xref: /freebsd/contrib/ntp/ntpd/invoke-ntp.keys.texi (revision 2008043f386721d58158e37e0d7e50df8095942d)
@node ntp.keys Notes
@section Notes about ntp.keys
@pindex ntp.keys
@cindex NTP symmetric key file format
@ignore
#
# EDIT THIS FILE WITH CAUTION  (invoke-ntp.keys.texi)
#
# It has been AutoGen-ed  June  6, 2023 at 04:37:41 AM by AutoGen 5.18.16
# From the definitions    ntp.keys.def
# and the template file   agtexi-file.tpl
@end ignore



This document describes the format of an NTP symmetric key file.
For a description of the use of this type of file, see the
"Authentication Support"
section of the
@code{ntp.conf(5)}
page.

@code{ntpd(8)}
reads its keys from a file specified using the
@code{-k}
command line option or the
@code{keys}
statement in the configuration file.
While key number 0 is fixed by the NTP standard
(as 56 zero bits)
and may not be changed,
one or more keys numbered between 1 and 65535
may be arbitrarily set in the keys file.

The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form

@example
@kbd{keyno} @kbd{type} @kbd{key} @kbd{opt_IP_list}
@end example

where
@kbd{keyno}
is a positive integer (between 1 and 65535),
@kbd{type}
is the message digest algorithm,
@kbd{key}
is the key itself, and
@kbd{opt_IP_list}
is an optional comma-separated list of IPs
that are allowed to serve time and for which the
@kbd{keyno}
should be trusted.
Each IP in
@kbd{opt_IP_list}
may contain an optional
@code{/subnetbits}
specification which identifies the number of bits for
the desired subnet of trust.
If
@kbd{opt_IP_list}
is empty,
any properly-authenticated message will be
accepted.

The
@kbd{key}
may be given in a format
controlled by the
@kbd{type}
field.
The
@kbd{type}
@code{MD5}
is always supported.
If
@code{ntpd}
was built with the OpenSSL library
then any digest algorithm supported by that library may be specified.
However, if compliance with FIPS 140-2 is required, the
@kbd{type}
must be either
@code{SHA}
or
@code{SHA1}.

What follows are some key types, and corresponding formats:

@table @asis
@item @code{MD5}
The key is 1 to 16 printable characters terminated by
an EOL,
whitespace,
or
a
@code{#}
(which is the "start of comment" character).

@item @code{SHA}
@item @code{SHA1}
@item @code{RMD160}
The key is a hex-encoded ASCII string of 40 characters,
which is truncated as necessary.
@end table
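
The entry format and key-type rules above can be checked mechanically before a key file is deployed. The following Python lint is an added example, not part of the NTP distribution or of this manual; the name lint_keys, its messages and the sample entries are constructed for illustration, and it enforces only the rules stated on this page.

```python
import ipaddress
import string

HEX_TYPES = ("SHA", "SHA1", "RMD160")   # 40 hex characters, per the table above
FIPS_TYPES = ("SHA", "SHA1")            # types this page allows under FIPS 140-2

# Constructed sample input, not a real key file.
SAMPLE = """\
# constructed sample keys
1 MD5 s3cretPassw0rd
2 SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.10,198.51.100.0/24
0 MD5 zerokey 192.0.2.10
3 SHA1 nothex 192.0.2.10
4 SHA1 89abcdef0123456789abcdef0123456701234567 192.0.2.300
"""

def lint_keys(text, fips=False):
    """Return a list of (line_number, message) findings for ntp.keys text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if not fields:
            continue
        if len(fields) not in (3, 4):
            findings.append((n, "expected: keyno type key [opt_IP_list]"))
            continue
        keyno, ktype, key = fields[:3]
        ip_list = fields[3] if len(fields) == 4 else ""
        if not (keyno.isascii() and keyno.isdigit() and 1 <= int(keyno) <= 65535):
            findings.append((n, "keyno must be between 1 and 65535"))
        if ktype == "MD5":
            if not 1 <= len(key) <= 16 or not all(c in string.printable for c in key):
                findings.append((n, "MD5 key must be 1 to 16 printable characters"))
        elif ktype in HEX_TYPES:   # other OpenSSL digest types are not checked
            if len(key) != 40 or not all(c in string.hexdigits for c in key):
                findings.append((n, "key must be 40 hex characters"))
        if fips and ktype not in FIPS_TYPES:
            findings.append((n, "type is not SHA or SHA1 (FIPS 140-2)"))
        for ip in filter(None, ip_list.split(",")):
            try:
                ipaddress.ip_network(ip, strict=False)   # accepts /subnetbits
            except ValueError:
                findings.append((n, "bad opt_IP_list entry: " + ip))
        if not ip_list:   # empty list: any authenticated sender is accepted
            findings.append((n, "no opt_IP_list: key accepted from any address"))
    return findings

if __name__ == "__main__":
    print(*lint_keys(SAMPLE), sep="\n")
```

The "no opt_IP_list" finding is informational: it marks keys that authenticate messages from any source address, which is the default behaviour described above.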

Note that the keys used by the
@code{ntpq(8)}
and
@code{ntpdc(8)}
programs are checked against passwords
requested by the programs and entered by hand,
so it is generally appropriate to specify these keys in ASCII format.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ntp.keys} program.
This software is released under the NTP license, <http://ntp.org/license>.

@menu
* ntp.keys Files::                  Files
* ntp.keys See Also::               See Also
* ntp.keys Notes::                  Notes
@end menu

@node ntp.keys Files
@subsection ntp.keys Files
@table @asis
@item @file{/etc/ntp.keys}
the default name of the configuration file
@end table
@node ntp.keys See Also
@subsection ntp.keys See Also
@code{ntp.conf(5)},
@code{ntpd(1ntpdmdoc)},
@code{ntpdate(1ntpdatemdoc)},
@code{ntpdc(1ntpdcmdoc)},
@code{sntp(1sntpmdoc)}
@node ntp.keys Notes
@subsection ntp.keys Notes
This document was derived from FreeBSD.
