA-MD5}, @code{RSA-MDC2}, @code{RSA-SHA}, @code{RSA-SHA1}, @code{RSA-RIPEMD160}, @code{DSA-SHA},
634 @code{DSA-SHA1}.
639 sign key and
643 sign key.
645 @code{RSA-MD5}.
646 If compatibility with FIPS 140-2 is required, either the
647 @code{DSA-SHA}
649 @code{DSA-SHA1}
651 @item @code{-C} @code{--cipher}= @kbd{cipher}
653 The default without this option is three-key triple DES in CBC mode,
654 @code{des-ede3-cbc}.
656 @code{openssl} @code{-h}
658 @item @code{-d} @code{--debug-level}
660 This option displays the cryptographic data produced in eye-friendly billboards.
661 @item @code{-D} @code{--set-debug-level}= @kbd{level}
664 This option displays the cryptographic data produced in eye-friendly billboards.
665 @item @code{-e} @code{--id-key}
675 This is intended for automatic key distribution by email.
676 @item @code{-G} @code{--gq-params}
679 parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
681 @code{-I}
683 @code{-V}
685 @item @code{-H} @code{--host-key}
688 public/private host key file.
689 @item @code{-I} @code{--iffkey}
692 key file for the Schnorr (IFF) identity scheme.
694 @code{-G}
698 @item @code{-i} @code{--ident}= @kbd{group}
708 @code{-i}
710 @code{-s}
720 @item @code{-l} @code{--lifetime}= @kbd{days}
724 @item @code{-m} @code{--modulus}= @kbd{bits}
730 @item @code{-M} @code{--md5key}
738 key is a string of 20 random printable ASCII characters, while a
740 key is a string of 40 random hex digits.
741 The file can be edited using a text editor to change the key type or key content.
742 This option is mutually exclusive with all other options.
743 @item @code{-p} @code{--password}= @kbd{passwd}
746 These include the host, sign and identify key files.
750 @item @code{-P} @code{--pvt-cert}
756 @item @code{-q} @code{--export-passwd}= @kbd{passwd}
764 @code{-p}
766 @code{-q}
771 @item @code{-s} @code{--subject-key}= @code{[host]} @code{[@@ @kbd{group}]}
781 @code{-s} @code{-@@} @kbd{group}
783 @code{-i} @kbd{group}.
795 @item @code{-S} @code{--sign-key}= @code{[@code{RSA} | @code{DSA}]}
796 Generate a new encrypted public/private sign key file of the specified type.
797 By default, the sign key is the host key and has the same type.
798 If compatibility with FIPS 140-2 is required, the sign key type must be
800 @item @code{-T} @code{--trusted-cert}
802 By default, the program generates a non-trusted certificate.
803 @item @code{-V} @code{--mv-params} @kbd{nkeys}
806 encrypted server keys and parameters for the Mu-Varadharajan (MV)
809 @code{-I}
811 @code{-G}
817 All cryptographically sound key generation schemes must have means
819 the internal pseudo-random number generator used
823 @code{ntp-keygen}
832 can be used to do this and some systems have built-in entropy sources.
841 @code{ntp-keygen}
850 @code{ntp-keygen}
856 whether root or some other user.
864 @code{ntp-keygen}
879 @file{ntpkey_}@kbd{key} @kbd{_} @kbd{name}. @kbd{filestamp},
881 @kbd{key}
882 is the key or parameter type,
888 @kbd{key}
891 @kbd{key}
900 @code{ntp-keygen}
906 rules, then encrypted if necessary, and finally written in PEM-encoded
911 is somewhat different from the other files in the interest of backward compatibility.
918 1 MD5 L";Nw<`.I<f4U0)247"i # MD5 key
919 2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
920 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
921 4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
922 5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
923 6 MD5 4eYwa`o@}3i@@@@V@@..R9!l # MD5 key
924 7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
925 8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
926 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
927 10 MD5 2late4Me # MD5 key
928 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
929 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
930 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
931 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
932 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
933 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
934 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
935 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
936 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
937 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
940 Figure 1. Typical Symmetric Key File
947 @kbd{keyno} @kbd{type} @kbd{key}
951 is a positive integer in the range 1-65535;
953 is the key type for the message digest algorithm, which in the absence of the
957 if the OpenSSL library is installed, the key type can be any
959 however, if compatibility with FIPS 140-2 is required,
960 the key type must be either
964 @kbd{key}
965 is the key itself,
977 An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
990 @code{ntp-keygen}
995 to other subnet hosts.
