Lines Matching +full:group +full:- +full:default
1 /* -*- Mode: Text -*- */
7 #include autogen-version.def
9 prog-name = "ntp-keygen";
10 prog-title = "create a Network Time Protocol host key";
19 arg-type = number;
20 arg-name = imbits;
21 arg-range = '256->2048';
24 doc = <<- _EndOfDoc_
25 The number of bits in the identity modulus. The default is 512.
32 arg-type = string;
33 arg-name = scheme;
36 doc = <<- _EndOfDoc_
38 RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
39 DSA-SHA, or DSA-SHA1.
43 schemes must be used with a DSA sign key. The default without
44 this option is RSA-MD5.
51 arg-type = string;
52 arg-name = cipher;
55 doc = <<- _EndOfDoc_
57 private keys. The default is three-key triple DES in CBC mode,
58 equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
59 available in "@code{openssl -h}" output.
63 #include debug-opt.def
67 name = id-key;
70 doc = <<- _EndOfDoc_
79 name = gq-params;
82 doc = <<- _EndOfDoc_
90 name = host-key;
93 doc = <<- _EndOfDoc_
103 doc = <<- _EndOfDoc_
113 arg-type = string;
114 arg-name = group;
115 descrip = "set Autokey group name";
116 doc = <<- _EndOfDoc_
117 Set the optional Autokey group name to name. This is used in
119 that role, the default is the host name if this option is not
120 provided. The group name, if specified using @code{-i/--ident} or
121 using @code{-s/--subject-name} following an '@code{@@}' character,
122 is also a part of the self-signed host certificate subject and
123 issuer names in the form @code{host@@group} and should match the
133 arg-type = number;
134 arg-name = lifetime;
136 doc = <<- _EndOfDoc_
144 arg-type = number;
145 arg-name = modulus;
146 arg-range = '256->2048';
149 doc = <<- _EndOfDoc_
150 The number of bits in the prime modulus. The default is 512.
158 doc = <<- _EndOfDoc_
165 name = pvt-cert;
168 doc = <<- _EndOfDoc_
169 Generate a private certificate. By default, the program generates
176 name = password; // was: pvt-passwd;
178 arg-type = string;
179 arg-name = passwd;
181 doc = <<- _EndOfDoc_
183 DES-CBC algorithm and the specified password. The same password
185 configuration command. The default password is the local
192 name = export-passwd; // Was: get-pvt-passwd;
194 arg-type = string;
195 arg-name = passwd;
196 descrip = "export IFF or GQ group keys with password";
197 doc = <<- _EndOfDoc_
198 Export IFF or GQ identity group keys to the standard output,
199 encrypted with the DES-CBC algorithm and the specified password.
202 --id-key (-e) for unencrypted exports.
208 name = subject-name;
209 arg-type = string;
210 arg-name = host@group;
212 descrip = "set host and optionally group name";
213 doc = <<- _EndOfDoc_
214 Set the Autokey host name, and optionally, group name specified
217 group name. The host name, and if provided, group name are used
218 in @code{host@@group} form for the host certificate subject and issuer
219 fields. Specifying '@code{-s @@group}' is allowed, and results in
220 leaving the host name unchanged while appending @code{@@group} to the
221 subject and issuer fields, as with @code{-i group}. The group name, or
229 name = sign-key;
230 arg-type = string;
231 arg-name = sign;
234 doc = <<- _EndOfDoc_
236 that may exist. By default, the program uses the host key as the
243 name = trusted-cert;
246 doc = <<- _EndOfDoc_
247 Generate a trusted certificate. By default, the program generates
248 a non-trusted certificate.
254 name = mv-params;
255 arg-type = number;
256 arg-name = num;
259 doc = <<- _EndOfDoc_
260 Generate parameters and keys for the Mu-Varadharajan (MV)
267 name = mv-keys;
268 arg-type = number;
269 arg-name = num;
275 explain = <<- _END_EXPLAIN
278 doc-section = {
279 ds-type = 'DESCRIPTION';
280 ds-format = 'mdoc';
281 ds-text = <<- _END_PROG_MDOC_DESCRIP
294 All other files are in PEM-encoded printable ASCII format,
297 By default, files are not encrypted.
300 produces a file containing ten pseudo-random printable ASCII strings
304 hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
331 command, normally the DNS name of the host, is used as the default read
339 as the write password by default.
367 NFS-mounted networks and cannot be changed by shared clients.
409 command without arguments to generate a default
412 .Cm RSA-MD5
424 By default, the host key is also the sign key used to encrypt signatures.
431 By default, the message digest type is
464 to assume root may not work properly, since by default the OpenSSL library
476 Installing the keys as root might not work in NFS-mounted
493 The subject name and trusted name default to the hostname
500 All files are installed by default in the keys directory
503 in NFS-mounted networks.
