Lines Matching +full:host +full:- +full:id

1 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
3 <!-- Created by GNU Texinfo 6.6, http://www.gnu.org/software/texinfo/ -->
5 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
6 <title>Ntp-keygen User&rsquo;s Manual</title>
8 <meta name="description" content="Ntp-keygen User&rsquo;s Manual">
9 <meta name="keywords" content="Ntp-keygen User&rsquo;s Manual">
10 <meta name="resource-type" content="document">
16 <!--
17 a.summary-letter {text-decoration: none}
18 blockquote.indentedblock {margin-right: 0em}
19 div.display {margin-left: 3.2em}
20 div.example {margin-left: 3.2em}
21 div.lisp {margin-left: 3.2em}
22 kbd {font-style: oblique}
23 pre.display {font-family: inherit}
24 pre.format {font-family: inherit}
25 pre.menu-comment {font-family: serif}
26 pre.menu-preformatted {font-family: serif}
27 span.nolinebreak {white-space: nowrap}
28 span.roman {font-family: initial; font-weight: normal}
29 span.sansserif {font-family: sans-serif; font-weight: normal}
30 ul.no-bullet {list-style: none}
31 -->
38 <h1 class="settitle" align="center">Ntp-keygen User&rsquo;s Manual</h1>
44 <span id="SEC_Overview"></span>
45 <h2 class="shortcontents-heading">Short Table of Contents</h2>
48 <ul class="no-bullet">
49 <li><a id="stoc-Description-1" href="#toc-Description-1">1 Description</a></li>
57 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Invocation" accesskey="2">ntp-keygen Invocation</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Invoking ntp-keygen
59 <tr><td align="left" valign="top">&bull; <a href="#Running-the-Program" accesskey="3">Running the Program</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
61 <tr><td align="left" valign="top">&bull; <a href="#Random-Seed-File" accesskey="4">Random Seed File</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
63 <tr><td align="left" valign="top">&bull; <a href="#Cryptographic-Data-Files" accesskey="5">Cryptographic Data Files</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
67 <span id="Top"></span><div class="header">
71 <span id="NTP-Key-Generation-Program-User-Manual"></span><h1 class="top">NTP Key Generation Program User Manual</h1>
73 <p>This document describes the use of the NTP Project&rsquo;s <code>ntp-keygen</code>
78 library has been installed, it can generate host keys, sign keys,
83 All other files are in PEM-encoded
87 <p>This document applies to version 4.2.8p18 of <code>ntp-keygen</code>.
95 <span id="Description"></span><div class="header">
97 Next: <a href="#Running-the-Program" accesskey="n" rel="next">Running the Program</a>, Previous: <a href="#Top" accesskey="p" rel="prev">Top</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
99 <span id="Description-1"></span><h2 class="chapter">1 Description</h2>
104 library has been installed, it can generate host keys, sign keys,
107 format compatible with NTPv3. All other files are in PEM-encoded
112 containing ten pseudo-random printable ASCII strings suitable for the
115 OpenSSL library is installed, it produces an additional ten hex-encoded
133 The <code>-p</code> option specifies the password for local encrypted files and the
134 <code>-q</code> option the password for encrypted files sent to remote sites.
135 If no password is specified, the host name returned by the Unix
136 <code>gethostname()</code> function, normally the DNS name of the host, is used.
141 If not specified, the host name is used.
144 host.
146 <p>Normally, encrypted files for each host are generated by that host and
147 used only by that host, although exceptions exist as noted later on
153 NFS-mounted networks and cannot be changed by shared clients.
164 generating host and filestamp,
165 as described in the <a href="#Cryptographic-Data-Files">Cryptographic Data Files</a> section below.
168 <tr><td align="left" valign="top">&bull; <a href="#Running-the-Program" accesskey="1">Running the Program</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
170 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Invocation" accesskey="2">Invoking ntp-keygen</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
172 <tr><td align="left" valign="top">&bull; <a href="#Random-Seed-File" accesskey="3">Random Seed File</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
174 <tr><td align="left" valign="top">&bull; <a href="#Cryptographic-Data-Files" accesskey="4">Cryptographic Data Files</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
179 <span id="Running-the-Program"></span><div class="header">
181 Next: <a href="#Random-Seed-File" accesskey="n" rel="next">Random Seed File</a>, Previous: <a href="#Description" accesskey="p" rel="prev">Description</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
183 <span id="Running-the-Program-1"></span><h3 class="section">1.1 Running the Program</h3>
189 removed, use the <code>ntp-keygen</code> command without arguments to generate a
190 default RSA host key and matching RSA-MD5 certificate with expiration
197 Designate one of them as the trusted host (TH) using <code>ntp-keygen</code>
198 with the <code>-T</code> option and configure
202 ascendant host towards the TH to sign its certificate, which is then
203 provided to the immediately descendant host on request.
206 <p>The host key is used to encrypt the cookie when required and so must be
208 By default, the host key is also the sign key used to encrypt signatures.
209 A different sign key can be assigned using the <code>-S</code> option
214 using the <code>-c</code> option.
