Lines Matching +full:other +full:- +full:key
2 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands
4 .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
6 .\" It has been AutoGen-ed May 25, 2024 at 12:04:46 AM by AutoGen 5.18.16
7 .\" From the definitions ntp-keygen-opts.def
8 .\" and the template file agmdoc-cmd.tpl
10 .Nm ntp-keygen
11 .Nd Create an NTP host key
17 .Op Fl \-option\-name Ns Oo Oo Ns "=| " Oc Ns Ar value Oc
24 It can generate message digest keys used in symmetric key cryptography and,
27 public key cryptography.
34 All other files are in PEM\-encoded printable ASCII format,
35 so they can be embedded as MIME attachments in email to other sites
40 produces a file containing ten pseudo\-random printable ASCII strings
44 hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
45 other message digest algorithms.
55 The remaining generated files are compatible with other OpenSSL
56 applications and other Public Key Infrastructure (PKI) resources.
61 other than Autokey.
104 Other files and links are usually installed in
107 NFS\-mounted networks and cannot be changed by shared clients.
121 where they can be piped to other applications or redirected to files.
150 host key and matching
151 .Cm RSA\-MD5
160 The host key is used to encrypt the cookie when required and so must be
163 By default, the host key is also the sign key used to encrypt signatures.
164 When necessary, a different sign key can be specified and this can be
173 of sign key type and message digest type supported by the OpenSSL library
180 with the sign key.
192 Private/public key files and certificates are compatible with
193 other OpenSSL applications and very likely other libraries as well.
198 as the other files, are probably not compatible with anything other than Autokey.
200 Running the program as other than root and using the Unix
215 Installing the keys as root might not work in NFS\-mounted
226 of other clients or servers, as these data are obtained automatically
231 for other hosts; however, in such cases files should always be encrypted.
236 The owner name is also used for the host and sign key files,
242 in NFS\-mounted networks.
251 including the host key, sign key and identification parameters,
252 are permitted root read/write\-only;
295 Then configure the other hosts to synchronize to the TH directly or
302 The host key is used to encrypt the cookie when required and so must be
304 By default, the host key is also the sign key used to encrypt
306 A different sign key can be assigned using the
316 but any combination of sign key type and
325 This of course creates a chicken\-and\-egg problem
328 should be set by some other means, such as eyeball\-and\-wristwatch, at
331 certificate should be re\-generated.
334 .Dq Autokey Public\-Key Authentication
375 First, configure an NTP subnet including one or more low\-stratum
376 trusted hosts from which all other hosts derive synchronization
379 all other hosts have nontrusted certificates.
398 On all other hosts do the same, but leave off the
406 If it is necessary to use a different sign key or different digest/signature
418 .Cm DSA Ns \-signed
431 using the same scheme and sign key, and soft link.
439 However, if the host or sign key is changed,
445 Other dependent hosts will continue as usual until signatures are refreshed,
474 only as clients have key files that contain only client keys.
481 to generate the host key file
484 .Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
487 they replace the files which would be generated in other schemes.
492 to the host key file and soft link
499 to all other hosts in the group, and recreating the soft links.
595 and client key files
599 is the key number (0 \&<
607 Copy one of the client key files to alice for later distribution
609 It does not matter which client key file goes to alice,
611 Alice copies the client key file to all of her clients.
614 to the client key file.
620 .Bl -tag -width indent
621 .It Fl b Fl \-imbits Ns = Ar modulus
629 .It Fl c Fl \-certificate Ns = Ar scheme
634 .Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
636 .Cm DSA\-SHA1 .
641 sign key and
645 sign key.
647 .Cm RSA\-MD5 .
648 If compatibility with FIPS 140\-2 is required, either the
649 .Cm DSA\-SHA
651 .Cm DSA\-SHA1
653 .It Fl C Fl \-cipher Ns = Ar cipher
655 The default without this option is three\-key triple DES in CBC mode,
656 .Cm des\-ede3\-cbc .
660 .It Fl d Fl \-debug\-level
662 This option displays the cryptographic data produced in eye\-friendly billboards.
663 .It Fl D Fl \-set\-debug\-level Ns = Ar level
666 This option displays the cryptographic data produced in eye\-friendly billboards.
667 .It Fl e Fl \-id\-key
677 This is intended for automatic key distribution by email.
678 .It Fl G Fl \-gq\-params
681 parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
687 .It Fl H Fl \-host\-key
690 public/private host key file.
691 .It Fl I Fl \-iffkey
694 key file for the Schnorr (IFF) identity scheme.
700 .It Fl i Fl \-ident Ns = Ar group
722 .It Fl l Fl \-lifetime Ns = Ar days
726 .It Fl m Fl \-modulus Ns = Ar bits
732 .It Fl M Fl \-md5key
740 key is a string of 20 random printable ASCII characters, while a
742 key is a string of 40 random hex digits.
