Lines Matching +full:host +full:- +full:only
1 /* -*- Mode: Text -*- */
7 #include autogen-version.def
9 prog-name = "ntp-keygen";
10 prog-title = "create a Network Time Protocol host key";
19 arg-type = number;
20 arg-name = imbits;
21 arg-range = '256->2048';
24 doc = <<- _EndOfDoc_
32 arg-type = string;
33 arg-name = scheme;
36 doc = <<- _EndOfDoc_
38 RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
39 DSA-SHA, or DSA-SHA1.
44 this option is RSA-MD5.
51 arg-type = string;
52 arg-name = cipher;
55 doc = <<- _EndOfDoc_
57 private keys. The default is three-key triple DES in CBC mode,
58 equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
59 available in "@code{openssl -h}" output.
63 #include debug-opt.def
67 name = id-key;
70 doc = <<- _EndOfDoc_
79 name = gq-params;
82 doc = <<- _EndOfDoc_
90 name = host-key;
92 descrip = "generate RSA host key";
93 doc = <<- _EndOfDoc_
94 Generate new host keys, obsoleting any that may exist.
103 doc = <<- _EndOfDoc_
113 arg-type = string;
114 arg-name = group;
116 doc = <<- _EndOfDoc_
119 that role, the default is the host name if this option is not
120 provided. The group name, if specified using @code{-i/--ident} or
121 using @code{-s/--subject-name} following an '@code{@@}' character,
122 is also a part of the self-signed host certificate subject and
123 issuer names in the form @code{host@@group} and should match the
133 arg-type = number;
134 arg-name = lifetime;
136 doc = <<- _EndOfDoc_
144 arg-type = number;
145 arg-name = modulus;
146 arg-range = '256->2048';
149 doc = <<- _EndOfDoc_
158 doc = <<- _EndOfDoc_
165 name = pvt-cert;
168 doc = <<- _EndOfDoc_
176 name = password; // was: pvt-passwd;
178 arg-type = string;
179 arg-name = passwd;
181 doc = <<- _EndOfDoc_
183 DES-CBC algorithm and the specified password. The same password
192 name = export-passwd; // Was: get-pvt-passwd;
194 arg-type = string;
195 arg-name = passwd;
197 doc = <<- _EndOfDoc_
199 encrypted with the DES-CBC algorithm and the specified password.
202 --id-key (-e) for unencrypted exports.
208 name = subject-name;
209 arg-type = string;
210 arg-name = host@group;
212 descrip = "set host and optionally group name";
213 doc = <<- _EndOfDoc_
214 Set the Autokey host name, and optionally, group name specified
215 following an '@code{@@}' character. The host name is used in the file
216 name of generated host and signing certificates, without the
217 group name. The host name, and if provided, group name are used
218 in @code{host@@group} form for the host certificate subject and issuer
219 fields. Specifying '@code{-s @@group}' is allowed, and results in
220 leaving the host name unchanged while appending @code{@@group} to the
221 subject and issuer fields, as with @code{-i group}. The group name, or
222 if not provided, the host name are also used in the file names
229 name = sign-key;
230 arg-type = string;
231 arg-name = sign;
234 doc = <<- _EndOfDoc_
236 that may exist. By default, the program uses the host key as the
243 name = trusted-cert;
246 doc = <<- _EndOfDoc_
248 a non-trusted certificate.
254 name = mv-params;
255 arg-type = number;
256 arg-name = num;
259 doc = <<- _EndOfDoc_
260 Generate parameters and keys for the Mu-Varadharajan (MV)
267 name = mv-keys;
268 arg-type = number;
269 arg-name = num;
275 explain = <<- _END_EXPLAIN
278 doc-section = {
279 ds-type = 'DESCRIPTION';
280 ds-format = 'mdoc';
281 ds-text = <<- _END_PROG_MDOC_DESCRIP
285 if the OpenSSL software library has been installed, it can generate host keys,
294 All other files are in PEM-encoded printable ASCII format,
300 produces a file containing ten pseudo-random printable ASCII strings
304 hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
329 If no password is specified, the host name returned by the Unix
331 command, normally the DNS name of the host, is used as the default read
349 If not specified, the host name is used.
353 without specifying an explicit password but only on the same host.
354 If the write password used for encryption is specified as the host name,
355 these files can be read by that host with no explicit password.
357 Normally, encrypted files for each host are generated by that host and
358 used only by that host, although exceptions exist as noted later on
367 NFS-mounted networks and cannot be changed by shared clients.
385 and include the file type, generating host and filestamp,
411 host key and matching
412 .Cm RSA-MD5
421 The host key is used to encrypt the cookie when required and so must be
424 By default, the host key is also the sign key used to encrypt signatures.
445 however, only
468 However, there should be only one
476 Installing the keys as root might not work in NFS-mounted
490 Ordinarily, cryptographic files are generated by the host that uses them,
494 of the host generating the files, but can be changed by command line options.
497 The owner name is also used for the host and sign key files,
503 in NFS-mounted networks.
507 Normally, the files for each host are generated by that host
508 and used only by that host, although exceptions exist
512 including the host key, sign key and identification parameters,
513 are permitted root read/write-only;
551 Designate one of them as the trusted host (TH) using
559 ascendant host towards the TH to sign its certificate, which is then
560 provided to the immediately descendant host on request.