217 filestamps, which means the host should already be synchronized before
219 This of course creates a chicken-and-egg problem
220 when the host is started for the first time.
221 Accordingly, the host time
222 should be set by some other means, such as eyeball-and-wristwatch, at
224 After that and when the host is synchronized to a proventic source, the
225 certificate should be re-generated.
228 Autokey Public-Key Authentication page.
231 <span id="ntp_002dkeygen-Invocation"></span><div class="header">
233 Next: <a href="#Random-Seed-File" accesskey="n" rel="next">Random Seed File</a>, Previous: <a href="#Running-the-Program" accesskey="p" rel="prev">Running the Program</a>, Up: <a href="#Description" accesskey="u" rel="up">Description</a> &nbsp; </p>
235 <span id="Invoking-ntp_002dkeygen"></span><h3 class="section">1.2 Invoking ntp-keygen</h3>
236 <span id="index-ntp_002dkeygen"></span>
237 <span id="index-Create-a-NTP-host-key"></span>
244 if the OpenSSL software library has been installed, it can generate host keys,
253 All other files are in PEM-encoded printable ASCII format,
259 produces a file containing ten pseudo-random printable ASCII strings
263 hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
284 <code>-p</code>
286 <code>-q</code>
288 If no password is specified, the host name returned by the Unix
290 command, normally the DNS name of the host, is used as the default read
293 <code>ntp-keygen</code>
308 If not specified, the host name is used.
312 without specifying an explicit password but only on the same host.
313 If the write password used for encryption is specified as the host name,
314 these files can be read by that host with no explicit password.
316 <p>Normally, encrypted files for each host are generated by that host and
317 used only by that host, although exceptions exist as noted later on
326 NFS-mounted networks and cannot be changed by shared clients.
344 and include the file type, generating host and filestamp,
346 <a href="#Cryptographic-Data-Files">Cryptographic Data Files</a>
350 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-usage" accesskey="1">ntp-keygen help/usage (<samp>--help</samp>)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
352 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-imbits" accesskey="2">imbits option (-b)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
354 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-certificate" accesskey="3">certificate option (-c)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
356 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-cipher" accesskey="4">cipher option (-C)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
358 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-id_002dkey" accesskey="5">id-key option (-e)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
360 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-gq_002dparams" accesskey="6">gq-params option (-G)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
362 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-host_002dkey" accesskey="7">host-key option (-H)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
364 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-iffkey" accesskey="8">iffkey option (-I)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
366 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-ident" accesskey="9">ident option (-i)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
368 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-lifetime">lifetime option (-l)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
370 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-modulus">modulus option (-m)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
372 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-md5key">md5key option (-M)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
374 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-pvt_002dcert">pvt-cert option (-P)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
376 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-password">password option (-p)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
378 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-export_002dpasswd">export-passwd option (-q)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
380 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-subject_002dname">subject-name option (-s)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
382 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-sign_002dkey">sign-key option (-S)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
384 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-trusted_002dcert">trusted-cert option (-T)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
386 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-mv_002dparams">mv-params option (-V)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
388 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-mv_002dkeys">mv-keys option (-v)</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
390 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-config">presetting/configuring ntp-keygen</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
392 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
394 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
396 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
398 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
402 <span id="Running-the-Program-2"></span><h4 class="subsection">1.2.1 Running the Program</h4>
404 <code>ntp-keygen</code>
420 <code>ntp-keygen</code>
423 host key and matching
424 <code>RSA-MD5</code>
433 <p>The host key is used to encrypt the cookie when required and so must be
436 By default, the host key is also the sign key used to encrypt signatures.
488 <p>Installing the keys as root might not work in NFS-mounted
502 <p>Ordinarily, cryptographic files are generated by the host that uses them,
506 of the host generating the files, but can be changed by command line options.
509 The owner name is also used for the host and sign key files,
515 in NFS-mounted networks.
519 Normally, the files for each host are generated by that host
520 and used only by that host, although exceptions exist
524 including the host key, sign key and identification parameters,
525 are permitted root read/write-only;
555 <code>ntp-keygen</code>
563 Designate one of them as the trusted host (TH) using
564 <code>ntp-keygen</code>
566 <code>-T</code>
571 ascendant host towards the TH to sign its certificate, which is then
572 provided to the immediately descendant host on request.
575 <p>The host key is used to encrypt the cookie when required and so must be
577 By default, the host key is also the sign key used to encrypt
580 <code>-S</code>
592 <code>-c</code>
596 filestamps, which means the host should already be synchronized before
598 This of course creates a chicken-and-egg problem
599 when the host is started for the first time.
600 Accordingly, the host time
601 should be set by some other means, such as eyeball-and-wristwatch, at
603 After that and when the host is synchronized to a proventic source, the
604 certificate should be re-generated.
