Lines Matching +full:other +full:- +full:key

1 /* -*- Mode: Text -*- */
7 #include autogen-version.def
9 prog-name = "ntp-keygen";
10 prog-title = "create a Network Time Protocol host key";
19 arg-type = number;
20 arg-name = imbits;
21 arg-range = '256->2048';
24 doc = <<- _EndOfDoc_
32 arg-type = string;
33 arg-name = scheme;
36 doc = <<- _EndOfDoc_
38 RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
39 DSA-SHA, or DSA-SHA1.
42 Note that RSA schemes must be used with an RSA sign key and DSA
43 schemes must be used with a DSA sign key. The default without
44 this option is RSA-MD5.
51 arg-type = string;
52 arg-name = cipher;
55 doc = <<- _EndOfDoc_
57 private keys. The default is three-key triple DES in CBC mode,
58 equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
59 available in "@code{openssl -h}" output.
63 #include debug-opt.def
67 name = id-key;
70 doc = <<- _EndOfDoc_
73 This is intended for automatic key distribution by email.
79 name = gq-params;
82 doc = <<- _EndOfDoc_
90 name = host-key;
92 descrip = "generate RSA host key";
93 doc = <<- _EndOfDoc_
103 doc = <<- _EndOfDoc_
113 arg-type = string;
114 arg-name = group;
116 doc = <<- _EndOfDoc_
120 provided. The group name, if specified using @code{-i/--ident} or
121 using @code{-s/--subject-name} following an '@code{@@}' character,
122 is also a part of the self-signed host certificate subject and
133 arg-type = number;
134 arg-name = lifetime;
136 doc = <<- _EndOfDoc_
144 arg-type = number;
145 arg-name = modulus;
146 arg-range = '256->2048';
149 doc = <<- _EndOfDoc_
158 doc = <<- _EndOfDoc_
165 name = pvt-cert;
168 doc = <<- _EndOfDoc_
176 name = password; // was: pvt-passwd;
178 arg-type = string;
179 arg-name = passwd;
181 doc = <<- _EndOfDoc_
183 DES-CBC algorithm and the specified password. The same password
192 name = export-passwd; // Was: get-pvt-passwd;
194 arg-type = string;
195 arg-name = passwd;
197 doc = <<- _EndOfDoc_
199 encrypted with the DES-CBC algorithm and the specified password.
202 --id-key (-e) for unencrypted exports.
208 name = subject-name;
209 arg-type = string;
210 arg-name = host@group;
213 doc = <<- _EndOfDoc_
219 fields. Specifying '@code{-s @@group}' is allowed, and results in
221 subject and issuer fields, as with @code{-i group}. The group name, or
229 name = sign-key;
230 arg-type = string;
231 arg-name = sign;
233 descrip = "generate sign key (RSA or DSA)";
234 doc = <<- _EndOfDoc_
235 Generate a new sign key of the designated type, obsoleting any
236 that may exist. By default, the program uses the host key as the
237 sign key.
243 name = trusted-cert;
246 doc = <<- _EndOfDoc_
248 a non-trusted certificate.
254 name = mv-params;
255 arg-type = number;
256 arg-name = num;
259 doc = <<- _EndOfDoc_
260 Generate parameters and keys for the Mu-Varadharajan (MV)
267 name = mv-keys;
268 arg-type = number;
269 arg-name = num;
275 explain = <<- _END_EXPLAIN
278 doc-section = {
279 ds-type = 'DESCRIPTION';
280 ds-format = 'mdoc';
281 ds-text = <<- _END_PROG_MDOC_DESCRIP
284 It can generate message digest keys used in symmetric key cryptography and,
287 public key cryptography.
294 All other files are in PEM-encoded printable ASCII format,
295 so they can be embedded as MIME attachments in email to other sites
300 produces a file containing ten pseudo-random printable ASCII strings
304 hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
305 other message digest algorithms.
315 The remaining generated files are compatible with other OpenSSL
316 applications and other Public Key Infrastructure (PKI) resources.
321 other than Autokey.
364 Other files and links are usually installed in
367 NFS-mounted networks and cannot be changed by shared clients.
381 where they can be piped to other applications or redirected to files.
411 host key and matching
412 .Cm RSA-MD5
421 The host key is used to encrypt the cookie when required and so must be
424 By default, the host key is also the sign key used to encrypt signatures.
425 When necessary, a different sign key can be specified and this can be
434 of sign key type and message digest type supported by the OpenSSL library
441 with the sign key.
453 Private/public key files and certificates are compatible with
454 other OpenSSL applications and very likely other libraries as well.
459 as the other files, are probably not compatible with anything other than Autokey.
461 Running the program as other than root and using the Unix
476 Installing the keys as root might not work in NFS-mounted
487 of other clients or servers, as these data are obtained automatically
492 for other hosts; however, in such cases files should always be encrypted.
497 The owner name is also used for the host and sign key files,
503 in NFS-mounted networks.
512 including the host key, sign key and identification parameters,
513 are permitted root read/write-only;
556 Then configure the other hosts to synchronize to the TH directly or
563 The host key is used to encrypt the cookie when required and so must be
565 By default, the host key is also the sign key used to encrypt
567 A different sign key can be assigned using the
577 but any combination of sign key type and
586 This of course creates a chicken-and-egg problem
589 should be set by some other means, such as eyeball-and-wristwatch, at
592 certificate should be re-generated.
