Lines Matching +full:host +full:- +full:only
4 .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
6 .\" It has been AutoGen-ed May 25, 2024 at 12:04:46 AM by AutoGen 5.18.16
7 .\" From the definitions ntp-keygen-opts.def
8 .\" and the template file agmdoc-cmd.tpl
10 .Nm ntp-keygen
11 .Nd Create a NTP host key
17 .Op Fl \-option\-name Ns Oo Oo Ns "=| " Oc Ns Ar value Oc
25 if the OpenSSL software library has been installed, it can generate host keys,
34 All other files are in PEM\-encoded printable ASCII format,
40 produces a file containing ten pseudo\-random printable ASCII strings
44 hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
69 If no password is specified, the host name returned by the Unix
71 command, normally the DNS name of the host, is used as the the default read
89 If not specified, the host name is used.
93 without specifying an explicit password but only on the same host.
94 If the write password used for encryption is specified as the host name,
95 these files can be read by that host with no explicit password.
97 Normally, encrypted files for each host are generated by that host and
98 used only by that host, although exceptions exist as noted later on
107 NFS\-mounted networks and cannot be changed by shared clients.
125 and include the file type, generating host and filestamp,
150 host key and matching
151 .Cm RSA\-MD5
160 The host key is used to encrypt the cookie when required and so must be
163 By default, the host key is also the sign key used to encrypt signatures.
184 however, only
207 However, there should be only one
215 Installing the keys as root might not work in NFS\-mounted
229 Ordinarily, cryptographic files are generated by the host that uses them,
233 of the host generating the files, but can be changed by command line options.
236 The owner name is also used for the host and sign key files,
242 in NFS\-mounted networks.
246 Normally, the files for each host are generated by that host
247 and used only by that host, although exceptions exist
251 including the host key, sign key and identification parameters,
252 are permitted root read/write\-only;
290 Designate one of them as the trusted host (TH) using
298 ascendant host towards the TH to sign its certificate, which is then
299 provided to the immediately descendant host on request.
302 The host key is used to encrypt the cookie when required and so must be
304 By default, the host key is also the sign key used to encrypt
323 filestamps, which means the host should already be synchronized before
325 This of course creates a chicken\-and\-egg problem
326 when the host is started for the first time.
327 Accordingly, the host time
328 should be set by some other means, such as eyeball\-and\-wristwatch, at
330 After that and when the host is synchronized to a proventic source, the
331 certificate should be re\-generated.
334 .Dq Autokey Public\-Key Authentication
375 First, configure a NTP subnet including one or more low\-stratum
383 a certificate trail ending at a trusted host.
390 On each trusted host as root, change to the keys directory.
418 .Cm DSA Ns \-signed
434 from time to time, if only to extend the validity interval.
439 However, if the host or sign key is changed,
462 by a trusted host and certificate trails that end on that host.
463 The name of a trusted host is also the name of its sugroup
465 The TA is not necessarily a trusted host in this sense, but often is.
474 only as clients have key files that contain only client keys.
476 The PC scheme supports only one trusted host in the group.
477 On trusted host alice run
481 to generate the host key file
484 .Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
488 On each host
492 to the host key file and soft link
496 by trusted host alice.
506 and certificates for all group hosts, then for every trusted host in the group,
510 On trusted host alice run
522 If there are no hosts restricted to operate only as clients,
549 and certificates for all group hosts, then for every trusted host
553 On trusted host alice run
565 In addition, on each host
620 .Bl -tag -width indent
621 .It Fl b Fl \-imbits Ns = Ar modulus
629 .It Fl c Fl \-certificate Ns = Ar scheme
634 .Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
636 .Cm DSA\-SHA1 .
647 .Cm RSA\-MD5 .
648 If compatibility with FIPS 140\-2 is required, either the
649 .Cm DSA\-SHA
651 .Cm DSA\-SHA1
653 .It Fl C Fl \-cipher Ns = Ar cipher
655 The default without this option is three\-key triple DES in CBC mode,
656 .Cm des\-ede3\-cbc .
660 .It Fl d Fl \-debug\-level
662 This option displays the cryptographic data produced in eye\-friendly billboards.
663 .It Fl D Fl \-set\-debug\-level Ns = Ar level
666 This option displays the cryptographic data produced in eye\-friendly billboards.
667 .It Fl e Fl \-id\-key
678 .It Fl G Fl \-gq\-params
681 parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
687 .It Fl H Fl \-host\-key
690 public/private host key file.