607 &ldquo;Autokey Public-Key Authentication&rdquo;
634 <span id="Trusted-Hosts-and-Groups"></span><h4 class="subsubsection">1.2.1.1 Trusted Hosts and Groups</h4>
649 First, configure an NTP subnet including one or more low-stratum
657 a certificate trail ending at a trusted host.
664 <p>On each trusted host as root, change to the keys directory.
669 <code>ntp-keygen</code>
670 <code>-T</code>
673 <code>-T</code>
682 <code>ntp-keygen</code>
684 <code>-S</code> <kbd>type</kbd>
692 <code>DSA</code>-signed
696 <code>ntp-keygen</code>
698 <code>-c</code> <kbd>scheme</kbd>
703 <code>ntp-keygen</code>
710 <code>ntp-keygen</code>
713 However, if the host or sign key is changed,
722 <span id="Identity-Schemes"></span><h4 class="subsubsection">1.2.1.2 Identity Schemes</h4>
737 by a trusted host and certificate trails that end on that host.
738 The name of a trusted host is also the name of its subgroup
740 The TA is not necessarily a trusted host in this sense, but often is.
751 <p>The PC scheme supports only one trusted host in the group.
752 On trusted host alice run
753 <code>ntp-keygen</code>
754 <code>-P</code>
755 <code>-p</code> <kbd>password</kbd>
756 to generate the host key file
759 <samp>ntpkey</samp>_ <code>RSA-MD5</code> <code>_</code> <samp>cert_alice.</samp> <kbd>filestamp</kbd>,
763 On each host
767 to the host key file and soft link
771 by trusted host alice.
781 and certificates for all group hosts, then for every trusted host in the group,
785 On trusted host alice run
786 <code>ntp-keygen</code>
787 <code>-T</code>
788 <code>-I</code>
789 <code>-p</code> <kbd>password</kbd>
809 <code>ntp-keygen</code>
810 <code>-e</code>
824 and certificates for all group hosts, then for every trusted host
828 On trusted host alice run
829 <code>ntp-keygen</code>
830 <code>-T</code>
831 <code>-G</code>
832 <code>-p</code> <kbd>password</kbd>
840 In addition, on each host
862 <code>ntp-keygen</code>
863 <code>-V</code> <kbd>n</kbd>
864 <code>-p</code> <kbd>password</kbd>,
895 <span id="Command-Line-Options"></span><h4 class="subsubsection">1.2.1.3 Command Line Options</h4>
897 <dt><code>-b</code> <code>--imbits</code>= <kbd>modulus</kbd></dt>
906 <dt><code>-c</code> <code>--certificate</code>= <kbd>scheme</kbd></dt>
911 <code>RSA-MD2</code>, <code>RSA-MD5</code>, <code>RSA-MDC2</code>, <code>RSA-SHA</code>, <code>RSA-SHA1</code>, <code>RSA-RIPEMD160</code>, <code>DSA-SHA</code>,
913 <code>DSA-SHA1</code>.
924 <code>RSA-MD5</code>.
925 If compatibility with FIPS 140-2 is required, either the
926 <code>DSA-SHA</code>
928 <code>DSA-SHA1</code>
931 <dt><code>-C</code> <code>--cipher</code>= <kbd>cipher</kbd></dt>
933 The default without this option is three-key triple DES in CBC mode,
934 <code>des-ede3-cbc</code>.
936 <code>openssl</code> <code>-h</code>
939 <dt><code>-d</code> <code>--debug-level</code></dt>
941 This option displays the cryptographic data produced in eye-friendly billboards.
943 <dt><code>-D</code> <code>--set-debug-level</code>= <kbd>level</kbd></dt>
946 This option displays the cryptographic data produced in eye-friendly billboards.
948 <dt><code>-e</code> <code>--id-key</code></dt>
960 <dt><code>-G</code> <code>--gq-params</code></dt>
963 parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
965 <code>-I</code>
967 <code>-V</code>
970 <dt><code>-H</code> <code>--host-key</code></dt>
973 public/private host key file.
975 <dt><code>-I</code> <code>--iffkey</code></dt>
980 <code>-G</code>
985 <dt><code>-i</code> <code>--ident</code>= <kbd>group</kbd></dt>
993 In that role, the default is the host name if no group is provided.
995 <code>-i</code>
997 <code>-s</code>
1001 <kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd>
1008 <dt><code>-l</code> <code>--lifetime</code>= <kbd>days</kbd></dt>
1013 <dt><code>-m</code> <code>--modulus</code>= <kbd>bits</kbd></dt>
1020 <dt><code>-M</code> <code>--md5key</code></dt>
1034 <dt><code>-p</code> <code>--password</code>= <kbd>passwd</kbd></dt>
1037 These include the host, sign and identify key files.
1042 <dt><code>-P</code> <code>--pvt-cert</code></dt>
1049 <dt><code>-q</code> <code>--export-passwd</code>= <kbd>passwd</kbd></dt>
1057 <code>-p</code>
1059 <code>-q</code>
1065 <dt><code>-s</code> <code>--subject-name</code>= <code>[host]</code> <code>[@ <kbd>group</kbd>]</code></dt>
1066 <dd><p>Specify the Autokey host name, where
1067 <kbd>host</kbd>
1068 is the optional host name and
1071 The host name, and if provided, group name are used in
1072 <kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd>
1075 <code>-s</code> <code>-@</code> <kbd>group</kbd>
1076 is allowed, and results in leaving the host name unchanged, as with
1077 <code>-i</code> <kbd>group</kbd>.
