xref: /freebsd/contrib/ntp/ntpd/ntp.keys.def (revision c203bd70b5957f85616424b6fa374479372d06e3)
1/* -*- Mode: Text -*- */
2
3autogen definitions options;
4
5#include copyright.def
6#include version.def
7
8// We want the synopsis to be "/etc/ntp.keys" but we need the prog-name
9// to be ntp.keys - the latter is also how autogen produces the output
10// file name.
11prog-name	= "ntp.keys";
12file-path	= "/etc/ntp.keys";
13prog-title	= "NTP symmetric key file format";
14
15/* explain: Additional information whenever the usage routine is invoked */
16explain = <<- _END_EXPLAIN
17	_END_EXPLAIN;
18
19doc-section	= {
20  ds-type	= 'DESCRIPTION';
21  ds-format	= 'mdoc';
22  ds-text	= <<- _END_PROG_MDOC_DESCRIP
23This document describes the format of an NTP symmetric key file.
24For a description of the use of this type of file, see the
25.Qq Authentication Support
26section of the
27.Xr ntp.conf 5
28page.
29.Pp
30.Xr ntpd 8
31reads its keys from a file specified using the
32.Fl k
33command line option or the
34.Ic keys
35statement in the configuration file.
36While key number 0 is fixed by the NTP standard
37(as 56 zero bits)
38and may not be changed,
39one or more keys numbered between 1 and 65535
40may be arbitrarily set in the keys file.
41.Pp
42The key file uses the same comment conventions
43as the configuration file.
44Key entries use a fixed format of the form
45.Pp
46.D1 Ar keyno type key opt_IP_list
47.Pp
48where
49.Ar keyno
50is a positive integer (between 1 and 65535),
51.Ar type
52is the message digest algorithm,
53.Ar key
54is the key itself, and
55.Ar opt_IP_list
56is an optional comma-separated list of IPs
57where the
58.Ar keyno
59should be trusted.
60that are allowed to serve time.
61Each IP in
62.Ar opt_IP_list
63may contain an optional
64.Cm /subnetbits
65specification which identifies the number of bits for
66the desired subnet of trust.
67If
68.Ar opt_IP_list
69is empty,
70any properly-authenticated message will be
71accepted.
72.Pp
73The
74.Ar key
75may be given in a format
76controlled by the
77.Ar type
78field.
79The
80.Ar type
81.Li MD5
82is always supported.
83If
84.Li ntpd
85was built with the OpenSSL library
86then any digest library supported by that library may be specified.
87However, if compliance with FIPS 140-2 is required the
88.Ar type
89must be either
90.Li SHA
91or
92.Li SHA1 .
93.Pp
94What follows are some key types, and corresponding formats:
95.Pp
96.Bl -tag -width RMD160 -compact
97.It Li MD5
98The key is 1 to 16 printable characters terminated by
99an EOL,
100whitespace,
101or
102a
103.Li #
104(which is the "start of comment" character).
105.Pp
106.It Li SHA
107.It Li SHA1
108.It Li RMD160
109The key is a hex-encoded ASCII string of 40 characters,
110which is truncated as necessary.
111.El
112.Pp
113Note that the keys used by the
114.Xr ntpq 8
115and
116.Xr ntpdc 8
117programs are checked against passwords
118requested by the programs and entered by hand,
119so it is generally appropriate to specify these keys in ASCII format.
120	_END_PROG_MDOC_DESCRIP;
121};
122
123doc-section	= {
124  ds-type	= 'FILES';
125  ds-format	= 'mdoc';
126  ds-text	= <<- _END_MDOC_FILES
127.Bl -tag -width /etc/ntp.keys -compact
128.It Pa /etc/ntp.keys
129the default name of the configuration file
130.El
131	_END_MDOC_FILES;
132};
133
134doc-section	= {
135  ds-type	= 'SEE ALSO';
136  ds-format	= 'mdoc';
137  ds-text	= <<- _END_MDOC_SEE_ALSO
138.Xr ntp.conf 5 ,
139.Xr ntpd 1ntpdmdoc ,
140.Xr ntpdate 1ntpdatemdoc ,
141.Xr ntpdc 1ntpdcmdoc ,
142.Xr sntp 1sntpmdoc
143	_END_MDOC_SEE_ALSO;
144};
145
146/*
147doc-section	= {
148  ds-type	= 'BUGS';
149  ds-format	= 'mdoc';
150  ds-text	= <<- _END_MDOC_BUGS
151.Xr ntpd 8
152has gotten rather fat.
153While not huge, it has gotten larger than might
154be desirable for an elevated-priority daemon running on a workstation,
155particularly since many of the fancy features which consume the space
156were designed more with a busy primary server, rather than a high
157stratum workstation, in mind.
158	_END_MDOC_BUGS;
159};
160*/
161
162doc-section	= {
163  ds-type	= 'NOTES';
164  ds-format	= 'mdoc';
165  ds-text	= <<- _END_MDOC_NOTES
166This document was derived from FreeBSD.
167	_END_MDOC_NOTES;
168};
169