595 .Dq Autokey Public-Key Authentication
637 First, configure an NTP subnet including one or more low-stratum
638 trusted hosts from which all other hosts derive synchronization
641 all other hosts have nontrusted certificates.
660 On all other hosts do the same, but leave off the
668 If it is necessary to use a different sign key or different digest/signature
680 .Cm DSA Ns -signed
693 using the same scheme and sign key, and soft link.
701 However, if the host or sign key is changed,
707 Other dependent hosts will continue as usual until signatures are refreshed,
737 only as clients have key files that contain only client keys.
744 to generate the host key file
747 .Pa ntpkey Ns _ Cm RSA-MD5 _ Pa cert_alice. Ar filestamp ,
750 they replace the files which would be generated in other schemes.
755 to the host key file and soft link
762 to all other hosts in the group, and recreating the soft links.
858 and client key files
862 is the key number (0 \&<
870 Copy one of the client key files to alice for later distribution
872 It does not matter which client key file goes to alice,
874 Alice copies the client key file to all of her clients.
877 to the client key file.
884 .Bl -tag -width indent
885 .It Fl b Fl -imbits Ns = Ar modulus
893 .It Fl c Fl -certificate Ns = Ar scheme
898 .Cm RSA-MD2 , RSA-MD5 , RSA-MDC2 , RSA-SHA , RSA-SHA1 , RSA-RIPEMD160 , DSA-SHA ,
900 .Cm DSA-SHA1 .
905 sign key and
909 sign key.
911 .Cm RSA-MD5 .
912 If compatibility with FIPS 140-2 is required, either the
913 .Cm DSA-SHA
915 .Cm DSA-SHA1
917 .It Fl C Fl -cipher Ns = Ar cipher
919 The default without this option is three-key triple DES in CBC mode,
920 .Cm des-ede3-cbc .
924 .It Fl d Fl -debug-level
926 This option displays the cryptographic data produced in eye-friendly billboards.
927 .It Fl D Fl -set-debug-level Ns = Ar level
930 This option displays the cryptographic data produced in eye-friendly billboards.
931 .It Fl e Fl -id-key
941 This is intended for automatic key distribution by email.
942 .It Fl G Fl -gq-params
945 parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
951 .It Fl H Fl -host-key
954 public/private host key file.
955 .It Fl I Fl -iffkey
958 key file for the Schnorr (IFF) identity scheme.
964 .It Fl i Fl -ident Ns = Ar group
986 .It Fl l Fl -lifetime Ns = Ar days
990 .It Fl m Fl -modulus Ns = Ar bits
996 .It Fl M Fl -md5key
1004 key is a string of 20 random printable ASCII characters, while a
1006 key is a string of 40 random hex digits.
1007 The file can be edited using a text editor to change the key type or key content.
1008 This option is mutually exclusive with all other options.
1009 .It Fl p Fl -password Ns = Ar passwd
1012 These include the host, sign and identify key files.
1016 .It Fl P Fl -pvt-cert
1022 .It Fl q Fl -export-passwd Ns = Ar passwd
1037 .It Fl s Fl -subject-key Ns = Ar Oo host Oc Op @@ Ar group
1061 .It Fl S Fl -sign-key Ns = Op Cm RSA | DSA
1062 Generate a new encrypted public/private sign key file of the specified type.
1063 By default, the sign key is the host key and has the same type.
1064 If compatibility with FIPS 140-2 is required, the sign key type must be
1066 .It Fl T Fl -trusted-cert
1068 By default, the program generates a non-trusted certificate.
1069 .It Fl V Fl -mv-params Ar nkeys
1072 encrypted server keys and parameters for the Mu-Varadharajan (MV)
1083 All cryptographically sound key generation schemes must have means
1085 the internal pseudo-random number generator used
1098 can be used to do this and some systems have built-in entropy sources.
1122 whether root or some other user.
1145 .Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
1147 .Ar key
1148 is the key or parameter type,
1154 .Ar key
1157 .Ar key
1172 rules, then encrypted if necessary, and finally written in PEM-encoded
1177 is somewhat different than the other files in the interest of backward compatibility.
1180 .Bd -literal -unfilled -offset center
1184 1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
1185 2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
1186 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
1187 4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
1188 5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
1189 6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key
1190 7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
1191 8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
1192 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
1193 10 MD5 2late4Me # MD5 key
1194 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
1195 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
1196 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
1197 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
1198 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
1199 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
1200 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
1201 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
1202 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
1203 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
1205 .D1 Figure 1. Typical Symmetric Key File
1210 .D1 Ar keyno Ar type Ar key
1213 is a positive integer in the range 1-65535;
1215 is the key type for the message digest algorithm, which in the absence of the
1219 if the OpenSSL library is installed, the key type can be any
1221 however, if compatibility with FIPS 140-2 is required,
1222 the key type must be either
1226 .Ar key
1227 is the key itself,
1239 An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
1257 to other subnet hosts.
1264 or automated means on the other subnet hosts.
1275 doc-section = {
1276 ds-type = 'USAGE';
1277 ds-format = 'mdoc';
1278 ds-text = <<- _END_MDOC_USAGE
1282 doc-section = {
1283 ds-type = 'NOTES';
1284 ds-format = 'mdoc';
1285 ds-text = <<- _END_MDOC_NOTES
1290 doc-section = {
1291 ds-type = 'BUGS';
1292 ds-format = 'mdoc';
1293 ds-text = <<- _END_MDOC_BUGS