1078 The group name, or if no group is provided, the host name is also used in the
1085 <kbd>host</kbd>
1086 is not specified, the default host name is the string returned by the Unix
1090 <dt><code>-S</code> <code>--sign-key</code>= <code>[<code>RSA</code> | <code>DSA</code>]</code></dt>
1092 By default, the sign key is the host key and has the same type.
1093 If compatibility with FIPS 140-2 is required, the sign key type must be
1096 <dt><code>-T</code> <code>--trusted-cert</code></dt>
1098 By default, the program generates a non-trusted certificate.
1100 <dt><code>-V</code> <code>--mv-params</code> <kbd>nkeys</kbd></dt>
1103 encrypted server keys and parameters for the Mu-Varadharajan (MV)
1106 <code>-I</code>
1108 <code>-G</code>
1114 <span id="Random-Seed-File-1"></span><h4 class="subsubsection">1.2.1.4 Random Seed File</h4>
1117 the internal pseudo-random number generator used
1121 <code>ntp-keygen</code>
1130 can be used to do this and some systems have built-in entropy sources.
1139 <code>ntp-keygen</code>
1148 <code>ntp-keygen</code>
1162 <code>ntp-keygen</code>
1173 <span id="Cryptographic-Data-Files-1"></span><h4 class="subsubsection">1.2.1.5 Cryptographic Data Files</h4>
1175 The first line contains the file name, including the generated host name
1182 is the host or group name and
1198 <code>ntp-keygen</code>
1204 rules, then encrypted if necessary, and finally written in PEM-encoded
1223 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
1247 is a positive integer in the range 1-65535;
1255 however, if compatibility with FIPS 140-2 is required,
1273 An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
1286 <code>ntp-keygen</code>
1295 <code>ntp-keygen</code>
1308 using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp-keygen</code> program.
1312 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-usage" accesskey="1">ntp-keygen usage</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ntp-keygen help/usage (<samp>--help</samp>)
1314 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-imbits" accesskey="2">ntp-keygen imbits</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">imbits option (-b)
1316 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-certificate" accesskey="3">ntp-keygen certificate</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">certificate option (-c)
1318 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-cipher" accesskey="4">ntp-keygen cipher</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">cipher option (-C)
1320 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-id_002dkey" accesskey="5">ntp-keygen id-key</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">id-key option (-e)
1322 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-gq_002dparams" accesskey="6">ntp-keygen gq-params</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">gq-params option (-G)
1324 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-host_002dkey" accesskey="7">ntp-keygen host-key</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">host-key option (-H)
1326 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-iffkey" accesskey="8">ntp-keygen iffkey</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">iffkey option (-I)
1328 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-ident" accesskey="9">ntp-keygen ident</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ident option (-i)
1330 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">lifetime option (-l)
1332 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">modulus option (-m)
1334 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">md5key option (-M)
1336 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">pvt-cert option (-P)
1338 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-password">ntp-keygen password</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">password option (-p)
1340 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">export-passwd option (-q)
1342 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">subject-name option (-s)
1344 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">sign-key option (-S)
1346 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">trusted-cert option (-T)
1348 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">mv-params option (-V)
1350 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">mv-keys option (-v)
1352 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-config">ntp-keygen config</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">presetting/configuring ntp-keygen
1354 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-exit-status">ntp-keygen exit status</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">exit status
1356 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Usage">ntp-keygen Usage</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Usage
1358 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Notes">ntp-keygen Notes</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Notes
1360 <tr><td align="left" valign="top">&bull; <a href="#ntp_002dkeygen-Bugs">ntp-keygen Bugs</a></td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Bugs
1365 <span id="ntp_002dkeygen-usage"></span><div class="header">
1367 Next: <a href="#ntp_002dkeygen-imbits" accesskey="n" rel="next">ntp-keygen imbits</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1369 <span id="ntp_002dkeygen-help_002fusage-_0028_002d_002dhelp_0029"></span><h4 class="subsection">1.2.2 ntp-keygen help/usage (<samp>--help</samp>)</h4>
1370 <span id="index-ntp_002dkeygen-help"></span>
1372 <p>This is the automatically generated usage text for ntp-keygen.