691 .It Fl I Fl \-iffkey
700 .It Fl i Fl \-ident Ns = Ar group
708 In that role, the default is the host name if no group is provided.
716 .Ar host @ group
722 .It Fl l Fl \-lifetime Ns = Ar days
726 .It Fl m Fl \-modulus Ns = Ar bits
732 .It Fl M Fl \-md5key
745 .It Fl p Fl \-password Ns = Ar passwd
748 These include the host, sign and identify key files.
752 .It Fl P Fl \-pvt\-cert
758 .It Fl q Fl \-export\-passwd Ns = Ar passwd
773 .It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
774 Specify the Autokey host name, where
775 .Ar host
776 is the optional host name and
779 The host name, and if provided, group name are used in
780 .Ar host @ group
784 is allowed, and results in leaving the host name unchanged, as with
786 The group name, or if no group is provided, the host name are also used in the
793 .Ar host
794 is not specified, the default host name is the string returned by the Unix
797 .It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
799 By default, the sign key is the host key and has the same type.
800 If compatibility with FIPS 140\-2 is required, the sign key type must be
802 .It Fl T Fl \-trusted\-cert
804 By default, the program generates a non\-trusted certificate.
805 .It Fl V Fl \-mv\-params Ar nkeys
808 encrypted server keys and parameters for the Mu\-Varadharajan (MV)
820 the internal pseudo\-random number generator used
833 can be used to do this and some systems have built\-in entropy sources.
877 The first line contains the file name, including the generated host name
884 is the host or group name and
892 names in generated link names include only lower case characters.
906 rules, then encrypted if necessary, and finally written in PEM\-encoded
914 .Bd -literal -unfilled -offset center
925 9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
946 is a positive integer in the range 1\-65535;
954 however, if compatibility with FIPS 140\-2 is required,
972 An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
989 it should be visible only to root and distributed by secure means
1006 .Bl -tag
1007 .It Fl b Ar imbits , Fl \-imbits Ns = Ns Ar imbits
1018 .in -4
1021 .It Fl c Ar scheme , Fl \-certificate Ns = Ns Ar scheme
1025 RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
1026 DSA\-SHA, or DSA\-SHA1.
1031 this option is RSA\-MD5.
1032 .It Fl C Ar cipher , Fl \-cipher Ns = Ns Ar cipher
1036 private keys. The default is three\-key triple DES in CBC mode,
1037 equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
1038 available in "\fBopenssl \-h\fP" output.
1039 .It Fl d , Fl \-debug\-level
1043 .It Fl D Ar number , Fl \-set\-debug\-level Ns = Ns Ar number
1048 .It Fl e , Fl \-id\-key
1054 .It Fl G , Fl \-gq\-params
1059 .It Fl H , Fl \-host\-key
1060 generate RSA host key.
1062 Generate new host keys, obsoleting any that may exist.
1063 .It Fl I , Fl \-iffkey
1068 .It Fl i Ar group , Fl \-ident Ns = Ns Ar group
1073 that role, the default is the host name if this option is not
1074 provided. The group name, if specified using \fB\-i/\-\-ident\fP or
1075 using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
1076 is also a part of the self\-signed host certificate subject and
1080 .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
1085 .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
1096 .in -4
1099 .It Fl M , Fl \-md5key
1103 .It Fl P , Fl \-pvt\-cert
1108 .It Fl p Ar passwd , Fl \-password Ns = Ns Ar passwd
1112 DES\-CBC algorithm and the specified password. The same password
1116 .It Fl q Ar passwd , Fl \-export\-passwd Ns = Ns Ar passwd
1120 encrypted with the DES\-CBC algorithm and the specified password.
1123 -\-id\-key (\-e) for unencrypted exports.
1124 .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
1125 set host and optionally group name.
1127 Set the Autokey host name, and optionally, group name specified
1128 following an '\fB@\fP' character. The host name is used in the file
1129 name of generated host and signing certificates, without the
1130 group name. The host name, and if provided, group name are used
1131 in \fBhost@group\fP form for the host certificate subject and issuer
1132 fields. Specifying '\fB\-s @group\fP' is allowed, and results in
1133 leaving the host name unchanged while appending \fB@group\fP to the
1134 subject and issuer fields, as with \fB\-i group\fP. The group name, or
1135 if not provided, the host name are also used in the file names
1137 .It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
1141 that may exist. By default, the program uses the host key as the
1143 .It Fl T , Fl \-trusted\-cert
1147 a non\-trusted certificate.
1148 .It Fl V Ar num , Fl \-mv\-params Ns = Ns Ar num
1152 Generate parameters and keys for the Mu\-Varadharajan (MV)
1154 .It Fl v Ar num , Fl \-mv\-keys Ns = Ns Ar num
1159 .It Fl \&? , Fl \-help
1161 .It Fl \&! , Fl \-more\-help
1163 .It Fl > Oo Ar cfgfile Oc , Fl \-save\-opts Oo Ns = Ns Ar cfgfile Oc
1167 .It Fl < Ar cfgfile , Fl \-load\-opts Ns = Ns Ar cfgfile , Fl \-no\-load\-opts
1169 The \fIno\-load\-opts\fP form will disable the loading
1170 of earlier config/rc/ini files. \fI\-\-no\-load\-opts\fP is handled early,
1172 .It Fl \-version Op Brq Ar v|c|n
1182 \fBNTP_KEYGEN_<option\-name>\fP or \fBNTP_KEYGEN\fP
1197 .Bl -tag
1206 it to autogen\-users@lists.sourceforge.net. Thank you.
1211 Copyright (C) 1992\-2024 The University of Delaware and Network Time Foundation all rights reserved.
1222 This manual page was \fIAutoGen\fP\-erated from the \fBntp\-keygen\fP