563 The host key is used to encrypt the cookie when required and so must be
565 By default, the host key is also the sign key used to encrypt
584 filestamps, which means the host should already be synchronized before
586 This of course creates a chicken-and-egg problem
587 when the host is started for the first time.
588 Accordingly, the host time
589 should be set by some other means, such as eyeball-and-wristwatch, at
591 After that and when the host is synchronized to a proventic source, the
592 certificate should be re-generated.
595 .Dq Autokey Public-Key Authentication
637 First, configure a NTP subnet including one or more low-stratum
645 a certificate trail ending at a trusted host.
652 On each trusted host as root, change to the keys directory.
680 .Cm DSA Ns -signed
696 from time to time, if only to extend the validity interval.
701 However, if the host or sign key is changed,
725 by a trusted host and certificate trails that end on that host.
726 The name of a trusted host is also the name of its subgroup
728 The TA is not necessarily a trusted host in this sense, but often is.
737 only as clients have key files that contain only client keys.
739 The PC scheme supports only one trusted host in the group.
740 On trusted host alice run
744 to generate the host key file
747 .Pa ntpkey Ns _ Cm RSA-MD5 _ Pa cert_alice. Ar filestamp ,
751 On each host
755 to the host key file and soft link
759 by trusted host alice.
769 and certificates for all group hosts, then for every trusted host in the group,
773 On trusted host alice run
785 If there are no hosts restricted to operate only as clients,
812 and certificates for all group hosts, then for every trusted host
816 On trusted host alice run
828 In addition, on each host
884 .Bl -tag -width indent
885 .It Fl b Fl -imbits Ns = Ar modulus
893 .It Fl c Fl -certificate Ns = Ar scheme
898 .Cm RSA-MD2 , RSA-MD5 , RSA-MDC2 , RSA-SHA , RSA-SHA1 , RSA-RIPEMD160 , DSA-SHA ,
900 .Cm DSA-SHA1 .
911 .Cm RSA-MD5 .
912 If compatibility with FIPS 140-2 is required, either the
913 .Cm DSA-SHA
915 .Cm DSA-SHA1
917 .It Fl C Fl -cipher Ns = Ar cipher
919 The default without this option is three-key triple DES in CBC mode,
920 .Cm des-ede3-cbc .
924 .It Fl d Fl -debug-level
926 This option displays the cryptographic data produced in eye-friendly billboards.
927 .It Fl D Fl -set-debug-level Ns = Ar level
930 This option displays the cryptographic data produced in eye-friendly billboards.
931 .It Fl e Fl -id-key
942 .It Fl G Fl -gq-params
945 parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
951 .It Fl H Fl -host-key
954 public/private host key file.
955 .It Fl I Fl -iffkey
964 .It Fl i Fl -ident Ns = Ar group
972 In that role, the default is the host name if no group is provided.
980 .Ar host @@ group
986 .It Fl l Fl -lifetime Ns = Ar days
990 .It Fl m Fl -modulus Ns = Ar bits
996 .It Fl M Fl -md5key
1009 .It Fl p Fl -password Ns = Ar passwd
1012 These include the host, sign and identify key files.
1016 .It Fl P Fl -pvt-cert
1022 .It Fl q Fl -export-passwd Ns = Ar passwd
1037 .It Fl s Fl -subject-key Ns = Ar Oo host Oc Op @@ Ar group
1038 Specify the Autokey host name, where
1039 .Ar host
1040 is the optional host name and
1043 The host name, and if provided, group name are used in
1044 .Ar host @@ group
1048 is allowed, and results in leaving the host name unchanged, as with
1050 The group name, or if no group is provided, the host name are also used in the
1057 .Ar host
1058 is not specified, the default host name is the string returned by the Unix
1061 .It Fl S Fl -sign-key Ns = Op Cm RSA | DSA
1063 By default, the sign key is the host key and has the same type.
1064 If compatibility with FIPS 140-2 is required, the sign key type must be
1066 .It Fl T Fl -trusted-cert
1068 By default, the program generates a non-trusted certificate.
1069 .It Fl V Fl -mv-params Ar nkeys
1072 encrypted server keys and parameters for the Mu-Varadharajan (MV)
1085 the internal pseudo-random number generator used
1098 can be used to do this and some systems have built-in entropy sources.
1143 The first line contains the file name, including the generated host name
1150 is the host or group name and
1158 names in generated link names include only lower case characters.
1172 rules, then encrypted if necessary, and finally written in PEM-encoded
1180 .Bd -literal -unfilled -offset center
1192 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
1213 is a positive integer in the range 1-65535;
1221 however, if compatibility with FIPS 140-2 is required,
1239 An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
1256 it should be visible only to root and distributed by secure means
1275 doc-section = {
1276 ds-type = 'USAGE';
1277 ds-format = 'mdoc';
1278 ds-text = <<- _END_MDOC_USAGE
1282 doc-section = {
1283 ds-type = 'NOTES';
1284 ds-format = 'mdoc';
1285 ds-text = <<- _END_MDOC_NOTES
1290 doc-section = {
1291 ds-type = 'BUGS';
1292 ds-format = 'mdoc';
1293 ds-text = <<- _END_MDOC_BUGS