1375 (<samp>--help</samp>) or the <code>more-help</code> option (<samp>--more-help</samp>). <code>more-help</code> will print
1377 <code>more-help</code> is disabled on platforms without a working
1383 <pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p18
1384 Usage: ntp-keygen [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
1385 Flg Arg Option-Name Description
1386 -b Num imbits identity modulus bits
1387 - it must be in the range:
1389 -c Str certificate certificate scheme
1390 -C Str cipher privatekey cipher
1391 -d no debug-level Increase debug verbosity level
1392 - may appear multiple times
1393 -D Num set-debug-level Set the debug verbosity level
1394 - may appear multiple times
1395 -e no id-key Write IFF or GQ identity keys
1396 -G no gq-params Generate GQ parameters and keys
1397 -H no host-key generate RSA host key
1398 -I no iffkey generate IFF parameters
1399 -i Str ident set Autokey group name
1400 -l Num lifetime set certificate lifetime
1401 -m Num modulus prime modulus
1402 - it must be in the range:
1404 -M no md5key generate symmetric keys
1405 -P no pvt-cert generate PC private certificate
1406 -p Str password local private password
1407 -q Str export-passwd export IFF or GQ group keys with password
1408 -s Str subject-name set host and optionally group name
1409 -S Str sign-key generate sign key (RSA or DSA)
1410 -T no trusted-cert trusted certificate (TC scheme)
1411 -V Num mv-params generate &lt;num&gt; MV parameters
1412 -v Num mv-keys update &lt;num&gt; MV keys
1414 -? no help display extended usage information and exit
1415 -! no more-help extended usage information passed thru pager
1416 -&gt; opt save-opts save the option state to a config file
1417 -&lt; Str load-opts load options from a config file
1418 - disabled as '--no-load-opts'
1419 - may appear multiple times
1426 - reading file $HOME/.ntprc
1427 - reading file ./.ntprc
1428 - examining environment variables named NTP_KEYGEN_*
1434 <span id="ntp_002dkeygen-imbits"></span><div class="header">
1436 Next: <a href="#ntp_002dkeygen-certificate" accesskey="n" rel="next">ntp-keygen certificate</a>, Previous: <a href="#ntp_002dkeygen-usage" accesskey="p" rel="prev">ntp-keygen usage</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1438 <span id="imbits-option-_0028_002db_0029"></span><h4 class="subsection">1.2.3 imbits option (-b)</h4>
1439 <span id="index-ntp_002dkeygen_002dimbits"></span>
1451 <span id="ntp_002dkeygen-certificate"></span><div class="header">
1453 Next: <a href="#ntp_002dkeygen-cipher" accesskey="n" rel="next">ntp-keygen cipher</a>, Previous: <a href="#ntp_002dkeygen-imbits" accesskey="p" rel="prev">ntp-keygen imbits</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1455 <span id="certificate-option-_0028_002dc_0029"></span><h4 class="subsection">1.2.4 certificate option (-c)</h4>
1456 <span id="index-ntp_002dkeygen_002dcertificate"></span>
1467 RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
1468 DSA-SHA, or DSA-SHA1.
1473 this option is RSA-MD5.
1475 <span id="ntp_002dkeygen-cipher"></span><div class="header">
1477 Next: <a href="#ntp_002dkeygen-id_002dkey" accesskey="n" rel="next">ntp-keygen id-key</a>, Previous: <a href="#ntp_002dkeygen-certificate" accesskey="p" rel="prev">ntp-keygen certificate</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1479 <span id="cipher-option-_0028_002dC_0029"></span><h4 class="subsection">1.2.5 cipher option (-C)</h4>
1480 <span id="index-ntp_002dkeygen_002dcipher"></span>
1491 private keys. The default is three-key triple DES in CBC mode,
1492 equivalent to &quot;<code>-C des-ede3-cbc</code>&quot;. The openssl tool lists ciphers
1493 available in &quot;<code>openssl -h</code>&quot; output.
1495 <span id="ntp_002dkeygen-id_002dkey"></span><div class="header">
1497 Next: <a href="#ntp_002dkeygen-gq_002dparams" accesskey="n" rel="next">ntp-keygen gq-params</a>, Previous: <a href="#ntp_002dkeygen-cipher" accesskey="p" rel="prev">ntp-keygen cipher</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1499 <span id="id_002dkey-option-_0028_002de_0029"></span><h4 class="subsection">1.2.6 id-key option (-e)</h4>
1500 <span id="index-ntp_002dkeygen_002did_002dkey"></span>
1513 <span id="ntp_002dkeygen-gq_002dparams"></span><div class="header">
1515 Next: <a href="#ntp_002dkeygen-host_002dkey" accesskey="n" rel="next">ntp-keygen host-key</a>, Previous: <a href="#ntp_002dkeygen-id_002dkey" accesskey="p" rel="prev">ntp-keygen id-key</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1517 <span id="gq_002dparams-option-_0028_002dG_0029"></span><h4 class="subsection">1.2.7 gq-params option (-G)</h4>
1518 <span id="index-ntp_002dkeygen_002dgq_002dparams"></span>
1530 <span id="ntp_002dkeygen-host_002dkey"></span><div class="header">
1532 Next: <a href="#ntp_002dkeygen-iffkey" accesskey="n" rel="next">ntp-keygen iffkey</a>, Previous: <a href="#ntp_002dkeygen-gq_002dparams" accesskey="p" rel="prev">ntp-keygen gq-params</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1534 <span id="host_002dkey-option-_0028_002dH_0029"></span><h4 class="subsection">1.2.8 host-key option (-H)</h4>
1535 <span id="index-ntp_002dkeygen_002dhost_002dkey"></span>
1537 <p>This is the &ldquo;generate rsa host key&rdquo; option.
