Lines Matching +full:keys +full:- +full:per +full:- +full:group
2 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands
4 .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
6 .\" It has been AutoGen-ed May 25, 2024 at 12:04:46 AM by AutoGen 5.18.16
7 .\" From the definitions ntp-keygen-opts.def
8 .\" and the template file agmdoc-cmd.tpl
10 .Nm ntp-keygen
17 .Op Fl \-option\-name Ns Oo Oo Ns "=| " Oc Ns Ar value Oc
24 It can generate message digest keys used in symmetric key cryptography and,
25 if the OpenSSL software library has been installed, it can generate host keys,
26 signing keys, certificates, and identity keys and parameters used in Autokey
32 The message digest symmetric keys file is generated in a format
34 All other files are in PEM\-encoded printable ASCII format,
39 When used to generate message digest symmetric keys, the program
40 produces a file containing ten pseudo\-random printable ASCII strings
44 hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
46 The message digest symmetric keys file must be distributed and stored
48 Besides the keys used for ordinary NTP associations, additional keys
60 However, the identity keys are probably not compatible with anything
100 The symmetric keys file, normally called
101 .Pa ntp.keys ,
107 NFS\-mounted networks and cannot be changed by shared clients.
134 .Ar keys
141 .Ar keys
151 .Cm RSA\-MD5
157 existing keys and parameters and generates a new certificate file with
183 sign keys;
190 sign keys.
215 Installing the keys as root might not work in NFS\-mounted
217 to the shared keys directory, even as root.
225 There is no need for one client to read the keys and certificates
239 All files are installed by default in the keys directory
242 in NFS\-mounted networks.
243 The actual location of the keys directory
252 are permitted root read/write\-only;
300 All group hosts should have acyclic certificate trails ending on the TH.
325 This of course creates a chicken\-and\-egg problem
328 should be set by some other means, such as eyeball\-and\-wristwatch, at
331 certificate should be re\-generated.
334 .Dq Autokey Public\-Key Authentication
375 First, configure a NTP subnet including one or more low\-stratum
382 A trusted group is the set of all hosts that have, directly or indirectly,
390 On each trusted host as root, change to the keys directory.
397 to generate keys and a trusted certificate.
400 flag to generate keys and nontrusted certificates.
418 .Cm DSA Ns \-signed
438 using existing keys, and soft links.
467 In some schemes there are separate keys for servers and clients.
472 both server and client keys.
474 only as clients have key files that contain only client keys.
476 The PC scheme supports only one trusted host in the group.
484 .Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
486 Copy both files to all group hosts;
498 either the keys or certificates without copying them
499 to all other hosts in the group, and recreating the soft links.
505 scheme to generate keys
506 and certificates for all group hosts, then for every trusted host in the group,
517 which includes both server and client keys.
518 Copy this file to all group hosts that operate as both servers
527 of keys and certificates, these files can be refreshed as needed.
531 To eliminate this threat, the client keys can be extracted
541 To further protect the integrity of the keys,
548 scheme to generate keys
549 and certificates for all group hosts, then for every trusted host
550 in the group, generate the
560 which includes both server and client keys.
561 Copy this file to all group hosts and install a soft link
576 at the same time, keys and certificates can be regenerated as needed.
582 scheme to generate keys
583 and certificates for all group hosts.
592 is the number of revokable keys (typically 5) to produce
617 scheme is independent of keys and certificates,
620 .Bl -tag -width indent
621 .It Fl b Fl \-imbits Ns = Ar modulus
622 Set the number of bits in the identity modulus for generating identity keys to
629 .It Fl c Fl \-certificate Ns = Ar scheme
634 .Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
636 .Cm DSA\-SHA1 .
647 .Cm RSA\-MD5 .
648 If compatibility with FIPS 140\-2 is required, either the
649 .Cm DSA\-SHA
651 .Cm DSA\-SHA1
653 .It Fl C Fl \-cipher Ns = Ar cipher
654 Select the OpenSSL cipher to encrypt the files containing private keys.
655 The default without this option is three\-key triple DES in CBC mode,
656 .Cm des\-ede3\-cbc .
660 .It Fl d Fl \-debug\-level
662 This option displays the cryptographic data produced in eye\-friendly billboards.
663 .It Fl D Fl \-set\-debug\-level Ns = Ar level
666 This option displays the cryptographic data produced in eye\-friendly billboards.
667 .It Fl e Fl \-id\-key
674 client keys file previously specified
678 .It Fl G Fl \-gq\-params
681 parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
687 .It Fl H Fl \-host\-key
691 .It Fl I Fl \-iffkey
700 .It Fl i Fl \-ident Ns = Ar group
701 Set the optional Autokey group name to
702 .Ar group .
708 In that role, the default is the host name if no group is provided.
709 The group name, if specified using
716 .Ar host @ group
717 and should match the group specified via
722 .It Fl l Fl \-lifetime Ns = Ar days
726 .It Fl m Fl \-modulus Ns = Ar bits
732 .It Fl M Fl \-md5key
733 Generate a new symmetric keys file containing 10
735 keys, and if OpenSSL is available, 10
737 keys.
745 .It Fl p Fl \-password Ns = Ar passwd
752 .It Fl P Fl \-pvt\-cert
758 .It Fl q Fl \-export\-passwd Ns = Ar passwd
773 .It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
777 .Ar group
778 is the optional group name.
779 The host name, and if provided, group name are used in
780 .Ar host @ group
783 .Fl s @ Ar group
785 .Fl i Ar group .