999 @code{ntp-keygen}
1002 or automated means on the other subnet hosts.
1012 using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp-keygen} program.
1016 * ntp-keygen usage:: ntp-keygen help/usage (@option{--help})
1017 * ntp-keygen imbits:: imbits option (-b)
1018 * ntp-keygen certificate:: certificate option (-c)
1019 * ntp-keygen cipher:: cipher option (-C)
1020 * ntp-keygen id-key:: id-key option (-e)
1021 * ntp-keygen gq-params:: gq-params option (-G)
1022 * ntp-keygen host-key:: host-key option (-H)
1023 * ntp-keygen iffkey:: iffkey option (-I)
1024 * ntp-keygen ident:: ident option (-i)
1025 * ntp-keygen lifetime:: lifetime option (-l)
1026 * ntp-keygen modulus:: modulus option (-m)
1027 * ntp-keygen md5key:: md5key option (-M)
1028 * ntp-keygen pvt-cert:: pvt-cert option (-P)
1029 * ntp-keygen password:: password option (-p)
1030 * ntp-keygen export-passwd:: export-passwd option (-q)
1031 * ntp-keygen subject-name:: subject-name option (-s)
1032 * ntp-keygen sign-key:: sign-key option (-S)
1033 * ntp-keygen trusted-cert:: trusted-cert option (-T)
1034 * ntp-keygen mv-params:: mv-params option (-V)
1035 * ntp-keygen mv-keys:: mv-keys option (-v)
1036 * ntp-keygen config:: presetting/configuring ntp-keygen
1037 * ntp-keygen exit status:: exit status
1038 * ntp-keygen Usage:: Usage
1039 * ntp-keygen Notes:: Notes
1040 * ntp-keygen Bugs:: Bugs
1043 @node ntp-keygen usage
1044 @subsection ntp-keygen help/usage (@option{--help})
1045 @cindex ntp-keygen help
1047 This is the automatically generated usage text for ntp-keygen.
1050 (@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
1052 @code{more-help} is disabled on platforms without a working
1059 ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p18
1060 Usage: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
1061 Flg Arg Option-Name Description
1062 -b Num imbits identity modulus bits
1063 - it must be in the range:
1065 -c Str certificate certificate scheme
1066 -C Str cipher privatekey cipher
1067 -d no debug-level Increase debug verbosity level
1068 - may appear multiple times
1069 -D Num set-debug-level Set the debug verbosity level
1070 - may appear multiple times
1071 -e no id-key Write IFF or GQ identity keys
1072 -G no gq-params Generate GQ parameters and keys
1073 -H no host-key generate RSA host key
1074 -I no iffkey generate IFF parameters
1075 -i Str ident set Autokey group name
1076 -l Num lifetime set certificate lifetime
1077 -m Num modulus prime modulus
1078 - it must be in the range:
1080 -M no md5key generate symmetric keys
1081 -P no pvt-cert generate PC private certificate
1082 -p Str password local private password
1083 -q Str export-passwd export IFF or GQ group keys with password
1084 -s Str subject-name set host and optionally group name
1085 -S Str sign-key generate sign key (RSA or DSA)
1086 -T no trusted-cert trusted certificate (TC scheme)
1087 -V Num mv-params generate <num> MV parameters
1088 -v Num mv-keys update <num> MV keys
1090 -? no help display extended usage information and exit
1091 -! no more-help extended usage information passed thru pager
1092 -> opt save-opts save the option state to a config file
1093 -< Str load-opts load options from a config file
1094 - disabled as '--no-load-opts'
1095 - may appear multiple times
1102 - reading file $HOME/.ntprc
1103 - reading file ./.ntprc
1104 - examining environment variables named NTP_KEYGEN_*
1110 @node ntp-keygen imbits
1111 @subsection imbits option (-b)
1112 @cindex ntp-keygen-imbits
1125 @node ntp-keygen certificate
1126 @subsection certificate option (-c)
1127 @cindex ntp-keygen-certificate
1140 RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
1141 DSA-SHA, or DSA-SHA1.
1144 Note that RSA schemes must be used with an RSA sign key and DSA
1145 schemes must be used with a DSA sign key. The default without
1146 this option is RSA-MD5.