1544 <p>Generate new host keys, obsoleting any that may exist.
1546 <span id="ntp_002dkeygen-iffkey"></span><div class="header">
1548 Next: <a href="#ntp_002dkeygen-ident" accesskey="n" rel="next">ntp-keygen ident</a>, Previous: <a href="#ntp_002dkeygen-host_002dkey" accesskey="p" rel="prev">ntp-keygen host-key</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1550 <span id="iffkey-option-_0028_002dI_0029"></span><h4 class="subsection">1.2.9 iffkey option (-I)</h4>
1551 <span id="index-ntp_002dkeygen_002diffkey"></span>
1563 <span id="ntp_002dkeygen-ident"></span><div class="header">
1565 Next: <a href="#ntp_002dkeygen-lifetime" accesskey="n" rel="next">ntp-keygen lifetime</a>, Previous: <a href="#ntp_002dkeygen-iffkey" accesskey="p" rel="prev">ntp-keygen iffkey</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1567 <span id="ident-option-_0028_002di_0029"></span><h4 class="subsection">1.2.10 ident option (-i)</h4>
1568 <span id="index-ntp_002dkeygen_002dident"></span>
1580 that role, the default is the host name if this option is not
1581 provided. The group name, if specified using <code>-i/--ident</code> or
1582 using <code>-s/--subject-name</code> following an &rsquo;<code>@</code>&rsquo; character,
1583 is also a part of the self-signed host certificate subject and
1584 issuer names in the form <code>host@group</code> and should match the
1588 <span id="ntp_002dkeygen-lifetime"></span><div class="header">
1590 Next: <a href="#ntp_002dkeygen-modulus" accesskey="n" rel="next">ntp-keygen modulus</a>, Previous: <a href="#ntp_002dkeygen-ident" accesskey="p" rel="prev">ntp-keygen ident</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1592 <span id="lifetime-option-_0028_002dl_0029"></span><h4 class="subsection">1.2.11 lifetime option (-l)</h4>
1593 <span id="index-ntp_002dkeygen_002dlifetime"></span>
1605 <span id="ntp_002dkeygen-modulus"></span><div class="header">
1607 Next: <a href="#ntp_002dkeygen-md5key" accesskey="n" rel="next">ntp-keygen md5key</a>, Previous: <a href="#ntp_002dkeygen-lifetime" accesskey="p" rel="prev">ntp-keygen lifetime</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1609 <span id="modulus-option-_0028_002dm_0029"></span><h4 class="subsection">1.2.12 modulus option (-m)</h4>
1610 <span id="index-ntp_002dkeygen_002dmodulus"></span>
1622 <span id="ntp_002dkeygen-md5key"></span><div class="header">
1624 Next: <a href="#ntp_002dkeygen-pvt_002dcert" accesskey="n" rel="next">ntp-keygen pvt-cert</a>, Previous: <a href="#ntp_002dkeygen-modulus" accesskey="p" rel="prev">ntp-keygen modulus</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1626 <span id="md5key-option-_0028_002dM_0029"></span><h4 class="subsection">1.2.13 md5key option (-M)</h4>
1627 <span id="index-ntp_002dkeygen_002dmd5key"></span>
1632 <span id="ntp_002dkeygen-pvt_002dcert"></span><div class="header">
1634 Next: <a href="#ntp_002dkeygen-password" accesskey="n" rel="next">ntp-keygen password</a>, Previous: <a href="#ntp_002dkeygen-md5key" accesskey="p" rel="prev">ntp-keygen md5key</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1636 <span id="pvt_002dcert-option-_0028_002dP_0029"></span><h4 class="subsection">1.2.14 pvt-cert option (-P)</h4>
1637 <span id="index-ntp_002dkeygen_002dpvt_002dcert"></span>
1649 <span id="ntp_002dkeygen-password"></span><div class="header">
1651 Next: <a href="#ntp_002dkeygen-export_002dpasswd" accesskey="n" rel="next">ntp-keygen export-passwd</a>, Previous: <a href="#ntp_002dkeygen-pvt_002dcert" accesskey="p" rel="prev">ntp-keygen pvt-cert</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1653 <span id="password-option-_0028_002dp_0029"></span><h4 class="subsection">1.2.15 password option (-p)</h4>
1654 <span id="index-ntp_002dkeygen_002dpassword"></span>
1665 DES-CBC algorithm and the specified password. The same password
1670 <span id="ntp_002dkeygen-export_002dpasswd"></span><div class="header">
1672 Next: <a href="#ntp_002dkeygen-subject_002dname" accesskey="n" rel="next">ntp-keygen subject-name</a>, Previous: <a href="#ntp_002dkeygen-password" accesskey="p" rel="prev">ntp-keygen password</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1674 <span id="export_002dpasswd-option-_0028_002dq_0029"></span><h4 class="subsection">1.2.16 export-passwd option (-q)</h4>
1675 <span id="index-ntp_002dkeygen_002dexport_002dpasswd"></span>
1686 encrypted with the DES-CBC algorithm and the specified password.