786 The group name, or if no group is provided, the host name are also used in the
797 .It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
800 If compatibility with FIPS 140\-2 is required, the sign key type must be
802 .It Fl T Fl \-trusted\-cert
804 By default, the program generates a non\-trusted certificate.
805 .It Fl V Fl \-mv\-params Ar nkeys
808 encrypted server keys and parameters for the Mu\-Varadharajan (MV)
820 the internal pseudo\-random number generator used
833 can be used to do this and some systems have built\-in entropy sources.
884 is the host or group name and
906 rules, then encrypted if necessary, and finally written in PEM\-encoded
909 The format of the symmetric keys file, ordinarily named
910 .Pa ntp.keys ,
914 .Bd -literal -unfilled -offset center
925 9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
940 Figure 1 shows a typical symmetric keys file used by the reference
942 Following the header the keys are entered one per line in the format
946 is a positive integer in the range 1\-65535;
954 however, if compatibility with FIPS 140\-2 is required,
972 An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
975 Note that the keys used by the
981 and entered by hand, so it is generally appropriate to specify these keys
986 program generates a symmetric keys file
988 Since the file contains private shared keys,
992 .Pa ntp.keys ,
1006 .Bl -tag
1007 .It Fl b Ar imbits , Fl \-imbits Ns = Ns Ar imbits
1018 .in -4
1021 .It Fl c Ar scheme , Fl \-certificate Ns = Ns Ar scheme
1025 RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
1026 DSA\-SHA, or DSA\-SHA1.
1031 this option is RSA\-MD5.
1032 .It Fl C Ar cipher , Fl \-cipher Ns = Ns Ar cipher
1036 private keys. The default is three\-key triple DES in CBC mode,
1037 equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
1038 available in "\fBopenssl \-h\fP" output.
1039 .It Fl d , Fl \-debug\-level
1043 .It Fl D Ar number , Fl \-set\-debug\-level Ns = Ns Ar number
1048 .It Fl e , Fl \-id\-key
1049 Write IFF or GQ identity keys.
1051 Write the public parameters from the IFF or GQ client keys to
1054 .It Fl G , Fl \-gq\-params
1055 Generate GQ parameters and keys.
1057 Generate parameters and keys for the GQ identification scheme,
1059 .It Fl H , Fl \-host\-key
1062 Generate new host keys, obsoleting any that may exist.
1063 .It Fl I , Fl \-iffkey
1068 .It Fl i Ar group , Fl \-ident Ns = Ns Ar group
1069 set Autokey group name.
1071 Set the optional Autokey group name to name. This is used in
1074 provided. The group name, if specified using \fB\-i/\-\-ident\fP or
1075 using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
1076 is also a part of the self\-signed host certificate subject and
1077 issuer names in the form \fBhost@group\fP and should match the
1080 .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
1085 .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
1096 .in -4
1099 .It Fl M , Fl \-md5key
1100 generate symmetric keys.
1102 Generate symmetric keys, obsoleting any that may exist.
1103 .It Fl P , Fl \-pvt\-cert
1108 .It Fl p Ar passwd , Fl \-password Ns = Ns Ar passwd
1112 DES\-CBC algorithm and the specified password. The same password
1116 .It Fl q Ar passwd , Fl \-export\-passwd Ns = Ns Ar passwd
1117 export IFF or GQ group keys with password.
1119 Export IFF or GQ identity group keys to the standard output,
1120 encrypted with the DES\-CBC algorithm and the specified password.
1123 -\-id\-key (\-e) for unencrypted exports.
1124 .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
1125 set host and optionally group name.
1127 Set the Autokey host name, and optionally, group name specified
1130 group name. The host name, and if provided, group name are used
1131 in \fBhost@group\fP form for the host certificate subject and issuer
1132 fields. Specifying '\fB\-s @group\fP' is allowed, and results in
1133 leaving the host name unchanged while appending \fB@group\fP to the
1134 subject and issuer fields, as with \fB\-i group\fP. The group name, or
1137 .It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
1143 .It Fl T , Fl \-trusted\-cert
1147 a non\-trusted certificate.
1148 .It Fl V Ar num , Fl \-mv\-params Ns = Ns Ar num
1152 Generate parameters and keys for the Mu\-Varadharajan (MV)
1154 .It Fl v Ar num , Fl \-mv\-keys Ns = Ns Ar num
1155 update <num> MV keys.
1159 .It Fl \&? , Fl \-help
1161 .It Fl \&! , Fl \-more\-help
1163 .It Fl > Oo Ar cfgfile Oc , Fl \-save\-opts Oo Ns = Ns Ar cfgfile Oc
1167 .It Fl < Ar cfgfile , Fl \-load\-opts Ns = Ns Ar cfgfile , Fl \-no\-load\-opts
1169 The \fIno\-load\-opts\fP form will disable the loading
1170 of earlier config/rc/ini files. \fI\-\-no\-load\-opts\fP is handled early,
1172 .It Fl \-version Op Brq Ar v|c|n
1182 \fBNTP_KEYGEN_<option\-name>\fP or \fBNTP_KEYGEN\fP
1197 .Bl -tag
1206 it to autogen\-users@lists.sourceforge.net. Thank you.
1211 Copyright (C) 1992\-2024 The University of Delaware and Network Time Foundation all rights reserved.
1222 This manual page was \fIAutoGen\fP\-erated from the \fBntp\-keygen\fP