1147 @node ntp-keygen cipher
1148 @subsection cipher option (-C)
1149 @cindex ntp-keygen-cipher
1162 private keys. The default is three-key triple DES in CBC mode,
1163 equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
1164 available in "@code{openssl -h}" output.
1165 @node ntp-keygen id-key
1166 @subsection id-key option (-e)
1167 @cindex ntp-keygen-id-key
1180 This is intended for automatic key distribution by email.
1181 @node ntp-keygen gq-params
1182 @subsection gq-params option (-G)
1183 @cindex ntp-keygen-gq-params
1196 @node ntp-keygen host-key
1197 @subsection host-key option (-H)
1198 @cindex ntp-keygen-host-key
1200 This is the ``generate rsa host key'' option.
1210 @node ntp-keygen iffkey
1211 @subsection iffkey option (-I)
1212 @cindex ntp-keygen-iffkey
1225 @node ntp-keygen ident
1226 @subsection ident option (-i)
1227 @cindex ntp-keygen-ident
1242 provided. The group name, if specified using @code{-i/--ident} or
1243 using @code{-s/--subject-name} following an '@code{@@}' character,
1244 is also a part of the self-signed host certificate subject and
1248 @node ntp-keygen lifetime
1249 @subsection lifetime option (-l)
1250 @cindex ntp-keygen-lifetime
1263 @node ntp-keygen modulus
1264 @subsection modulus option (-m)
1265 @cindex ntp-keygen-modulus
1278 @node ntp-keygen md5key
1279 @subsection md5key option (-M)
1280 @cindex ntp-keygen-md5key
1284 @node ntp-keygen pvt-cert
1285 @subsection pvt-cert option (-P)
1286 @cindex ntp-keygen-pvt-cert
1299 @node ntp-keygen password
1300 @subsection password option (-p)
1301 @cindex ntp-keygen-password
1314 DES-CBC algorithm and the specified password. The same password
1318 @node ntp-keygen export-passwd
1319 @subsection export-passwd option (-q)
1320 @cindex ntp-keygen-export-passwd
1333 encrypted with the DES-CBC algorithm and the specified password.
1336 --id-key (-e) for unencrypted exports.
1337 @node ntp-keygen subject-name
1338 @subsection subject-name option (-s)
1339 @cindex ntp-keygen-subject-name
1356 fields. Specifying '@code{-s @@group}' is allowed, and results in
1358 subject and issuer fields, as with @code{-i group}. The group name, or
1361 @node ntp-keygen sign-key
1362 @subsection sign-key option (-S)
1363 @cindex ntp-keygen-sign-key
1365 This is the ``generate sign key (rsa or dsa)'' option.
1375 Generate a new sign key of the designated type, obsoleting any
1376 that may exist. By default, the program uses the host key as the
1377 sign key.
1378 @node ntp-keygen trusted-cert
1379 @subsection trusted-cert option (-T)
1380 @cindex ntp-keygen-trusted-cert
1392 a non-trusted certificate.
1393 @node ntp-keygen mv-params
1394 @subsection mv-params option (-V)
1395 @cindex ntp-keygen-mv-params
1407 Generate parameters and keys for the Mu-Varadharajan (MV)
1409 @node ntp-keygen mv-keys
1410 @subsection mv-keys option (-v)
1411 @cindex ntp-keygen-mv-keys
1426 @node ntp-keygen config
1427 @subsection presetting/configuring ntp-keygen
1430 loading values from configuration ("rc" or "ini") files, and values from environment variables named @code{NTP-KEYGEN} and @code{NTP-KEYGEN_<OPTION_NAME>}. @code{<OPTION_NAME>} must be one of
1432 The @code{NTP-KEYGEN} variable will be tokenized and parsed like
1446 are expanded and replaced when @file{ntp-keygen} runs.
1461 [NTP-KEYGEN]
1466 <?program ntp-keygen>
1474 <option-name>
1475 <sub-opt>...<...>...</sub-opt>
1476 </option-name>
1479 yielding an @code{option-name.sub-opt} string value of
1489 @subsubheading version (-)
1505 @node ntp-keygen exit status
1506 @subsection ntp-keygen exit status
1518 it to autogen-users@@lists.sourceforge.net. Thank you.
1520 @node ntp-keygen Usage
1521 @subsection ntp-keygen Usage
1522 @node ntp-keygen Notes
1523 @subsection ntp-keygen Notes
1524 @node ntp-keygen Bugs
1525 @subsection ntp-keygen Bugs