1689 --id-key (-e) for unencrypted exports.
1691 <span id="ntp_002dkeygen-subject_002dname"></span><div class="header">
1693 Next: <a href="#ntp_002dkeygen-sign_002dkey" accesskey="n" rel="next">ntp-keygen sign-key</a>, Previous: <a href="#ntp_002dkeygen-export_002dpasswd" accesskey="p" rel="prev">ntp-keygen export-passwd</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1695 <span id="subject_002dname-option-_0028_002ds_0029"></span><h4 class="subsection">1.2.17 subject-name option (-s)</h4>
1696 <span id="index-ntp_002dkeygen_002dsubject_002dname"></span>
1698 <p>This is the &ldquo;set host and optionally group name&rdquo; option.
1699 This option takes a string argument <samp>host@group</samp>.
1706 <p>Set the Autokey host name, and optionally, group name specified
1707 following an &rsquo;<code>@</code>&rsquo; character. The host name is used in the file
1708 name of generated host and signing certificates, without the
1709 group name. The host name, and if provided, group name are used
1710 in <code>host@group</code> form for the host certificate subject and issuer
1711 fields. Specifying &rsquo;<code>-s @group</code>&rsquo; is allowed, and results in
1712 leaving the host name unchanged while appending <code>@group</code> to the
1713 subject and issuer fields, as with <code>-i group</code>. The group name, or
1714 if not provided, the host name are also used in the file names
1717 <span id="ntp_002dkeygen-sign_002dkey"></span><div class="header">
1719 Next: <a href="#ntp_002dkeygen-trusted_002dcert" accesskey="n" rel="next">ntp-keygen trusted-cert</a>, Previous: <a href="#ntp_002dkeygen-subject_002dname" accesskey="p" rel="prev">ntp-keygen subject-name</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1721 <span id="sign_002dkey-option-_0028_002dS_0029"></span><h4 class="subsection">1.2.18 sign-key option (-S)</h4>
1722 <span id="index-ntp_002dkeygen_002dsign_002dkey"></span>
1733 that may exist. By default, the program uses the host key as the
1736 <span id="ntp_002dkeygen-trusted_002dcert"></span><div class="header">
1738 Next: <a href="#ntp_002dkeygen-mv_002dparams" accesskey="n" rel="next">ntp-keygen mv-params</a>, Previous: <a href="#ntp_002dkeygen-sign_002dkey" accesskey="p" rel="prev">ntp-keygen sign-key</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1740 <span id="trusted_002dcert-option-_0028_002dT_0029"></span><h4 class="subsection">1.2.19 trusted-cert option (-T)</h4>
1741 <span id="index-ntp_002dkeygen_002dtrusted_002dcert"></span>
1751 a non-trusted certificate.
1753 <span id="ntp_002dkeygen-mv_002dparams"></span><div class="header">
1755 Next: <a href="#ntp_002dkeygen-mv_002dkeys" accesskey="n" rel="next">ntp-keygen mv-keys</a>, Previous: <a href="#ntp_002dkeygen-trusted_002dcert" accesskey="p" rel="prev">ntp-keygen trusted-cert</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1757 <span id="mv_002dparams-option-_0028_002dV_0029"></span><h4 class="subsection">1.2.20 mv-params option (-V)</h4>
1758 <span id="index-ntp_002dkeygen_002dmv_002dparams"></span>
1768 <p>Generate parameters and keys for the Mu-Varadharajan (MV)
1771 <span id="ntp_002dkeygen-mv_002dkeys"></span><div class="header">
1773 Next: <a href="#ntp_002dkeygen-config" accesskey="n" rel="next">ntp-keygen config</a>, Previous: <a href="#ntp_002dkeygen-mv_002dparams" accesskey="p" rel="prev">ntp-keygen mv-params</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1775 <span id="mv_002dkeys-option-_0028_002dv_0029"></span><h4 class="subsection">1.2.21 mv-keys option (-v)</h4>
1776 <span id="index-ntp_002dkeygen_002dmv_002dkeys"></span>
1790 <span id="ntp_002dkeygen-config"></span><div class="header">
1792 Next: <a href="#ntp_002dkeygen-exit-status" accesskey="n" rel="next">ntp-keygen exit status</a>, Previous: <a href="#ntp_002dkeygen-mv_002dkeys" accesskey="p" rel="prev">ntp-keygen mv-keys</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1794 <span id="presetting_002fconfiguring-ntp_002dkeygen"></span><h4 class="subsection">1.2.22 presetting/configuring ntp-keygen</h4>
1797 loading values from configuration (&quot;rc&quot; or &quot;ini&quot;) files, and values from environment variables named <code>NTP-KEYGEN</code> and <code>NTP-KEYGEN_&lt;OPTION_NAME&gt;</code>. <code>&lt;OPTION_NAME&gt;</code> must be one of
1799 The <code>NTP-KEYGEN</code> variable will be tokenized and parsed like
1810 are expanded and replaced when <samp>ntp-keygen</samp> runs.