743 The file can be edited using a text editor to change the key type or key content.
744 This option is mutually exclusive with all other options.
745 .It Fl p Fl \-password Ns = Ar passwd
748 These include the host, sign and identify key files.
752 .It Fl P Fl \-pvt\-cert
758 .It Fl q Fl \-export\-passwd Ns = Ar passwd
773 .It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
797 .It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
798 Generate a new encrypted public/private sign key file of the specified type.
799 By default, the sign key is the host key and has the same type.
800 If compatibility with FIPS 140\-2 is required, the sign key type must be
802 .It Fl T Fl \-trusted\-cert
804 By default, the program generates a non\-trusted certificate.
805 .It Fl V Fl \-mv\-params Ar nkeys
808 encrypted server keys and parameters for the Mu\-Varadharajan (MV)
818 All cryptographically sound key generation schemes must have means
820 the internal pseudo\-random number generator used
833 can be used to do this and some systems have built\-in entropy sources.
857 whether root or some other user.
879 .Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
881 .Ar key
882 is the key or parameter type,
888 .Ar key
891 .Ar key
906 rules, then encrypted if necessary, and finally written in PEM\-encoded
911 is somewhat different than the other files in the interest of backward compatibility.
914 .Bd -literal -unfilled -offset center
917 1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
918 2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
919 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
920 4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
921 5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
922 6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key
923 7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
924 8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
925 9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
926 10 MD5 2late4Me # MD5 key
927 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
928 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
929 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
930 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
931 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
932 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
933 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
934 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
935 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
936 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
938 .D1 Figure 1. Typical Symmetric Key File
943 .D1 Ar keyno Ar type Ar key
946 is a positive integer in the range 1\-65535;
948 is the key type for the message digest algorithm, which in the absence of the
952 if the OpenSSL library is installed, the key type can be any
954 however, if compatibility with FIPS 140\-2 is required,
955 the key type must be either
959 .Ar key
960 is the key itself,
972 An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
990 to other subnet hosts.
997 or automated means on the other subnet hosts.
1006 .Bl -tag
1007 .It Fl b Ar imbits , Fl \-imbits Ns = Ns Ar imbits
1018 .in -4
1021 .It Fl c Ar scheme , Fl \-certificate Ns = Ns Ar scheme
1025 RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
1026 DSA\-SHA, or DSA\-SHA1.
1029 Note that RSA schemes must be used with an RSA sign key and DSA
1030 schemes must be used with a DSA sign key. The default without
1031 this option is RSA\-MD5.
1032 .It Fl C Ar cipher , Fl \-cipher Ns = Ns Ar cipher
1036 private keys. The default is three\-key triple DES in CBC mode,
1037 equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
1038 available in "\fBopenssl \-h\fP" output.
1039 .It Fl d , Fl \-debug\-level
1043 .It Fl D Ar number , Fl \-set\-debug\-level Ns = Ns Ar number
1048 .It Fl e , Fl \-id\-key
1053 This is intended for automatic key distribution by email.
1054 .It Fl G , Fl \-gq\-params
1059 .It Fl H , Fl \-host\-key
1060 generate RSA host key.
1063 .It Fl I , Fl \-iffkey
1068 .It Fl i Ar group , Fl \-ident Ns = Ns Ar group
1074 provided. The group name, if specified using \fB\-i/\-\-ident\fP or
1075 using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
1076 is also a part of the self\-signed host certificate subject and
1080 .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
1085 .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
1096 .in -4
1099 .It Fl M , Fl \-md5key
1103 .It Fl P , Fl \-pvt\-cert
1108 .It Fl p Ar passwd , Fl \-password Ns = Ns Ar passwd
1112 DES\-CBC algorithm and the specified password. The same password
1116 .It Fl q Ar passwd , Fl \-export\-passwd Ns = Ns Ar passwd
1120 encrypted with the DES\-CBC algorithm and the specified password.
1123 -\-id\-key (\-e) for unencrypted exports.
1124 .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
1132 fields. Specifying '\fB\-s @group\fP' is allowed, and results in
1134 subject and issuer fields, as with \fB\-i group\fP. The group name, or
1137 .It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
1138 generate sign key (RSA or DSA).
1140 Generate a new sign key of the designated type, obsoleting any
1141 that may exist. By default, the program uses the host key as the
1142 sign key.
1143 .It Fl T , Fl \-trusted\-cert
1147 a non\-trusted certificate.
1148 .It Fl V Ar num , Fl \-mv\-params Ns = Ns Ar num
1152 Generate parameters and keys for the Mu\-Varadharajan (MV)
1154 .It Fl v Ar num , Fl \-mv\-keys Ns = Ns Ar num
1159 .It Fl \&? , Fl \-help
1161 .It Fl \&! , Fl \-more\-help
1163 .It Fl > Oo Ar cfgfile Oc , Fl \-save\-opts Oo Ns = Ns Ar cfgfile Oc
1167 .It Fl < Ar cfgfile , Fl \-load\-opts Ns = Ns Ar cfgfile , Fl \-no\-load\-opts
1169 The \fIno\-load\-opts\fP form will disable the loading
1170 of earlier config/rc/ini files. \fI\-\-no\-load\-opts\fP is handled early,
1172 .It Fl \-version Op Brq Ar v|c|n
1182 \fBNTP_KEYGEN_<option\-name>\fP or \fBNTP_KEYGEN\fP
1197 .Bl -tag
1206 it to autogen\-users@lists.sourceforge.net. Thank you.
1211 Copyright (C) 1992\-2024 The University of Delaware and Network Time Foundation all rights reserved.
1222 This manual page was \fIAutoGen\fP\-erated from the \fBntp\-keygen\fP