513 are permitted root read/write-only;
561 All group hosts should have acyclic certificate trails ending on the TH.
565 By default, the host key is also the sign key used to encrypt
574 By default, the signature
586 This of course creates a chicken-and-egg problem
589 should be set by some other means, such as eyeball-and-wristwatch, at
592 certificate should be re-generated.
595 .Dq Autokey Public-Key Authentication
629 The default cryptotype uses
637 First, configure a NTP subnet including one or more low-stratum
644 A trusted group is the set of all hosts that have, directly or indirectly,
669 scheme than the default, run
680 .Cm DSA Ns -signed
682 If it is necessary to use a different certificate scheme than the default,
712 the default
739 The PC scheme supports only one trusted host in the group.
747 .Pa ntpkey Ns _ Cm RSA-MD5 _ Pa cert_alice. Ar filestamp ,
749 Copy both files to all group hosts;
762 to all other hosts in the group, and recreating the soft links.
769 and certificates for all group hosts, then for every trusted host in the group,
781 Copy this file to all group hosts that operate as both servers
812 and certificates for all group hosts, then for every trusted host
813 in the group, generate the
824 Copy this file to all group hosts and install a soft link
846 and certificates for all group hosts.
884 .Bl -tag -width indent
885 .It Fl b Fl -imbits Ns = Ar modulus
893 .It Fl c Fl -certificate Ns = Ar scheme
898 .Cm RSA-MD2 , RSA-MD5 , RSA-MDC2 , RSA-SHA , RSA-SHA1 , RSA-RIPEMD160 , DSA-SHA ,
900 .Cm DSA-SHA1 .
910 The default without this option is
911 .Cm RSA-MD5 .
912 If compatibility with FIPS 140-2 is required, either the
913 .Cm DSA-SHA
915 .Cm DSA-SHA1
917 .It Fl C Fl -cipher Ns = Ar cipher
919 The default without this option is three-key triple DES in CBC mode,
920 .Cm des-ede3-cbc .
924 .It Fl d Fl -debug-level
926 This option displays the cryptographic data produced in eye-friendly billboards.
927 .It Fl D Fl -set-debug-level Ns = Ar level
930 This option displays the cryptographic data produced in eye-friendly billboards.
931 .It Fl e Fl -id-key
942 .It Fl G Fl -gq-params
945 parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
951 .It Fl H Fl -host-key
955 .It Fl I Fl -iffkey
964 .It Fl i Fl -ident Ns = Ar group
965 Set the optional Autokey group name to
966 .Ar group .
972 In that role, the default is the host name if no group is provided.
973 The group name, if specified using
980 .Ar host @@ group
981 and should match the group specified via
986 .It Fl l Fl -lifetime Ns = Ar days
989 The default lifetime is one year (365 days).
990 .It Fl m Fl -modulus Ns = Ar bits
996 .It Fl M Fl -md5key
1009 .It Fl p Fl -password Ns = Ar passwd
1013 By default, the password is the string returned by the Unix
1016 .It Fl P Fl -pvt-cert
1020 By default, the program generates public certificates.
1022 .It Fl q Fl -export-passwd Ns = Ar passwd
1034 By default, the password is the string returned by the Unix
1037 .It Fl s Fl -subject-key Ns = Ar Oo host Oc Op @@ Ar group
1041 .Ar group
1042 is the optional group name.
1043 The host name, and if provided, group name are used in
1044 .Ar host @@ group
1047 .Fl s @@ Ar group
1049 .Fl i Ar group .
1050 The group name, or if no group is provided, the host name are also used in the
1058 is not specified, the default host name is the string returned by the Unix
1061 .It Fl S Fl -sign-key Ns = Op Cm RSA | DSA
1063 By default, the sign key is the host key and has the same type.
1064 If compatibility with FIPS 140-2 is required, the sign key type must be
1066 .It Fl T Fl -trusted-cert
1068 By default, the program generates a non-trusted certificate.
1069 .It Fl V Fl -mv-params Ar nkeys
1072 encrypted server keys and parameters for the Mu-Varadharajan (MV)
1085 the internal pseudo-random number generator used
1098 can be used to do this and some systems have built-in entropy sources.
1150 is the host or group name and
1172 rules, then encrypted if necessary, and finally written in PEM-encoded
1180 .Bd -literal -unfilled -offset center
1192 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
1213 is a positive integer in the range 1-65535;
1221 however, if compatibility with FIPS 140-2 is required,
1239 An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
1275 doc-section = {
1276 ds-type = 'USAGE';
1277 ds-format = 'mdoc';
1278 ds-text = <<- _END_MDOC_USAGE
1282 doc-section = {
1283 ds-type = 'NOTES';
1284 ds-format = 'mdoc';
1285 ds-text = <<- _END_MDOC_NOTES
1290 doc-section = {
1291 ds-type = 'BUGS';
1292 ds-format = 'mdoc';
1293 ds-text = <<- _END_MDOC_BUGS