1825 <pre class="example">[NTP-KEYGEN]
1829 <pre class="example">&lt;?program ntp-keygen&gt;
1836 <pre class="example">&lt;option-name&gt;
1837 &lt;sub-opt&gt;...&amp;lt;...&amp;gt;...&lt;/sub-opt&gt;
1838 &lt;/option-name&gt;
1840 <p>yielding an <code>option-name.sub-opt</code> string value of
1850 <span id="version-_0028_002d_0029"></span><h4 class="subsubheading">version (-)</h4>
1870 <span id="ntp_002dkeygen-exit-status"></span><div class="header">
1872 Next: <a href="#ntp_002dkeygen-Usage" accesskey="n" rel="next">ntp-keygen Usage</a>, Previous: <a href="#ntp_002dkeygen-config" accesskey="p" rel="prev">ntp-keygen config</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1874 <span id="ntp_002dkeygen-exit-status-1"></span><h4 class="subsection">1.2.23 ntp-keygen exit status</h4>
1889 it to autogen-users@lists.sourceforge.net. Thank you.
1893 <span id="ntp_002dkeygen-Usage"></span><div class="header">
1895 Next: <a href="#ntp_002dkeygen-Notes" accesskey="n" rel="next">ntp-keygen Notes</a>, Previous: <a href="#ntp_002dkeygen-exit-status" accesskey="p" rel="prev">ntp-keygen exit status</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1897 <span id="ntp_002dkeygen-Usage-1"></span><h4 class="subsection">1.2.24 ntp-keygen Usage</h4>
1899 <span id="ntp_002dkeygen-Notes"></span><div class="header">
1901 Next: <a href="#ntp_002dkeygen-Bugs" accesskey="n" rel="next">ntp-keygen Bugs</a>, Previous: <a href="#ntp_002dkeygen-Usage" accesskey="p" rel="prev">ntp-keygen Usage</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1903 <span id="ntp_002dkeygen-Notes-1"></span><h4 class="subsection">1.2.25 ntp-keygen Notes</h4>
1905 <span id="ntp_002dkeygen-Bugs"></span><div class="header">
1907 Previous: <a href="#ntp_002dkeygen-Notes" accesskey="p" rel="prev">ntp-keygen Notes</a>, Up: <a href="#ntp_002dkeygen-Invocation" accesskey="u" rel="up">ntp-keygen Invocation</a> &nbsp; </p>
1909 <span id="ntp_002dkeygen-Bugs-1"></span><h4 class="subsection">1.2.26 ntp-keygen Bugs</h4>
1912 <span id="Random-Seed-File"></span><div class="header">
1914 Next: <a href="#Cryptographic-Data-Files" accesskey="n" rel="next">Cryptographic Data Files</a>, Previous: <a href="#Running-the-Program" accesskey="p" rel="prev">Running the Program</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
1916 <span id="Random-Seed-File-2"></span><h3 class="section">1.3 Random Seed File</h3>
1920 pseudo-random number generator used by the OpenSSL library routines.
1925 starting the <code>ntp-keygen</code> program or <code>ntpd</code> daemon.
1933 Since both the <code>ntp-keygen</code> program and <code>ntpd</code> daemon must run
1940 <span id="Cryptographic-Data-Files"></span><div class="header">
1942 Previous: <a href="#Random-Seed-File" accesskey="p" rel="prev">Random Seed File</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; </p>
1944 <span id="Cryptographic-Data-Files-2"></span><h3 class="section">1.4 Cryptographic Data Files</h3>
1948 <code>name</code> is the host or group name and
1956 Key types include public/private keys host and sign, certificate cert
1969 using ASN.1 rules, then encrypted using the DES-CBC algorithm with
1970 given password and finally written in PEM-encoded printable ASCII text
1984 2 MD5 lu+H^tF46BKR-6~pV_5 # MD5 key
1986 4 MD5 |fdZrf0sF~;w-i^V # MD5 key
1989 7 MD5 c9x=M'CfLxax9v)PV-si # MD5 key
2019 compatibility with FIPS 140-2 is required, the key type must be either
2026 key consists of a hex-encoded ASCII string of 40 characters, which is
2035 <p>The <code>ntp-keygen</code> program generates an MD5 symmetric keys file
2040 The NTP daemon loads the file <code>ntp.keys</code>, so <code>ntp-keygen</code>